Bug 254331 - Aborted at Source/JavaScriptCore/runtime/ArrayBuffer.cpp(113)
Summary: Aborted at Source/JavaScriptCore/runtime/ArrayBuffer.cpp(113)
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
Reported: 2023-03-23 06:16 PDT by xiangwei1895
Modified: 2023-03-28 00:04 PDT

Description xiangwei1895 2023-03-23 06:16:01 PDT
My JSC crashed when executing the following code:

PoC:
// Typed array with 59925 elements: forEach below calls f3 once per element.
const v2 = new Int16Array(59925);
function f3(a4, a5, a6, a7) {
    const o10 = {
        "maxByteLength": 786701,
    };
    // Resizable ArrayBuffer: 32 bytes now, allowed to grow to 786701 bytes.
    // Each call goes through JSC's tryAllocateResizableMemory (see the abort below).
    const v12 = new ArrayBuffer(32, o10);
    return a6;
}
v2.forEach(f3);


mprotect failed: Cannot allocate memory
SHOULD NEVER BE REACHED
/home/data/WebKit/Source/JavaScriptCore/runtime/ArrayBuffer.cpp(113) : WTF::RefPtr<JSC::BufferMemoryHandle> JSC::tryAllocateResizableMemory(VM*, size_t, size_t)
Aborted (core dumped)
Comment 1 Alexey Proskuryakov 2023-03-23 15:00:10 PDT
On macOS Apple Silicon, I get an exception and no crash.

>>> const v2 = new Int16Array(59925);
undefined
>>> function f3(a4, a5, a6, a7) {
...     const o10 = {
...         "maxByteLength": 786701,
...     };
...     const v12 = new ArrayBuffer(32, o10);
...     return a6;
... }
undefined
>>> v2.forEach(f3);
Exception: RangeError: Out of memory
>>>
Comment 2 Yusuke Suzuki 2023-03-23 15:28:18 PDT
This is memory exhaustion on the Linux platform, and RELEASE_ASSERT_NOT_REACHED. Thus, not a security issue.
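The two outcomes on this page are the two ways an allocator can handle a refused reservation: the macOS build turns the failure into a RangeError, the Linux build hits the RELEASE_ASSERT and aborts. Below is an added, stand-alone illustration (written for this page; not JSC's code, not part of the bug report) of the reserve-then-commit pattern a resizable ArrayBuffer backing store relies on, with the fail-soft handling that produces an error instead of a crash. The type and function names (resizable_region, region_reserve, region_grow, region_write, region_release, allocate_many) are hypothetical, and the model (mmap PROT_NONE for maxByteLength, mprotect to commit byteLength) is an assumption about the shape of such an allocator, chosen because the crash output shows mprotect failing inside tryAllocateResizableMemory. The loop in allocate_many mirrors the PoC's 59925 iterations with max = 786701, but with a small count.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif
#ifndef MAP_NORESERVE
#define MAP_NORESERVE 0
#endif

/* Hypothetical model (not JSC's code) of a resizable ArrayBuffer backing store:
 * address space for maxByteLength is reserved up front as PROT_NONE, and only
 * the current byteLength is committed as read/write. */
typedef struct {
    unsigned char *base;
    size_t reserved;   /* bytes of address space reserved (PROT_NONE) */
    size_t committed;  /* bytes currently readable and writable */
} resizable_region;

/* Reserve `max` bytes, commit the first `initial`. Returns 0, or -1 with errno
 * set. It never aborts: the caller can surface -1 as a RangeError instead of
 * taking the whole process down. */
int region_reserve(resizable_region *r, size_t initial, size_t max)
{
    memset(r, 0, sizeof *r);
    if (max == 0 || initial > max) { errno = EINVAL; return -1; }
    void *p = mmap(NULL, max, PROT_NONE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE, -1, 0);
    if (p == MAP_FAILED)
        return -1;                    /* address space exhausted: ENOMEM */
    if (initial > 0 && mprotect(p, initial, PROT_READ | PROT_WRITE) != 0) {
        int saved = errno;            /* commit refused: the "mprotect failed" case */
        munmap(p, max);               /* drop the reservation, leave nothing dangling */
        errno = saved;
        return -1;
    }
    r->base = p; r->reserved = max; r->committed = initial;
    return 0;
}

/* Grow the committed prefix to `new_len`. Growth past the reservation is refused
 * with ERANGE, mirroring the maxByteLength bound of a resizable buffer. */
int region_grow(resizable_region *r, size_t new_len)
{
    if (new_len > r->reserved) { errno = ERANGE; return -1; }
    if (new_len <= r->committed) return 0;
    /* Re-protect from base so no page-alignment arithmetic is needed;
     * pages that are already committed are unaffected. */
    if (mprotect(r->base, new_len, PROT_READ | PROT_WRITE) != 0) return -1;
    r->committed = new_len;
    return 0;
}

/* Bounds-checked write into the committed range; proves the pages are backed. */
int region_write(resizable_region *r, size_t off, unsigned char v)
{
    if (off >= r->committed) { errno = EINVAL; return -1; }
    r->base[off] = v;
    return 0;
}

void region_release(resizable_region *r)
{
    if (r->base) munmap(r->base, r->reserved);
    memset(r, 0, sizeof *r);
}

/* The PoC's loop, fail-soft: create `count` regions of (initial, max), stop at
 * the first failure, release everything, return how many succeeded and set
 * *err_out to the errno that stopped the loop (0 if it did not stop). */
size_t allocate_many(size_t count, size_t initial, size_t max, int *err_out)
{
    *err_out = 0;
    if (count == 0) return 0;
    resizable_region *regions = calloc(count, sizeof *regions);
    if (!regions) { *err_out = ENOMEM; return 0; }
    size_t made = 0;
    for (; made < count; made++)
        if (region_reserve(&regions[made], initial, max) != 0) { *err_out = errno; break; }
    for (size_t i = 0; i < made; i++) region_release(&regions[i]);
    free(regions);
    return made;
}

int main(void)
{
    int err = 0;
    size_t ok = allocate_many(200, 32, 786701, &err);
    printf("200 x 786701-byte reservations: %zu succeeded, errno=%d\n", ok, err);
    ok = allocate_many(1, 32, SIZE_MAX / 2, &err);
    printf("one %zu-byte reservation: %zu succeeded, errno=%d (%s)\n",
           (size_t)(SIZE_MAX / 2), ok, err, strerror(err));
    return 0;
}
```

The second call in main deliberately asks for more address space than any process can map, so mmap refuses it with ENOMEM and the loop reports zero successes rather than crashing; that is the RangeError path Comment 1 shows on macOS. The Linux trace on this page is the other safe outcome, a fail-closed RELEASE_ASSERT that stops the process before any memory is handed out, which is why it is classified as exhaustion rather than a memory-safety bug.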