Javascript OOM in invalid table size
Reported by
b.kurin...@gmail.com,
Dec 30
|
|||||||
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Steps to reproduce the problem:
1) ./d8 poc.js
or
2) Open special crafted html-file (based on poc.js) in Google Chrome (poc.html)
poc.js
var arr1 = [0,1];
function ObjCreate(make) {
this.make = make;
}
var obj1 = new ObjCreate();
function main() {
arr1.reduce(f3);
Object.getOwnPropertyDescriptors(Array(99).join(obj1.make));
}
function f3() {
obj1["make"] = RegExp(Array(60000).join("CCC"));
}
main();
What is the expected behavior?
What went wrong?
1) d8 is crash.
2) Tab in Google Chrome is crash.
<--- Last few GCs --->
[3915:0x62e000000400] 248 ms: Scavenge 1.4 (3.8) -> 0.8 (4.3) MB, 0.5 / 0.0 ms (average mu = 1.000, current mu = 1.000) allocation failure
<--- JS stacktrace --->
==== JS stack trace =========================================
Security context: 0x7ed8b899a101 <JSObject>
0: builtin exit frame: getOwnPropertyDescriptors(this=0x7ed8b8981fc9 <JSFunction Object (sfi = 0x7ed77b607e11)>,0x7efaae380139 <Very long string[17639902]>,0x7ed8b8981fc9 <JSFunction Object (sfi = 0x7ed77b607e11)>)
1: main [0x7ed8b89a44a1] [16.js:16] [bytecode=0x7ed8b89a4829 offset=72](this=0x7ecd619001d9 <JSGlobal Object>)
2: /* anonymous */ [0x7ed8b89a42a9] [16.js:25] [bytecode=0x...
#
# Fatal javascript OOM in invalid table size
#
Received signal 4 ILL_ILLOPN 5584bbdbb75c
==== C stack trace ===============================
[0x5584b9d7ae21]
[0x5584bbdc3dbf]
[0x7f43962e4890]
[0x5584bbdbb75c]
[0x5584b9e7560d]
[0x5584b9e7550e]
[0x5584bab287e9]
[0x5584bb0eddfe]
[0x5584bb0ee0e2]
[0x5584bb0f61c0]
[0x5584bae7faec]
[0x5584ba9bf3d9]
[0x5584bae86f01]
[0x5584bae83739]
[0x5584bae811a0]
[0x5584bae854c8]
[0x5584bae7f292]
[0x5584ba1007c1]
[0x5584bbc3820b]
[end of stack trace]
Illegal instruction (core dumped)
Did this work before? N/A
Chrome version: <Copy from: 'about:version'> Channel: n/a
OS Version: 10.0
Flash Version:
,
Dec 30
Reduced PoC:
Object.getOwnPropertyDescriptors(Array(1e9).join('c'));
Basically same as a standard crash for cumulative memory exhaustion:
Array(1e3).fill(0).map(() => Array(10e6).fill(0));
But maybe Chrome/V8 can be a bit smarter in its own internal bindings for getOwnPropertyDescriptors (as well as other built-ins) and simply throw an exception preemptively so the script can intercept it.
,
Dec 31
,
Jan 1
Thanks for filing the issue! Tried checking the issue on reported chrome version 71.0.3578.98 using Windows 10 by creating test file with the code given in comment#0. Even tried creating a test file by using the Reduced PoC given in C#2, yet that didn't help us in triaging it further. @Reporter: Could you please share a sample test file with the code given in C#0, this helps us to triage the issue further in a better way. Any additional inputs from your end may be helpful.
,
Jan 1
Simply run that code in devtools console and the tab will crash in a few seconds. Make sure to use Chrome 64-bit.
,
Jan 1
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 2
Able to reproduce the issue on reported chrome version 71.0.3578.98 and on the latest canary 73.0.3657.0 using Ubuntu 14.04, Mac 10.14.1 and Windows 10 As the issue is seen from M60(60.0.3112.0) considering it as Non-Regression and marking it as Untriaged. Thanks!
,
Jan 7
See #2, is this something that makes sense to implement?
,
Jan 8
Yes. We should fix this. The issue is that when we grow a hash table or ordered hash table, we check the new capacity against a limit, and simply crash if it is exceeded. We should actually throw a RangeError instead crashing, to mimick what we do with strings. FixedArrays suffer from the same issue btw. |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by b.kurin...@gmail.com
, Dec 30