WebKit Bugzilla
Attachment 371143 Details for Bug 198467: [JSC] Crash explicitly if StructureIDs are exhausted
Patch: bug-198467-20190602041909.patch (text/plain), 2.57 KB, created by Yusuke Suzuki on 2019-06-02 04:19:11 PDT
Description: Patch
Flags: patch, obsolete
>Subversion Revision: 246020 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 038e6d0a295721eda8d9c8a90627f07d1e5841e0..cd5bf419cb82bd8e403cc5b79c23771b77aca127 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,25 @@ >+2019-06-02 Yusuke Suzuki <ysuzuki@apple.com> >+ >+ [JSC] Crash explicitly if StructureIDs are exhausted >+ https://bugs.webkit.org/show_bug.cgi?id=198467 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ When StructureIDTable::m_size reaches to s_maximumNumberOfStructures, newCapacity in resize function is also capped with s_maximumNumberOfStructures. >+ So m_size == newCapacity. In that case, the following code in resize function, `makeFreeListFromRange(m_size, m_capacity - 1);` starts executing the >+ wrong code. >+ >+ Currently, this is safe. We immediately execute the wrong code in makeFreeListFromRange, and crash with zero division. But we should not rely on >+ this crash, and instead we should explicitly crash because we exhaust StructureIDs. >+ >+ This patch inserts RELEASE_ASSERT for `m_size < newCapacity` status to ensure that resize is always extending the table. >+ >+ In practice, this crash does not happen in Safari because Safari has memory footprint limit. To exhaust StructureIDs, we need to allocate massive >+ amount of Structures, and it exceeds the memory footprint limit and the process will be killed. >+ >+ * runtime/StructureIDTable.cpp: >+ (JSC::StructureIDTable::resize): >+ > 2019-05-31 Yusuke Suzuki <ysuzuki@apple.com> > > Unreviewed, fix setEntryAddressCommon register usage in LLInt ASM Windows 64 >diff --git a/Source/JavaScriptCore/runtime/StructureIDTable.cpp b/Source/JavaScriptCore/runtime/StructureIDTable.cpp >index b7a601f89e6ca9c0d20c0b964cc8453b5a12209e..6ba3daa719a91c268bed90a3ea08b264045c18e6 100644 >--- a/Source/JavaScriptCore/runtime/StructureIDTable.cpp >+++ b/Source/JavaScriptCore/runtime/StructureIDTable.cpp 
>@@ -102,6 +102,10 @@ void StructureIDTable::resize(size_t newCapacity) > if (newCapacity > s_maximumNumberOfStructures) > newCapacity = s_maximumNumberOfStructures; > >+ // If m_size is already s_maximumNumberOfStructures, newCapacity becomes s_maximumNumberOfStructures in the above code. >+ // In that case, we should crash because of exhaust of StructureIDs. >+ RELEASE_ASSERT_WITH_MESSAGE(m_size < newCapacity, "Crash intentionally because of exhaust of StructureIDs."); >+ > // Create the new table. > auto newTable = makeUniqueArray<StructureOrOffset>(newCapacity); >
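Review bot: "Reviewed by NOBODY (OOPS!)" in the ChangeLog hunk is still the placeholder and has to be replaced with the reviewer's name before this lands. Two wording fixes in the same entry: "When StructureIDTable::m_size reaches to s_maximumNumberOfStructures" should read "reaches s_maximumNumberOfStructures", and "allocate massive amount of Structures" should read "allocate a massive number of Structures".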
Attachments on bug 198467: 371143 | 371160