
chakracore throws an abort trap (or oom crash on edge) with an invalid length to String.prototype.repeat ... maybe just display an error massage? #6042

Closed
ghost opened this issue Mar 21, 2019 · 1 comment


ghost commented Mar 21, 2019

Test akayn$ ./chakra xx.js
Abort trap: 6
Test akayn$

the crash results because of this line:

file xx.js:

// 5 * 0x313131 * 1000 = 16,124,405,000, which does not fit in 32 bits. The
// windbg stack further down shows UInt32Math::Add inside
// Js::JavascriptString::RepeatCore hitting its overflow policy and raising
// OutOfMemory, which the runtime treats as fatal by default (see the reply at
// the end of the thread) — hence an abort rather than a catchable RangeError.
let b = 'a'.repeat(5 * 0x313131 * 1000);
///////////////

for some reason string repeat throws an abort trap instead of an error message ..
(on Edge you throw an out-of-memory error...)

Maybe display an error message instead?

Reading symbols from chakra...done.
(gdb) run
Starting program: /Volumes/edrive/testing/jsh/TARGETS/ChakraCore/out/Test/chakra /Users/akayn/Desktop/1J29WCBFYGJW.reproducer.js
[New Thread 0xd03 of process 57184]
warning: unhandled dyld version (15)
[New Thread 0xc03 of process 57184]
[New Thread 0xf07 of process 57184]
[New Thread 0x1503 of process 57184]
[New Thread 0x1603 of process 57184]

Thread 2 received signal SIGILL, Illegal instruction.
0x00000001002da7f1 in JsUtil::QuickSortSwap<Memory::_no_write_barrier_policy, char>::swap (a=, b=, size=)
at /Volumes/edrive/testing/jsh/TARGETS/ChakraCore/lib/Common/DataStructures/QuickSort.h:167
167 CC_QSORT_SWAP_LOOP(CC_QSORT_SWAP4, (CC_QSORT_SWAP4*) a, (CC_QSORT_SWAP4*) b, size / 4)
(gdb) i r
rax 0x1 1
rbx 0x10500ac00 4378897408
rcx 0x7fff667a208a 140734912667786
rdx 0x0 0
rsi 0x4 4
rdi 0x7ffeefbfd040 140732920746048
rbp 0x7ffeefbfd300 0x7ffeefbfd300
rsp 0x7ffeefbfd300 0x7ffeefbfd300
r8 0x0 0
r9 0x0 0
r10 0x7ffeefbfd038 140732920746040
r11 0x202 514
r12 0x0 0
r13 0x10500ac00 4378897408
r14 0x0 0
r15 0x0 0
rip 0x1002da7f1 0x1002da7f1 <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87425>
eflags 0x10202 [ IF RF ]
cs 0x2b 43
ss
ds
es
---Type to continue, or q to quit---
fs 0x0 0
gs 0x0 0
(gdb) bt
#0 0x00000001002da7f1 in JsUtil::QuickSortSwap<Memory::_no_write_barrier_policy, char>::swap (a=, b=, size=)
at /Volumes/edrive/testing/jsh/TARGETS/ChakraCore/lib/Common/DataStructures/QuickSort.h:167
#1 JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort (base=0x0, nmemb=,
size=, comparer=0xc00000009, context=0x1d00000014)
at /Volumes/edrive/testing/jsh/TARGETS/ChakraCore/lib/Common/DataStructures/QuickSort.h:220
#2 0x00007ffeefbfd310 in ?? ()
#3 0x00000001002da8f9 in JsUtil::QuickSortSwap<Memory::_no_write_barrier_policy, char>::swap (a=, b=, size=)
at /Volumes/edrive/testing/jsh/TARGETS/ChakraCore/lib/Common/DataStructures/QuickSort.h:172
#4 JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort (base=0x0, nmemb=,
size=, comparer=0xc00000009, context=0x1d00000014)
at /Volumes/edrive/testing/jsh/TARGETS/ChakraCore/lib/Common/DataStructures/QuickSort.h:220
#5 0x00007ffeefbfd340 in ?? ()
#6 0x00000001003379ed in Memory::FreeObject::GetNext (this=) at /Volumes/edrive/testing/jsh/TARGETS/ChakraCore/lib/Common/Memory/FreeObject.h:15
#7 Memory::SmallHeapBlockAllocator<Memory::SmallNormalWithBarrierHeapBlockT >::InlinedAllocImpl (this=,
recycler=, sizeCat=<error reading variable: Cannot access memory at address 0x40>,
attributes=<error reading variable: Cannot access memory at address 0x100>)
at /Volumes/edrive/testing/jsh/TARGETS/ChakraCore/lib/Common/Memory/SmallHeapBlockAllocator.h:161
#8 Memory::SmallHeapBlockAllocator<Memory::SmallNormalWithBarrierHeapBlockT >::InlinedAlloc<(Memory::ObjectInfoBits)256> (
this=, recycler=, sizeCat=<error reading variable: Cannot access memory at address 0x40>)
at /Volumes/edrive/testing/jsh/TARGETS/ChakraCore/lib/Common/Memory/SmallHeapBlockAllocator.h:245
#9 Memory::HeapBucketT<Memory::SmallNormalWithBarrierHeapBlockT >::RealAlloc<(Memory::ObjectInfoBits)256, false> (
this=, recycler=, sizeCat=64, size=56) at /Volumes/edrive/testing/jsh/TARGETS/ChakraCore/lib/Common/Memory/HeapBucket.inl:15
#10 Memory::HeapInfo::RealAlloc<(Memory::ObjectInfoBits)256, false> (this=, recycler=, sizeCat=64, size=56)
---Type to continue, or q to quit---
at /Volumes/edrive/testing/jsh/TARGETS/ChakraCore/lib/Common/Memory/HeapInfo.h:649
#11 Memory::Recycler::RealAllocFromBucket<(Memory::ObjectInfoBits)256, true, false> (this=, heap=, size=56)
at /Volumes/edrive/testing/jsh/TARGETS/ChakraCore/lib/Common/Memory/Recycler.inl:298
#12 Memory::Recycler::RealAlloc<(Memory::ObjectInfoBits)256, false> (this=, heap=, size=56)
at /Volumes/edrive/testing/jsh/TARGETS/ChakraCore/lib/Common/Memory/Recycler.inl:373
#13 0x00000001003379ed in Memory::Recycler::AllocWithAttributesInlined<(Memory::ObjectInfoBits)256, false> (this=, size=56)
#14 Memory::Recycler::AllocInlined (this=, size=56) at /Volumes/edrive/testing/jsh/TARGETS/ChakraCore/lib/Common/Memory/Recycler.h:1369
#15 operator newMemory::Recycler (byteSize=56, alloc=, AllocFunc=<error reading variable: Cannot access memory at address 0x0>)
at /Volumes/edrive/testing/jsh/TARGETS/ChakraCore/lib/Common/DataStructures/../Memory/Allocator.h:486
#16 Js::FunctionBody::EnsureCodeGenRuntimeDataCommon<(Js::FunctionProxy::AuxPointerType)26> (

Reading symbols from chakra...done.
(gdb) run
Starting program: /Volumes/edrive/testing/jsh/TARGETS/ChakraCore/out/Test/chakra /Users/akayn/Desktop/1J29WCBFYGJW.reproducer.js
[New Thread 0xc03 of process 57202]
warning: unhandled dyld version (15)
[New Thread 0xb07 of process 57202]
[New Thread 0xd03 of process 57202]
[New Thread 0x1503 of process 57202]
[New Thread 0x2903 of process 57202]

Thread 2 received signal SIGILL, Illegal instruction.
0x00000001002da7f1 in JsUtil::QuickSortSwap<Memory::_no_write_barrier_policy, char>::swap (a=, b=, size=)
at /Volumes/edrive/testing/jsh/TARGETS/ChakraCore/lib/Common/DataStructures/QuickSort.h:167
167 CC_QSORT_SWAP_LOOP(CC_QSORT_SWAP4, (CC_QSORT_SWAP4*) a, (CC_QSORT_SWAP4*) b, size / 4)
(gdb) i r
rax 0x1 1
rbx 0x906005400 38755390464
rcx 0x7fff667a208a 140734912667786
rdx 0x0 0
rsi 0x4 4
rdi 0x7ffeefbfd040 140732920746048
rbp 0x7ffeefbfd300 0x7ffeefbfd300
rsp 0x7ffeefbfd300 0x7ffeefbfd300
r8 0x0 0
r9 0x0 0
r10 0x7ffeefbfd038 140732920746040
r11 0x202 514
r12 0x0 0
r13 0x906005400 38755390464
r14 0x0 0
r15 0x0 0
rip 0x1002da7f1 0x1002da7f1 <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87425>
eflags 0x10202 [ IF RF ]
cs 0x2b 43
ss
ds
es
---Type to continue, or q to quit---
fs 0x0 0
gs 0x0 0
CCQ_SORT2(2, 4)
CCQ_SORT2(2, 3)
CCQ_SORT2(5, 6)

// Sorting Networks - END

// 8-byte swap unit for CC_QSORT_SWAP_LOOP: one element copy moves 8 bytes at
// a time. A union holding only a char array has alignment 1, so it can be
// overlaid at any byte offset of the element buffer.
union CC_QSORT_SWAP8
{
    char chr[8]; // optimized for Js::Var
};

// 4-byte swap unit for CC_QSORT_SWAP_LOOP; this is the instantiation named in
// the gdb frames above (QuickSort.h:167 passes size / 4 as the element count).
union CC_QSORT_SWAP4
{
    char chr[4]; // optimized for TypedArray
};

// 2-byte swap unit for CC_QSORT_SWAP_LOOP, used for element sizes that are not
// a multiple of 4 or 8.
union CC_QSORT_SWAP2
{
    char chr[2]; // others
};

// Swaps nsize elements of type T between the arrays a and b, one element per
// iteration. Only nsize * sizeof(T) bytes are touched; the caller derives nsize
// from a byte count (size / 4 at QuickSort.h:167), so any remainder bytes must be
// handled by the enclosing swap, which is not shown here.
// Presumably a and b are expected not to partially overlap — TODO confirm.
// Note the macro is not hygienic: the loop variable is named `i` and the element
// copy `c`, so an nsize expression that mentions `i` would be shadowed inside
// the loop. The surrounding braces keep both names local to the expansion.
#define CC_QSORT_SWAP_LOOP(T, a, b, nsize)        \
{                                       \
    for (size_t i = 0; i < nsize; i++)  \
    {                                   \
        T c = (a)[i];                   \
        (a)[i] = (b)[i];                \
        (b)[i] = c;                     \
    }                                   \
}

template <class Policy, class T>
class QuickSortSwap
{
public:

(gdb) run
Starting program: /Volumes/edrive/testing/jsh/TARGETS/ChakraCore/out/Test/chakra /Users/akayn/Desktop/1J29WCBFYGJW.reproducer.js
[New Thread 0xc03 of process 57202]
warning: unhandled dyld version (15)
[New Thread 0xb07 of process 57202]
[New Thread 0xd03 of process 57202]
[New Thread 0x1503 of process 57202]
[New Thread 0x2903 of process 57202]

Thread 2 received signal SIGILL, Illegal instruction.
0x00000001002da7f1 in JsUtil::QuickSortSwap<Memory::_no_write_barrier_policy, char>::swap (a=, b=, size=)
at /Volumes/edrive/testing/jsh/TARGETS/ChakraCore/lib/Common/DataStructures/QuickSort.h:167
167 CC_QSORT_SWAP_LOOP(CC_QSORT_SWAP4, (CC_QSORT_SWAP4*) a, (CC_QSORT_SWAP4*) b, size / 4)
(gdb) i r
rax 0x1 1
rbx 0x906005400 38755390464
rcx 0x7fff667a208a 140734912667786
rdx 0x0 0
rsi 0x4 4
rdi 0x7ffeefbfd040 140732920746048
rbp 0x7ffeefbfd300 0x7ffeefbfd300
rsp 0x7ffeefbfd300 0x7ffeefbfd300
r8 0x0 0
r9 0x0 0
r10 0x7ffeefbfd038 140732920746040
r11 0x202 514
r12 0x0 0
r13 0x906005400 38755390464
r14 0x0 0
r15 0x0 0
rip 0x1002da7f1 0x1002da7f1 <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87425>
eflags 0x10202 [ IF RF ]
cs 0x2b 43
ss
ds
es
---Type to continue, or q to quit---
fs 0x0 0
gs 0x0 0
(gdb) layout asm

482>: c3 retq
0x00000001002da82b <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87483>: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
0x00000001002da830 <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87488>: 55 push %rbp
0x00000001002da831 <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87489>: 48 89 e5 mov %rsp,%rbp
0x00000001002da834 <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87492>: e8 97 ff ff ff callq 0x1002da7d0 <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87392>
0x00000001002da839 <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87497>: 5d pop %rbp
0x00000001002da83a <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87498>: c3 retq
0x00000001002da83b <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87499>: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
0x00000001002da840 <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87504>: 55 push %rbp
0x00000001002da841 <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87505>: 48 89 e5 mov %rsp,%rbp
0x00000001002da844 <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87508>: e8 87 ff ff ff callq 0x1002da7d0 <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87392>
0x00000001002da849 <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87513>: 5d pop %rbp
0x00000001002da84a <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87514>: c3 retq
0x00000001002da84b <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87515>: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
0x00000001002da850 <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87520>: 55 push %rbp
---Type to continue, or q to quit---
0x00000001002da851 <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87521>: 48 89 e5 mov %rsp,%rbp
0x00000001002da854 <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87524>: e8 77 ff ff ff callq 0x1002da7d0 <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87392>
0x00000001002da859 <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87529>: 5d pop %rbp
0x00000001002da85a <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87530>: c3 retq
0x00000001002da85b <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87531>: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
0x00000001002da860 <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87536>: 55 push %rbp
0x00000001002da861 <JsUtil::QuickSort<Memory::_no_write_barrier_policy, char, int ()(void, void const*, void const*)>::Sort(char*, unsigned long, unsigned long, int ()(void, void const*, void const*), void*)+87537>: 48 89 e5 mov %rsp,%rbp

(3b7c.2cdc): Break instruction exception - code 80000003 (first chance)
KERNELBASE!wil::details::DebugBreak+0x2:
00007fff`92acd862 cc int 3
0:015> k

Child-SP RetAddr Call Site

00 0000008c3be7a258 00007fff6cb2ff1a KERNELBASE!wil::details::DebugBreak+0x2
01 0000008c3be7a260 00007fff6ca03b06 chakra!ReportFatalException+0x26
02 0000008c3be7a2b0 00007fff6cc2f836 chakra!OutOfMemory_unrecoverable_error+0x26
03 0000008c3be7a2f0 00007fff6c9f9700 chakra!Js::Exception::RaiseIfScriptActive+0x3a
04 0000008c3be7a320 00007fff6cb24949 chakra!Js::Throw::OutOfMemory+0x10
05 0000008c3be7a360 00007fff6ca90245 chakra!Math::DefaultOverflowPolicy+0x9
06 0000008c3be7a390 00007fff6cbd9b4f chakra!UInt32Math::Add<void __cdecl(void)>+0xd8211
07 0000008c3be7a3c0 00007fff6ca488d4 chakra!Js::JavascriptString::RepeatCore+0x6b
08 0000008c3be7a460 00007fff6c9f7956 chakra!Js::JavascriptString::EntryRepeat+0x272974
09 0000008c3be7a4b0 00007fff6c8af86c chakra!amd64_CallFunction+0x86
0a 0000008c3be7a500 00007fff6c8afac8 chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<0> > > >+0x18c
0b 0000008c3be7a5c0 00007fff6c8afd41 chakra!Js::InterpreterStackFrame::OP_ProfiledCallIWithICIndex<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<0> > >+0xb8
0c 0000008c3be7a630 00007fff6c898a21 chakra!Js::InterpreterStackFrame::ProcessProfiled+0x161
0d 0000008c3be7a690 00007fff6c99a3ca chakra!Js::InterpreterStackFrame::Process+0xe1
0e 0000008c3be7a6e0 00007fff6c8b0b24 chakra!Js::InterpreterStackFrame::OP_TryCatch+0xda
0f 0000008c3be7a760 00007fff6c898a21 chakra!Js::InterpreterStackFrame::ProcessProfiled+0xf44
10 0000008c3be7a7c0 00007fff6c8986ff chakra!Js::InterpreterStackFrame::Process+0xe1
11 0000008c3be7a810 00007fff6c89775e chakra!Js::InterpreterStackFrame::InterpreterHelper+0x88f
12 0000008c3be7ac60 000001d2f0fa0fa2 chakra!Js::InterpreterStackFrame::InterpreterThunk+0x4e
13 0000008c3be7acb0 00007fff6c9f7956 0x000001d2f0fa0fa2 14 0000008c3be7ace0 00007fff6c9873ca chakra!amd64_CallFunction+0x86 15 0000008c3be7ad30 00007fff6c987077 chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<0> > > >+0x2fa 16 0000008c3be7ae00 00007fff6c8aff8c chakra!Js::InterpreterStackFrame::OP_ProfiledCallI<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<0> > >+0xb7 17 0000008c3be7ae70 00007fff6c898a21 chakra!Js::InterpreterStackFrame::ProcessProfiled+0x3ac 18 0000008c3be7aed0 00007fff6c99a3ca chakra!Js::InterpreterStackFrame::Process+0xe1 19 0000008c3be7af20 00007fff6c8b0b24 chakra!Js::InterpreterStackFrame::OP_TryCatch+0xda 1a 0000008c3be7afa0 00007fff6c898a21 chakra!Js::InterpreterStackFrame::ProcessProfiled+0xf44 1b 0000008c3be7b000 00007fff6c8986ff chakra!Js::InterpreterStackFrame::Process+0xe1 1c 0000008c3be7b050 00007fff6c89775e chakra!Js::InterpreterStackFrame::InterpreterHelper+0x88f 1d 0000008c3be7b3c0 000001d2f0fa0faa chakra!Js::InterpreterStackFrame::InterpreterThunk+0x4e 1e 0000008c3be7b410 00007fff6c9f7956 0x000001d2f0fa0faa
1f 0000008c3be7b440 00007fff6c8af9d0 chakra!amd64_CallFunction+0x86
20 0000008c3be7b4b0 00007fff6c8afac8 chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<0> > > >+0x2f0
21 0000008c3be7b570 00007fff6c8afd41 chakra!Js::InterpreterStackFrame::OP_ProfiledCallIWithICIndex<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<0> > >+0xb8
22 0000008c3be7b5e0 00007fff6c898a21 chakra!Js::InterpreterStackFrame::ProcessProfiled+0x161
23 0000008c3be7b640 00007fff6c8986ff chakra!Js::InterpreterStackFrame::Process+0xe1
24 0000008c3be7b690 00007fff6c89775e chakra!Js::InterpreterStackFrame::InterpreterHelper+0x88f
25 0000008c3be7b9b0 000001d2f0fa0f72 chakra!Js::InterpreterStackFrame::InterpreterThunk+0x4e
26 0000008c3be7ba00 00007fff6c9f7956 0x000001d2f0fa0f72 27 0000008c3be7ba30 00007fff6c8af9d0 chakra!amd64_CallFunction+0x86 28 0000008c3be7ba80 00007fff6c8afac8 chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<0> > > >+0x2f0 29 0000008c3be7bb40 00007fff6c8afd41 chakra!Js::InterpreterStackFrame::OP_ProfiledCallIWithICIndex<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<0> > >+0xb8 2a 0000008c3be7bbb0 00007fff6c898a21 chakra!Js::InterpreterStackFrame::ProcessProfiled+0x161 2b 0000008c3be7bc10 00007fff6c8986ff chakra!Js::InterpreterStackFrame::Process+0xe1 2c 0000008c3be7bc60 00007fff6c89775e chakra!Js::InterpreterStackFrame::InterpreterHelper+0x88f 2d 0000008c3be7bfd0 000001d2f0fa0fba chakra!Js::InterpreterStackFrame::InterpreterThunk+0x4e 2e 0000008c3be7c020 00007fff6c9f7956 0x000001d2f0fa0fba
2f 0000008c3be7c050 00007fff6c8af9d0 chakra!amd64_CallFunction+0x86
30 0000008c3be7c0a0 00007fff6c8afac8 chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<0> > > >+0x2f0
31 0000008c3be7c160 00007fff6c8afd41 chakra!Js::InterpreterStackFrame::OP_ProfiledCallIWithICIndex<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<0> > >+0xb8
32 0000008c3be7c1d0 00007fff6c898a21 chakra!Js::InterpreterStackFrame::ProcessProfiled+0x161
33 0000008c3be7c230 00007fff6c8986ff chakra!Js::InterpreterStackFrame::Process+0xe1
34 0000008c3be7c280 00007fff6c89775e chakra!Js::InterpreterStackFrame::InterpreterHelper+0x88f
35 0000008c3be7c5a0 000001d2f0fa0fc2 chakra!Js::InterpreterStackFrame::InterpreterThunk+0x4e
36 0000008c3be7c5f0 00007fff6c9f7956 0x000001d2f0fa0fc2 37 0000008c3be7c620 00007fff6c87b687 chakra!amd64_CallFunction+0x86 38 0000008c3be7c670 00007fff6c87b3ac chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x2a7 39 0000008c3be7c7b0 00007fff6c87b2ea chakra!Js::JavascriptFunction::CallRootFunction+0x7c 3a 0000008c3be7c840 00007fff6c87b1c9 chakra!ScriptSite::CallRootFunction+0x6a 3b 0000008c3be7c8a0 00007fff6c87a2ce chakra!ScriptSite::Execute+0x179 3c 0000008c3be7c930 00007fff6c879b98 chakra!ScriptEngine::ExecutePendingScripts+0x1b2 3d 0000008c3be7ca10 00007fff6c878913 chakra!ScriptEngine::ParseScriptTextCore+0x464 3e 0000008c3be7cb50 00007fff6d349f50 chakra!ScriptEngine::ParseScriptText+0xd3 3f 0000008c3be7cc40 00007fff6d349dbc edgehtml!CJScript9Holder::ParseScriptText+0x124 40 0000008c3be7cce0 00007fff6d349966 edgehtml!CScriptCollection::ParseScriptText+0x20c 41 0000008c3be7cdc0 00007fff6d373e07 edgehtml!CScriptData::CommitCode+0x366 42 0000008c3be7cf90 00007fff6d498403 edgehtml!CScriptData::Execute+0x237 43 0000008c3be7d040 00007fff6d2fbde5 edgehtml!CHtmScriptParseCtx::Execute+0xb3 44 0000008c3be7d070 00007fff6d2faa22 edgehtml!CHtmParseBase::Execute+0x175 45 0000008c3be7d100 00007fff6d2fa28d edgehtml!CHtmPost::Broadcast+0x32 46 0000008c3be7d140 00007fff6d409b67 edgehtml!CHtmPost::Exec+0x17d 47 0000008c3be7d320 00007fff6d409a43 edgehtml!CHtmPost::Run+0x2f 48 0000008c3be7d350 00007fff6d4098e6 edgehtml!PostManExecute+0x63 49 0000008c3be7d390 00007fff6d40973d edgehtml!PostManResume+0xa6 4a 0000008c3be7d3d0 00007fff6d449a53 edgehtml!CHtmPost::OnDwnChanCallback+0x3d 4b 0000008c3be7d420 00007fff6d40897b edgehtml!CDwnChan::OnMethodCall+0x23 4c 0000008c3be7d450 00007fff6d26a2c9 edgehtml!GWndAsyncTask::Run+0x1b 4d 0000008c3be7d480 00007fff6d25cdb5 edgehtml!HTML5TaskScheduler::RunReadiedTask+0x289 4e 0000008c3be7d550 00007fff6d269f63 edgehtml!HTML5TaskScheduler::RunReadiedTasks+0x1a5 4f 0000008c3be7d690 00007fff6d297607 
edgehtml!NormalPriorityAtInputEventLoopDriver::DriveRegularPriorityTaskExecution+0x153 50 0000008c3be7d6d0 00007fff93c3b412 edgehtml!GlobalWndProc+0x1b7 51 0000008c3be7d760 00007fff93c3ca66 user32!FilteredProcessRedirectingWndProcW+0x62 52 0000008c3be7d7a0 00007fff93c3c582 user32!UserCallWinProcCheckWow+0x266 53 0000008c3be7d920 00007fff6a316aaf user32!DispatchMessageWorker+0x1b2 54 0000008c3be7d9a0 00007fff6a2e3ab0 EdgeContent!CBrowserTab::_TabWindowThreadProc+0x4ef 55 0000008c3be7fc50 00007fff6c089016 EdgeContent!LCIETab_ThreadProc+0x2b0 56 0000008c3be7fd80 00007fff93b881f4 edgeIso!_IsoThreadProc_WrapperToReleaseScope+0x16 57 0000008c3be7fdb0 00007fff969aa251 KERNEL32!BaseThreadInitThunk+0x14 58 0000008c3be7fde0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

file repro.js:

// Not referenced anywhere else in this file.
var gint = 0;

// Allocates twenty 16 MiB (0x1000000-byte) ArrayBuffers and immediately drops
// them. The name suggests this is meant to put pressure on the collector; no
// explicit GC entry point is called here.
function _gc() {

for (let i = 0; i < 20; i++){

    new ArrayBuffer(0x1000000);}

}

// Reads arr.length and a few large indices; when the short-circuit chain falls
// through it assigns arr[0x11111111] = 0x1234. All exceptions are swallowed and
// nothing is returned (so the result is undefined). The only caller in this file
// is main, which passes the number 0x100000 (a primitive); `idx` is unused.
function f0(arr,idx) { try{ ((arr.length === 0x7ffffff0 && arr[0x7ffffff0]) || false) && (arr.length === 0x7ffffff0 && arr[0x7ffffff1]) || (arr[0x11111111] = 0x1234);}catch(e){}}

// Stores 0x4B at two indices and oob_byte at a third, all computed from
// offset; exceptions are swallowed. In this file f1 is only ever referenced as
// a value inside the object literal built in gogogogo — it is never invoked.
function f1(array,offset, oob_byte) { try{ var base = -0x7FFFFFC1 + offset; array[base - (-0x80000000)] = 0x4B; array[base + 0x7FFFFFE1] = 0x4B; array[base + 0x7FFFFFC1] = oob_byte;}catch(e){}}

// Generated-looking reproducer body (note the //fbody markers): every statement
// is wrapped in its own try/catch, so failures are silent and only the
// statements that do not throw have any effect. The parameters i_, v_, q_ are
// closed over by the nested foo and main.
function opt2(i_, v_, q_){

 //fbody

//

// Mutates the arguments as objects; with q_ === null (first call in gogogogo)
// the first assignment throws and is swallowed.
try { q_.valueOf = 0x12; } catch(e) { } try { v_.x = 2.3023e-320; } catch(e) { } try { i_ >> 1000; } catch(e) { } try { v_.valueOf = 0; } catch(e) { }
//

//fbodyend





// Indexes arr with the closed-over opt2 parameters and a few constants and calls
// charAt on the result. r and o below are declared with `let` inside their own
// try blocks, so they are block-scoped and not visible to the later statements.
function foo(arr) {

try{         let r = /a/; }catch(e){}

try{         let o = i_; }catch(e){}



try{         arr[q_].charAt(v_); }catch(e){}

try{         arr[123456789].charAt(0x2); }catch(e){}

try{         arr[v_].charAt(q_); }catch(e){}

try{         arr[i_].charAt(v_); }catch(e){}

try{         arr[0x23].charAt(4.4); }catch(e){}

try{         arr[v_].charAt(i_); }catch(e){}

try{         arr[0x40000].charAt(i_); }catch(e){}

try{         arr[39].charAt(q_); }catch(e){}

try{         arr[v_].charAt(i_); }catch(e){}

try{         arr[q_].charAt(q_); }catch(e){}

try{         arr[i_].charAt(v_); }catch(e){}



// o and r are out of scope here (see above), so unless the host defines a
// global `o` this throws ReferenceError, which is swallowed.
try{         o.x = 'a'.match(r); }catch(e){}



// Same ReferenceError here; foo then falls off the end and returns undefined.
try{         return o; }catch(e){}

}



function main() {

    for (let i = 0; i < 100; i++) {

try{             foo(['a' + i, 'b' + i, 'c' + i, 'd' + i, 'e' + i, 'f' + i, 'g' + i, 'h' + i, 'i' + i, 'j' + i]); }catch(e){}

    }



// The two repeat counts are the interesting part. With the i_ = 0x12345678
// passed in by opt(), 52 * 122 * i_ is roughly 1.9e12, far beyond 32 bits —
// the same overflow the one-line xx.js above triggers. With a non-numeric i_
// (the arrow function passed by gogogogo) the count is NaN and the result "".
try{         let a = 'a'.repeat(52 * 122 * i_); }catch(e){}

// v_ is 0x7fffffff or a typed array depending on the caller; with a typed array
// the product is presumably NaN (count 0) — not verified here.
try{         let b = 'a'.repeat(i_ * 0x313131 * v_); }catch(e){}



// f0 returns undefined, so this is new Array(undefined): a one-element array.
// Like a and b, arr is block-scoped to this try block.
try{         let arr = new Array(f0(0x100000)); }catch(e){}

    for (let i = 0; i < 10; i++) {

// arr, a and b are not in scope here: ReferenceError, swallowed on every iteration.
try{             arr[i] = a + b; }catch(e){}

    }



try{         _gc(); }catch(e){}



// arr is out of scope, so foo is not actually called here (ReferenceError, swallowed).
try{         let o = foo(arr); }catch(e){}



try{         _gc(); }catch(e){}



try{         let tmp = [0x12121212]; }catch(e){}



// o is out of scope here as well; the print never runs.
try{         print(o.x);   }catch(e){}

}



try{     main(); }catch(e){}

}

// Drives opt2 with a numeric i_ (0x12345678) and two typed arrays. It is the
// numeric i_ that makes the repeat count in main (52 * 122 * i_) overflow 32 bits.
function opt(){

opt2(0x12345678, new Uint32Array(0x40), new Float32Array(0x40));

}

// Top-level driver: calls opt2 once with (arrow function, object, null), then
// runs opt() 500 times, then repeats the first call. Because i_ is not a number
// in the direct calls, the overflowing repeat only happens inside the opt() loop.
function gogogogo() {

var a = () => {};

var b = 0x7fffffff;



var c = null;

// Replaces b with a deeply nested object literal that references f1 and JSON
// as values; xyz takes no parameters, so the argument passed to it is ignored.
try { var xyz = function(){var ret = { w: { w : { o : { k : { m : { w: { k : { o : { l: f1, u: JSON } }}, u: { l : { o : { w : { o : { w: "k", u: { w: f1 } } }} }} } }} }}, o: { l: {}, o: {} } }; return ret;}; b = xyz(xyz); } catch(e) { }

opt2(a, b, c);



for (let i = 0; i < 500; i++) {

    opt();

}



opt2(a, b, c);

}

// Script entry point.
gogogogo();

@MikeHolman

By default, we trigger a fatal error on OOM. However, you can pass the JsRuntimeAttributeDisableFatalOnOOM flag to JsCreateRuntime, which should give you the behavior you want.

This issue was closed.