ReportFatalException4 #6627

Closed
bird8693 opened this issue Mar 16, 2021 · 1 comment · Fixed by #6664

Comments

@bird8693

environment

ubuntu18

poc

// Preamble of the reproducer. The destructuring source is an empty array, so
// arrFunc1 receives its default value (a function with an empty body).
// Nothing in this listing reads arrFunc1 afterwards.
let [arrFunc1 = function () {
        ;
    }] = [];
// func0 is never called in this listing. arrObj0 is not declared anywhere in
// the PoC, so a call would throw a ReferenceError before the assignment.
var func0 = function () {
    arrObj0[0] = 156;
    return arrObj0[0];
};
/**
 * Allocation helper: creates ten 10 MiB ArrayBuffers and drops each one
 * immediately. It calls no collector API.
 * NOTE(review): presumably meant to create memory pressure so the engine
 * reclaims earlier allocations; confirm against the fuzzer's template.
 *
 * @returns {undefined} Nothing is returned; xrCQ, ff1 and ijjkkk are unused.
 */
function gc() {
    for (let i = 0; i < 10; i++) {
        new ArrayBuffer(1024 * 1024 * 10);
        var xrCQ = 1518500249 < 2147483648;
    }
    let ff1 = function namedFunction1() {
        ;
    };
    var ijjkkk = 0;
}
/**
 * Calls charAt on elements 0..9 of `arr` (element 8 twice), then returns a
 * fresh object whose `x` property holds the result of 'a'.match(/a/).
 *
 * Every other statement (parseInt calls, the ArrayBuffer, the Boolean wrapper,
 * the Proxy alias, the nested functions) produces a value that is never read.
 * NOTE(review): main() calls this 10000 times with short strings before the
 * final call; presumably that is warm-up for an optimizing tier, which is not
 * confirmed by anything on this page.
 *
 * @param {Array} arr - Needs at least ten elements that expose charAt;
 *     a missing element makes the corresponding call throw a TypeError.
 * @returns {Object} Object with a single property `x` (the match result).
 */
function opt(arr) {
    let r = /a/;
    let {
        objFunc3 = () => {
            ;
        }
    } = {};
    let o = {};
    // The charAt results are discarded; only the property access and call matter.
    arr[0].charAt(0);
    arr[1].charAt(0);
    let func2 = function* () {
        ;
    };
    arr[2].charAt(0);
    var x = parseInt('constructor', NaN);
    arr[3].charAt(0);
    // funcName is declared twice in this scope; the second declaration wins.
    function funcName() {
        return 'func';
    }
    var yAXT = new Boolean();
    var x = parseInt('-Infinity', NaN);
    var DEZB = new ArrayBuffer(1200);
    arr[4].charAt(0);
    arr[5].charAt(0);
    var efDr = Proxy;
    // A fractional position is truncated by charAt, so this reads index 0.
    arr[6].charAt(0.8197870367329501);
    arr[7].charAt(0);
    arr[8].charAt(0);
    arr[8].charAt(0);
    arr[9].charAt(0);
    function funcName() {
        return 'func';
    }
    var myrR = void 1e+400;
    o.x = 'a'.match(r);
    return o;
}
/**
 * Driver of the reproducer: calls opt() 10000 times with ten short strings,
 * builds two large strings with String.prototype.repeat, and then (if
 * execution gets that far) fills an array with 765 concatenations, calls
 * gc(), runs opt() on that array and prints the match result.
 *
 * The statement that matters for the reported crash is the second repeat():
 * the literal is 36 characters long and the count is 1024 * 1024 * 558
 * (0x22e00000), so the result length would be 21,063,794,688 characters,
 * which does not fit in an unsigned 32-bit integer. The call stack posted
 * with this PoC shows exactly those operands (count=0x22e00000, rhs=0x24) in
 * the length multiplication under RepeatCore, followed by the overflow
 * policy, an out-of-memory throw and ReportFatalException. The process is
 * terminated there instead of script receiving a catchable exception.
 * NOTE(review): if that reading is right, nothing after the second repeat()
 * runs in the failing case, and a reduced test case needs only that line.
 *
 * @returns {undefined}
 */
function main() {
    // NOTE(review): presumably warm-up for opt(); the return values are dropped.
    for (let i = 0; i < 10000; i++) {
        opt([
            'valueOf' + i,
            'b' + i,
            'c' + i,
            '' + i,
            '' + i,
            '' + i,
            'g' + i,
            '' + i,
            '0' + i,
            'j' + i
        ]);
    }
    var x = parseInt('10', true);
    // 2 Mi characters; well within a 32-bit length.
    let a = 'a'.repeat(1024 * 1024 * 2);
    // 36-character literal x 585,105,408 repetitions: the length product
    // exceeds 2^32. This is the call that appears as EntryRepeat/RepeatCore in
    // the posted call stack.
    let b = '({toString:function(){return \'0\';}})'.repeat(1024 * 1024 * 558);
    var x = parseInt(' "" ', 1);
    var njAR = Error;
    // Each iteration overwrites dFAH; no value from this loop is read later.
    for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
        var dFAH = new BigInt64Array([
            673720360,
            153
        ]);
    }
    let arr = [];
    let {
        objClass = class {
        }
    } = {};
    for (let i = 0; i < 765; i++) {
        // func0 is redefined on every iteration and never called; arrObj0 is
        // not declared anywhere in the PoC.
        var func0 = function () {
            arrObj0[0.8309411855520543] = 156;
            return arrObj0[0];
        };
        arr[i] = a + b;
    }
    gc();
    for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
        var HwWN = Error;
    }
    let o = opt(arr);
    var tfyH = 5e-324 * -Infinity;
    var xZZr = 9007199254740990 / -2147483647;
    var x = parseInt('10', true);
    // Local no-op named assert; it is never called.
    function assert(b) {
        ;
    }
    gc();
    let tmp = [1234];
    // print is not defined in this listing; presumably the host shell's
    // output function.
    print(o.x);
}
// Entry point of the reproducer.
main();
// Trailing declarations; neither value is read, and they are only reached if
// main() returns.
let func2 = function* () {
    ;
};
var iaYP = 1.7976931348623157e+308 >> -9007199254740991;

callstack

[#0] 0x555555d59fac → DebugBreak()
[#1] 0x555555d59fac → ReportFatalException(context=<optimized out>, exceptionCode=<optimized out>, reasonCode=<optimized out>, scenario=<optimized out>)
[#2] 0x555555d5a3a7 → OutOfMemory_unrecoverable_error()
[#3] 0x555557ef6673 → Js::Exception::RaiseIfScriptActive(scriptContext=0x0, kind=0x0, returnAddress=0x0)
[#4] 0x555555d5a929 → Js::Throw::OutOfMemory()
[#5] 0x555555d2511c → Math::DefaultOverflowPolicy()
[#6] 0x555557530c08 → UInt32Math::Mul<void ()>(unsigned int, unsigned int, void (&)())(lhs=<optimized out>, rhs=0x24, overflowFn=<optimized out>)
[#7] 0x555557530c08 → UInt32Math::Mul(rhs=0x24, lhs=<optimized out>)
[#8] 0x555557530c08 → Js::JavascriptString::RepeatCore(currentString=<optimized out>, count=0x22e00000, scriptContext=0x61a000000680)
[#9] 0x555557535ad0 → Js::JavascriptString::EntryRepeat(function=<optimized out>, callInfo=<optimized out>)

@bird8693 bird8693 changed the title ReportFatalException ReportFatalException4 Mar 16, 2021
@ppenzin
Member

ppenzin commented Mar 17, 2021

I am not sure whether DefaultOverflowPolicy should simply throw OOM (CC @rhuanjl).
