
ReportFatalException5 #6628

Closed
bird8693 opened this issue Mar 16, 2021 · 3 comments

@bird8693

environment

poc

// Shared log of observed property reads/writes; the test loop at the bottom of
// the file compares it against a freshly built `expected` array.
var actual = [];
// `print` is not defined in this file — assumed to be the JS shell's output
// builtin. Called here with no arguments; the return value is discarded.
var argument = print();
// Fuzzer-mutated driver. An identical `function main` is declared again at the
// top level further down; in sloppy-mode global code the last declaration is
// the one hoisted, so this copy is shadowed.
// NOTE(review): `main` declares no parameters but every call site passes a
// large number, and it calls itself unconditionally with no base case, so any
// call would recurse until the stack is exhausted (if it got past `repeat`).
function main() {
    // Warm up `opt` with 10000 ten-element string arrays differing in one slot.
    for (let i = 0; i < 10000; i++) {
        opt([
            'c',
            'g',
            'e',
            'c' + i,
            'b',
            'b',
            'c',
            'j',
            'b',
            'h'
        ]);
    }
    // `match` with a non-RegExp argument coerces it to the pattern /16777216/,
    // which does not occur in 'a', so `a` is null.
    let a = 'a'.match(1024 * 1024 * 2 * 2 * 2 * 2);
    // Requested count is 2^36 * 10^8 (about 6.9e18), far beyond any
    // representable string length. The same expression at the top level runs
    // before any call to `main` and is the likely trigger of the reported
    // RepeatCore overflow.
    let b = 'a'.repeat(1024 * 1024 * 10 * 2 * 10 * 2 * 2 * 2 * 2 * 2 * 10 * 2 * 2 * 10 * 2 * 2 * 10 * 2 * 10 * 2 * 10 * 2 * 2 * 2 * 10 * 2);
    let arr = [];
    var hjdb = Promise; // unused fuzzer noise
    // `a` is null, so each element would be the string 'null' + b.
    for (let i = 0; i < 10000; i++) {
        arr[i] = a + b;
    }
    // `gc` is only declared in this file as a block-level function inside the
    // test loop; presumably also a shell builtin — confirm against the harness.
    gc();
    let o = opt(arr);
    // Unconditional self-recursion; see the note above.
    var pQZC = main(4294967296);
    for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
        main(268435456);
    }
    gc();
    let tmp = [1234];
    print(arr[0]);
}
/**
 * Appends `v` to the shared `actual` log via `Update`.
 * @param {*} v - value to record
 */
function UpdateActual(v) {
    const log = actual;
    Update(log, v);
}
// Appends `value` to `arr` by writing one past the current length.
// The nested `main` below is never referenced inside `Update` — it shadows the
// global `main` within this function's scope only and is dead code.
function Update(arr, value) {
    arr[arr.length] = value;
    // Dead copy of the top-level driver (fuzzer artefact).
    function main() {
        for (let i = 0; i < 10000; i++) {
            opt([
                'c',
                'g',
                'e',
                'c' + i,
                'b',
                'b',
                'c',
                'j',
                'b',
                'h'
            ]);
        }
        // Coerced to /16777216/; no match in 'a', so `a` is null.
        let a = 'a'.match(1024 * 1024 * 2 * 2 * 2 * 2);
        // Count is 2^36 * 10^8 (about 6.9e18) — the overflow-prone repeat.
        let b = 'a'.repeat(1024 * 1024 * 10 * 2 * 10 * 2 * 2 * 2 * 2 * 2 * 10 * 2 * 2 * 10 * 2 * 2 * 10 * 2 * 10 * 2 * 10 * 2 * 2 * 2 * 10 * 2);
        let arr = [];
        var hjdb = Promise;
        for (let i = 0; i < 10000; i++) {
            arr[i] = a + b;
        }
        gc();
        let o = opt(arr);
        // Unconditional self-recursion.
        var pQZC = main(4294967296);
        for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
            main(268435456);
        }
        gc();
        let tmp = [1234];
        print(arr[0]);
    }
}
// Second top-level declaration of `main`; being the last global
// `function main`, this is the binding the hoisted global name resolves to
// (a further block-level copy inside the test loop could reassign it in
// sloppy mode if that loop ever ran).
// NOTE(review): same caveats as the first copy — no parameters despite every
// caller passing a number, and unconditional self-recursion with no base case.
function main() {
    for (let i = 0; i < 10000; i++) {
        opt([
            'c',
            'g',
            'e',
            'c' + i,
            'b',
            'b',
            'c',
            'j',
            'b',
            'h'
        ]);
    }
    // Coerced to /16777216/; no match in 'a', so `a` is null.
    let a = 'a'.match(1024 * 1024 * 2 * 2 * 2 * 2);
    // Count is 2^36 * 10^8 (about 6.9e18). The reported stack shows
    // RepeatCore's UInt32Math::Add(0xffffffff, 1) overflowing and escalating
    // to an unrecoverable OOM rather than a RangeError.
    let b = 'a'.repeat(1024 * 1024 * 10 * 2 * 10 * 2 * 2 * 2 * 2 * 2 * 10 * 2 * 2 * 10 * 2 * 2 * 10 * 2 * 10 * 2 * 10 * 2 * 2 * 2 * 10 * 2);
    let arr = [];
    var hjdb = Promise; // unused fuzzer noise
    for (let i = 0; i < 10000; i++) {
        arr[i] = a + b;
    }
    gc();
    let o = opt(arr);
    // Unconditional self-recursion.
    var pQZC = main(4294967296);
    for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
        main(268435456);
    }
    gc();
    let tmp = [1234];
    print(arr[0]);
}
// Builds the set of prototype objects the test loop iterates over: empty,
// one-property, many-property (mixed int/double values), index-bearing,
// null-prototype, array, function, RegExp and Date. The property names
// (trailing spaces, '[0]', 'enumberable') are fuzzer-mutated labels only.
function CreateObjects() {
    return {
        objectNoProps: {},
        objectOneProp: { a: 1 },
        objectSDTH: {
            a1: 1,
            a2: 2,
            a3: 3,
            a4: 4,
            a5: 5,
            a6: 6,
            a7: 7,
            a8: 8,
            a9: 9,
            a10: 10,
            a11: 11,
            a12: 12,
            a13: 13,
            a14: 0.28751105486337014,
            a15: 15,
            a16: 0.4029633267815158,
            a17: 17
        },
        objectWithArr: {
            a: 1,
            0: 0
        },
        objectCreate: Object.create(null),
        'arr          ': [],
        // The function value is only used as a prototype object; its body is
        // never invoked by this file. Inside, `var x` rebinds the parameter `x`
        // (legal in sloppy mode) and the nested `opt` is never called.
        'function(){}': function (x, y) {
            ;
            var x = function () {
                var argument = print();
                var sxeT = -0.7982478122040788 >= -9007199254740991;
                for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
                    var WYkm = JSON.stringify(-9007199254740994);
                    // Block-level declaration (sloppy mode); dead code here.
                    function opt(arr) {
                        let r = /a/;
                        let o = {};
                        'a'.repeat(0);
                        var RHXR = main(-4294967297);
                        'a'.match(0);
                        'a'.match(0);
                        print(0);
                        var Pndb = typeof 9007199254740992;
                        'a'.repeat(0);
                        main(0);
                        main(0);
                        // No `a` binding is in scope here; would throw if reached.
                        a.charAt(0);
                        opt(0);
                        print(0);
                        'a'.match(0);
                        o.x = main(r);
                        return o;
                    }
                    let i = 0;
                    var eJYD = Math;
                }
                let o = {};
            };
        },
        '[0]': /abc/g,
        'enumberable': new Date()
    };
}
// Functions that pre-populate the prototype object before the property under
// test is defined. NOTE: the key '' appears twice; in an object literal the
// later value wins, so the first (no-op) provider is discarded and the
// enumeration below sees only three providers.
var propertyProviders = {
    '': function (o) {
        ;
    },
    '': function (o) {
        o.b = 0.298812808033043;
        var MKka = Proxy; // unused
    },
    'v1': function (o) {
        o.b = 0;
        o.c = 0;
    },
    'addIndex   ': function (o) {
        // Calls the self-recursive driver; would not return normally if reached.
        var pQZC = main(4294967296);
        o[2] = 0;
        // Remaining statements are discarded fuzzer noise.
        var rMwJ = escape('');
        var QStc = Symbol;
        var withMessage = Error('X!B*!.Yye7OlnT$E]?ql');
        let i = 0;
        var aneG = delete NaN;
    }
};
// Property keys to define on each prototype; the value is the key itself
// (a numeric-looking 2 and a non-numeric string).
var propertiesToTest = {
    'arguments.caller': 2,
    nonNumeric: 'foo',
};
// Seeds the shared `actual` log once at load time; the result is undefined.
var ZmdA = UpdateActual(4294967297);
// Defines `prop` on `obj` as an accessor: the getter records 'valueOf' in the
// shared log and returns the string '-Infinity'; the setter records the
// three-character string '0' (with quotes). The nested `bar2` is never called
// from here (the `bar2()` call in the test loop resolves to a different,
// block-level `bar2`).
function defineAccessors(obj, prop) {
    Object.defineProperty(obj, prop, {
        get: function () {
            UpdateActual('valueOf');
            return '-Infinity';
        },
        set: function (v) {
            // Assigned but never invoked.
            var x = function () {
                var argument = print();
                defineAccessors(1073741825, 10000);
            };
            UpdateActual('\'0\'');
            var dxaK = Error; // unused
        }
    });
    // Dead code: declared but not referenced within this function.
    function bar2() {
        'use strict';
        for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
            var AHCc = -2147483649 >>> 3.141592653589793;
        }
        let tmp = [1234];
        var x = function () {
            var argument = print();
        };
        for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
            // Would throw SyntaxError: single quotes are not valid JSON.
            JSON.parse('\'\\0\'');
        }
        var aNnQ = Update(4294967296, 855);
        for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
            var pQZC = main(4294967296);
            var emei = -9007199254740994 < 9007199254740990;
        }
    }
}
// Global `x`: a thunk that emits one empty line via the shell's `print`.
// Reassigned several times inside the test loop; never invoked in this file.
var x = function () {
    const ignored = print();
};
/**
 * Defines `prop` on `obj` as a non-writable data property with value ''.
 * The preceding call into the self-recursive driver `main` is fuzzer noise
 * and would not return normally if reached.
 * @param {object} obj
 * @param {string|symbol} prop
 */
function defineNonWritable(obj, prop) {
    const RHXR = main(-4294967297);
    const descriptor = {
        writable: false,
        value: '',
    };
    Object.defineProperty(obj, prop, descriptor);
}
/**
 * Writes the string '+0' to `obj[prop]`, emits an empty line via the shell's
 * `print`, then freezes `obj`.
 * @param {object} obj
 * @param {string|symbol} prop
 */
function defineAndFreeze(obj, prop) {
    obj[prop] = '+0';
    const argument = print();
    const i = 0;
    Object.freeze(obj);
}
/**
 * Writes a placeholder to `obj[prop]`, seals `obj`, then redefines `prop` as a
 * non-writable data property holding 'configurable'. Flipping `writable`
 * true -> false and changing the value is permitted on a sealed
 * (non-configurable) property, so on a plain extensible object this does not
 * throw. The discarded Error('callee') is fuzzer noise.
 * @param {object} obj
 * @param {string|symbol} prop
 */
function defineAndSeal(obj, prop) {
    obj[prop] = 'origProtoValue';
    Object.seal(obj);
    const withMessage = Error('callee');
    const descriptor = {
        writable: false,
        value: 'configurable',
    };
    Object.defineProperty(obj, prop, descriptor);
}
// Strategies for defining the property under test on the prototype. Keys are
// fuzzer-mutated labels; the test loop checks them for the substring '[0]'
// to decide whether accessors were used, and none of these contain it.
var definers = {
    "(new Number(0))": defineAccessors,
    "": defineNonWritable,
    "['z']": defineAndFreeze,
    "new String('')": defineAndSeal,
};
// Optional pre-step run on the prototype before the definer: either nothing,
// or pre-assign a value that the definer is expected to overwrite.
var preparers = {
    'newProp     '(o, prop) {
    },
    'U{'(o, prop) {
        o[prop] = 'toBeOverwritten';
    },
};
// Running counter embedded in each test description.
var testNum = 1;
// First top-level statement that does real work after the hoisted
// declarations: requests 2^36 * 10^8 (about 6.9e18) copies of 'a'. Per the
// reported stack, JavascriptString::RepeatCore computes the result length with
// UInt32Math::Add(0xffffffff, 1), the add overflows, and the engine escalates
// to an unrecoverable OutOfMemory (ReportFatalException) instead of throwing a
// RangeError — i.e. a script-reachable process abort (a denial-of-service
// condition for any embedder running untrusted scripts). Presumably nothing
// below this line executes.
let b = 'a'.repeat(1024 * 1024 * 10 * 2 * 10 * 2 * 2 * 2 * 2 * 2 * 10 * 2 * 2 * 10 * 2 * 2 * 10 * 2 * 10 * 2 * 10 * 2 * 2 * 2 * 10 * 2);
// Original test matrix (definer x provider x property x preparer x prototype
// shape), interleaved with fuzzer-inserted noise.
for (var definerKey in definers) {
    let a = 'a'.match(1024 * 1024 * 2 * 2 * 2 * 2); // null; see below
    for (var providerKey in propertyProviders) {
        for (var propKey in propertiesToTest) {
            // Coerced to /16777216/, which does not match 'a', so `a` is null.
            let a = 'a'.match(1024 * 1024 * 2 * 2 * 2 * 2);
            var argument = print();
            var ScwW = Proxy;
            // Starts at 0.415… and stops at 1.415…, so this runs exactly once.
            for (var i = 0.41519886917379045; i <= 1; i++) {
                var argument = print();
                var HGcS = ~3.141592653589793;
                for (var prepKey in preparers) {
                    var objects = CreateObjects();
                    for (var objKey in objects) {
                        // NOTE(review): `i` here resolves to the block-scoped
                        // `let i` declared further down in this same block, so
                        // this read is in the temporal dead zone and would throw
                        // a ReferenceError on the first iteration if reached.
                        var shadow = i === 79;
                        var description = '({valueOf:function(){return \'0\';}})' + testNum++ + '' + definerKey + 'Infinity' + objKey + '' + providerKey + '[1]' + propKey + ', ' + prepKey + ', shadow=' + shadow;
                        print(description);
                        var QcSz = Promise;
                        // Reset the shared log for this case.
                        actual = [];
                        var define = definers[definerKey];
                        var proto = objects[objKey];
                        var prop = propertiesToTest[propKey];
                        var provider = propertyProviders[providerKey];
                        // Block-level declaration (sloppy mode); redeclared again
                        // inside the `isSetter` branch below. Never called here.
                        function opt(arr) {
                            let r = /a/;
                            let o = {};
                            'a'.repeat(0);
                            var RHXR = main(-4294967297);
                            'a'.match(0);
                            'a'.match(0);
                            print(0);
                            var Pndb = typeof 9007199254740992;
                            'a'.repeat(0);
                            main(0);
                            main(0);
                            // Resolves to the block-scoped `a` declared later
                            // in this block.
                            a.charAt(0);
                            opt(0);
                            print(0);
                            'a'.match(0);
                            o.x = main(r);
                            return o;
                        }
                        // Called once per case below; its inner thunk is never run.
                        function bar2() {
                            var hjdb = Promise;
                            '+0';
                            var x = function () {
                                var argument = print();
                                let r = /a/;
                            };
                        }
                        let i = 0;
                        var prepare = preparers[prepKey];
                        // Each requested buffer is 2^32 * 10^6 bytes (about
                        // 4.3e15); presumably meant to pressure the allocator —
                        // confirm how the host handles the size.
                        function gc() {
                            for (let i = 0; i < 10000; i++) {
                                new ArrayBuffer(1024 * 1024 * 2 * 2 * 10 * 2 * 10 * 10 * 2 * 10 * 10 * 2 * 2 * 2 * 2 * 10 * 2 * 2 * 2 * 2);
                            }
                        }
                        // Core of the case: populate the prototype, build the
                        // chain base -> subProto -> proto, optionally shadow the
                        // property on subProto, define it on proto, then assign
                        // and read it through `base`.
                        provider(proto);
                        var subProto = Object.create(proto);
                        var base = Object.create(subProto);
                        if (shadow) {
                            var withMessage = Error('call');
                            subProto[prop] = 'shadowValue';
                            var XEky = Promise;
                        }
                        let a = 'a'.match(1024 * 1024 * 2 * 2 * 2 * 2);
                        prepare(proto, prop);
                        var argument = print();
                        define(proto, prop);
                        var zSHw = new ArrayBuffer(3);
                        bar2();
                        base[prop] = '';
                        var ijjkkk = 0;
                        var v = base[prop];
                        UpdateActual(v);
                        // None of the definer keys contain '[0]', so this is
                        // always false and the accessor branches below are dead.
                        var isSetter = definerKey.indexOf('[0]') >= 0;
                        var mimZ = UpdateActual(NaN);
                        // Freezing a number primitive is a no-op.
                        defineAndFreeze(1.7976931348623157e+308, 5e-324);
                        var expected = [];
                        if (isSetter && !shadow) {
                            Update(expected, 'ざ');
                            for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
                                var QWcY = Reflect;
                            }
                            Update(expected, 'get');
                        }
                        let arr = [];
                        if (shadow) {
                            Update(expected, '');
                            var chkS = Error;
                            var x = function () {
                                var argument = print();
                            };
                            var jhWc = -673720360;
                            var Xwjr = Math;
                        } else {
                            if (isSetter) {
                                // Second `opt` declaration in this block; dead.
                                function opt(arr) {
                                    let r = /a/;
                                    let o = {};
                                    'a'.repeat(0);
                                    var RHXR = main(-4294967297);
                                    'a'.match(0);
                                    'a'.match(0);
                                    print(0);
                                    var Pndb = typeof 9007199254740992;
                                    'a'.repeat(0);
                                    main(0);
                                    main(0);
                                    a.charAt(0);
                                    opt(0);
                                    print(0);
                                    'a'.match(0);
                                    o.x = main(r);
                                    return o;
                                }
                                Update(expected, 'getValue');
                                var hByE = Proxy;
                                var sFFB = 1e-15 < 9007199254740992;
                                var noMessage = new Error();
                            } else {
                                Update(expected, 'protoValue');
                            }
                        }
                        // Reassigned but never invoked.
                        var x = function () {
                            var argument = print();
                            var CjDD = new SharedArrayBuffer(3037000498);
                            var Pcfp = new SharedArrayBuffer(-4294967296);
                            let i = 0;
                        };
                        // Element-wise comparison of the observed log against
                        // the expectation (loose `!=` on the lengths).
                        var failed = false;
                        if (actual.length != expected.length) {
                            failed = true;
                        } else {
                            for (var k = 0; k < actual.length; k++) {
                                if (actual[k] !== expected[k]) {
                                    failed = true;
                                    break;
                                }
                            }
                            let tmp = [1234];
                        }
                        var x = function () {
                            var argument = print();
                        };
                        // Block-level copy of the driver; in sloppy mode this
                        // would also reassign the global `main` when the block
                        // is entered. Same unconditional self-recursion.
                        function main() {
                            for (let i = 0; i < 10000; i++) {
                                opt([
                                    'c',
                                    'g',
                                    'e',
                                    'c' + i,
                                    'b',
                                    'b',
                                    'c',
                                    'j',
                                    'b',
                                    'h'
                                ]);
                            }
                            let a = 'a'.match(1024 * 1024 * 2 * 2 * 2 * 2);
                            let b = 'a'.repeat(1024 * 1024 * 10 * 2 * 10 * 2 * 2 * 2 * 2 * 2 * 10 * 2 * 2 * 10 * 2 * 2 * 10 * 2 * 10 * 2 * 10 * 2 * 2 * 2 * 10 * 2);
                            let arr = [];
                            var hjdb = Promise;
                            for (let i = 0; i < 10000; i++) {
                                arr[i] = a + b;
                            }
                            gc();
                            let o = opt(arr);
                            var pQZC = main(4294967296);
                            for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
                                main(268435456);
                            }
                            gc();
                            let tmp = [1234];
                            print(arr[0]);
                        }
                        var pWQn = 1.7976931348623157e+308 >>> NaN;
                        // Report: on failure print both arrays (drained by
                        // ArrayToString); otherwise the mutated label 'NaN'.
                        if (failed) {
                            print('FAILED: ' + description);
                            var pQZC = main(4294967296);
                            print('\'\'' + ArrayToString(expected));
                            print('[]' + ArrayToString(actual));
                            // A number has no `length`, so this returns the bare prefix.
                            var reYn = ArrayToString(-4294967295);
                        } else {
                            let r = /a/;
                            print('NaN');
                        }
                    }
                }
            }
        }
    }
}
/**
 * Concatenates every element of `arr` onto the literal prefix 'enumberable'
 * (the prefix is a fuzzer-mutated label), draining `arr` with shift() as it
 * goes — the argument is emptied. Called with a number elsewhere in this file,
 * in which case `length` is undefined and the bare prefix is returned.
 * @param {Array} arr - array to drain and stringify
 * @returns {string} prefix followed by each element's string form
 */
function ArrayToString(arr) {
    let out = 'enumberable';
    for (;;) {
        if (!(arr.length > 0.10009773258425136)) {
            return out;
        }
        out = out + arr.shift();
    }
}

callstack

[#0] 0x555555d59fac → DebugBreak()
[#1] 0x555555d59fac → ReportFatalException(context=<optimized out>, exceptionCode=<optimized out>, reasonCode=<optimized out>, scenario=<optimized out>)
[#2] 0x555555d5a3a7 → OutOfMemory_unrecoverable_error()
[#3] 0x555557ef6673 → Js::Exception::RaiseIfScriptActive(scriptContext=0x0, kind=0x0, returnAddress=0x0)
[#4] 0x555555d5a929 → Js::Throw::OutOfMemory()
[#5] 0x555555d2511c → Math::DefaultOverflowPolicy()
[#6] 0x555557530c3b → UInt32Math::Add<void ()>(unsigned int, unsigned int, void (&)())(lhs=0xffffffff, rhs=0x1, overflowFn=<optimized out>)
[#7] 0x555557530c3b → UInt32Math::Add(lhs=0xffffffff, rhs=0x1)
[#8] 0x555557530c3b → Js::JavascriptString::RepeatCore(currentString=<optimized out>, count=0xffffffff, scriptContext=0x61a000000680)
[#9] 0x555557535ad0 → Js::JavascriptString::EntryRepeat(function=<optimized out>, callInfo=<optimized out>)

@ppenzin

ppenzin commented Mar 17, 2021

Similar to #6627, overflow triggered by a different operation.

@rhuanjl

rhuanjl commented Mar 17, 2021

In each of these DefaultOverflow cases the Math operation is calculating the size of a buffer to allocate, BUT because of the large input numbers the calculation overflows — hence we throw OOM rather than allocate a bizarre buffer size. We could update these cases to throw a RangeError instead.

@rhuanjl

rhuanjl commented Mar 20, 2021

This is hitting exactly the same codepath as #6627 closing as duplicate.

@rhuanjl rhuanjl closed this as completed Mar 20, 2021