chakra-core / ChakraCore

ChakraCore is an open source Javascript engine with a C API.
MIT License

ReportFatalException15 #6638

Open bird8693 opened 3 years ago

bird8693 commented 3 years ago

environment

ubuntu18

poc

function maybeSetLength(arr, b) {
    if (b) {
        // 2^31 - 1: the array becomes sparse with a huge length, no elements stored
        arr.length = 2147483647;
    }
}
var arr = [];
maybeSetLength(arr, arr);            // an array object is truthy, so the length is set here
for (var i = 0; i < 2000; i++) {
    maybeSetLength(arr, i > 1500);   // length is set back to 2^31 - 1 after 1500 iterations
    var res = arr.push(0.017453);    // each push appends past the 2^31 - 1 boundary
    res = NaN >>> res;
    JSON.stringify(arr);             // serializes the whole array on every iteration
}

callstack

[#0] 0x555555d59fac → DebugBreak()
[#1] 0x555555d59fac → ReportFatalException(context=<optimized out>, exceptionCode=<optimized out>, reasonCode=<optimized out>, scenario=<optimized out>)
[#2] 0x555555d5a3a7 → OutOfMemory_unrecoverable_error()
[#3] 0x555557ef6673 → Js::Exception::RaiseIfScriptActive(scriptContext=0x0, kind=0x0, returnAddress=0x0)
[#4] 0x555555d5a929 → Js::Throw::OutOfMemory()
[#5] 0x555555e6ccae → Memory::Recycler::OutOfMemory(this=0x631000014800)
[#6] 0x555555e6ccae → Memory::Recycler::LargeAlloc<false>(this=0x631000014800, heap=0x6310000181a8, size=0xc00000008, attributes=Memory::ObjectInfoBits::WithBarrierBit)
[#7] 0x555555bed949 → Memory::Recycler::RealAlloc<(Memory::ObjectInfoBits)256, false>(this=0x631000014800, heap=0x6310000181a8, size=0xc00000008)
[#8] 0x555555ca338b → Memory::Recycler::AllocWithAttributesInlined<(Memory::ObjectInfoBits)256, false>(this=0x631000014800, size=0xc00000008)
[#9] 0x5555580d2f9f → Memory::Recycler::AllocZeroWithAttributesInlined<(Memory::ObjectInfoBits)256, false>(this=<optimized out>, size=0xc00000008)
ppenzin commented 3 years ago

Are you sure you are not running out of memory? The test is interacting with a large array. (Edit) And the exception is thrown by the memory management system after it failed to allocate.

ppenzin commented 3 years ago

This is also a situation when debug build would catch an abort while release should report OOM more gracefully.

rhuanjl commented 3 years ago

This is also a situation when debug build would catch an abort while release should report OOM more gracefully.

I think a release build will abort here. It's attempting to allocate about 4 GB of RAM in one go, which is a somewhat obscene thing to try and do; we could perhaps have a non-fatal error for absurdly large memory operations.
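The following is an added example, not code from the issue or from ChakraCore. It checks what ECMAScript semantics require for the PoC's push on an array whose length was set to 2^31 - 1 (one element stored at that index, length bumped by one, no dense backing store of 2^31 slots), so it can be run against a reference engine such as Node to compare with the allocation the call stack above shows. The second part sketches the "non-fatal error for absurdly large operations" idea from the last comment as a hypothetical script-level guard (boundedPush and the 2^20 budget are assumptions, not ChakraCore API).

```javascript
// Added example: expected spec behaviour for the PoC's push, plus a
// hypothetical length-budget guard. Not part of the ChakraCore issue.

const MAX_LENGTH = 2147483647; // 2^31 - 1, the value the PoC assigns to arr.length

// Array.prototype.push on an array with length 2^31 - 1 must store one element
// at index 2^31 - 1 and set length to 2^31. A spec-conforming engine keeps the
// array sparse; it has no reason to allocate 2^31 slots for a single element.
function pushAtHugeLength(value) {
  const arr = [];
  arr.length = MAX_LENGTH;               // sparse: no elements exist yet
  const newLength = arr.push(value);     // spec: Set(O, "2147483647", value), then len + 1
  return {
    newLength,                           // 2147483648
    storedAt: arr[MAX_LENGTH],           // the pushed value
    ownKeys: Object.keys(arr).length,    // 1: only one element was materialized
    holeBelow: (MAX_LENGTH - 1) in arr,  // false: the index below is still a hole
  };
}

// Hypothetical guard for code that grows arrays from untrusted lengths: refuse
// to grow past a caller-chosen budget rather than relying on the engine's OOM
// path. This is script-level illustration, not how ChakraCore handles it.
function boundedPush(arr, value, maxLength) {
  if (arr.length >= maxLength) {
    throw new RangeError(`array length ${arr.length} exceeds budget ${maxLength}`);
  }
  return arr.push(value);
}

// Runs the PoC's push through the guard with a 2^20 element budget (assumed).
function demoBounded() {
  const arr = [];
  arr.length = MAX_LENGTH;
  try {
    boundedPush(arr, 0.017453, 1 << 20);
    return "pushed";
  } catch (e) {
    return e instanceof RangeError ? "rejected" : "unexpected";
  }
}
```

JSON.stringify is deliberately left out of the example: on a 2^31-element sparse array it would have to emit roughly two billion "null" entries, which is a separate resource problem from the allocation in the call stack.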