
SEGV Under OOM

Open yype opened this issue 3 years ago • 0 comments

Issue

Hi, the following test case triggers an OOM on the attached harness and the OOM gets handled correctly:

a = new Int8Array(2483647+500000)
b = {...a}

However, a slight modification will cause the harness to crash:

a = new Int8Array(2483647+100000)
b = {...a}

Reproduce

git clone https://github.com/bellard/quickjs && cd quickjs && make libquickjs.a
gcc ./harness.c -o ./harness libquickjs.a -ldl -lm -lpthread -fsanitize=address
printf "a = new Int8Array(2483647+500000)\nb = {...a}" > ./ok.js
printf "a = new Int8Array(2483647+100000)\nb = {...a}" > ./crash.js
./harness ./ok.js # ok
./harness ./crash.js
 
#ASAN:DEADLYSIGNAL
#=================================================================
#==2995007==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x5555555655ac bp 0x617000000080 sp 0x7fffffffd448 T0)
#==2995007==The signal is caused by a WRITE memory access.
#==2995007==Hint: address points to the zero page.
#    #0 0x5555555655ab in gc_scan_incref_child /root/qjs_test/quickjs/quickjs.c:5716
#    #1 0x55555556444e in mark_children /root/qjs_test/quickjs/quickjs.c:5594
#    #2 0x55555556b9bd in gc_scan /root/qjs_test/quickjs/quickjs.c:5737
#    #3 0x55555556b9bd in JS_RunGC /root/qjs_test/quickjs/quickjs.c:5803
#    #4 0x55555557e877 in js_trigger_gc /root/qjs_test/quickjs/quickjs.c:1274
#    #5 0x55555557e877 in JS_NewObjectFromShape /root/qjs_test/quickjs/quickjs.c:4727
#    #6 0x555555579fd6 in JS_ThrowError2 /root/qjs_test/quickjs/quickjs.c:6576
#    #7 0x55555557c4cb in JS_ThrowInternalError /root/qjs_test/quickjs/quickjs.c:6704
#    #8 0x55555557c592 in JS_ThrowOutOfMemory /root/qjs_test/quickjs/quickjs.c:6714
#    #9 0x55555557df47 in js_realloc /root/qjs_test/quickjs/quickjs.c:1358
#    #10 0x55555557e140 in resize_properties /root/qjs_test/quickjs/quickjs.c:4499
#    #11 0x55555557e327 in add_shape_property /root/qjs_test/quickjs/quickjs.c:4598
#    #12 0x55555557e3d8 in add_property /root/qjs_test/quickjs/quickjs.c:8013
#    #13 0x555555577aa0 in JS_CreateProperty /root/qjs_test/quickjs/quickjs.c:8914
#    #14 0x555555578ef2 in JS_DefineProperty /root/qjs_test/quickjs/quickjs.c:9284
#    #15 0x555555579995 in JS_DefinePropertyValue /root/qjs_test/quickjs/quickjs.c:9322
#    #16 0x5555555ba4d7 in JS_CopyDataProperties /root/qjs_test/quickjs/quickjs.c:15700
#    #17 0x555555573915 in JS_CallInternal /root/qjs_test/quickjs/quickjs.c:17908
#    #18 0x555555576fef in JS_CallFree /root/qjs_test/quickjs/quickjs.c:18722
#    #19 0x5555555cd2cc in JS_EvalFunctionInternal /root/qjs_test/quickjs/quickjs.c:33522
#    #20 0x5555555cd5d8 in __JS_EvalInternal /root/qjs_test/quickjs/quickjs.c:33676
#    #21 0x5555555d8186 in JS_EvalInternal /root/qjs_test/quickjs/quickjs.c:33694
#    #22 0x5555555d8186 in JS_EvalThis /root/qjs_test/quickjs/quickjs.c:33725
#    #23 0x5555555d81f1 in JS_Eval /root/qjs_test/quickjs/quickjs.c:33733
#    #24 0x55555556210b in LLVMFuzzerTestOneInput (/root/qjs_test/quickjs/harness+0xe10b)
#    #25 0x55555556229c in main (/root/qjs_test/quickjs/harness+0xe29c)
#    #26 0x7ffff6287c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#    #27 0x555555561b49 in _start (/root/qjs_test/quickjs/harness+0xdb49)
#
#AddressSanitizer can not provide additional info.
#SUMMARY: AddressSanitizer: SEGV /root/qjs_test/quickjs/quickjs.c:5716 in gc_scan_incref_child
#==2995007==ABORTING

Attachment

harness.zip (this is simply a main-wrapped version of the fuzzbench harness)

yype avatar Sep 22 '22 18:09 yype
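What the trace above shows is an out-of-memory path that itself allocates: js_realloc fails inside resize_properties, JS_ThrowOutOfMemory builds an error object through JS_NewObjectFromShape, and that allocation calls js_trigger_gc, so JS_RunGC walks the heap while an object's property table is mid-update, ending in a write through a near-NULL pointer in gc_scan_incref_child. The toy below is an added illustration of that general hazard and is not QuickJS code, not the attached harness, and not a claim about the exact QuickJS root cause; every identifier in it (obj_t, toy_alloc, add_unsafe, add_safe, run, the byte budgets) is the toy's own. It uses a fault-injecting allocator to stand in for the harness's memory limit and shows why the outcome depends on which allocation happens to fail, which is the same effect the reporter saw when changing the array size.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy object: a property table grown by allocation. A NULL entry is a slot
 * that was reserved (counted) but never filled. Not QuickJS code. */
typedef struct {
    char **names;
    size_t count, cap;
} obj_t;

enum { OK = 0, OOM_HANDLED = 1, WOULD_SEGV = 2 };

/* Fault-injecting allocator: mimics a harness memory limit by failing once
 * the byte budget is spent. */
static long g_budget;
static void *toy_alloc(size_t n) {
    if ((long)n > g_budget) return NULL;
    g_budget -= (long)n;
    return malloc(n);
}
static char *toy_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = toy_alloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Grow the table; new slots are zeroed so an unfilled slot is visibly NULL. */
static int grow(obj_t *o) {
    size_t ncap = o->cap ? o->cap * 2 : 4;
    char **n = toy_alloc(ncap * sizeof *n);
    if (!n) return -1;
    if (o->count) memcpy(n, o->names, o->count * sizeof *n);
    memset(n + o->count, 0, (ncap - o->count) * sizeof *n);
    free(o->names);
    o->names = n;
    o->cap = ncap;
    return 0;
}

/* Toy GC scan: visits every slot below count. Where the real collector
 * faults on a bad child pointer, the toy reports -1 instead of crashing. */
static int gc_scan(const obj_t *o) {
    for (size_t i = 0; i < o->count; i++)
        if (!o->names[i]) return -1;
    return 0;
}

/* Toy OOM handler. As in the trace (throw -> new error object -> GC), raising
 * the error runs a scan first, so it observes whatever state the failing
 * operation left behind. */
static int throw_oom(const obj_t *o) {
    return gc_scan(o) ? WOULD_SEGV : OOM_HANDLED;
}

/* Vulnerable ordering: commit the slot (count++) before the allocation that
 * fills it. If that allocation fails, the GC walks an empty committed slot. */
static int add_unsafe(obj_t *o, const char *name) {
    if (o->count == o->cap && grow(o)) return throw_oom(o);
    size_t slot = o->count++;              /* BUG: commit before fill */
    char *dup = toy_strdup(name);
    if (!dup) return throw_oom(o);         /* scan now sees names[slot] == NULL */
    o->names[slot] = dup;
    return OK;
}

/* Hardened ordering: acquire every allocation first, mutate the object last.
 * The error path then only ever sees a consistent table. */
static int add_safe(obj_t *o, const char *name) {
    char *dup = toy_strdup(name);
    if (!dup) return throw_oom(o);
    if (o->count == o->cap && grow(o)) { free(dup); return throw_oom(o); }
    o->names[o->count] = dup;
    o->count++;                            /* commit only once the slot is filled */
    return OK;
}

static void obj_free(obj_t *o) {
    for (size_t i = 0; i < o->count; i++) free(o->names[i]);
    free(o->names);
}

/* Run n inserts of one variant under a byte budget; returns the result of the
 * first insert that does not succeed, or OK if all succeed. */
static int run(int (*add)(obj_t *, const char *), long budget, int n) {
    obj_t o = {0};
    int rc = OK;
    g_budget = budget;
    for (int i = 0; i < n && rc == OK; i++) rc = add(&o, "prop");
    obj_free(&o);
    return rc;
}

/* Budgets chosen so the failing allocation is the 3rd name copy (table of 4
 * pointers + two 5-byte names + 2 spare bytes) or the 5th insert's table
 * growth (table + four names, nothing spare). */
static long budget_fail_in_strdup(void) { return (long)(4 * sizeof(char *) + 2 * 5 + 2); }
static long budget_fail_in_grow(void)   { return (long)(4 * sizeof(char *) + 4 * 5); }

int main(void) {
    printf("unsafe, OOM in name copy : %d (2 = GC would fault)\n", run(add_unsafe, budget_fail_in_strdup(), 3));
    printf("unsafe, OOM in table grow: %d (1 = handled)\n",        run(add_unsafe, budget_fail_in_grow(), 5));
    printf("safe,   OOM in name copy : %d (1 = handled)\n",        run(add_safe,   budget_fail_in_strdup(), 3));
    return 0;
}
```

The same unsafe code handles the OOM cleanly when the failure lands in the table growth and would fault when it lands one allocation later, so shifting the input size (as the report does with 500000 versus 100000) moves the failure between those two points without any change to the code path. For triage that means bisecting on the allocation count at which the allocator fails, not on the input size, and the hardened variant is simply the usual "allocate everything, then mutate" ordering so that no error path ever runs over a half-built object.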