AddressSanitizer: heap-use-after-free jerry-core/ecma/base/ecma-gc.c:90 in ecma_gc_set_object_visited
JerryScript commit hash
55acdf2048b390d0f56f12e64dbfb2559f0e70ad
Build platform
Ubuntu 20.04 LTS
Build steps
./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --profile=es2015-subset --stack-limit=20
poc
// Fuzzer-generated reproducer for the heap-use-after-free reported above
// (ecma_gc_set_object_visited, ecma-gc.c:90). Statement order, the literal
// values and the odd constructs are all potentially load-bearing for the GC
// timing that triggers the read of freed memory, so this script is kept
// byte-for-byte; reduce it with a delta-debugging tool rather than by hand.
// Both ASan stacks (the faulting READ and the free) go through
// ecma_process_promise_async_reaction_job -> opfunc_resume_executable_object
// -> vm_loop -> ecma_promise_async_await, i.e. the fault happens while an
// `await` is evaluated after f has already been resumed from the job queue,
// and the marker is walking a suspended executable object
// (ecma_gc_mark_executable_object) when it touches the freed block.
// Note that nothing in the script itself is privileged: this is an engine
// memory-safety bug reachable from plain script execution.
async function f() {
let arr = [0.000000];
let fuzz_v152 = arr;
let fuzz_v159 = fuzz_v152.__proto__;
// valueOf is a *generator* function: calling it only creates a generator
// object and never runs the body, so the `while (arr) {}` loop below is not
// an infinite loop here. Every ToPrimitive on the array (the `>>=` / `-=`
// operands, the `includes` fromIndex) gets an object back from valueOf and
// falls through to toString.
fuzz_v152.valueOf = function* (fuzz_v166, fuzz_v167) {
while (arr) {
}
var fuzz_v172 = ~f;
arr >>= [1.100000];
return fuzz_v167;
};
// includes() only looks at its first two arguments; the third is ignored.
arr.includes(arr, [340282346638528859811704183484516925440.000000], arr);
// `delete` of a non-reference is a no-op that evaluates to true.
delete [10];
// Dead locals are kept on purpose: dropping allocations can change GC timing.
let fuzz_v253 = f.__proto__;
let fuzz_v256 = {
"D5FP8": f
};
// Re-enters f synchronously as the map callback, with `new Object(true)`
// (a Boolean wrapper) as `this`. Each nested call runs up to its first
// `await` and then calls map again, so this recursion f -> map -> f is only
// bounded by the engine's stack limit (the build uses --stack-limit=20).
// The "previously allocated by" stack in the report ends in
// ecma_builtin_object_dispatch_construct -> ecma_op_to_object underneath two
// nested ecma_builtin_array_prototype_object_map frames, which points at this
// `new Object(true)`; the freed 24-byte object is plausibly that wrapper,
// i.e. the `this` value of one of the suspended async frames -- TODO confirm.
arr["map"](f, new Object(true));
arr.flat();
let fuzz_v69 = false;
// First suspension point. For the top-level `f(f, f)` call `this` is the
// global object (sloppy mode); for the map-callback calls it is the
// `new Object(true)` thisArg. The synchronous prefix above must complete
// without throwing, otherwise the await path in the trace could not be
// reached.
await this;
// From here on f is being resumed from the job queue, which matches the
// resume -> vm_loop -> ecma_promise_async_await stack in the report; the
// faulting `await` is one of the ones below (the trace does not say which).
await f;
// Compound assignment: `-` always yields a number, so from this point `arr`
// is a primitive and only `fuzz_v152` still references the array.
// `new String({...})` is "[object Object]", so the Date is an Invalid Date
// and the result is NaN.
var fuzz_v43 = arr -= new Date(new String({
"findIndex": arr
}));
await this;
// ECMAScript defines no Symbol.reject, so this call is expected to throw a
// TypeError and reject f's promise; everything below is then unreachable
// (unless the engine happens to define Symbol.reject -- check). That is
// consistent with both ASan stacks ending in the await machinery rather than
// further down the body, and suggests a reducer can drop the rest.
let fuzz_v286 = Symbol.reject();
await f;
// Likely-unreachable tail (see above). Note for whoever reduces this:
// `new Promise(f)` runs f synchronously as the executor but f never calls
// resolve/reject, and an async generator function used as an executor only
// creates an async generator object without running its body -- so none of
// these promises would ever settle and the `await`s would hang.
await new Promise(f);
await new Promise(async function* (fuzz_v80) {
var fuzz_v82 = new Uint32Array(fuzz_v80, arr, [1.100000], fuzz_v80, fuzz_v80);
let fuzz_v96 = fuzz_v82.__proto__;
this.length = 4;
});
await new Promise(async function* (fuzz_v138, fuzz_v139) {
fuzz_v138.__proto__ = fuzz_v139;
// Defined but never called.
let fuzz_v147 = function* (fuzz_v149, fuzz_v150, fuzz_v151, fuzz_v152) {
let fuzz_v165 = Reflect.apply(fuzz_v152, {
"findIndex": fuzz_v150
}, [{}]);
switch ({
includes: fuzz_v138,
set valueOf(fuzz_v175) {
fuzz_v150.valueOf = fuzz_v175;
return;
}
}) {
case [1.100000]:
throw arr;
break;
case 5643033980980220.000000:
let fuzz_v203 = String.prototype.trim.call(new String());
break;
default:
fuzz_v43.valueOf = fuzz_v150;
}
let fuzz_v214 = fuzz_v69;
let fuzz_v223 = Number.isInteger(2147483648);
};
var fuzz_v228 = f;
delete f.__proto__;
let fuzz_v237 = {};
});
await new Promise(f);
await new Promise(async function* (fuzz_v269, fuzz_v270, fuzz_v271) {
class fuzz_class273 extends f {
}
return arr;
});
await new Promise(fuzz_v286);
}
// Entry point. f declares no parameters, so both arguments are ignored. The
// returned promise is neither awaited nor given a rejection handler, so any
// exception raised inside f (e.g. from the Symbol.reject call) would only show
// up as an unhandled rejection -- if the run gets that far before ASan aborts.
f(f, f);
asan log
=================================================================
==2066102==ERROR: AddressSanitizer: heap-use-after-free on address 0xf4e01ba0 at pc 0x565c19c2 bp 0xffdeb558 sp 0xffdeb548
READ of size 4 at 0xf4e01ba0 thread T0
#0 0x565c19c1 in ecma_gc_set_object_visited /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:90
#1 0x565c474d in ecma_gc_mark_executable_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:698
#2 0x565c5bc0 in ecma_gc_mark /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:1007
#3 0x565c9a46 in ecma_gc_run /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:2209
#4 0x565ca303 in ecma_free_unused_memory /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:2321
#5 0x5666230f in jmem_heap_gc_and_alloc_block /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:285
#6 0x566623b8 in jmem_heap_alloc_block /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:324
#7 0x566d4ed5 in ecma_alloc_extended_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-alloc.c:111
#8 0x565e5af2 in ecma_create_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-helpers.c:94
#9 0x56628895 in ecma_op_create_native_handler /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:716
#10 0x56641987 in ecma_promise_create_resolving_function /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:425
#11 0x56641aa5 in ecma_promise_run_executor /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:446
#12 0x56641df2 in ecma_op_create_promise_object /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:516
#13 0x56642f01 in ecma_promise_new_capability /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:766
#14 0x56643310 in ecma_promise_reject_or_resolve /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:844
#15 0x566442cc in ecma_promise_async_await /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:1183
#16 0x566c2274 in vm_loop /home/sakura/jerryscript/jerry-core/vm/vm.c:2742
#17 0x566d4684 in vm_execute /home/sakura/jerryscript/jerry-core/vm/vm.c:5260
#18 0x566a8627 in opfunc_resume_executable_object /home/sakura/jerryscript/jerry-core/vm/opcodes.c:777
#19 0x56630503 in ecma_process_promise_async_reaction_job /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-jobqueue.c:365
#20 0x566311f0 in ecma_process_all_enqueued_jobs /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-jobqueue.c:569
#21 0x565b1569 in jerry_run_jobs /home/sakura/jerryscript/jerry-core/api/jerryscript.c:1064
#22 0x565a899d in main /home/sakura/jerryscript/jerry-main/main-jerry.c:326
#23 0xf75ecee4 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1eee4)
#24 0x565a6b04 in _start (/home/sakura/jerryscript/build2/bin/jerry+0x22b04)
0xf4e01ba0 is located 0 bytes inside of 24-byte region [0xf4e01ba0,0xf4e01bb8)
freed by thread T0 here:
#0 0xf79d5814 in __interceptor_free (/lib32/libasan.so.5+0x113814)
#1 0x566625d9 in jmem_heap_free_block_internal /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:477
#2 0x56662a7d in jmem_heap_free_block /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:691
#3 0x566d4f02 in ecma_dealloc_extended_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-alloc.c:125
#4 0x565c9451 in ecma_gc_free_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:2150
#5 0x565ca0cb in ecma_gc_run /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:2277
#6 0x565ca303 in ecma_free_unused_memory /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:2321
#7 0x5666230f in jmem_heap_gc_and_alloc_block /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:285
#8 0x566623b8 in jmem_heap_alloc_block /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:324
#9 0x566d4ed5 in ecma_alloc_extended_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-alloc.c:111
#10 0x565e5af2 in ecma_create_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-helpers.c:94
#11 0x56642ca0 in ecma_promise_new_capability /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:742
#12 0x56643310 in ecma_promise_reject_or_resolve /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:844
#13 0x566442cc in ecma_promise_async_await /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:1183
#14 0x566c2274 in vm_loop /home/sakura/jerryscript/jerry-core/vm/vm.c:2742
#15 0x566d4684 in vm_execute /home/sakura/jerryscript/jerry-core/vm/vm.c:5260
#16 0x566a8627 in opfunc_resume_executable_object /home/sakura/jerryscript/jerry-core/vm/opcodes.c:777
#17 0x56630503 in ecma_process_promise_async_reaction_job /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-jobqueue.c:365
#18 0x566311f0 in ecma_process_all_enqueued_jobs /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-jobqueue.c:569
#19 0x565b1569 in jerry_run_jobs /home/sakura/jerryscript/jerry-core/api/jerryscript.c:1064
#20 0x565a899d in main /home/sakura/jerryscript/jerry-main/main-jerry.c:326
#21 0xf75ecee4 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1eee4)
previously allocated by thread T0 here:
#0 0xf79d5c17 in __interceptor_malloc (/lib32/libasan.so.5+0x113c17)
#1 0x5666221f in jmem_heap_alloc /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:254
#2 0x5666231d in jmem_heap_gc_and_alloc_block /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:291
#3 0x566623b8 in jmem_heap_alloc_block /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:324
#4 0x566d4ed5 in ecma_alloc_extended_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-alloc.c:111
#5 0x565e5af2 in ecma_create_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-helpers.c:94
#6 0x56622394 in ecma_op_to_object /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-conversion.c:581
#7 0x566fc246 in ecma_builtin_object_dispatch_call /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-object.c:116
#8 0x566fc375 in ecma_builtin_object_dispatch_construct /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-object.c:144
#9 0x56604101 in ecma_builtin_dispatch_construct /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1603
#10 0x5662b36d in ecma_op_function_construct_built_in /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1585
#11 0x5662b9ba in ecma_op_function_construct /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1773
#12 0x566b454b in opfunc_construct /home/sakura/jerryscript/jerry-core/vm/vm.c:845
#13 0x566d472a in vm_execute /home/sakura/jerryscript/jerry-core/vm/vm.c:5287
#14 0x566d4d4f in vm_run /home/sakura/jerryscript/jerry-core/vm/vm.c:5363
#15 0x5662a0e2 in ecma_op_function_call_simple /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1203
#16 0x5662af15 in ecma_op_function_call /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1439
#17 0x566dc7b8 in ecma_builtin_array_prototype_object_map /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:1979
#18 0x566e0794 in ecma_builtin_array_prototype_dispatch_routine /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:3006
#19 0x56603c36 in ecma_builtin_dispatch_routine /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1543
#20 0x56603e53 in ecma_builtin_dispatch_call /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1574
#21 0x5662a353 in ecma_op_function_call_native_built_in /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1244
#22 0x5662af31 in ecma_op_function_call /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1444
#23 0x5662ada6 in ecma_op_function_validated_call /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1402
#24 0x566b3fb3 in opfunc_call /home/sakura/jerryscript/jerry-core/vm/vm.c:763
#25 0x566d46e9 in vm_execute /home/sakura/jerryscript/jerry-core/vm/vm.c:5266
#26 0x566d4d4f in vm_run /home/sakura/jerryscript/jerry-core/vm/vm.c:5363
#27 0x5662a0e2 in ecma_op_function_call_simple /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1203
#28 0x5662af15 in ecma_op_function_call /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1439
#29 0x566dc7b8 in ecma_builtin_array_prototype_object_map /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:1979
SUMMARY: AddressSanitizer: heap-use-after-free /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:90 in ecma_gc_set_object_visited
Shadow bytes around the buggy address:
0x3e9c0320: 00 00 00 fa fa fa fd fd fd fd fa fa fd fd fd fa
0x3e9c0330: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x3e9c0340: fd fd fa fa fd fd fd fa fa fa 00 00 00 fa fa fa
0x3e9c0350: 00 00 00 fa fa fa fd fd fd fd fa fa 00 00 00 fa
0x3e9c0360: fa fa 00 00 00 fa fa fa fd fd fd fd fa fa fd fd
=>0x3e9c0370: fd fa fa fa[fd]fd fd fa fa fa 00 00 00 fa fa fa
0x3e9c0380: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fd
0x3e9c0390: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x3e9c03a0: fd fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
0x3e9c03b0: fd fd fd fd fa fa 00 00 00 fa fa fa 00 00 00 fa
0x3e9c03c0: fa fa fd fd fd fd fa fa fd fd fd fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2066102==ABORTING
Can you confirm if this is a valid issue? thanks :)
Yep, that's a valid issue.
However, this test is a nightmare to debug. I'd definitely recommend some kind of test reduction. Please check https://github.com/renatahodovan/picire or https://github.com/renatahodovan/picireny. @hope-fly PTAL as well.
However, this test is a nightmare to debug. I'd definitely recommend some kind of test reduction. Please check https://github.com/renatahodovan/picire or https://github.com/renatahodovan/picireny. @hope-fly PTAL as well.
I did try to reduce this PoC, but it did not work well.
I will try some other approaches and let you know if I make progress.
@rerobika ok, I'll TAL tomorrow