Description
JerryScript revision
Build platform
Ubuntu 18.04.4 LTS (Linux 4.15.0-91-generic x86_64)
and
ProductName: Mac OS X
ProductVersion: 10.15.4
BuildVersion: 19E287
Build steps
python tools/build.py --profile=es2015-subset --lto=off --compile-flag=-g \
--strip=off --logging=on \
--compile-flag=-fsanitize=address --stack-limit=15
python tools/build.py --profile=es2015-subset --lto=off --compile-flag=-g \
--error-messages=on --debug --strip=off --logging=on \
--compile-flag=-fsanitize=address --stack-limit=15
Test case
To reproduce the bug with this PoC, keep the filename at the same length and run the interpreter with the basename only, as in the Execution steps below.
filename: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.js'
// Reproducer for a JerryScript GC crash (es2015-subset profile built with
// ASan and --stack-limit=15; see the build steps and ASan trace above).
// The reporter notes the crash is heap-layout dependent: the script file's
// name length must be kept as given and the interpreter run with the
// basename only. The variable names are fuzzer-generated and carry no
// meaning; only the allocation sequence matters.
function main() {
var v2 = [1337];
var v3 = [13.37,v2];
var v7 = 0;
// NOTE: v7 is never incremented, so this loop does not terminate on its
// own; the script keeps allocating until the engine crashes. Per the ASan
// trace, the GC is entered from jmem_heap_realloc_block while the Map
// constructor is appending to its internal buffer (ecma_op_container_set).
while (v7 < 6) {
var v10 = [13.37,13.37,"object"];
var v14 = [13.37];
var v16 = [v14,v10];
// The own properties of v17 look like fuzzer noise (valueOf is a number,
// toString is the WeakSet constructor). What matters for the Map below is
// that v17's prototype is the array v16, so reading v17[0] / v17[1]
// presumably resolves to v14 / v10 through the prototype chain.
var v17 = {e:1337,__proto__:v16,valueOf:-9007199254740991,toString:WeakSet};
// Two "entries" for the Map constructor: Int8Array (a function object, so
// its [0]/[1] are presumably undefined) and v17. The ASan trace shows the
// faulting read in ecma_gc_mark_map_object while marking this Map.
var v19 = [Int8Array,v17];
var v21 = new Map(v19);
// Grows v3 by one element per pass; likely just extra allocation pressure
// to push the heap into the failing state — unconfirmed.
var v22 = v3.unshift(0);
}
}
// Entry point: run the reproducer (expected result is the engine crash shown below).
main();
Execution steps
~/jerryscript-test/build/bin/jerry xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.js
ASAN:DEADLYSIGNAL
=================================================================
==15897==ERROR: AddressSanitizer: SEGV on unknown address 0x55e63e629888 (pc 0x55e6393d7f9d bp 0x000004e7ffe3 sp 0x7fff9494ba70 T0)
==15897==The signal is caused by a READ memory access.
#0 0x55e6393d7f9c in ecma_gc_set_object_visited /home/jerryscript-test/jerry-core/ecma/base/ecma-gc.c:85
#1 0x55e6393d7707 in ecma_gc_mark_map_object /home/jerryscript-test/jerry-core/ecma/base/ecma-gc.c:330
#2 0x55e6393d7707 in ecma_gc_mark /home/jerryscript-test/jerry-core/ecma/base/ecma-gc.c:594
#3 0x55e6393d88a4 in ecma_gc_run /home/jerryscript-test/jerry-core/ecma/base/ecma-gc.c:1395
#4 0x55e6393d15bd in jmem_heap_realloc_block /home/jerryscript-test/jerry-core/jmem/jmem-heap.c:539
#5 0x55e6393d9da4 in ecma_collection_push_back /home/jerryscript-test/jerry-core/ecma/base/ecma-helpers-collection.c:140
#6 0x55e6393f13ee in ecma_op_internal_buffer_append /home/jerryscript-test/jerry-core/ecma/operations/ecma-container-object.c:71
#7 0x55e6393f13ee in ecma_op_container_set /home/jerryscript-test/jerry-core/ecma/operations/ecma-container-object.c:790
#8 0x55e6393ea3cf in ecma_builtin_dispatch_routine /home/jerryscript-test/jerry-core/ecma/builtin-objects/ecma-builtins.c:1115
#9 0x55e6393ea3cf in ecma_builtin_dispatch_call /home/jerryscript-test/jerry-core/ecma/builtin-objects/ecma-builtins.c:1139
#10 0x55e6393f6491 in ecma_op_function_call /home/jerryscript-test/jerry-core/ecma/operations/ecma-function-object.c:1085
#11 0x55e6393f0ec4 in ecma_op_container_create /home/jerryscript-test/jerry-core/ecma/operations/ecma-container-object.c:516
#12 0x55e6393ea525 in ecma_builtin_dispatch_construct /home/jerryscript-test/jerry-core/ecma/builtin-objects/ecma-builtins.c:1180
#13 0x55e63942fb2e in opfunc_construct /home/jerryscript-test/jerry-core/vm/vm.c:849
#14 0x55e63942fb2e in vm_execute /home/jerryscript-test/jerry-core/vm/vm.c:4151
#15 0x55e63942ff2c in vm_run /home/jerryscript-test/jerry-core/vm/vm.c:4232
#16 0x55e6393f4ffd in ecma_op_function_call_simple /home/jerryscript-test/jerry-core/ecma/operations/ecma-function-object.c:886
#17 0x55e6393f6491 in ecma_op_function_call /home/jerryscript-test/jerry-core/ecma/operations/ecma-function-object.c:1085
#18 0x55e63942ee5b in opfunc_call /home/jerryscript-test/jerry-core/vm/vm.c:764
#19 0x55e63942ee5b in vm_execute /home/jerryscript-test/jerry-core/vm/vm.c:4130
#20 0x55e63942ff2c in vm_run /home/jerryscript-test/jerry-core/vm/vm.c:4232
#21 0x55e6393d3b9d in jerry_run /home/jerryscript-test/jerry-core/api/jerry.c:595
#22 0x55e6393cf64d in main /home/jerryscript-test/jerry-main/main-unix.c:759
#23 0x7fa01742eb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#24 0x55e6393d1969 in _start (/home/jerryscript-test/build/bin/jerry+0x1a969)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/jerryscript-test/jerry-core/ecma/base/ecma-gc.c:85 in ecma_gc_set_object_visited
==15897==ABORTING
~/jerryscript-asan-debug/build/bin/jerry xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.js
ICE: Assertion '((jmem_cpointer_t) uint_ptr) == uint_ptr' failed at /home/jerryscript-asan-debug/jerry-core/jmem/jmem-allocator.c(jmem_decompress_pointer):219.
Error: ERR_FAILED_INTERNAL_ASSERTION
Aborted (core dumped)
Backtrace
$ gdb -nx -q ~/jerryscript-test/build/bin/jerry -ex 'r xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.js'
Reading symbols from /home/jerryscript-test/build/bin/jerry...done.
Starting program: /home/jerryscript-test/build/bin/jerry xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x0000555555574f9d in ecma_gc_set_object_visited (object_p=0x55555a7c6888) at /home/jerryscript-test/jerry-core/ecma/base/ecma-gc.c:85
85 if (object_p->type_flags_refs >= ECMA_OBJECT_NON_VISITED)
(gdb) x/i $rip
=> 0x555555574f9d <ecma_gc_set_object_visited+35>: mov (%rdi),%ax
(gdb) x/g $rdi
0x55555a7c6888: Cannot access memory at address 0x55555a7c6888