
Escargot is a lightweight JavaScript engine designed specifically for resource-constrained environments.
GNU Lesser General Public License v2.1

SEGV Escargot::PointerValue::getTypeTag() #1376

Closed 7331akasokoan closed 1 day ago

7331akasokoan commented 2 weeks ago

commit: d398f1ece3bae25c00465aea7f00b548d1131241

build setting:

# Debug, ASAN-instrumented build of the standalone shell target using the Ninja generator.
# The cmake source-directory argument and the subsequent build step (ninja) are not shown here.
cmake -DCMAKE_CXX_FLAGS=-fsanitize=address -DESCARGOT_MODE=debug -DESCARGOT_OUTPUT=shell -GNinja

poc.js:

// Reproducer for the SEGV in Escargot::PointerValue::getTypeTag() (see ASAN report below).
// Base class with no constructor of its own.
var v9 = class v9 {
};
// Derived class; the crash is triggered from inside its constructor.
var v10 = class v10 extends v9 {
constructor (v1) {
// Arrow function whose body evals a nested arrow that reads `this.x`.
// Both arrows take `this` lexically from the constructor, so the property
// access resolves the constructor's this-binding at the time v7 is called.
var v7 = () => eval('(() => this.x)()');
super();
// v7 is only called after super(). The ASAN stack shows the fault in the
// eval'd arrow's `this.x` load (getObjectPrecomputedCaseOperation ->
// Value::isObject -> getTypeTag on address 0x8), which suggests the `this`
// value handed to the eval'd code holds a null/invalid pointer -- root cause
// to be confirmed in the engine.
let v6= v7();
// v4 and v2 are never declared, so this line would throw a ReferenceError;
// it is not reached because the engine crashes on the line above.
v4(v6, v2, "AAA");
}
};
// Instantiating the derived class runs the constructor and triggers the crash.
var v12 = new v10()

ASAN report (the faulting read is at address 0x8 on the zero page inside `PointerValue::getTypeTag()`, reached from `Value::isObject()` during the property load for `this.x` in the eval'd arrow — consistent with a null or otherwise invalid pointer standing in for the `this` value; root cause to be confirmed in the engine):

AddressSanitizer:DEADLYSIGNAL
=================================================================
==13706==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x563991b1dd11 bp 0x7fff5cb9acf0 sp 0x7fff5cb9ace0 T0)
==13706==The signal is caused by a READ memory access.
==13706==Hint: address points to the zero page.
    #0 0x563991b1dd11 in Escargot::PointerValue::getTypeTag() const /home/fuzzer/escargot/src/runtime/PointerValue.h:1097
    #1 0x563991b1c35f in Escargot::PointerValue::isObject() const /home/fuzzer/escargot/src/runtime/PointerValue.h:169
    #2 0x563991b26a73 in Escargot::Value::isObject() const /home/fuzzer/escargot/src/runtime/ValueInlines.h:558
    #3 0x563991da2a8e in Escargot::InterpreterSlowPath::getObjectPrecomputedCaseOperation(Escargot::ExecutionState&, Escargot::GetObjectPreComputedCase*, Escargot::Value*, Escargot::ByteCodeBlock*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:2374
    #4 0x563991d94556 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:657
    #5 0x56399235d697 in Escargot::Value Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptArrowFunctionObject, false, false, false, Escargot::ScriptArrowFunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder>(Escargot::ExecutionState&, Escargot::ScriptArrowFunctionObject*, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Object*) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:221
    #6 0x56399235cace in Escargot::ScriptArrowFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/ScriptArrowFunctionObject.cpp:37
    #7 0x563991d952f4 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:770
    #8 0x563991f766af in Escargot::Script::executeLocal(Escargot::ExecutionState&, Escargot::Value, Escargot::InterpretedCodeBlock*, bool, bool) /home/fuzzer/escargot/src/parser/Script.cpp:628
    #9 0x56399224b811 in Escargot::GlobalObject::evalLocal(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value, Escargot::InterpretedCodeBlock*, bool) /home/fuzzer/escargot/src/runtime/GlobalObject.cpp:222
    #10 0x563991dbc58a in Escargot::InterpreterSlowPath::callFunctionComplexCase(Escargot::ExecutionState&, Escargot::CallComplexCase*, Escargot::Value*, Escargot::ByteCodeBlock*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:4095
    #11 0x563991d99507 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:1428
    #12 0x56399235d697 in Escargot::Value Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptArrowFunctionObject, false, false, false, Escargot::ScriptArrowFunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder>(Escargot::ExecutionState&, Escargot::ScriptArrowFunctionObject*, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Object*) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:221
    #13 0x56399235cace in Escargot::ScriptArrowFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/ScriptArrowFunctionObject.cpp:37
    #14 0x563991d952f4 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:770
    #15 0x563991db9164 in Escargot::InterpreterSlowPath::blockOperation(Escargot::ExecutionState*&, Escargot::BlockOperation*, unsigned long&, Escargot::ByteCodeBlock*, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:3895
    #16 0x563991d99de6 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:1500
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer: nested bug in the same thread, aborting.