Samsung / escargot

Escargot is a lightweight JavaScript engine designed specifically for resource-constrained environments.
GNU Lesser General Public License v2.1

SEGV Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) #1377

Open 7331akasokoan opened 2 weeks ago

7331akasokoan commented 2 weeks ago

commit: d398f1ece3bae25c00465aea7f00b548d1131241

build setting:

cmake -DCMAKE_CXX_FLAGS=-fsanitize=address -DESCARGOT_MODE=debug -DESCARGOT_OUTPUT=shell -GNinja

poc.js:

(function() {
var v0;
var v1 = { 'a' : 5 };
for(const { x = x } in v1)
x();
})();

ASAN report:

==34821==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x55b2efbc915c bp 0x7ffdf1d8c640 sp 0x7ffdf1d8b830 T0)
==34821==The signal is caused by a READ memory access.
==34821==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
    #0 0x55b2efbc915c in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:770
    #1 0x55b2f01a183e in Escargot::Value Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptFunctionObject, false, false, false, Escargot::FunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder>(Escargot::ExecutionState&, Escargot::ScriptFunctionObject*, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Object*) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:221
    #2 0x55b2f019fd38 in Escargot::ScriptFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/ScriptFunctionObject.cpp:108
    #3 0x55b2efbc92f4 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:770
    #4 0x55b2efda896e in Escargot::Script::execute(Escargot::ExecutionState&, bool, bool) /home/fuzzer/escargot/src/parser/Script.cpp:499
    #5 0x55b2ef97087e in Escargot::ScriptRef::execute(Escargot::ExecutionStateRef*) /home/fuzzer/escargot/src/api/EscargotPublic.cpp:4722
    #6 0x55b2f024c6cc in operator() /home/fuzzer/escargot/src/shell/Shell.cpp:790
    #7 0x55b2f024c6f7 in _FUN /home/fuzzer/escargot/src/shell/Shell.cpp:791
    #8 0x55b2f02564b3 in decltype (((forward<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>)({parm#1}))((forward<Escargot::ExecutionStateRef*&>)({parm#3}), (forward<Escargot::ScriptRef*&>)({parm#3}))) Escargot::EvaluatorUtil::ApplyTupleIntoArgumentsOfVariadicTemplateFunction<0ul>::apply<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&, Escargot::ExecutionStateRef*&, Escargot::ScriptRef*&>(Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&, Escargot::ExecutionStateRef*&, Escargot::ScriptRef*&) /home/fuzzer/escargot/src/api/EscargotPublic.h:521
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer: nested bug in the same thread, aborting.
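As an added regression check, not code from the issue or from the Escargot project: per the ECMAScript spec the `{ x = x }` pattern in the PoC must throw a ReferenceError, because the default initializer reads `x` while that lexical binding is still in its temporal dead zone, so a conforming engine never reaches `x()` and the reported build's SEGV is an engine bug rather than a scripting error. The extra variants (let, for-of, plain const, and the var contrast) are my assumptions, added to widen coverage beyond the exact PoC.

```javascript
// Regression cases for the self-referencing destructuring default from the
// issue. Each case is kept as a source string so the TDZ construct is
// compiled fresh on every run (constructed test inputs, not from the report).
const CASES = {
  // The PoC shape from the issue: for-in with a const destructuring target.
  forInConst: "for (const { x = x } in { a: 5 }) x();",
  // Assumed variants: same TDZ rule applies to let, for-of and plain const.
  forInLet: "for (let { x = x } in { a: 5 }) x();",
  forOfConst: "for (const { x = x } of [{}]) x();",
  plainConst: "const { x = x } = {};",
  // Contrast: var has no TDZ, so the default reads a hoisted undefined.
  varNoTdz: "var { x = x } = {};",
};

// Run one snippet in a fresh function scope and classify the outcome:
// "ReferenceError" is the spec-mandated result for the TDZ cases,
// "no-throw" means the engine silently proceeded (wrong for lexical cases).
function classify(src) {
  try {
    new Function(src)();
    return "no-throw";
  } catch (e) {
    return e instanceof ReferenceError ? "ReferenceError" : e.constructor.name;
  }
}

// Classify every case; a conforming engine returns "ReferenceError" for all
// lexical cases and "no-throw" only for varNoTdz.
function runAll() {
  const results = {};
  for (const [name, src] of Object.entries(CASES)) {
    results[name] = classify(src);
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(runAll());
}
```

Running this under the crashing build would abort before printing anything, which is itself the signal the test is meant to catch; under a spec-compliant engine every lexical case reports ReferenceError.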