Open YiWen-y opened 2 years ago
I debugged this issue further using GDB; it appears to be a null pointer issue. Here is the detailed debug info:
(gdb) set disassembly-flavor intel
(gdb) info r
rax 0x42 66
rbx 0x7fffffffb3d8 140737488335832
rcx 0x7fffffffb528 140737488336168
rdx 0x0 0
rsi 0x0 0
rdi 0x7fffffffb598 140737488336280
rbp 0x7fffffff9ba0 0x7fffffff9ba0
rsp 0x7fffffff9ad0 0x7fffffff9ad0
r8 0x7ff7f0b74800 140702872193024
r9 0x1 1
r10 0x0 0
r11 0x0 0
r12 0x7ffff43d3f80 140737291042688
r13 0x140 320
r14 0x7fffffffb9f0 140737488337392
r15 0x7fffffffc5d8 140737488340440
rip 0x7ffff34dcc75 0x7ffff34dcc75 <EmitBooleanExpression(ParseNode*, int, int, ByteCodeGenerator*, FuncInfo*, bool, bool)+229>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
k0 0x0 0
k1 0x0 0
k2 0x0 0
k3 0x0 0
k4 0x0 0
k5 0x0 0
k6 0x0 0
k7 0x0 0
(gdb) x/i $pc
=> 0x7ffff34dcc75 <EmitBooleanExpression(ParseNode*, int, int, ByteCodeGenerator*, FuncInfo*, bool, bool)+229>: movzx eax,BYTE PTR [rsi]
Combining this with the above stack information,
#0 0x00007ffff34dcc75 in EmitBooleanExpression (expr=0x0, trueLabel=10, falseLabel=4, byteCodeGenerator=0x7fffffffb4e0, funcInfo=0x7ff7f0b74800, trueFallthrough=true, falseFallthrough=false) at ~/ChakraCore-1.11.24/lib/Runtime/ByteCode/ByteCodeEmitter.cpp:8835
we can see that the pointer expr has the value 0x0, so this is a null pointer problem.
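As an added illustration (not part of this report or of ChakraCore), the triage the author does by hand, matching the register named in the faulting instruction's memory operand against the register dump, written as a small Python helper. The gdb lines it parses are constructed from the output quoted above; the 0x1000 first-page threshold is an assumption about the target platform.

```python
import re

# Constructed sample input: the shape of the `info r` and `x/i $pc` output quoted in
# the report above (a few registers are enough for the check).
GDB_INFO_R = """\
rax 0x42 66
rdx 0x0 0
rsi 0x0 0
rdi 0x7fffffffb598 140737488336280
rip 0x7ffff34dcc75 0x7ffff34dcc75 <EmitBooleanExpression(...)+229>
eflags 0x10206 [ PF IF RF ]
"""
GDB_X_I_PC = ("=> 0x7ffff34dcc75 <EmitBooleanExpression(ParseNode*, int, int, "
              "ByteCodeGenerator*, FuncInfo*, bool, bool)+229>: movzx eax,BYTE PTR [rsi]")

REG_LINE = re.compile(r"^(\w+)\s+(0x[0-9a-fA-F]+)")                  # name hex-value ...
X_I_LINE = re.compile(r"^=>\s+0x[0-9a-fA-F]+(?:\s+<.*>)?:\s*(.*)$")  # addr <sym>: asm
MEM_OPERAND = re.compile(r"\[([^\]]+)\]")                             # [base+index*scale+disp]

def parse_registers(info_r: str) -> dict:
    """Map register name -> integer value from `info registers` output."""
    regs = {}
    for line in info_r.splitlines():
        m = REG_LINE.match(line.strip())
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs

def memory_operand_registers(x_i_line: str) -> list:
    """Registers referenced inside [...] in the disassembled instruction (Intel syntax)."""
    m = X_I_LINE.match(x_i_line.strip())
    if not m:
        return []
    found = []
    for operand in MEM_OPERAND.findall(m.group(1)):
        for tok in re.split(r"[+*\-\s]+", operand):
            if tok and not tok.startswith("0x") and not tok.isdigit():
                found.append(tok)
    return found

def classify_fault(info_r: str, x_i_line: str, page_size: int = 0x1000) -> dict:
    """Flag the access as a NULL (or near-NULL) dereference when a register used in the
    memory operand holds an address inside the (assumed unmapped) first page."""
    regs = parse_registers(info_r)
    used = {r: regs.get(r) for r in memory_operand_registers(x_i_line)}
    culprit = [r for r, v in used.items() if v is not None and v < page_size]
    return {"registers": used, "null_deref": bool(culprit), "culprit": culprit}
```

For the dump above it reports rsi as the culprit with value 0, matching the expr=0x0 seen in frame #0.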
This passes with development version.
Thanks for your reply. We tested the latest development version and found this bug has been fixed. I will close this issue soon :)
By the way, I have a few additional findings, summarized as follows: Firstly, I found this security bug has been exposed by a previous issue report #5532 back in 2018, and was quickly fixed. I just wonder why this bug still exists after being fixed.
Secondly, through the detailed analysis, I think this bug is caused by the incomplete repair of #5332.
Version:
chakra-1.11.24.0
Description:
For the TestCase below, after judging that !p is true in line 2, the function should return directly, but chakra terminates the program abnormally. Through the stack information of the program,
#1 0x00007ffff34ddece in ByteCodeGenerator::EmitInvertedLoop (this=0x7fffffffb4e0, outerLoop=0x7ff7f0b72da0, invertedLoop=0x7ff7f0b75030, funcInfo=0x7ff7f0b74800)
maybe there is a problem in optimizing the for loop.
TestCase:
Command:
Output:
Backtrace (using gdb debugging):
Using ASAN: