search

chakra-core / ChakraCore

ChakraCore is an open source Javascript engine with a C API.
MIT License
9.12k stars 1.2k forks source link

Aborted in ReportFatalException (Js::ConcatStringBase::GetSzImpl<Js::ConcatStringN<2> >) #6921

Open Ye0nny opened 1 year ago

Ye0nny commented 1 year ago

Version

Branch : master Version : https://github.com/chakra-core/ChakraCore/commit/c3ead3f8a6e0bb8e32e043adc091c68cba5935e9

Platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build

PoC

testcase

```javascript var r = 32 ; var n = 8 ; var a = " " ; while ( a . length < r % 8 << 8 ) { a += " x " ; } a . replace ( / ^ ( .* ) / , " _ " ) ; for ( var e = 0 ; e < 8 ; e ++ ) { var v = " " ; for ( var l = 0 ; l < r ; a . lastIndexOf ( ) , l ++ ) { v += n ; n += " $1 " ; a . replace ( / ^ ( .* ) / , v ) ; n += v ; a . lastIndexOf ( ) ; r ++ ; } } ``` 

// poc.js
var r = 32 ;
var n = 8 ;
var a = " " ;

for ( var e = 0 ; e < 8 ; e ++ ) {
        var v = " " ;
        for ( var l = 0 ; l < r ; l ++ ) {
                v += n ;
                a . replace ( / / , v ) ;
                n += v ;
        }
}

Execution steps & Output

$ ./ch poc.js
Aborted

Backtrace

Debug (ASAN)

(gdb) r poc.js
Starting program: ./ChakraCore/out/Debug/ch poc.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ff7f1915700 (LWP 2064680)]
[New Thread 0x7ff7f1114700 (LWP 2064681)]
[New Thread 0x7ff7f0913700 (LWP 2064682)]

Thread 1 "ch" received signal SIGILL, Illegal instruction.
0x0000555556a35e09 in DebugBreak () at ./ChakraCore/lib/Common/CommonPal.h:161
161     __builtin_trap();
(gdb) bt
#0  0x0000555556a35e09 in DebugBreak () at ./ChakraCore/lib/Common/CommonPal.h:161
#1  ReportFatalException (context=<optimized out>, exceptionCode=<optimized out>, reasonCode=<optimized out>, scenario=<optimized out>)
    at ./ChakraCore/lib/Common/Exceptions/ReportError.cpp:20
#2  0x0000555556a36247 in RecyclerSingleAllocationLimit_unrecoverable_error ()
    at ./ChakraCore/lib/Common/Exceptions/ReportError.cpp:151
#3  0x0000555556deecba in Memory::Recycler::LargeAlloc<false> (this=0x632000000858, heap=0x6320000052b8, size=2269806342,
    attributes=Memory::LeafBit) at ./ChakraCore/lib/Common/Memory/Recycler.cpp:1380
#4  0x00005555567fd87f in Memory::Recycler::RealAlloc<(Memory::ObjectInfoBits)32, false> (this=0x632000000858, heap=0x6320000052b8,
    size=2269806342) at ./ChakraCore/lib/Common/Memory/Recycler.inl:384
#5  0x00005555567fcb24 in Memory::Recycler::AllocWithAttributesInlined<(Memory::ObjectInfoBits)32, false> (this=<optimized out>,
    size=<optimized out>) at ./ChakraCore/lib/Common/Memory/HeapInfoManager.h:18
#6  0x00005555567fbce9 in operator new[]<Memory::Recycler> (byteSize=2269806342, alloc=<optimized out>, AllocFunc=<optimized out>)
    at ./ChakraCore/lib/Common/DataStructures/../Memory/Allocator.h:498
#7  0x00005555588af4c8 in Memory::AllocateArray<Memory::Recycler, char16_t, false> (allocator=0x632000000858,
    AllocFunc=<optimized out>, count=<optimized out>)
    at ./ChakraCore/lib/Common/DataStructures/../Memory/Allocator.h:348
#8  Js::ConcatStringBase::GetSzImpl<Js::ConcatStringN<2> > (this=<optimized out>)
    at ./ChakraCore/lib/Runtime/./Library/ConcatString.inl:36
#9  0x00005555588ad44a in Js::ConcatStringN<2>::GetSz (this=0x7ffff26a9fc0)
    at ./ChakraCore/lib/Runtime/./Library/ConcatString.inl:89
#10 0x00005555593ceff8 in Js::JavascriptString::GetString (this=0x7ffff26a9fc0)
    at ./ChakraCore/lib/Runtime/Library/JavascriptString.cpp:2850
#11 0x0000555559506661 in Js::RegexHelper::RegexEs5ReplaceImpl (scriptContext=<optimized out>, regularExpression=0x7ffff26a8f40,
    input=<optimized out>, replace=<optimized out>, noResult=<optimized out>)
    at ./ChakraCore/lib/Runtime/Library/RegexHelper.cpp:1127
#12 0x0000555559501f59 in Js::RegexHelper::RegexReplaceImpl (scriptContext=0x622000000158, thisObj=0x7ffff26a8f40,
    input=0x7ffff2842480, replace=0x7ffff26a9fc0, noResult=true)
    at ./ChakraCore/lib/Runtime/Library/RegexHelper.cpp:908
#13 0x000055555951a9cf in Js::RegexHelper::RegexReplace (entryFunctionContext=0x622000000158, thisObj=0x0, input=0x10007fff7e00,
    replace=0x10007fff7e00, noResult=false) at ./ChakraCore/lib/Runtime/Library/RegexHelper.cpp:2308
#14 0x00005555593f2bf3 in Js::JavascriptString::DoStringReplace (args=..., callInfo=..., input=<optimized out>,
    scriptContext=<optimized out>) at ./ChakraCore/lib/Runtime/Library/JavascriptString.cpp:1695
#15 0x00005555593f1da2 in Js::JavascriptString::EntryReplace(Js::RecyclableObject*, Js::CallInfo, ...)::$_2::operator()(Js::JavascriptString*) const (this=<optimized out>, stringObj=0x7ffff2842480)
    at ./ChakraCore/lib/Runtime/Library/JavascriptString.cpp:1667
#16 Js::JavascriptString::DelegateToRegExSymbolFunction<2, Js::JavascriptString::EntryReplace(Js::RecyclableObject*, Js::CallInfo, ...)::$_2>(Js::ArgumentReader&, int, Js::JavascriptString::EntryReplace(Js::RecyclableObject*, Js::CallInfo, ...)::$_2, char16_t const*, Js::ScriptContext*) (args=..., symbolPropertyId=22, fallback=..., scriptContext=0x622000000158, varName=<optimized out>)
    at ./ChakraCore/lib/Runtime/Library/JavascriptString.cpp:1809
#17 Js::JavascriptString::EntryReplace (function=0x7ffff2842880, callInfo=...)
    at ./ChakraCore/lib/Runtime/Library/JavascriptString.cpp:1669
#18 0x0000555559723c4e in amd64_CallFunction ()
    at ./ChakraCore/lib/Runtime/Library/amd64/JavascriptFunctionA.S:100
#19 0x000055555843ceef in Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) (this=0x7fffffffca40,
    playout=<optimized out>, function=<optimized out>, flags=<optimized out>, spreadIndices=<optimized out>)
    at ./ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:3973
#20 0x000055555843bae9 in Js::InterpreterStackFrame::OP_ProfileCallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, unsigned short, unsigned int, Js::AuxArray<unsigned int> const*) (this=0x7fffffffca40, playout=0x7ffff28eb1b4, function=<optimized out>, flags=0, profileId=<optimized out>,
    inlineCacheIndex=0, spreadIndices=0x0)
    at ./ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:4016
#21 0x0000555557df8817 in Js::InterpreterStackFrame::OP_ProfiledCallIWithICIndex<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > >(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > const __unaligned*) (this=0x7fffffffca40, playout=0x7ffff28eb1b4)
    at ./ChakraCore/lib/Runtime/./Language/InterpreterStackFrame.h:520
#22 Js::InterpreterStackFrame::ProcessProfiled (this=<optimized out>)
    at ./ChakraCore/lib/Runtime/Language/InterpreterHandler.inl:91
#23 0x0000555557c426df in Js::InterpreterStackFrame::Process (this=0x7fffffffca40)
    at ./ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:3472
#24 0x0000555557c3d150 in Js::InterpreterStackFrame::InterpreterHelper (function=<optimized out>,
    args=<error reading variable: Cannot access memory at address 0x0>, returnAddress=<optimized out>,
    addressOfReturnAddress=<optimized out>, asmJsReturn=<optimized out>)
    at ./ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:2153
#25 0x0000555557c3a80d in Js::InterpreterStackFrame::InterpreterThunk (layout=0x7ffff26c0fa2)
    at ./ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:1833
#26 0x00007ffff26c0fa2 in ?? ()
#27 0x00007fffffffd010 in ?? ()
#28 0x0000555559723c4e in amd64_CallFunction ()
    at ./ChakraCore/lib/Runtime/Library/amd64/JavascriptFunctionA.S:100
Backtrace stopped: frame did not save the PC
(gdb)

Credits: @Ye0nny, @EJueon of the seclab-yonsei.

ppenzin commented 1 year ago

@Ye0nny thank you for the report! Note it is not an asan error, just adding asan flags enables more robust reporting.

ppenzin commented 1 year ago

The question here is whether this should fail (more) gracefully.