
Address misalignment causes futex error #6971

Closed coolboy43 closed 5 months ago

coolboy43 commented 6 months ago

commit

c3ead3f8a6e0bb8e32e043adc091c68cba5935e9

bug

Address misalignment causes futex error

build and run

os: Ubuntu 22.04.2 LTS; build: ./build.sh --debug --static -j=8
run: ./DebugBuild/Debug/ch this.js (run 10 times, 3 crashes)

POC

/**
 * Returns the internal class tag of a value, e.g. "Array", "Null", "Number".
 * Object.prototype.toString yields "[object Tag]"; the surrounding
 * "[object " and "]" are stripped off.
 * @param {*} object - any value, including null and undefined
 * @returns {string} the tag between "[object " and "]"
 */
function classOf(object) {
  const tagged = Object.prototype.toString.call(object);
  return tagged.slice(8, -1);
}
/**
 * Structural comparison of two objects by their own enumerable keys.
 * The sorted key lists must match exactly (compared via deepEquals),
 * then every value is compared with deepEquals.
 * @param {object} a
 * @param {object} b
 * @returns {boolean} true when key sets and all values match
 */
function deepObjectEquals(a, b) {
  const keysOfA = Object.keys(a).sort();
  const keysOfB = Object.keys(b).sort();
  if (!deepEquals(keysOfA, keysOfB)) {
    return false;
  }
  // Key sets are identical here, so indexing b by a's keys is safe.
  return keysOfA.every((key) => deepEquals(a[key], b[key]));
}
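/**
 * Deep structural equality used by the reproduction harness.
 *
 * Rules, in order:
 *  - identical values are equal, except that +0 and -0 are distinguished;
 *  - numbers: NaN equals NaN, otherwise strict equality;
 *  - other non-identical primitives are unequal; distinct symbols are unequal;
 *  - objects must share a class tag (see classOf); this also keeps null apart
 *    from objects and arrays apart from array-likes;
 *  - arrays: same length and element-wise deepEquals;
 *  - RegExp: same toString(); functions: always equal to each other;
 *  - boxed String/Number/Boolean and Date: same valueOf(), then own keys;
 *  - everything else: deepObjectEquals on own enumerable keys.
 *
 * @param {*} a
 * @param {*} b
 * @returns {boolean}
 */
function deepEquals(a, b) {
  if (a === b) {
    // +0 === -0 holds, so tell them apart by the sign of the reciprocal.
    if (a === 0) return (1 / a) === (1 / b);
    return true;
  }
  if (typeof a !== typeof b) return false;
  // a !== b at this point, so two numbers are only equal if both are NaN.
  if (typeof a === 'number') return Number.isNaN(a) && Number.isNaN(b);
  // Distinct symbols are never equal; without this they would fall through to
  // deepObjectEquals, which sees no own keys and reports them equal.
  if (typeof a === 'symbol') return false;
  if (typeof a !== 'object' && typeof a !== 'function') return false;
  // Compare class tags before the Array branch so that [] vs {length: 0} is
  // false and [] vs null does not throw on null.length.
  const objectClass = classOf(a);
  if (objectClass !== classOf(b)) return false;
  if (objectClass === 'Array') {
    if (a.length !== b.length) return false;
    for (let i = 0; i < a.length; i++) {
      if (!deepEquals(a[i], b[i])) return false;
    }
    return true;
  }
  if (objectClass === 'RegExp') {
    return a.toString() === b.toString();
  }
  // Functions are not compared structurally; any two are treated as equal.
  if (objectClass === 'Function') return true;
  if (objectClass === 'String' || objectClass === 'Number' ||
      objectClass === 'Boolean' || objectClass === 'Date') {
    if (a.valueOf() !== b.valueOf()) return false;
  }
  return deepObjectEquals(a, b);
}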
function opt(opt_param){
// Fuzzer-generated function; opt_param is never read. Its shape, not its
// result, is what matters: main() calls it repeatedly so the JIT tiers it up.
const v0 = {};
const v1 = [v0,v0,v0,v0,v0];
const v2 = v0[v0]; // key "[object Object]" is absent, so v2 is undefined
const v3 = class V3 {
    constructor(v5,v6,v7) {
        // Destructuring from undefined throws a TypeError if V3 is ever constructed.
        // v4 is never declared, so in sloppy mode this would create a global.
        ({"MAX_SAFE_INTEGER":v4,"dotAll":v6,} = v2);
        function v8(v9,v10,v11,v12) {
            const v13 = {"get":v10,"set":v6};
        }
    }
    get(v15,v16,v17) {
        // v3 (a class) coerces to NaN, and ToUint32(NaN) is 0, so v18 is 0 for any v16.
        const v18 = v3 >>> v16;
    }
    pop(v20,v21,v22,v23) {
        // Rest destructuring; throws if v22 is null or undefined.
        let {"NEGATIVE_INFINITY":v24,"byteLength":v25,"source":v26,"split":v27,...v28} = v22;
    }
};
// A fresh class object is created on every call, so no two results are ===.
return v3;
}
function main(){
    // Drives opt() through the JIT tiers: a few calls, then 0x10 and 0x200
    // more, sampling the result before and after each warm-up loop.
    let gflag = true;
    let jit_a0 = opt(true);
    let jit_a0_0 = opt(false);
    for(let i=0;i<0x10;i++){opt(false);}
    let jit_a2 = opt(true);
    if (jit_a0 === undefined && jit_a2 === undefined) {
        opt(true);
    } else {
        // opt() returns a new class object each call, so jit_a0_0 === jit_a0
        // is always false and gflag is never cleared.
        if (jit_a0_0===jit_a0 && !deepEquals(jit_a0, jit_a2)) {
            gflag = false;
        }
    }
    for(let i=0;i<0x200;i++){opt(false);}
    let jit_a4 = opt(true);
    if (jit_a0 === undefined && jit_a4 === undefined) {
        opt(true);
    } else {
        // Same reasoning as above: this branch is unreachable. fuzzilli() is a
        // builtin of Fuzzilli-instrumented shells (presumably undefined in plain
        // ch); the crash reported in this issue happens inside the engine, not here.
        if (gflag && jit_a0_0===jit_a0 && !deepEquals(jit_a0, jit_a4)) {
            fuzzilli('FUZZILLI_CRASH', 0);
        }
    }
}
// Entry point: one run of the reproduction (the report saw 3 crashes in 10 runs).
main();

fix suggestions

old in cclock.hpp, lines 12-16:

#if defined(_M_ARM64)
// Only ARM64 requests 8-byte alignment; every other target expands to nothing.
#define CCLOCK_ALIGN __declspec(align(8))
#else
#define CCLOCK_ALIGN 
#endif

new in cclock.hpp:

// Proposed fix: request 8-byte alignment on every target, not only ARM64.
#define CCLOCK_ALIGN __declspec(align(8))
ppenzin commented 6 months ago

I just ran into this; it breaks tests and bytecode regeneration. Testing your fix - I'd wrap the define in an additional AMD64 macro check, similar to the old ARM64 check.

coolboy43 commented 6 months ago

我已收到您的邮件,并尽快回复您。。

rhuanjl commented 5 months ago

Same idea as #6931 and #6932. I tried putting up a fix with a CI update in #6975, but for getting Ubuntu 22 fully working it's not enough - the debug build seems good, but not the Release with Debug Info build.

@ppenzin did you get anywhere looking at it?

coolboy43 commented 5 months ago

我已收到您的邮件,并尽快回复您。。

ppenzin commented 5 months ago

I've started looking at it and responded on the PR; I will report back if I find out what is going on. There might be other places with missed alignment or something very similar. This kind of fragility in PAL makes me a bit nervous actually, though it has worked this far.

rhuanjl commented 5 months ago

I've started looking at it and responded on the PR; I will report back if I find out what is going on. There might be other places with missed alignment or something very similar. This kind of fragility in PAL makes me a bit nervous actually, though it has worked this far.

I'd really like to delete most of PAL, but it's a big job - if we ever advance CC far enough, I consider it one of our goals... For now, as of #6932 this specific matter seems fixed.