jerryscript-project / jerryscript

Ultra-lightweight JavaScript engine for the Internet of Things.
https://jerryscript.net
Apache License 2.0

AddressSanitizer: heap-use-after-free jerry-core/ecma/base/ecma-gc.c:90 in ecma_gc_set_object_visited #4870

Open eternalsakura opened 2 years ago

eternalsakura commented 2 years ago

JerryScript commit hash

55acdf2048b390d0f56f12e64dbfb2559f0e70ad

Build platform

Ubuntu 20.04 LTS

Build steps (note: `--system-allocator=on` makes every engine object allocation go through libc `malloc`/`free`, which is why the ASan report below can attribute the freed 24-byte region to a specific `ecma_dealloc_extended_object` call; with JerryScript's default built-in heap the individual frees would presumably be invisible to ASan)

./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --profile=es2015-subset --stack-limit=20

poc

// Fuzzer-generated reproducer, not reduced (see the reduction discussion below).
// f is an async function that re-enters itself synchronously via
// arr.map(f, ...) before reaching its own first `await`, so a stack of
// suspended f frames accumulates, each map-invoked frame having a fresh
// Boolean wrapper (`new Object(true)`) as `this`. Per the ASan trace, the
// freed 24-byte region was allocated by ecma_op_to_object inside that Object
// construct, freed by a GC run, and then read by ecma_gc_mark_executable_object
// while another GC runs during an `await` -- i.e. a suspended async frame still
// references an object the collector already released. This is an inference
// from the stack traces; the exact missing root/reference must be confirmed
// in a debugger. Bug class: memory-unsafe read in the GC mark phase, so its
// severity depends on whether untrusted scripts can reach this engine build.
async function f() {
    let arr = [0.000000];
    let fuzz_v152 = arr;
    let fuzz_v159 = fuzz_v152.__proto__;
    // valueOf becomes a generator function: calling it yields a generator
    // object, not a primitive, and the generator body itself is never driven.
    fuzz_v152.valueOf = function* (fuzz_v166, fuzz_v167) {
        while (arr) {
        }
        var fuzz_v172 = ~f;
        arr >>= [1.100000];
        return fuzz_v167;
    };
    arr.includes(arr, [340282346638528859811704183484516925440.000000], arr);
    delete [10];
    let fuzz_v253 = f.__proto__;
    let fuzz_v256 = {
        "D5FP8": f
    };
    // Synchronous self-recursion: f is the map callback and runs up to its first
    // await on every level. `new Object(true)` is the thisArg whose Boolean
    // wrapper the ASan trace reports as later freed. The recursion depth is
    // bounded only by the --stack-limit=20 build option.
    arr["map"](f, new Object(true));
    arr.flat();
    let fuzz_v69 = false;
    // First suspension point; in the map-invoked frames `this` is the Boolean
    // wrapper created above.
    await this;
    await f;
    // `arr -= ...` calls ToPrimitive on arr: the generator-valued valueOf is not
    // a primitive result, so toString is used instead.
    var fuzz_v43 = arr -= new Date(new String({
        "findIndex": arr
    }));
    await this;
    // NOTE(review): Symbol.reject is not a standard Symbol property. If it is
    // undefined in this engine, this call throws a TypeError, f's promise
    // rejects, and nothing below this line executes in this frame -- a prime
    // candidate for test reduction.
    let fuzz_v286 = Symbol.reject();
    await f;
    await new Promise(f);
    // NOTE(review): the executor is an async generator function. Calling it
    // returns a generator object without running its body, so (under standard
    // semantics) these executor bodies never execute and the Promise never
    // settles; the same applies to the two async-generator executors below.
    await new Promise(async function* (fuzz_v80) {
        var fuzz_v82 = new Uint32Array(fuzz_v80, arr, [1.100000], fuzz_v80, fuzz_v80);
        let fuzz_v96 = fuzz_v82.__proto__;
        this.length = 4;
    });
    await new Promise(async function* (fuzz_v138, fuzz_v139) {
        fuzz_v138.__proto__ = fuzz_v139;
        let fuzz_v147 = function* (fuzz_v149, fuzz_v150, fuzz_v151, fuzz_v152) {
            let fuzz_v165 = Reflect.apply(fuzz_v152, {
                "findIndex": fuzz_v150
            }, [{}]);
            switch ({
                    includes: fuzz_v138,
                    set valueOf(fuzz_v175) {
                        fuzz_v150.valueOf = fuzz_v175;
                        return;
                    }
                }) {
            case [1.100000]:
                throw arr;
                break;
            case 5643033980980220.000000:
                let fuzz_v203 = String.prototype.trim.call(new String());
                break;
            default:
                fuzz_v43.valueOf = fuzz_v150;
            }
            let fuzz_v214 = fuzz_v69;
            let fuzz_v223 = Number.isInteger(2147483648);
        };
        var fuzz_v228 = f;
        delete f.__proto__;
        let fuzz_v237 = {};
    });
    await new Promise(f);
    await new Promise(async function* (fuzz_v269, fuzz_v270, fuzz_v271) {
        class fuzz_class273 extends f {

        }
        return arr;
    });
    await new Promise(fuzz_v286);
}
// Top-level entry: the promise returned by f is never awaited or handled, so
// any rejection (e.g. from the Symbol.reject() call) is silent; the crash
// surfaces later from jerry_run_jobs while resuming a suspended frame.
f(f, f);

asan log

=================================================================
==2066102==ERROR: AddressSanitizer: heap-use-after-free on address 0xf4e01ba0 at pc 0x565c19c2 bp 0xffdeb558 sp 0xffdeb548
READ of size 4 at 0xf4e01ba0 thread T0
    #0 0x565c19c1 in ecma_gc_set_object_visited /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:90
    #1 0x565c474d in ecma_gc_mark_executable_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:698
    #2 0x565c5bc0 in ecma_gc_mark /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:1007
    #3 0x565c9a46 in ecma_gc_run /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:2209
    #4 0x565ca303 in ecma_free_unused_memory /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:2321
    #5 0x5666230f in jmem_heap_gc_and_alloc_block /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:285
    #6 0x566623b8 in jmem_heap_alloc_block /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:324
    #7 0x566d4ed5 in ecma_alloc_extended_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-alloc.c:111
    #8 0x565e5af2 in ecma_create_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-helpers.c:94
    #9 0x56628895 in ecma_op_create_native_handler /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:716
    #10 0x56641987 in ecma_promise_create_resolving_function /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:425
    #11 0x56641aa5 in ecma_promise_run_executor /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:446
    #12 0x56641df2 in ecma_op_create_promise_object /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:516
    #13 0x56642f01 in ecma_promise_new_capability /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:766
    #14 0x56643310 in ecma_promise_reject_or_resolve /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:844
    #15 0x566442cc in ecma_promise_async_await /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:1183
    #16 0x566c2274 in vm_loop /home/sakura/jerryscript/jerry-core/vm/vm.c:2742
    #17 0x566d4684 in vm_execute /home/sakura/jerryscript/jerry-core/vm/vm.c:5260
    #18 0x566a8627 in opfunc_resume_executable_object /home/sakura/jerryscript/jerry-core/vm/opcodes.c:777
    #19 0x56630503 in ecma_process_promise_async_reaction_job /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-jobqueue.c:365
    #20 0x566311f0 in ecma_process_all_enqueued_jobs /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-jobqueue.c:569
    #21 0x565b1569 in jerry_run_jobs /home/sakura/jerryscript/jerry-core/api/jerryscript.c:1064
    #22 0x565a899d in main /home/sakura/jerryscript/jerry-main/main-jerry.c:326
    #23 0xf75ecee4 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1eee4)
    #24 0x565a6b04 in _start (/home/sakura/jerryscript/build2/bin/jerry+0x22b04)

0xf4e01ba0 is located 0 bytes inside of 24-byte region [0xf4e01ba0,0xf4e01bb8)
freed by thread T0 here:
    #0 0xf79d5814 in __interceptor_free (/lib32/libasan.so.5+0x113814)
    #1 0x566625d9 in jmem_heap_free_block_internal /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:477
    #2 0x56662a7d in jmem_heap_free_block /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:691
    #3 0x566d4f02 in ecma_dealloc_extended_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-alloc.c:125
    #4 0x565c9451 in ecma_gc_free_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:2150
    #5 0x565ca0cb in ecma_gc_run /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:2277
    #6 0x565ca303 in ecma_free_unused_memory /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:2321
    #7 0x5666230f in jmem_heap_gc_and_alloc_block /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:285
    #8 0x566623b8 in jmem_heap_alloc_block /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:324
    #9 0x566d4ed5 in ecma_alloc_extended_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-alloc.c:111
    #10 0x565e5af2 in ecma_create_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-helpers.c:94
    #11 0x56642ca0 in ecma_promise_new_capability /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:742
    #12 0x56643310 in ecma_promise_reject_or_resolve /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:844
    #13 0x566442cc in ecma_promise_async_await /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:1183
    #14 0x566c2274 in vm_loop /home/sakura/jerryscript/jerry-core/vm/vm.c:2742
    #15 0x566d4684 in vm_execute /home/sakura/jerryscript/jerry-core/vm/vm.c:5260
    #16 0x566a8627 in opfunc_resume_executable_object /home/sakura/jerryscript/jerry-core/vm/opcodes.c:777
    #17 0x56630503 in ecma_process_promise_async_reaction_job /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-jobqueue.c:365
    #18 0x566311f0 in ecma_process_all_enqueued_jobs /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-jobqueue.c:569
    #19 0x565b1569 in jerry_run_jobs /home/sakura/jerryscript/jerry-core/api/jerryscript.c:1064
    #20 0x565a899d in main /home/sakura/jerryscript/jerry-main/main-jerry.c:326
    #21 0xf75ecee4 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1eee4)

previously allocated by thread T0 here:
    #0 0xf79d5c17 in __interceptor_malloc (/lib32/libasan.so.5+0x113c17)
    #1 0x5666221f in jmem_heap_alloc /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:254
    #2 0x5666231d in jmem_heap_gc_and_alloc_block /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:291
    #3 0x566623b8 in jmem_heap_alloc_block /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:324
    #4 0x566d4ed5 in ecma_alloc_extended_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-alloc.c:111
    #5 0x565e5af2 in ecma_create_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-helpers.c:94
    #6 0x56622394 in ecma_op_to_object /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-conversion.c:581
    #7 0x566fc246 in ecma_builtin_object_dispatch_call /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-object.c:116
    #8 0x566fc375 in ecma_builtin_object_dispatch_construct /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-object.c:144
    #9 0x56604101 in ecma_builtin_dispatch_construct /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1603
    #10 0x5662b36d in ecma_op_function_construct_built_in /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1585
    #11 0x5662b9ba in ecma_op_function_construct /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1773
    #12 0x566b454b in opfunc_construct /home/sakura/jerryscript/jerry-core/vm/vm.c:845
    #13 0x566d472a in vm_execute /home/sakura/jerryscript/jerry-core/vm/vm.c:5287
    #14 0x566d4d4f in vm_run /home/sakura/jerryscript/jerry-core/vm/vm.c:5363
    #15 0x5662a0e2 in ecma_op_function_call_simple /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1203
    #16 0x5662af15 in ecma_op_function_call /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1439
    #17 0x566dc7b8 in ecma_builtin_array_prototype_object_map /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:1979
    #18 0x566e0794 in ecma_builtin_array_prototype_dispatch_routine /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:3006
    #19 0x56603c36 in ecma_builtin_dispatch_routine /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1543
    #20 0x56603e53 in ecma_builtin_dispatch_call /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1574
    #21 0x5662a353 in ecma_op_function_call_native_built_in /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1244
    #22 0x5662af31 in ecma_op_function_call /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1444
    #23 0x5662ada6 in ecma_op_function_validated_call /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1402
    #24 0x566b3fb3 in opfunc_call /home/sakura/jerryscript/jerry-core/vm/vm.c:763
    #25 0x566d46e9 in vm_execute /home/sakura/jerryscript/jerry-core/vm/vm.c:5266
    #26 0x566d4d4f in vm_run /home/sakura/jerryscript/jerry-core/vm/vm.c:5363
    #27 0x5662a0e2 in ecma_op_function_call_simple /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1203
    #28 0x5662af15 in ecma_op_function_call /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1439
    #29 0x566dc7b8 in ecma_builtin_array_prototype_object_map /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:1979

SUMMARY: AddressSanitizer: heap-use-after-free /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:90 in ecma_gc_set_object_visited
Shadow bytes around the buggy address:
  0x3e9c0320: 00 00 00 fa fa fa fd fd fd fd fa fa fd fd fd fa
  0x3e9c0330: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x3e9c0340: fd fd fa fa fd fd fd fa fa fa 00 00 00 fa fa fa
  0x3e9c0350: 00 00 00 fa fa fa fd fd fd fd fa fa 00 00 00 fa
  0x3e9c0360: fa fa 00 00 00 fa fa fa fd fd fd fd fa fa fd fd
=>0x3e9c0370: fd fa fa fa[fd]fd fd fa fa fa 00 00 00 fa fa fa
  0x3e9c0380: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fd
  0x3e9c0390: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x3e9c03a0: fd fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x3e9c03b0: fd fd fd fd fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x3e9c03c0: fa fa fd fd fd fd fa fa fd fd fd fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2066102==ABORTING
eternalsakura commented 2 years ago

Can you confirm if this is a valid issue? thanks :)

rerobika commented 2 years ago

Yep, that's a valid issue.

rerobika commented 2 years ago

However, this test is a nightmare to debug. I'd definitely recommend some kind of test reduction. Please check https://github.com/renatahodovan/picire or https://github.com/renatahodovan/picireny. @hope-fly PTAL as well.

eternalsakura commented 2 years ago

However, this test is a nightmare to debug. I'd definitely recommend some kind of test reduction. Please check https://github.com/renatahodovan/picire or https://github.com/renatahodovan/picireny. @hope-fly PTAL as well.

In fact, I tried to reduce this poc, but it did not work well.

I will think of some other ways, and I will communicate with you if I have gained something.

hope-fly commented 2 years ago

@rerobika ok, I'll take a look tomorrow