oven-sh / bun

Incredibly fast JavaScript runtime, bundler, test runner, and package manager – all in one
https://bun.sh

Valid but unusual console.log arguments can cause segmentation fault #10898

Closed michael-nestler closed 1 week ago

michael-nestler commented 1 week ago

How can we reproduce the crash?

Reproducing the crash on bun 1.1.7 is as simple as running

bun --run --print "console.log('%i %i', [1,2,3,4,5])"

Note: the crash does not occur with minor changes, e.g. console.log('%s %i', [1,2,3,4,5]) or console.log('%i %i', 1). I noticed this crash when trying to output a non-JS format string with the corresponding arguments raw.

JavaScript/TypeScript code that reproduces the crash?

console.log('%i %i', [1,2,3,4,5])

Relevant log output

============================================================
Bun v1.1.7 (b0b7db5c) Linux x64
Args: "bun", "--run", "--print", "console.log('%i %i', [1,2,3,4,5])"
Features: jsc tsconfig 
Builtins: "bun:main" 
Elapsed: 17ms | User: 21ms | Sys: 0ms
RSS: 1.07GB | Peak: 56.47MB | Commit: 1.07GB | Faults: 0

panic(main thread): Segmentation fault at address 0x5
oh no: Bun has crashed. This indicates a bug in Bun, not your code.

To send a redacted crash report to Bun's team,
please file a GitHub issue using the link below:

 https://bun.report/1.1.7/la1b0b7db5AiggggE+0kw+DA2AK

[1]    32044 illegal hardware instruction  bun --run --print "console.log('%i %i', [1,2,3,4,5])"

Stack Trace (bun.report)

Bun v1.1.7 (b0b7db5) on linux x86_64 [AutoCommand]

Segmentation fault at address 0x00000011

Features: jsc, fetch, tsconfig

Jarred-Sumner commented 1 week ago

Looks like we are accessing remaining_values[0] when remaining_values.len == 0

Debug stack trace:

https://github.com/oven-sh/bun/blob/288b540621467f5ce03f405b56c72909de88a76a/src/bun.js/ConsoleObject.zig#L1272-L1284

Debug logs:

src.bun.js.ConsoleObject.Formatter.writeWithFormatting__anon_197969 (/Users/jarred/Code/bun/src/bun.js/ConsoleObject.zig:1278)
src.bun.js.ConsoleObject.Formatter.printAs__anon_160628 (/Users/jarred/Code/bun/src/bun.js/ConsoleObject.zig:1873)
src.bun.js.ConsoleObject.Formatter.format__anon_124340 (/Users/jarred/Code/bun/src/bun.js/ConsoleObject.zig:3115)
src.bun.js.ConsoleObject.format2__anon_124341 (/Users/jarred/Code/bun/src/bun.js/ConsoleObject.zig:805)
Bun__ConsoleObject__messageWithTypeAndLevel (/Users/jarred/Code/bun/src/bun.js/ConsoleObject.zig:200)
Bun::ConsoleObject::messageWithTypeAndLevel(JSC::MessageType, JSC::MessageLevel, JSC::JSGlobalObject*, WTF::Ref<Inspector::ScriptArguments, WTF::RawPtrTraits<Inspector::ScriptArguments>, WTF::DefaultRefDerefTraits<Inspector::ScriptArguments>>&&) (/Users/jarred/Code/bun/src/bun.js/bindings/ConsoleObject.cpp:59)
JSC::ConsoleClient::internalMessageWithTypeAndLevel(JSC::MessageType, JSC::MessageLevel, JSC::JSGlobalObject*, WTF::Ref<Inspector::ScriptArguments, WTF::RawPtrTraits<Inspector::ScriptArguments>, WTF::DefaultRefDerefTraits<Inspector::ScriptArguments>>&&, JSC::ConsoleClient::ArgumentRequirement) (@JSC::consoleLogWithLevel(JSC::JSGlobalObject*, JSC::CallFrame*, JSC::MessageLevel):33)
JSC::ConsoleClient::logWithLevel(JSC::JSGlobalObject*, WTF::Ref<Inspector::ScriptArguments, WTF::RawPtrTraits<Inspector::ScriptArguments>, WTF::DefaultRefDerefTraits<Inspector::ScriptArguments>>&&, JSC::MessageLevel) (@JSC::consoleLogWithLevel(JSC::JSGlobalObject*, JSC::CallFrame*, JSC::MessageLevel):25)
JSC::consoleLogWithLevel(JSC::JSGlobalObject*, JSC::CallFrame*, JSC::MessageLevel) (@JSC::consoleLogWithLevel(JSC::JSGlobalObject*, JSC::CallFrame*, JSC::MessageLevel):25)
11589C03C (@11589c03c..11589c0bc:3)
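Added example (not Bun's code, and not the Zig path linked above): a minimal JavaScript formatter modelled on the documented behaviour of Node's util.format, showing the bounds check the crashing path lacked. When format specifiers outnumber arguments, the surplus specifier is emitted literally instead of reading the next (non-existent) argument. The names formatArgs and formatOne are hypothetical; the leftover-argument rendering (JSON.stringify for objects) is a simplification of Node's inspect.

```javascript
// Format a single consumed argument for one specifier (mirrors Node's
// documented rules: %i uses parseInt, %d uses Number, %s uses String).
function formatOne(spec, value) {
  const isSym = typeof value === "symbol";
  switch (spec) {
    case "s": return String(value);
    case "d": return isSym ? "NaN" : String(Number(value));
    case "i": return isSym ? "NaN" : String(parseInt(value, 10));
    case "f": return isSym ? "NaN" : String(parseFloat(value));
    case "j": case "o": case "O": return JSON.stringify(value);
    case "c": return ""; // CSS specifier: argument consumed, nothing printed
    default: return "%" + spec;
  }
}

// console.log-style formatting with an explicit "is there an argument
// left?" check before every specifier consumes one.
function formatArgs(fmt, ...args) {
  let out = "";
  let next = 0; // index of the next unconsumed argument
  for (let i = 0; i < fmt.length; i++) {
    const ch = fmt[i];
    if (ch !== "%" || i + 1 >= fmt.length) { out += ch; continue; }
    const spec = fmt[i + 1];
    if (spec === "%") { out += "%"; i++; continue; } // "%%" -> "%"
    if (!"sdifjoOc".includes(spec)) { out += ch; continue; }
    // The check the crash report describes as missing: with zero
    // remaining arguments the specifier is copied through literally
    // rather than indexing remaining_values[0] on an empty list.
    if (next >= args.length) { out += ch; continue; }
    out += formatOne(spec, args[next++]);
    i++; // skip the specifier letter
  }
  // Arguments beyond the last specifier are appended, space-separated.
  for (; next < args.length; next++) {
    const a = args[next];
    out += " " + (typeof a === "object" && a !== null ? JSON.stringify(a) : String(a));
  }
  return out;
}
```

Note that parseInt([1,2,3,4,5], 10) is 1 (the array stringifies to "1,2,3,4,5"), so the reproducer's expected output under these semantics is "1 %i".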