AddressSanitizer: stack-overflow at ast_selectors.cpp:1473

[hongxuchen]

input.scss

0000,:G(:G(*))[e=""]{g:0;l:0;@extend*,0000}

Actual results

sassc crashes with segfault (regular compilation) or stack-overflow messages (AddressSanitizer).

AddressSanitizer:DEADLYSIGNAL
=================================================================
==25779==ERROR: AddressSanitizer: stack-overflow on address 0x7fffff7feff8 (pc 0x0000004cf941 bp 0x000000000028 sp 0x7fffff7ff000 T0)
    #0 0x4cf940 in __asan::GetCurrentThread() (/home/hongxu/FOT/libsass/sassc-fuzz/install/bin/sassc+0x4cf940)
    #1 0x41d2c4 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (/home/hongxu/FOT/libsass/sassc-fuzz/install/bin/sassc+0x41d2c4)
    #2 0x41de49 in __asan::asan_memalign(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) (/home/hongxu/FOT/libsass/sassc-fuzz/install/bin/sassc+0x41de49)
    #3 0x4f2d4c in operator new(unsigned long) (/home/hongxu/FOT/libsass/sassc-fuzz/install/bin/sassc+0x4f2d4c)
    #4 0x7ffff6de37e7 in __gnu_cxx::new_allocator<Sass::SharedImpl<Sass::Complex_Selector> >::allocate(unsigned long, void const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/ext/new_allocator.h:111:27
    #5 0x7ffff6de37e7 in std::allocator_traits<std::allocator<Sass::SharedImpl<Sass::Complex_Selector> > >::allocate(std::allocator<Sass::SharedImpl<Sass::Complex_Selector> >&, unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/alloc_traits.h:436
    #6 0x7ffff6de37e7 in std::_Vector_base<Sass::SharedImpl<Sass::Complex_Selector>, std::allocator<Sass::SharedImpl<Sass::Complex_Selector> > >::_M_allocate(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_vector.h:172
    #7 0x7ffff6de37e7 in std::_Vector_base<Sass::SharedImpl<Sass::Complex_Selector>, std::allocator<Sass::SharedImpl<Sass::Complex_Selector> > >::_M_create_storage(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_vector.h:187
    #8 0x7ffff6de37e7 in std::_Vector_base<Sass::SharedImpl<Sass::Complex_Selector>, std::allocator<Sass::SharedImpl<Sass::Complex_Selector> > >::_Vector_base(unsigned long, std::allocator<Sass::SharedImpl<Sass::Complex_Selector> > const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_vector.h:138
    #9 0x7ffff6de37e7 in std::vector<Sass::SharedImpl<Sass::Complex_Selector>, std::allocator<Sass::SharedImpl<Sass::Complex_Selector> > >::vector(std::vector<Sass::SharedImpl<Sass::Complex_Selector>, std::allocator<Sass::SharedImpl<Sass::Complex_Selector> > > const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_vector.h:327
    #10 0x7ffff6de37e7 in Sass::Vectorized<Sass::SharedImpl<Sass::Complex_Selector> >::Vectorized(Sass::Vectorized<Sass::SharedImpl<Sass::Complex_Selector> > const&) /home/hongxu/FOT/libsass/libsass-fuzz/src/./ast.hpp:222
    #11 0x7ffff6de37e7 in Sass::Selector_List::Selector_List(Sass::Selector_List const*) /home/hongxu/FOT/libsass/libsass-fuzz/src/ast_selectors.cpp:1266
    #12 0x7ffff6d79fff in Sass::Selector_List::copy() const /home/hongxu/FOT/libsass/libsass-fuzz/src/ast_selectors.cpp:1473:3
    #13 0x7ffff6d79fff in Sass::Selector_List::clone() const /home/hongxu/FOT/libsass/libsass-fuzz/src/ast_selectors.cpp:1473
...
...
...
    #399 0x7ffff6d7a007 in Sass::Selector_List::clone() const /home/hongxu/FOT/libsass/libsass-fuzz/src/ast_selectors.cpp:1473:3
    #400 0x7ffff6d7a007 in Sass::Wrapped_Selector::cloneChildren() /home/hongxu/FOT/libsass/libsass-fuzz/src/ast_selectors.cpp:394
    #401 0x7ffff6def2f9 in Sass::Wrapped_Selector::clone() const /home/hongxu/FOT/libsass/libsass-fuzz/src/ast_selectors.cpp:1472:3
    #402 0x7ffff6d82385 in Sass::Compound_Selector::cloneChildren() /home/hongxu/FOT/libsass/libsass-fuzz/src/ast_selectors.cpp:458:15
    #403 0x7ffff6ddfc67 in Sass::Compound_Selector::clone() const /home/hongxu/FOT/libsass/libsass-fuzz/src/ast_selectors.cpp:1466:3
    #404 0x7ffff6ddfc67 in Sass::Complex_Selector::cloneChildren() /home/hongxu/FOT/libsass/libsass-fuzz/src/ast_selectors.cpp:1240
    #405 0x7ffff6de05da in Sass::Complex_Selector::clone() const /home/hongxu/FOT/libsass/libsass-fuzz/src/ast_selectors.cpp:1467:3
    #406 0x7ffff6de05da in Sass::Complex_Selector::cloneChildren() /home/hongxu/FOT/libsass/libsass-fuzz/src/ast_selectors.cpp:1241
    #407 0x7ffff6de6626 in Sass::Complex_Selector::clone() const /home/hongxu/FOT/libsass/libsass-fuzz/src/ast_selectors.cpp:1467:3
    #408 0x7ffff6de6626 in Sass::Selector_List::cloneChildren() /home/hongxu/FOT/libsass/libsass-fuzz/src/ast_selectors.cpp:1303
    #409 0x7ffff6d7a007 in Sass::Selector_List::clone() const /home/hongxu/FOT/libsass/libsass-fuzz/src/ast_selectors.cpp:1473:3
    #410 0x7ffff6d7a007 in Sass::Wrapped_Selector::cloneChildren() /home/hongxu/FOT/libsass/libsass-fuzz/src/ast_selectors.cpp:394
    #411 0x7ffff6def2f9 in Sass::Wrapped_Selector::clone() const /home/hongxu/FOT/libsass/libsass-fuzz/src/ast_selectors.cpp:1472:3

SUMMARY: AddressSanitizer: stack-overflow (/home/hongxu/FOT/libsass/sassc-fuzz/install/bin/sassc+0x4cf940) in __asan::GetCurrentThread()
==25779==ABORTING

version info:

$ sassc --version
sassc: 3.4.8-14-g3f84
libsass: 3.5.2-192-gf2db
sass2scss: 1.1.1
sass: 3.5

More detailed information is available here.

[nschonni]

Maybe this is still reproducable, but you're running this against older versions of both SassC and libsass that wouldn't be patched if it's not reproducable against the current master version

[hongxuchen]

@nschonni I think I was using the HEAD versions of both sassc and libsass, as the git HEAD commits are f2db0488 and https://github.com/sass/sassc/commit/3f84e2358019dab2fdba5fe1fc0ecff23aa24608 which match gf2db and g3f84 suffixes however I'm not sure why the exact versions are reported differently as 3.5.2-192-gf2db and 3.4.8-14-g3f84.

[glebm]

Reproducible on master

[glebm]

Minimal example:

a, :b(:b(*)) {
  v: 1;
  @extend *;
}

[hongxuchen]

@glebm I added some more POC files here; most of them crashes with different backtraces.

[glebm]

Unfortunately I don't understand the extend / weave code at all so I can't fix these. I think that part of libsass may need a complete rewrite (perhaps using the Dart implementation as reference).

@mgreter had a work-in-progress rewrite for the extend / weave stuff but it's not complete (I "rebased" (manually forward-ported) his WIP branch in #2877).