Open
Description
Environment
Ubuntu 16
PoC
// Reproducer for a segmentation fault in the ChakraCore `ch` host (see the gef
// trace below: the faulting frame is
// Js::InterpreterStackFrame::ProfiledLoopBodyStart<false, true> with
// loopNumber=0x7fff). The random identifiers and dead branches look
// fuzzer-generated; keep the statement order exactly as given, since the
// crash presumably depends on the bytecode/profiling state it produces.
// NOTE(review): `n`, `Check`, `MPKY`, `rjwX` and `Ctor` are never defined in
// this snippet. Some are only on dead paths (see comments), but the
// unconditional `Check(...)` call would throw a ReferenceError unless the host
// defines it - confirm how far execution actually gets before the fault.
// NOTE(review): loopNumber=0x7fff in the trace looks like a sentinel or
// out-of-range loop index; worth comparing against the function's actual loop
// count during triage.
let x = 0.36372190667658666;
// -2147483648 >= 10000 is false, so x becomes the boolean false.
x = -2147483648 >= 10000;
// Adds a property literally named "undefined" to script-scope `this`.
this.undefined = 4660;
// Fractional start value: i is never an integer, so the computed property keys
// below are plain strings rather than array-index-like names.
for (let i = 0.5476849378778557; i < 628; i++) {
  this['1' + ('1' + i + i) + i] = 515;
  // 100000 iterations of a no-op `void` expression; presumably present to
  // drive loop profiling/JIT of this body - confirm.
  for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
    var RCee = void -9007199254740994;
  }
  // Dead loop: '0.1' + i + i is a string with two decimal points, which
  // coerces to NaN, so the condition is always false and the undefined
  // identifier `n` is never evaluated.
  for (var ijjkkk = 0; '0.1' + i + i >= 9007199254740992; ++ijjkkk) {
    x = -4294967295 >>> 9007199254740991;
    var GaYC = JSON;
    var mAFy = n;
  }
  this[i] = 1;
  var YAAj = new Int16Array([]);
  var dfde = Proxy;
  // Legacy accessor API; the key is the literal string '(new Boolean(true))'.
  this.__defineSetter__('(new Boolean(true))', () => {
  });
  var JmYY = Date;
  var McnR = x - 10000;
}
// x is still the boolean false here (the only other assignment is inside the
// dead loop above), so this comparison is false as well.
x = x >= 9007199254740992;
// parseInt('') is NaN.
var wRBd = parseInt('');
// `Check` is not defined in this snippet.
Check('0.1', () => {
});
for (let i = 544; i < 628; i++) {
  // Expando properties on the JSON built-in object.
  JSON['1' + ('0.1' + i + i) + i] = 1;
  this[i] = 1;
  // JSON.parse(null) parses the string "null" and returns null.
  JSON.parse(null);
  this.__defineSetter__('', () => {
  });
  var YAAj = new Int16Array([]);
  // `MPKY` is not defined in this snippet.
  MPKY.__defineSetter__('v1', () => {
  });
  // WeakSet entries must be objects; these numeric primitives would throw a
  // TypeError if this line were reached.
  var bGcs = new WeakSet([
    268435456,
    5,
    2147483647
  ]);
  // `rjwX` is not defined in this snippet.
  var McnR = (rjwX >>> 9007199254740991) - 10000;
  var Xdmj = JSON.stringify(1073741824);
  var YAAj = new Int16Array([]);
}
// x is false, so this loop body never runs.
for (var ijjkkk = 0; x >= 9007199254740992; ++ijjkkk) {
  this.undefined;
}
// `Ctor` is not defined in this snippet.
Ctor('(void 0)', () => {
});
this.undefined;
Output
Command-line output
Segmentation fault (core dumped)
gef output
0x555555e2b3f2 <void+0> pop r14
0x555555e2b3f4 <void+0> pop r15
0x555555e2b3f6 <void+0> pop rbp
→ 0x555555e2b3f7 <void+0> ret
[!] Cannot disassemble from $PC
─────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "ch", stopped 0x555555e2b3f7 in Js::InterpreterStackFrame::ProfiledLoopBodyStart<false, true> (), reason: SIGSEGV
[#1] Id 2, Name: "ch", stopped 0x7ffff73d1709 in pthread_cond_timedwait@@GLIBC_2.3.2 (), reason: SIGSEGV
[#2] Id 3, Name: "ch", stopped 0x7ffff73d1709 in pthread_cond_timedwait@@GLIBC_2.3.2 (), reason: SIGSEGV
[#3] Id 4, Name: "ch", stopped 0x7ffff73d1709 in pthread_cond_timedwait@@GLIBC_2.3.2 (), reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x555555e2b3f7 → Js::InterpreterStackFrame::ProfiledLoopBodyStart<false, true>(this=<optimized out>, loopNumber=0x7fff, layoutSize=<optimized out>, isFirstIteration=<optimized out>)