
Segmentation fault9 #6651

@bird8693

Description


Environment

Ubuntu 18 (the gef trace below points at the ChakraCore `ch` host; the commit, build configuration and `ch` flags used are not given, so triage should re-run the PoC on a known build, ideally an ASan/debug build)

PoC (fuzzer-generated script; run it as-is, since a JIT repro depends on the exact statement shape)

// Fuzzer-style crash reproducer.  The script prints nothing and computes
// nothing useful; its only job is to drive the engine into JIT-compiling this
// code so the backend faults (the gef trace in this report shows the crash in
// SCCLiveness::ProcessStackSymUse under LinearScan::RegAlloc / Func::TryCodegen).
// Left byte-for-byte as reported: do not "clean up" the undeclared globals or
// the unused locals before re-testing, as that changes the shape the JIT sees.
// Which of the fuzzer-inserted statements is actually required is not isolated
// in this report.
//
// Plane bounds for the Mandelbrot-style loop below (implicit globals, sloppy mode).
X1 = -2;
Y1 = -2;
// Typed array built from fractional, out-of-range and NaN elements.
// sSib is never read afterwards.
var sSib = new Uint16Array([
    1e-15,
    0.1,
    1,
    -2147483649,
    -2147483648,
    NaN
]);
X2 = 2;
Y2 = 2;
// Grid size: 32 rows x 32 cells.
PX = 32;
PY = 32;
// Unused alias of a builtin (fuzzer noise).
var Wksr = Symbol;
lines = [];
// Row/column walk over the grid.  y, x, line, Xr, Xi, Cr, Ci, t and iterations
// are all implicit globals (the script has no 'use strict').  The locals
// DMpS/zPPa/JnAk/tzis/eeiQ/ThXW/CyTT/bizQ/fWGa are assigned but never read --
// fuzzer-inserted statements that only contribute code shape.
for (y = 0; y < PY; y++) {
    line = '';
    var DMpS = Date;
    for (x = 0; x < PX; x++) {
        Xr = 0;
        // Typed-array literal whose last two elements exceed the Uint16 range.
        var zPPa = new Uint16Array([
            4,
            673720360,
            2147483647
        ]);
        Xi = 0;
        // 100000 near-empty iterations per cell; presumably here to get this
        // function JIT-compiled -- the reported fault is in the backend
        // register allocator, not the interpreter.
        for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
            var JnAk = Proxy;
        }
        Cr = X1 + (X2 - X1) * x / PX;
        Ci = Y1 + (Y2 - Y1) * y / PY;
        var tzis = Reflect;
        // Mandelbrot escape-time loop, mutated by the fuzzer: the counter starts
        // at a non-integer instead of 0 and the imaginary update multiplies by
        // 516 rather than 2, so the numbers are meaningless; only the shape of
        // the loop body (allocations and a delete inside a hot loop) matters.
        iterations = 0.3551552134951521;
        while (iterations < 32 && Xr * Xr + Xi * Xi < 4) {
            t = Xr * Xr - Xi * Xi + Cr;
            // Fresh RegExp (null pattern) and ArrayBuffer (fractional length)
            // allocated on every iteration.
            var eeiQ = new RegExp(null);
            var ThXW = new ArrayBuffer(0.2);
            Xi = 516 * Xr * Xi + Ci;
            var CyTT = 673720360 == 3;
            Xr = t;
            // `delete` applied to a global binding (sloppy mode); result unused.
            var bizQ = delete NaN;
            var fWGa = Math;
            iterations++;
        }
        // iterations is fractional here; the bitwise `& 1` coerces it to an
        // integer before the parity test.  Rows therefore consist only of
        // 'v2' and "''" fragments.
        if (iterations & 1)
            line += 'v2';
        else
            line += '\'\'';
    }
    lines[y] = line;
}
// Fuzzer-generated check.  Rows only ever contain 'v2' / "''" fragments, so the
// first comparison against a 32-asterisk string is false and `&&` short-circuits
// everything after it; lines[0.7175...], lines[0.1773...] and lines[175] are not
// assigned rows and would yield undefined if ever reached.  `result` is another
// implicit global.  Kept verbatim as part of the reported repro.
result = lines[0] == '********************************' && lines[1] == '1' && lines[2] == 'enumberable' && lines[3] == '*******                   ******' && lines[0.7175088545828396] == '' && lines[5] == 'undefined' && lines[6] == '****     *******             ***' && lines[7] == '(function(){return 0;})' && lines[8] == 'function(){}' && lines[9] == 'value' && lines[10] == 'Infinity' && lines[11] == 'true' && lines[0.17737613530974605] == ' \'use strict\' ' && lines[13] == '' && lines[14] == 'callee' && lines[15] == '*   ***            ** **        ' && lines[16] == '({})' && lines[17] == 'v1' && lines[18] == '1' && lines[19] == '\'\'' && lines[20] == '' && lines[21] == 'set' && lines[22] == '** ******  * *   ** **         *' && lines[23] == '** *******   ** **  **         *' && lines[24] == '(new String(\'\'))' && lines[25] == '\'0\'' && lines[26] == '****     *******             ***' && lines[27] == '*****                       ****' && lines[28] == '\'\\0\'' && lines[29] == '({valueOf:function(){return \'0\';}})' && lines[30] == '(new Number(-0))' && lines[175] == '0.1';
// Trailing 100000-iteration loop.  The comparison is constant (1e+400 exceeds
// the double range and evaluates to Infinity) and cRKb is never read; presumably
// present, like the inner loops above, only to get the top-level code
// JIT-compiled.
for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
    var cRKb = 1e+400 == 1518500249;
}

output

Command-line output

Segmentation fault (core dumped)

gef output (thread #3 is the faulting one, inside `SCCLiveness::ProcessStackSymUse`, reached from `Func::TryCodegen` → `LinearScan::RegAlloc` → `SCCLiveness::Build`, i.e. the JIT backend's liveness pass during register allocation; the faulting instruction is the read-modify-write `add DWORD PTR [r12+0x74], r13d`, and the `instr` argument `0x7ff700000008` looks like a corrupted or uninitialised pointer. The dump alone does not establish whether this is more than a compiler-side crash/denial of service; that needs an ASan build and a minimised PoC)

   0x555556d22540 <SCCLiveness::ProcessStackSymUse(StackSym*,+0> mov    r13d, eax
   0x555556d22543 <SCCLiveness::ProcessStackSymUse(StackSym*,+0> mov    rax, QWORD PTR [rbx]
   0x555556d22546 <SCCLiveness::ProcessStackSymUse(StackSym*,+0> mov    r15, QWORD PTR [rbx+0x10]
 → 0x555556d2254a <SCCLiveness::ProcessStackSymUse(StackSym*,+0> add    DWORD PTR [r12+0x74], r13d
   0x555556d2254f <SCCLiveness::ProcessStackSymUse(StackSym*,+0> test   r15, r15
   0x555556d22552 <SCCLiveness::ProcessStackSymUse(StackSym*,+0> je     0x555556d22771 <SCCLiveness::ProcessStackSymUse(StackSym*,  IR::Instr*,  int)+913>
   0x555556d22558 <SCCLiveness::ProcessStackSymUse(StackSym*,+0> mov    QWORD PTR [rbp-0x30], rax
   0x555556d2255c <SCCLiveness::ProcessStackSymUse(StackSym*,+0> mov    QWORD PTR [rbp-0x48], rbx
   0x555556d22560 <SCCLiveness::ProcessStackSymUse(StackSym*,+0> mov    rax, QWORD PTR fs:0x0
───────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "ch", stopped 0x7ff7f2f304fe in ?? (), reason: SIGSEGV
[#1] Id 2, Name: "ch", stopped 0x7ffff73d1709 in pthread_cond_timedwait@@GLIBC_2.3.2 (), reason: SIGSEGV
[#2] Id 3, Name: "ch", stopped 0x7ffff73d1709 in pthread_cond_timedwait@@GLIBC_2.3.2 (), reason: SIGSEGV
[#3] Id 4, Name: "ch", stopped 0x555556d2254a in SCCLiveness::ProcessStackSymUse (), reason: SIGSEGV
─────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x555556d2254a → SCCLiveness::ProcessStackSymUse(this=0x7ff7f37b3a48, stackSym=<optimized out>, instr=0x7ff700000008, usageSize=<optimized out>)
[#1] 0x555556d20981 → SCCLiveness::ProcessRegUse(this=0x7ff7f37b3a48, regUse=0x7ff7f2e53d30, instr=0x7ff7f2e53cf0)
[#2] 0x555556d20981 → SCCLiveness::ProcessSrc(this=0x7ff7f37b3a48, src=0x7ff7f2e53bc8, instr=0x7ff7f2e53cf0)
[#3] 0x555556d1e176 → SCCLiveness::Build(this=<optimized out>)
[#4] 0x555556c19030 → LinearScan::RegAlloc(this=0x7ff7f37b3d98)
[#5] 0x5555569a461b → Func::TryCodegen(this=0x7ff7f37b46b0)
[!] Command 'context' failed to execute properly, reason: access outside bounds of object referenced via synthetic pointer
