Integer overflow for vector capacity in Hermes #1033
Labels
bug
Something isn't working
Comments
|
Thank you for reporting this. The correct behavior would indeed be to throw a JS range exception. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Bug Description
When hermes run test.js, it crashed.
In hermes/external/llvh/lib/Support/SmallVector.cpp:43 SmallVectorBase::grow_pod, capacity is overflowed and caught by LLVM.
This bug is in both debug or release mode, and hermes crashed on both Linux and MacOS.
Hermes version: 6c52709
React Native version (if any):
OS version (if any): MacOS, Linux
Platform: x64
Steps To Reproduce
code example:
========test.js==========
var largeNum = 500000;
var summary = 'I once was lost but now I am found.';
var replaceValue = function (matchStr, matchStart) {
return "$`".repeat(largeNum).padEnd(largeNum * matchStart, summary);
};
var result = summary.replace('found', replaceValue);
result = result.replace('found', result);
=======================
The Expected Behavior
Throw an exception instead of crashing.
Backtrace:
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140064841960320) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=140064841960320) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=140064841960320, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x00007f6364ecc476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x00007f6364eb27f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x00005598c75cb2c9 in llvh::report_bad_alloc_error (Reason=0x5598c7cad220 "SmallVector capacity overflow during allocation", GenCrashDiag=true) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/external/llvh/lib/Support/ErrorHandling.cpp:174
#6 0x00005598c75e4c04 in llvh::SmallVectorBase::grow_pod (this=0x7ffd8d632470, FirstEl=0x7ffd8d632480, MinCapacity=4097237655, TSize=2) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/external/llvh/lib/Support/SmallVector.cpp:54
#7 0x00005598c7630228 in llvh::SmallVectorTemplateCommon<char16_t, void>::grow_pod (this=0x7ffd8d632470, MinCapacity=4097237655, TSize=2) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/external/llvh/include/llvh/ADT/SmallVector.h:105
#8 0x00005598c762c37a in llvh::SmallVectorTemplateBase<char16_t, true>::grow (this=0x7ffd8d632470, MinSize=4097237655) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/external/llvh/include/llvh/ADT/SmallVector.h:317
#9 0x00005598c76f2c0f in llvh::SmallVectorImpl<char16_t>::append<char16_t const*, void> (this=0x7ffd8d632470, in_start=0x7f635e92a010 u"I once was lost but now I am ..., in_end=0x7f635eb12504 u"found.I once was lost but now I am found.I once was lost but now I am found.I once was lost but now I am found.I once was lost but now I am found.I once was lost but now I am found.I once was lost but"...) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/external/llvh/include/llvh/ADT/SmallVector.h:408
#10 0x00005598c77c3e8b in hermes::vm::StringView::getUTF16Ref (this=0x7ffd8d6324c0, allocator=..., alwaysCopy=true) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/VM/StringView.cpp:29
#11 0x00005598c783615e in hermes::vm::StringView::appendUTF16String (this=0x7ffd8d6324c0, allocator=...) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/include/hermes/VM/StringView.h:338
#12 0x00005598c786c345 in hermes::vm::getSubstitution (runtime=..., matched=..., str=..., position=1000058, captures=..., namedCaptures=..., replacement=...) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/VM/JSLib/RegExp.cpp:988
#13 0x00005598c785add9 in hermes::vm::stringPrototypeReplace (runtime=..., args=...) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/VM/JSLib/String.cpp:2069
#14 0x00005598c761fae9 in hermes::vm::NativeFunction::_nativeCall (self=0x34fe827f3850, runtime=...) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/include/hermes/VM/Callable.h:507
#15 0x00005598c768f100 in hermes::vm::Interpreter::handleCallSlowPath (runtime=..., callTarget=0x7f6362265058) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/VM/Interpreter.cpp:274
#16 0x00005598c7695683 in hermes::vm::Interpreter::interpretFunction<false, false> (runtime=..., state=...) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/VM/Interpreter.cpp:1600
#17 0x00005598c76919e0 in hermes::vm::Runtime::interpretFunctionImpl (this=0x34fe81c00000, newCodeBlock=0x5598c8af5810) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/VM/Interpreter.cpp:825
#18 0x00005598c7691a68 in hermes::vm::Runtime::interpretFunction (this=0x34fe81c00000, newCodeBlock=0x5598c8af5810) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/VM/Interpreter.cpp:833
#19 0x00005598c776c813 in hermes::vm::Runtime::runBytecode (this=0x34fe81c00000, bytecode=..., flags=..., sourceURL=..., environment=..., thisArg=...) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/VM/Runtime.cpp:1064
#20 0x00005598c7764852 in hermes::vm::Runtime::runBytecode (this=0x34fe81c00000, bytecode=..., runtimeModuleFlags=..., sourceURL=..., environment=...) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/include/hermes/VM/Runtime.h:277
#21 0x00005598c7928a98 in hermes::(anonymous namespace)::executeHBCBytecodeImpl (bytecode=..., options=..., filename=0x7ffd8d633d98) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/ConsoleHost/ConsoleHost.cpp:331
#22 0x00005598c7928fa9 in operator() (__closure=0x7ffd8d6335c0) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/ConsoleHost/ConsoleHost.cpp:417
#23 0x00005598c7929664 in hermes::(anonymous namespace)::maybeCatchException<hermes::executeHBCBytecode(std::shared_ptrhermes::hbc::BCProviderBase&&, const hermes::ExecuteOptions&, const string*)::<lambda()> >(const struct {...} &) (f=...) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/ConsoleHost/ConsoleHost.cpp:253
#24 0x00005598c7928ffd in hermes::executeHBCBytecode (bytecode=..., options=..., filename=0x7ffd8d633d98) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/ConsoleHost/ConsoleHost.cpp:416
#25 0x00005598c7592474 in executeHBCBytecodeFromCL (bytecode=std::unique_ptrhermes::hbc::BCProviderBase = {...}, info=...) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/tools/hermes/hermes.cpp:131
#26 0x00005598c7592b2c in main (argc=2, argv=0x7ffd8d634018) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/tools/hermes/hermes.cpp:204
#27 0x00007f6364eb3d90 in __libc_start_call_main (main=main@entry=0x5598c7592952 <main(int, char**)>, argc=argc@entry=2, argv=argv@entry=0x7ffd8d634018) at ../sysdeps/nptl/libc_start_call_main.h:58
#28 0x00007f6364eb3e40 in __libc_start_main_impl (main=0x5598c7592952 <main(int, char**)>, argc=2, argv=0x7ffd8d634018, init=, fini=, rtld_fini=, stack_end=0x7ffd8d634008) at ../csu/libc-start.c:392
#29 0x00005598c758f4d5 in _start ()
The text was updated successfully, but these errors were encountered: