Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NULL dereference in scanner_reverse_info_list #3786

Closed
nszetei opened this issue May 23, 2020 · 0 comments · Fixed by #3793
Closed

NULL dereference in scanner_reverse_info_list #3786

nszetei opened this issue May 23, 2020 · 0 comments · Fixed by #3793
Assignees
@rerobika
Labels
bug Undesired behaviour

Comments

@nszetei
Copy link

nszetei commented May 23, 2020

JerryScript revision

6cd309b

Build platform

Ubuntu 20.04 LTS (Linux 5.4.0-31-generic x86_64)

Build steps
python tools/build.py --profile=es2015-subset --lto=off --compile-flag=-g \
--error-messages=on --debug --compile-flag=-g --strip=off --logging=on \
 --compile-flag=-fsanitize=address --stack-limit=15
Test case
function main() {
var v2 = new Float64Array(63797);
var v4 = "d".constructor;
var v6 = [1337,1337,1337,1337];
var v7 = [];
var v8 = {constructor:v6,a:v7};
var v9 = v8.a;
var v12 = 0;
v9.toString = v4;
var v14 = new Int16Array();
do {
    function v16(v17,v18,v19) {
        'use strict'
        var v20 = Int16Array.toLocaleString();
        var v22 = eval(v20);
    }
    var v24 = new Promise(v16);
    var v25 = v12 + 1;
    v12 = v25;
    v7[v25] = v14;
} while (v12 < 1337);
}
main();
Output
$ build/bin/jerry test.js
AddressSanitizer:DEADLYSIGNAL
=================================================================
==434582==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x55af4dd3f2b0 bp 0x7ffc7e016ab0 sp 0x7ffc7e016a80 T0)
==434582==The signal is caused by a READ memory access.
==434582==Hint: address points to the zero page.
    #0 0x55af4dd3f2af in scanner_reverse_info_list /tmp/jerryscript/jerry-core/parser/js/js-scanner-util.c:1557
    #1 0x55af4dd5150a in scanner_scan_all /tmp/jerryscript/jerry-core/parser/js/js-scanner.c:3217
    #2 0x55af4dd34f5e in parser_parse_source /tmp/jerryscript/jerry-core/parser/js/js-parser.c:2084
    #3 0x55af4dd38d76 in parser_parse_script /tmp/jerryscript/jerry-core/parser/js/js-parser.c:2697
..
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/jerryscript/jerry-core/parser/js/js-scanner-util.c:1557 in scanner_reverse_info_list
==434582==ABORTING

$ gdb -q -nx build/bin/jerry -ex 'r test.js'

Program received signal SIGSEGV, Segmentation fault.
0x00005555556422b0 in scanner_reverse_info_list (context_p=0x7fffffffca20) at /tmp/jerryscript/jerry-core/parser/js/js-scanner-util.c:1557
1557	  if (scanner_info_p->type == SCANNER_TYPE_END)
(gdb) x/i $rip
=> 0x5555556422b0 <scanner_reverse_info_list+133>:	movzbl 0x10(%rax),%eax
(gdb) i r rax
rax            0x0                 0
rerobika added a commit to rerobika/jerryscript that referenced this issue May 25, 2020
@rerobika
Fix error handling in scanner when in case of OOM
889b576 
This patch fixes jerryscript-project#3786 and fixes jerryscript-project#3788.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu
@rerobika rerobika mentioned this issue May 25, 2020
Merged
@rerobika rerobika self-assigned this May 25, 2020
rerobika added a commit to rerobika/jerryscript that referenced this issue May 26, 2020
@rerobika
Fix error handling in scanner when in case of OOM
f198b39 
This patch fixes jerryscript-project#3786 and fixes jerryscript-project#3788.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu
@rerobika rerobika added the bug Undesired behaviour label May 26, 2020
rerobika added a commit to rerobika/jerryscript that referenced this issue May 26, 2020
@rerobika
Fix error handling in scanner when in case of OOM
f8cca5a 
This patch fixes jerryscript-project#3786 and fixes jerryscript-project#3788.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu
rerobika added a commit to rerobika/jerryscript that referenced this issue May 27, 2020
@rerobika
Fix error handling in scanner when in case of OOM
2de1838 
This patch fixes jerryscript-project#3786 and fixes jerryscript-project#3788.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu
rerobika added a commit to rerobika/jerryscript that referenced this issue May 27, 2020
@rerobika
Fix error handling in scanner when in case of OOM
b4873d0 
This patch fixes jerryscript-project#3786 and fixes jerryscript-project#3788.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu
rerobika added a commit that referenced this issue May 27, 2020
@rerobika
Fix error handling in scanner when in case of OOM (#3793)
69f8e78 
This patch fixes #3786 and fixes #3788.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rerobika rerobika

Labels
bug Undesired behaviour
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix error handling in scanner in case of OOM rerobika/jerryscript
2 participants
@rerobika @nszetei