SEVG in ecma_deref_bigint #4402

Closed
owl337 opened this issue Jan 2, 2021 · 0 comments · Fixed by #4421
Assignees
Labels
bug Undesired behaviour ecma builtins Related to ECMA built-in routines ES.next Related to ES2015+ features

Comments

@owl337

owl337 commented Jan 2, 2021

JerryScript revision

2faafa4

Build platform

Ubuntu 18.04.5 LTS (Linux 4.15.0-119-generic x86_64)

Build steps

```sh
./tools/build.py --clean --debug --compile-flag=-fsanitize=address \
--compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer \
--compile-flag=-fno-common --compile-flag=-g --strip=off \
--system-allocator=on --logging=on --linker-flag=-fuse-ld=gold \
--error-messages=on --profile=es2015-subset  --builddir=$PWD/build
```

Test case

```js
var p = new Proxy(Function(), { get: function closure() { eval("o.p.y"); delete closure; return closure == arguments.callee && !(new String(undefined)); }});
Function.prototype.bind.call(p);
```

Output

```
ReferenceError: o is not defined
ASAN:DEADLYSIGNAL
=================================================================
==24756==ERROR: AddressSanitizer: SEGV on unknown address 0xbebebeb8 (pc 0x56782398 bp 0xff8c72d8 sp 0xff8c72b0 T0)
==24756==The signal is caused by a READ memory access.
    #0 0x56782397 in ecma_deref_bigint /root/jerryscript/jerry-core/ecma/base/ecma-helpers.c:1264
    #1 0x5677d2c5 in ecma_free_value /root/jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:1147
    #2 0x567c10fc in ecma_gc_free_object /root/jerryscript/jerry-core/ecma/base/ecma-gc.c:1742
    #3 0x567c1e68 in ecma_gc_run /root/jerryscript/jerry-core/ecma/base/ecma-gc.c:1898
    #4 0x5678385a in ecma_finalize /root/jerryscript/jerry-core/ecma/base/ecma-init-finalize.c:83
    #5 0x567acb1d in jerry_cleanup /root/jerryscript/jerry-core/api/jerry.c:256
    #6 0x567a7a9c in main /root/jerryscript/jerry-main/main-unix.c:324
    #7 0xf774af20 in __libc_start_main (/lib32/libc.so.6+0x18f20)
    #8 0x566473d0  (/root/jerryscript/build/bin/jerry+0x1d3d0)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/jerryscript/jerry-core/ecma/base/ecma-helpers.c:1264 in ecma_deref_bigint
==24756==ABORTING
```

Credits: Found by chong from OWL337.
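To see which engine operations the reported test case actually drives before the engine reaches `jerry_cleanup`, here is the same reproducer with its Proxy traps instrumented. This is an added illustration, not code from the issue or from JerryScript, and it is written to run under a spec-conforming engine such as Node.js rather than under the affected build. The function names `runReproducer` and `summarize` and the `trace` log are constructed for this example. It shows that `Function.prototype.bind` first queries the target's own `length` descriptor, then reads `length` through the `get` trap, and that the direct `eval` of the undeclared identifier `o` throws a `ReferenceError` at that point, so the `delete closure` and `arguments.callee` code in the report's trap is never reached and is omitted here. The script itself therefore completes with the `ReferenceError` seen in the output; the ASAN fault in the report occurs afterwards, while garbage collection frees the objects created along this path.

```javascript
// Added illustration, not code from the issue or from JerryScript: the
// reported reproducer with its Proxy traps instrumented. The names
// `runReproducer`, `summarize`, and `trace` are constructed here.

function runReproducer() {
  const trace = []; // every trap invocation, in order
  let error = null;

  const handler = {
    // Function.prototype.bind first asks whether the target has an own
    // "length" property; on a Proxy that goes through this trap.
    getOwnPropertyDescriptor(target, key) {
      trace.push("getOwnPropertyDescriptor:" + String(key));
      return Reflect.getOwnPropertyDescriptor(target, key);
    },
    // bind then reads "length" (and would read "name" next) via [[Get]].
    // As in the report, the trap's first action is a direct eval of an
    // undeclared identifier, which throws ReferenceError. The rest of the
    // report's trap body is unreachable for that reason and is left out.
    get(target, key, receiver) {
      trace.push("get:" + String(key));
      eval("o.p.y");
      return Reflect.get(target, key, receiver); // not reached
    },
  };

  const p = new Proxy(Function(), handler);
  try {
    Function.prototype.bind.call(p);
  } catch (e) {
    error = e;
  }
  return { trace, error };
}

// Summarises which trap invocations happened and which exception left bind().
function summarize() {
  const { trace, error } = runReproducer();
  return {
    gets: trace.filter((t) => t.startsWith("get:")),
    firstDescriptorQuery: trace.find((t) =>
      t.startsWith("getOwnPropertyDescriptor:")
    ),
    errorName: error ? error.name : null,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(summarize());
}
```

Running it prints a single `get:length` trap invocation preceded by the `length` descriptor query, and `errorName` is `ReferenceError`; no `name` lookup ever happens because the first `get` already threw.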

@rerobika rerobika self-assigned this Jan 5, 2021
@rerobika rerobika added the bug Undesired behaviour label Jan 5, 2021
rerobika pushed a commit to rerobika/jerryscript that referenced this issue Jan 5, 2021
This patch fixes jerryscript-project#4402.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu
@akosthekiss akosthekiss added ecma builtins Related to ECMA built-in routines ES.next Related to ES2015+ features labels Jan 5, 2021
zherczeg pushed a commit that referenced this issue Jan 7, 2021
This patch fixes #4402.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu