SEGV in ecma_ref_object_inline of ecma-gc.c #4871

Closed
hope-fly opened this issue Dec 9, 2021 · 0 comments · Fixed by #4885
Labels: bug (Undesired behaviour)

hope-fly commented Dec 9, 2021

JerryScript revision

Commit: 51da1551 Version: v3.0.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps
./tools/build.py --clean --debug --profile=es2015-subset --compile-flag=-fsanitize=address --compile-flag=-m32 --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20
Test case
function echo(str) {
  console.log(str);
}

// Wraps a real promise `p` so that `then` becomes an own property of it.
// The patched `then` invokes onFulfilled synchronously (with `r` when `u` is
// truthy, otherwise with no argument) and then chains onFulfilled a second
// time through the original Promise.prototype.then, so the resolve-element
// callback handed in by Promise.all is invoked more than once.
function T(p, r, u) {
  return Object.assign(p, {
    then(onFulfilled, onRejected) {
      if (u) {
        onFulfilled(r);
      } else {
        onFulfilled();
      }

      return Promise.prototype.then.call(this, onFulfilled, onRejected);
    }
  });
}

// Only `p` is supplied here, so the patched `then` first calls onFulfilled()
// with undefined and later with 'success'. The crash in the trace below is
// reached when `res` is stringified by the template literal.
function JSEtest(i) {
  var ps = [T(Promise.resolve('success'))];
  Promise.all(ps).then(res => {
    echo(`Test #${i} - Success with '${res}' (length = ${res.length}) (isArray = ${Array.isArray(res)})`);
  }).catch(err => {
    echo(`Test #${i} - Catch with ${err}`);
  });
}

JSEtest(1);

Execution steps & Output
$ ./jerryscript/build/bin/jerry poc.js

ASAN:DEADLYSIGNAL
=================================================================
==95503==ERROR: AddressSanitizer: SEGV on unknown address 0x41b58ab0 (pc 0x566075cf bp 0x1ff7c4b0 sp 0xffbe2500 T0)
==95503==The signal is caused by a READ memory access.
    #0 0x566075ce in ecma_ref_object_inline /root/jerryscript/jerry-core/ecma/base/ecma-gc.c:136
    #1 0x56639c0c in ecma_copy_value /root/jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:913
    #2 0x56639c0c in ecma_fast_copy_value /root/jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:940
    #3 0x566cdd0b in ecma_op_object_find_own /root/jerryscript/jerry-core/ecma/operations/ecma-objects.c:647
    #4 0x566d2ea0 in ecma_op_object_find_own /root/jerryscript/jerry-core/ecma/operations/ecma-objects.c:494
    #5 0x566d2ea0 in ecma_op_object_get_with_receiver /root/jerryscript/jerry-core/ecma/operations/ecma-objects.c:879
    #6 0x567ef0cf in ecma_op_array_get_to_string_at_index /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:273
    #7 0x567ef0cf in ecma_builtin_array_prototype_join /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:322
    #8 0x567ef0cf in ecma_builtin_array_prototype_dispatch_routine /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:2940
    #9 0x566731f1 in ecma_builtin_dispatch_routine /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1543
    #10 0x566731f1 in ecma_builtin_dispatch_call /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1574
    #11 0x566b48b4 in ecma_op_function_call_native_built_in /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1243
    #12 0x566bae4d in ecma_op_function_call /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1444
    #13 0x5668d365 in ecma_array_object_to_string /root/jerryscript/jerry-core/ecma/operations/ecma-array-object.c:1228
    #14 0x5681e945 in ecma_builtin_intrinsic_dispatch_routine /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-intrinsic.c:201
    #15 0x566731f1 in ecma_builtin_dispatch_routine /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1543
    #16 0x566731f1 in ecma_builtin_dispatch_call /root/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1574
    #17 0x566b48b4 in ecma_op_function_call_native_built_in /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1243
    #18 0x566bae4d in ecma_op_function_call /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1444
    #19 0x566c9572 in ecma_op_general_object_ordinary_value /root/jerryscript/jerry-core/ecma/operations/ecma-objects-general.c:319
    #20 0x566c976b in ecma_op_general_object_default_value /root/jerryscript/jerry-core/ecma/operations/ecma-objects-general.c:284
    #21 0x566d6875 in ecma_op_object_default_value /root/jerryscript/jerry-core/ecma/operations/ecma-objects.c:1780
    #22 0x566a905a in ecma_op_to_string /root/jerryscript/jerry-core/ecma/operations/ecma-conversion.c:456
    #23 0x567b3433 in vm_loop /root/jerryscript/jerry-core/vm/vm.c:2820
    #24 0x567e21da in vm_execute /root/jerryscript/jerry-core/vm/vm.c:5260
    #25 0x567e7e7c in vm_run /root/jerryscript/jerry-core/vm/vm.c:5363
    #26 0x566b4101 in ecma_op_function_call_simple /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1203
    #27 0x566bae25 in ecma_op_function_call /root/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1439
    #28 0x566c495e in ecma_process_promise_reaction_job /root/jerryscript/jerry-core/ecma/operations/ecma-jobqueue.c:221
    #29 0x566c495e in ecma_process_all_enqueued_jobs /root/jerryscript/jerry-core/ecma/operations/ecma-jobqueue.c:563
    #30 0x565d4dbc in jerry_run_jobs /root/jerryscript/jerry-core/api/jerryscript.c:1064
    #31 0x565c004b in main /root/jerryscript/jerry-main/main-jerry.c:326
    #32 0xf76f1f20 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18f20)
    #33 0x565c9359  (/root/jerryscript/build/bin/jerry+0x3b359)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/jerryscript/jerry-core/ecma/base/ecma-gc.c:136 in ecma_ref_object_inline
==95503==ABORTING

Credits: Found by OWL337 team.
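The following is an added regression probe for the over-eager thenable pattern used in the PoC; it is not part of the issue and not JerryScript code, and it assumes a Node.js runtime. Per ECMAScript, every "Promise.all resolve element" function carries an [[AlreadyCalled]] flag, so a thenable that invokes onFulfilled more than once only has its first call recorded; later calls are ignored and must never touch the result array. For the PoC above that means a conforming engine prints `Test #1 - Success with '' (length = 1) (isArray = true)`, because the early `onFulfilled()` call with undefined wins. The probe generalises the PoC to several elements, some well-behaved and some over-eager, and records every call so the expected values can be checked after a fix. The helper names (`overEagerThenable`, `probe`) and the recorded values are constructed for this example.

```javascript
// Added example (not part of the issue or of JerryScript): a regression probe
// for the over-eager thenable pattern in the PoC. Per ECMAScript, each
// "Promise.all resolve element" function carries an [[AlreadyCalled]] flag,
// so when a thenable invokes onFulfilled more than once only the first call
// is recorded; later calls are ignored and must never touch the result array.

// Mirrors T() from the PoC: make `then` an own property of a real promise so
// that onFulfilled runs synchronously, inside Promise.all's own loop, and is
// then called a second time through the original Promise.prototype.then.
// `log` is a constructed array used to record every invocation.
function overEagerThenable(promise, earlyValue, log) {
  return Object.assign(promise, {
    then(onFulfilled, onRejected) {
      log.push({ phase: "sync", value: earlyValue });
      onFulfilled(earlyValue); // first call: this is the one that counts
      return Promise.prototype.then.call(
        this,
        (v) => {
          log.push({ phase: "async", value: v });
          return onFulfilled(v); // second call: a conforming engine ignores it
        },
        onRejected
      );
    },
  });
}

// Runs Promise.all over a well-behaved promise and two over-eager ones
// (constructed inputs). The returned `log` already holds the synchronous
// calls when this function returns; `done` resolves to a summary of the
// final result array, stringified the same way the PoC's template literal
// does it.
function probe() {
  const log = [];
  const elements = [
    Promise.resolve("plain"),
    overEagerThenable(Promise.resolve("success"), undefined, log),
    overEagerThenable(Promise.resolve("real"), "early", log),
  ];
  const done = Promise.all(elements).then((res) => ({
    isArray: Array.isArray(res),
    length: res.length,
    values: res,
    joined: `${res}`,
  }));
  return { log, done };
}

// Stand-alone usage: a conforming engine reports values
// ["plain", undefined, "early"], joined "plain,,early", and four log
// entries (two "sync", then two "async" whose values were discarded).
const demo = probe();
demo.done.then((out) => console.log(out, demo.log));
```

Running the probe on an engine with the bug would, as in the PoC, crash or corrupt `values` when the ignored second call is applied; on a conforming engine the second calls appear only in `log`. The check worth keeping after the fix is that `values[1]` is undefined rather than "success": the early call is the one the spec records, so "repairing" the result to the later value would itself be a deviation.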

@rerobika rerobika added the bug Undesired behaviour label Dec 9, 2021
@rerobika rerobika self-assigned this Dec 9, 2021
rerobika pushed a commit to rerobika/jerryscript that referenced this issue Dec 9, 2021
This patch fixes jerryscript-project#4871.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik robert.fancsik@h-lab.eu
ossy-szeged pushed a commit that referenced this issue Dec 15, 2021
This patch fixes #4871.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik robert.fancsik@h-lab.eu