SEGV on unknown address in Escargot::ExecutionState::hasRareData() #1307

Closed
Ye0nny opened this issue Jan 22, 2024 · 0 comments · Fixed by #1329
Labels
bug Something isn't working

Comments


Ye0nny commented Jan 22, 2024

Escargot

  • OS: Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)
  • Revision : bd95de3

Build Steps

cmake -DCMAKE_CXX_FLAGS=-fsanitize=address -DESCARGOT_MODE=debug -DESCARGOT_OUTPUT=shell -GNinja

Describe the bug
Null-pointer dereference: AddressSanitizer reports a READ of address 0x20 (a small offset from nullptr, "address points to the zero page") inside `Escargot::ExecutionState::hasRareData()` when a classic, non-module script contains a top-level `await`. Instead of rejecting the `await` at parse time, the engine emits and executes an execution-pause bytecode; `executionPauseOperation` then calls `executionPauser()` → `pauseSource()` → `hasRareData()` on what appears to be a null ExecutionState (confirm against the fix in #1329). For an embedder that evaluates untrusted scripts this is a deterministic crash (denial of service); the trace shows only a near-null read, not a write or a heap-buffer error, so there is no evidence here of anything beyond a crash.

Test case 1

testcase

// Original fuzzer-generated test case, kept verbatim: the exact shape is what reproduces the crash,
// so it should not be "cleaned up". `c`, `n`, `a` and `t` are never defined anywhere; the script
// does not get far enough to call them. The defect is the top-level `await` inside the for loop:
// this file is run as a classic script, not a module, so the parser should reject it with a
// SyntaxError instead of emitting an executionPause bytecode.
( async ( ) => { await c ( n ), await c ( n ), await c ( n ), await c ( n ) ; } ) ( ). catch ( { } ) ; 
for ( let e = 0 ; e < 6 ; ++ e ) { 
	async function func1 ( ) { 
		throw await 0, " test could not throw " ; 
	} 
	try { await new Error ( ) ; } // top-level await in a non-module script (crash site; expected: SyntaxError)
	catch { } 
	gc ( ) ; // presumably the shell's gc() builtin; the minimized poc1.js below reproduces without it
} 
async function func2 ( ) { 
	await Promise. all ( [ a ( ), a ( ), t ( ), t ( ) ] ) ; 
} 
async function func3 ( a ) { 
	try { await a ( ) ; } 
	catch ( a ) { if ( a ) { } } 
	if ( a instanceof Error ) { Error, a. stack ; } 
}

// poc1.js - minimized reproducer (two statements).
// The first line appears to be required: presumably the async arrow leaves the parser in a
// state where a following `await` is accepted at top level (confirm against the fix in #1329).
( async ( ) => { } ) ( );
// Top-level await in a classic script. Expected: "SyntaxError: await is only valid in async function".
// Observed: SEGV in ExecutionState::hasRareData() via executionPauseOperation.
await new Error ( ) ;

Test case 2

testcase

// Second fuzzer-generated test case, kept verbatim. Same root cause as test case 1: a top-level
// `await` (here in the for-loop initializer) in a classic script that the parser fails to reject.
// `c`, `n`, `a` and `t` are undefined; execution never reaches them.
( async ( ) => { await c ( n ), await c ( n ), await c ( n ), await c ( n ) ; } ) ( ). then ( ) ; 
for ( let e = 0, c = await Promise. all ; e < 22 ; ++ e ) { // `await Promise.all` at top level - should be a SyntaxError
	async function func1 ( ) { throw await 0, new Error ( ) ; } 
	async function func2 ( ) { await Promise. all ( [ a ( ), a ( ), t ( ), t ( ) ] ) ; } 
	async function func3 ( a ) { 
		try { await a ( ) ; } 
		catch ( a ) { Error, a. stack ; } 
	} 
}

// poc2.js - minimized reproducer for test case 2.
// As in poc1.js the leading empty async arrow appears to be needed for the parser to accept
// the top-level `await` that follows (presumed; verify against #1329).
( async ( ) => { } ) ( );
// Awaiting a plain function value (not a promise) at top level in a classic script.
// Expected: SyntaxError. Observed: the same SEGV path as poc1.js.
await Promise. all ;

Execution steps & Output

$ ./escargot/escargot poc.js   # poc.js here is poc1.js above (the expected-behavior message below quotes its second line)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3427107==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x55d3f95709d3 bp 0x7fff73396510 sp 0x7fff73396500 T0)
==3427107==The signal is caused by a READ memory access.
==3427107==Hint: address points to the zero page.
    #0 0x55d3f95709d2 in Escargot::ExecutionState::hasRareData() src/runtime/ExecutionState.h:193
    #1 0x55d3f9570ac6 in Escargot::ExecutionState::pauseSource() src/runtime/ExecutionState.h:209
    #2 0x55d3f99f0790 in Escargot::ExecutionState::executionPauser() src/runtime/ExecutionState.cpp:271
    #3 0x55d3f95a712f in Escargot::InterpreterSlowPath::executionPauseOperation(Escargot::ExecutionState&, Escargot::Value*, unsigned long&, unsigned char*) src/interpreter/ByteCodeInterpreter.cpp:4209
    #4 0x55d3f9583ad3 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) src/interpreter/ByteCodeInterpreter.cpp:1489
    #5 0x55d3f9745347 in Escargot::Script::execute(Escargot::ExecutionState&, bool, bool) src/parser/Script.cpp:499
    #6 0x55d3f933ac62 in Escargot::ScriptRef::execute(Escargot::ExecutionStateRef*) src/api/EscargotPublic.cpp:4706
    #7 0x55d3f9bd02ee in operator() src/shell/Shell.cpp:781
    #8 0x55d3f9bd0319 in _FUN src/shell/Shell.cpp:782
    #9 0x55d3f9bd9fcb in decltype (((forward<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>)({parm#1}))((forward<Escargot::ExecutionStateRef*&>)({parm#3}), (forward<Escargot::ScriptRef*&>)({parm#3}))) Escargot::EvaluatorUtil::ApplyTupleIntoArgumentsOfVariadicTemplateFunction<0ul>::apply<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&, Escargot::ExecutionStateRef*&, Escargot::ScriptRef*&>(Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&, Escargot::ExecutionStateRef*&, Escargot::ScriptRef*&) src/api/EscargotPublic.h:521
    #10 0x55d3f9bd95d7 in decltype (Escargot::EvaluatorUtil::ApplyTupleIntoArgumentsOfVariadicTemplateFunction<0ul>::apply((forward<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>)({parm#1}), (forward<std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&>)({parm#2}), (get<(1ul)-(1)>)((forward<std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&>)({parm#2})), (forward<Escargot::ScriptRef*&>)({parm#3}))) Escargot::EvaluatorUtil::ApplyTupleIntoArgumentsOfVariadicTemplateFunction<1ul>::apply<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&, Escargot::ScriptRef*&>(Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&, Escargot::ScriptRef*&) src/api/EscargotPublic.h:510
    #11 0x55d3f9bd8a37 in decltype (Escargot::EvaluatorUtil::ApplyTupleIntoArgumentsOfVariadicTemplateFunction<1ul>::apply((forward<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>)({parm#1}), (forward<std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&>)({parm#2}), (get<(2ul)-(1)>)((forward<std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&>)({parm#2})))) Escargot::EvaluatorUtil::ApplyTupleIntoArgumentsOfVariadicTemplateFunction<2ul>::apply<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&>(Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&) src/api/EscargotPublic.h:510
    #12 0x55d3f9bd7aea in decltype (Escargot::EvaluatorUtil::ApplyTupleIntoArgumentsOfVariadicTemplateFunction<std::tuple_size<std::decay<std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&>::type>::value>::apply((forward<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>)({parm#1}), (forward<std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&>)({parm#2}))) Escargot::EvaluatorUtil::applyTupleIntoArgumentsOfVariadicTemplateFunction<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&>(Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&) src/api/EscargotPublic.h:531
    #13 0x55d3f9bd60fe in Escargot::Evaluator::executeImpl<Escargot::ContextRef, Escargot::ScriptRef*>(Escargot::ContextRef*, Escargot::ValueRef* (*)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), Escargot::ScriptRef*)::{lambda(Escargot::ExecutionStateRef*, void*, void*)#1}::operator()(Escargot::ExecutionStateRef*, void*, void*) const src/api/EscargotPublic.h:612
    #14 0x55d3f9bd618c in Escargot::Evaluator::executeImpl<Escargot::ContextRef, Escargot::ScriptRef*>(Escargot::ContextRef*, Escargot::ValueRef* (*)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), Escargot::ScriptRef*)::{lambda(Escargot::ExecutionStateRef*, void*, void*)#1}::_FUN(Escargot::ExecutionStateRef*, void*, void*) src/api/EscargotPublic.h:606
    #15 0x55d3f9336de0 in operator() src/api/EscargotPublic.cpp:1087
    #16 0x55d3f9336e1a in _FUN src/api/EscargotPublic.cpp:1088
    #17 0x55d3f9b18b96 in Escargot::SandBox::run(Escargot::Value (*)(Escargot::ExecutionState&, void*), void*) src/runtime/SandBox.cpp:111
    #18 0x55d3f9337079 in Escargot::Evaluator::executeFunction(Escargot::ContextRef*, Escargot::ValueRef* (*)(Escargot::ExecutionStateRef*, void*, void*), void*, void*) src/api/EscargotPublic.cpp:1089
    #19 0x55d3f9bd638e in Escargot::Evaluator::EvaluatorResult Escargot::Evaluator::executeImpl<Escargot::ContextRef, Escargot::ScriptRef*>(Escargot::ContextRef*, Escargot::ValueRef* (*)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), Escargot::ScriptRef*) src/api/EscargotPublic.h:614
    #20 0x55d3f9bd4928 in execute<Escargot::ScriptRef*, evalScript(Escargot::ContextRef*, Escargot::StringRef*, Escargot::StringRef*, bool, bool)::<lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)> > src/api/EscargotPublic.h:585
    #21 0x55d3f9bd0aea in evalScript src/shell/Shell.cpp:783
    #22 0x55d3f9bd358d in main src/shell/Shell.cpp:1130
    #23 0x7f29cf45b082 in __libc_start_main ../csu/libc-start.c:308
    #24 0x55d3f93187fd in _start (./escargot/escargot+0x2587fd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/runtime/ExecutionState.h:193 in Escargot::ExecutionState::hasRareData()
==3427107==ABORTING

When the same input is run against a release build (no AddressSanitizer, no debug assertions), the crash is a bare segmentation fault with no diagnostic:

Output

Segmentation fault

Expected behavior

Top-level `await` is only legal in module code. The shell runs these files as classic scripts (the trace goes through `evalScript` → `Script::execute`, not module evaluation), so the parser should report the error below before any bytecode is generated, and the `executionPauseOperation` path in the trace above should never be reachable from such input:
SyntaxError: await is only valid in async function
await new Error ( ) ;
  ^

Credits: @Ye0nny, @EJueon

@Ye0nny Ye0nny added the bug Something isn't working label Jan 22, 2024