Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Segmentation fault in Escargot::SmallValue::operator= #132

Closed
renatahodovan opened this issue Mar 6, 2019 · 0 comments · Fixed by #252
Closed

Segmentation fault in Escargot::SmallValue::operator= #132

renatahodovan opened this issue Mar 6, 2019 · 0 comments · Fixed by #252

Comments

@renatahodovan
Copy link
Member

Escargot version:
Checked revision: bfb1b7d
Build command: cmake -H. -Bout -DESCARGOT_HOST=linux -DESCARGOT_ARCH=x64 -DESCARGOT_MODE=debug -DESCARGOT_OUTPUT=bin -GNinja && ninja -C out
OS:
Linux-4.15.0-45-generic-x86_64-with-Ubuntu-18.04-bionic
Test case:
var arr = [ ];
Array.prototype[Object.defineProperty(arr, 0, {get: function() {Object.defineProperty(Array.prototype, 0, {}); return  0}})] = 0
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00005555555c4917 in Escargot::SmallValue::operator= (this=0x0, from=...) at ../src/runtime/SmallValue.h:270
270             m_data.payload = SmallValueImpl::PlatformSmiTagging::IntToSmi(i32);
(gdb) bt
#0  0x00005555555c4917 in Escargot::SmallValue::operator= (this=0x0, from=...) at ../src/runtime/SmallValue.h:270
#1  0x00005555555f441b in Escargot::ByteCodeInterpreter::interpret (state=..., byteCodeBlock=0x7ffff7e672b0, programCounter=93824998871624, registerFile=0x7fffffffdae0, initAddressFiller=0x7fffffffdb98)
    at ../src/interpreter/ByteCodeInterpreter.cpp:439
#2  0x0000555555621911 in Escargot::Script::execute (this=0x7ffff462b3d0, state=..., isEvalMode=false, needNewEnv=false, isOnGlobal=true) at ../src/parser/Script.cpp:80
#3  0x0000555555621a63 in Escargot::Script::<lambda()>::operator()(void) const (__closure=0x7fffffffdeb0) at ../src/parser/Script.cpp:93
#4  0x0000555555622a7a in std::_Function_handler<Escargot::Value(), Escargot::Script::sandboxExecute(Escargot::ExecutionState&)::<lambda()> >::_M_invoke(const std::_Any_data &) (__functor=...)
    at /usr/include/c++/7/bits/std_function.h:302
#5  0x00005555557a4a9c in std::function<Escargot::Value ()>::operator()() const (this=0x7fffffffdeb0) at /usr/include/c++/7/bits/std_function.h:706
#6  0x00005555557a3581 in Escargot::SandBox::run(std::function<Escargot::Value ()> const&) (this=0x7fffffffde20, scriptRunner=...) at ../src/runtime/SandBox.cpp:36
#7  0x0000555555621b40 in Escargot::Script::sandboxExecute (this=0x7ffff462b3d0, state=...) at ../src/parser/Script.cpp:94
#8  0x00005555557c1abd in eval (context=0x7ffff7e58ed0, str=0x7ffff4632a70, fileName=0x7ffff46329d0, shouldPrintScriptResult=false) at ../src/shell/Shell.cpp:46
#9  0x00005555557c240c in main (argc=2, argv=0x7fffffffe1d8) at ../src/shell/Shell.cpp:129

Found by Fuzzinator with grammarinator.

@pmarkee pmarkee mentioned this issue May 14, 2019
Merged
yichoi pushed a commit that referenced this issue May 14, 2019
@yichoi
Eliminate segfault when array changes to non-fast mode (#252)
4e1d74c 
Fixes #132

Signed-off-by: Peter Marki marpeter@inf.u-szeged.hu
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Eliminate segfault when array changes to non-fast mode
1 participant
@renatahodovan