Segmentation fault in Escargot::Value::isString #135

Closed
renatahodovan opened this issue Mar 7, 2019 · 0 comments · Fixed by #243

@renatahodovan

Escargot version:
Checked revision: 878482b
Build command: cmake -H. -Bout -DESCARGOT_HOST=linux -DESCARGOT_ARCH=x64 -DESCARGOT_MODE=debug -DESCARGOT_OUTPUT=bin -GNinja && ninja -C out
OS:
Linux-4.15.0-45-generic-x86_64-with-Ubuntu-18.04-bionic
Test case:
// Recursively walks the own properties of `value`, recording each object
// visited in the global array `x` so that an object is entered only once.
// This is the fuzzer-generated reproducer: statement shape is kept as-is.
function collect(value) {
    // y() yields a type-name string for null and non-object/non-function
    // values, and undefined otherwise, so primitives stop the walk here.
    var primitive = y(value)
    if (primitive) return
    // z() returns the position of `value` in `x`, or -1 when not yet seen.
    var index = z(value)
    if (index !== -1) { return } 
    else {
        // Register the object in `x` (under the `fv` key) before descending,
        // so cycles back to it are cut off by the z() check above.
        x.push({ })
        index = x.length - 1
        x[ index ].fv = value
    }

    var ps = Object.getOwnPropertyNames(value)
    for (var i = 0; i < ps.length; i++) {
        var p = ps[i]
        // a() is true only when reading value[p] does not throw.
        if (a(value, p)) {
            collect(value[p])
        }
    }
}

// Classifies `value`: returns "null" for null, the typeof string for any
// value that is neither "function" nor "object", and falls off the end
// (undefined) for functions and objects.
function y(value) {
    if (value === null)
        return "null"
    var vt = typeof value
    if (vt !== "function" && vt !== "object")
        return vt
}

// Probes whether `value[field]` can be read: returns true when the property
// access completes, and undefined when it throws (the exception is
// deliberately swallowed so getters that throw only skip that property).
function a(value, field) {
    try {
        value[field]
        return true
    } catch ( $ ) { }
}

// Linear scan of the global registry `x` for an entry whose `fv` is
// strictly equal to `value`; returns its index, or -1 if absent.
function z(value) {
    for (var i = 0; i < x.length; i++) {
        if (value === x[ i ].fv)
             return i
    }
    return -1
}

// Shared registry of visited objects (each entry holds the object in `fv`).
var x = [ ];
// Start the walk from the top-level `this`, i.e. the global object in a script.
collect(this);
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00005555555c64ce in Escargot::Value::isString (this=0x7fffffffa578) at ../src/runtime/ValueInlines.h:467
467	    return isPointerValue() && asPointerValue()->isString();
(gdb) bt
#0  0x00005555555c64ce in Escargot::Value::isString (this=0x7fffffffa578) at ../src/runtime/ValueInlines.h:467
#1  0x00005555555f5eb6 in Escargot::ByteCodeInterpreter::interpret (state=..., byteCodeBlock=0x7ffff45c4a90, programCounter=93824998871288, registerFile=0x7fffffffab60, initAddressFiller=0x7fffffffad50)
    at ../src/interpreter/ByteCodeInterpreter.cpp:780
#2  0x00005555556c12a1 in Escargot::FunctionObject::processCall (this=0x7ffff4631c20, state=..., receiverSrc=..., argc=@0x7fffffffb450: 1, argv=0x7fffffffb4e8, isNewExpression=false)
    at ../src/runtime/FunctionObject.cpp:473
#3  0x00005555555f1904 in Escargot::FunctionObject::call (state=..., callee=..., receiver=..., argc=@0x7fffffffb450: 1, argv=0x7fffffffb4e8) at ../src/runtime/FunctionObject.h:105
#4  0x00005555555f4985 in Escargot::ByteCodeInterpreter::interpret (state=..., byteCodeBlock=0x7ffff45c4cd0, programCounter=93824998877856, registerFile=0x7fffffffb4b0, initAddressFiller=0x7fffffffb6d0)
    at ../src/interpreter/ByteCodeInterpreter.cpp:513
#5  0x00005555556c12a1 in Escargot::FunctionObject::processCall (this=0x7ffff4631cd0, state=..., receiverSrc=..., argc=@0x7fffffffbdd0: 1, argv=0x7fffffffbe40, isNewExpression=false)
    at ../src/runtime/FunctionObject.cpp:473
#6  0x00005555555f1904 in Escargot::FunctionObject::call (state=..., callee=..., receiver=..., argc=@0x7fffffffbdd0: 1, argv=0x7fffffffbe40) at ../src/runtime/FunctionObject.h:105
#7  0x00005555555f4985 in Escargot::ByteCodeInterpreter::interpret (state=..., byteCodeBlock=0x7ffff45c4cd0, programCounter=93824998879984, registerFile=0x7fffffffbe30, initAddressFiller=0x7fffffffc050)
    at ../src/interpreter/ByteCodeInterpreter.cpp:513
#8  0x00005555556c12a1 in Escargot::FunctionObject::processCall (this=0x7ffff4631cd0, state=..., receiverSrc=..., argc=@0x7fffffffc750: 1, argv=0x7fffffffc7c0, isNewExpression=false)
    at ../src/runtime/FunctionObject.cpp:473
#9  0x00005555555f1904 in Escargot::FunctionObject::call (state=..., callee=..., receiver=..., argc=@0x7fffffffc750: 1, argv=0x7fffffffc7c0) at ../src/runtime/FunctionObject.h:105
#10 0x00005555555f4985 in Escargot::ByteCodeInterpreter::interpret (state=..., byteCodeBlock=0x7ffff45c4cd0, programCounter=93824998879984, registerFile=0x7fffffffc7b0, initAddressFiller=0x7fffffffc9d0)
    at ../src/interpreter/ByteCodeInterpreter.cpp:513
#11 0x00005555556c12a1 in Escargot::FunctionObject::processCall (this=0x7ffff4631cd0, state=..., receiverSrc=..., argc=@0x7fffffffd0d0: 1, argv=0x7fffffffd140, isNewExpression=false)
    at ../src/runtime/FunctionObject.cpp:473
#12 0x00005555555f1904 in Escargot::FunctionObject::call (state=..., callee=..., receiver=..., argc=@0x7fffffffd0d0: 1, argv=0x7fffffffd140) at ../src/runtime/FunctionObject.h:105
#13 0x00005555555f4985 in Escargot::ByteCodeInterpreter::interpret (state=..., byteCodeBlock=0x7ffff45c4cd0, programCounter=93824998879984, registerFile=0x7fffffffd130, initAddressFiller=0x7fffffffd350)
    at ../src/interpreter/ByteCodeInterpreter.cpp:513
#14 0x00005555556c12a1 in Escargot::FunctionObject::processCall (this=0x7ffff4631cd0, state=..., receiverSrc=..., argc=@0x7fffffffda50: 1, argv=0x7fffffffdac0, isNewExpression=false)
    at ../src/runtime/FunctionObject.cpp:473
#15 0x00005555555f1904 in Escargot::FunctionObject::call (state=..., callee=..., receiver=..., argc=@0x7fffffffda50: 1, argv=0x7fffffffdac0) at ../src/runtime/FunctionObject.h:105
#16 0x00005555555f4985 in Escargot::ByteCodeInterpreter::interpret (state=..., byteCodeBlock=0x7ffff45c4f10, programCounter=93824998869072, registerFile=0x7fffffffdab0, initAddressFiller=0x7fffffffdb28)
    at ../src/interpreter/ByteCodeInterpreter.cpp:513
#17 0x0000555555621a75 in Escargot::Script::execute (this=0x7ffff45bbc40, state=..., isEvalMode=false, needNewEnv=false, isOnGlobal=true) at ../src/parser/Script.cpp:80
#18 0x0000555555621bc7 in Escargot::Script::<lambda()>::operator()(void) const (__closure=0x7fffffffde40) at ../src/parser/Script.cpp:93
#19 0x0000555555622bde in std::_Function_handler<Escargot::Value(), Escargot::Script::sandboxExecute(Escargot::ExecutionState&)::<lambda()> >::_M_invoke(const std::_Any_data &) (__functor=...)
    at /usr/include/c++/7/bits/std_function.h:302
#20 0x00005555557a4c00 in std::function<Escargot::Value ()>::operator()() const (this=0x7fffffffde40) at /usr/include/c++/7/bits/std_function.h:706
#21 0x00005555557a36e5 in Escargot::SandBox::run(std::function<Escargot::Value ()> const&) (this=0x7fffffffddb0, scriptRunner=...) at ../src/runtime/SandBox.cpp:36
#22 0x0000555555621ca4 in Escargot::Script::sandboxExecute (this=0x7ffff45bbc40, state=...) at ../src/parser/Script.cpp:94
#23 0x00005555557c1c21 in eval (context=0x7ffff7e58ed0, str=0x7ffff4632a70, fileName=0x7ffff46329d0, shouldPrintScriptResult=false) at ../src/shell/Shell.cpp:46
#24 0x00005555557c2570 in main (argc=2, argv=0x7fffffffe168) at ../src/shell/Shell.cpp:129

Found by Fuzzinator with grammarinator.

rerobika added a commit to rerobika/escargot that referenced this issue May 9, 2019
yichoi pushed a commit that referenced this issue May 10, 2019