Hi, the following test case triggers an OOM on the attached harness and the OOM gets handled correctly:

```js
a = new Int8Array(2483647+500000)
b = {...a}
```

However, a slight modification will cause the harness to crash:

```js
a = new Int8Array(2483647+100000)
b = {...a}
```
Reproduce

```sh
git clone https://github.com/bellard/quickjs && cd quickjs && make libquickjs.a
gcc ./harness.c -o ./harness libquickjs.a -ldl -lm -lpthread -fsanitize=address
printf "a = new Int8Array(2483647+500000)\nb = {...a}" > ./ok.js
printf "a = new Int8Array(2483647+100000)\nb = {...a}" > ./crash.js
./harness ./ok.js # ok
./harness ./crash.js
# ASAN:DEADLYSIGNAL
# =================================================================
# ==2995007==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x5555555655ac bp 0x617000000080 sp 0x7fffffffd448 T0)
# ==2995007==The signal is caused by a WRITE memory access.
# ==2995007==Hint: address points to the zero page.
#     #0 0x5555555655ab in gc_scan_incref_child /root/qjs_test/quickjs/quickjs.c:5716
#     #1 0x55555556444e in mark_children /root/qjs_test/quickjs/quickjs.c:5594
#     #2 0x55555556b9bd in gc_scan /root/qjs_test/quickjs/quickjs.c:5737
#     #3 0x55555556b9bd in JS_RunGC /root/qjs_test/quickjs/quickjs.c:5803
#     #4 0x55555557e877 in js_trigger_gc /root/qjs_test/quickjs/quickjs.c:1274
#     #5 0x55555557e877 in JS_NewObjectFromShape /root/qjs_test/quickjs/quickjs.c:4727
#     #6 0x555555579fd6 in JS_ThrowError2 /root/qjs_test/quickjs/quickjs.c:6576
#     #7 0x55555557c4cb in JS_ThrowInternalError /root/qjs_test/quickjs/quickjs.c:6704
#     #8 0x55555557c592 in JS_ThrowOutOfMemory /root/qjs_test/quickjs/quickjs.c:6714
#     #9 0x55555557df47 in js_realloc /root/qjs_test/quickjs/quickjs.c:1358
#     #10 0x55555557e140 in resize_properties /root/qjs_test/quickjs/quickjs.c:4499
#     #11 0x55555557e327 in add_shape_property /root/qjs_test/quickjs/quickjs.c:4598
#     #12 0x55555557e3d8 in add_property /root/qjs_test/quickjs/quickjs.c:8013
#     #13 0x555555577aa0 in JS_CreateProperty /root/qjs_test/quickjs/quickjs.c:8914
#     #14 0x555555578ef2 in JS_DefineProperty /root/qjs_test/quickjs/quickjs.c:9284
#     #15 0x555555579995 in JS_DefinePropertyValue /root/qjs_test/quickjs/quickjs.c:9322
#     #16 0x5555555ba4d7 in JS_CopyDataProperties /root/qjs_test/quickjs/quickjs.c:15700
#     #17 0x555555573915 in JS_CallInternal /root/qjs_test/quickjs/quickjs.c:17908
#     #18 0x555555576fef in JS_CallFree /root/qjs_test/quickjs/quickjs.c:18722
#     #19 0x5555555cd2cc in JS_EvalFunctionInternal /root/qjs_test/quickjs/quickjs.c:33522
#     #20 0x5555555cd5d8 in __JS_EvalInternal /root/qjs_test/quickjs/quickjs.c:33676
#     #21 0x5555555d8186 in JS_EvalInternal /root/qjs_test/quickjs/quickjs.c:33694
#     #22 0x5555555d8186 in JS_EvalThis /root/qjs_test/quickjs/quickjs.c:33725
#     #23 0x5555555d81f1 in JS_Eval /root/qjs_test/quickjs/quickjs.c:33733
#     #24 0x55555556210b in LLVMFuzzerTestOneInput (/root/qjs_test/quickjs/harness+0xe10b)
#     #25 0x55555556229c in main (/root/qjs_test/quickjs/harness+0xe29c)
#     #26 0x7ffff6287c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#     #27 0x555555561b49 in _start (/root/qjs_test/quickjs/harness+0xdb49)
#
# AddressSanitizer can not provide additional info.
# SUMMARY: AddressSanitizer: SEGV /root/qjs_test/quickjs/quickjs.c:5716 in gc_scan_incref_child
# ==2995007==ABORTING
```
Attachment
harness.zip (this is simply a main-wrapped version of the fuzzbench harness)