SEGV in ecma_op_object_get_property_names #3050

Closed
renatahodovan opened this issue Sep 4, 2019 · 0 comments · Fixed by #3053
Labels
bug Undesired behaviour ecma core Related to core ECMA functionality

Comments

@renatahodovan
JerryScript revision

1088273

Build platform

Linux-4.15.0-54-generic-x86_64-with-Ubuntu-18.04-bionic

Build steps
./tools/build.py --clean --debug --compile-flag=-fsanitize=address \
--compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer \
--compile-flag=-fno-common --compile-flag=-g \
--strip=off --system-allocator=on --logging=on \
--linker-flag=-fuse-ld=gold --error-messages=on --profile=es2015-subset
Test case
var b = [$]
function dConstr () { }
dConstr.prototype = b
var d = new dConstr()
for (var $ in d);
Output
ASAN:DEADLYSIGNAL
=================================================================
==16447==ERROR: AddressSanitizer: SEGV on unknown address 0x00000014 (pc 0x566367af bp 0xfffb3ba8 sp 0xfffb3a50 T0)
==16447==The signal is caused by a READ memory access.
==16447==Hint: address points to the zero page.
    #0 0x566367ae in ecma_op_object_get_property_names jerryscript/jerry-core/ecma/operations/ecma-objects.c:1826
    #1 0x565a4623 in opfunc_for_in jerryscript/jerry-core/vm/opcodes.c:244
    #2 0x5662378a in vm_loop jerryscript/jerry-core/vm/vm.c:2836
    #3 0x566284e2 in vm_execute jerryscript/jerry-core/vm/vm.c:3612
    #4 0x56628e46 in vm_run jerryscript/jerry-core/vm/vm.c:3738
    #5 0x56616637 in vm_run_global jerryscript/jerry-core/vm/vm.c:282
    #6 0x5666fe25 in jerry_run jerryscript/jerry-core/api/jerry.c:570
    #7 0x5666c789 in main jerryscript/jerry-main/main-unix.c:743
    #8 0xf7748e80 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18e80)
    #9 0x5659a5a0  (jerryscript/build_gcc_asan_es2015/bin/jerry+0x165a0)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV jerryscript/jerry-core/ecma/operations/ecma-objects.c:1826 in ecma_op_object_get_property_names
==16447==ABORTING
Backtrace
bt
#0  0x566077af in ecma_op_object_get_property_names (obj_p=0xf5d00650, opts=6) at jerryscript/jerry-core/ecma/operations/ecma-objects.c:1826
#1  0x56575624 in opfunc_for_in (left_value=4124051027, result_obj_p=0xffffc680) at jerryscript/jerry-core/vm/opcodes.c:244
#2  0x565f478b in vm_loop (frame_ctx_p=0xffffc7e0) at jerryscript/jerry-core/vm/vm.c:2836
#3  0x565f94e3 in vm_execute (frame_ctx_p=0xffffc7e0, arg_p=0x0, arg_list_len=0) at jerryscript/jerry-core/vm/vm.c:3612
#4  0x565f9e47 in vm_run (bytecode_header_p=0xf5302bc0, this_binding_value=4126149459, lex_env_p=0xf5d007b0, parse_opts=0, arg_list_p=0x0, arg_list_len=0) at jerryscript/jerry-core/vm/vm.c:3738
#5  0x565e7638 in vm_run_global (bytecode_p=0xf5302bc0) at jerryscript/jerry-core/vm/vm.c:282
#6  0x56640e26 in jerry_run (func_val=4126148595) at jerryscript/jerry-core/api/jerry.c:570
#7  0x5663d78a in main (argc=3, argv=0xffffcc14) at jerryscript/jerry-main/main-unix.c:743

Found by Fuzzinator with grammarinator.

@rerobika rerobika added bug Undesired behaviour ecma core Related to core ECMA functionality labels Sep 4, 2019
rerobika added a commit to rerobika/jerryscript that referenced this issue Sep 4, 2019
Since fast access mode arrays can be part of the prototype chain these objects must be handed separately.
This patch fixes jerryscript-project#3050.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik [email protected]
rerobika added a commit to rerobika/jerryscript that referenced this issue Sep 4, 2019
Since fast access mode arrays can be part of the prototype chain these objects must be handed separately.
This patch fixes jerryscript-project#3050.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik [email protected]
rerobika added a commit that referenced this issue Sep 5, 2019
Since fast access mode arrays can be part of the prototype chain these objects must be handed separately.
This patch fixes #3050.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik [email protected]
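The fix commits above say that a fast-access-mode array sitting in the prototype chain has to be handled separately when property names are collected. The following is an added example, not code from this issue or from the JerryScript project: a regression-style check of what a spec-conforming engine must enumerate in that situation. The function names are my own, the first function mirrors the issue's reproducer (with `$` replaced by the `undefined` it evaluates to, since `var $` is hoisted), and the second generalizes it to a sparse array with an extra named property, which is the shape an engine would typically keep outside fast-access mode. The expected key lists are what a spec-conforming engine (checked against Node.js) produces; the JerryScript build in the report crashed before returning any keys.

```javascript
// Added example (not from the issue or the JerryScript project): regression-style
// checks of for-in enumeration when an array is in the prototype chain.
// Run on a spec-conforming engine such as Node.js.

// Mirrors the issue's reproducer: a one-element dense array used as the prototype.
function keysViaArrayPrototype() {
  var b = [undefined];             // same shape as `[$]` in the report ($ is hoisted, so undefined)
  function DConstr() {}
  DConstr.prototype = b;
  var d = new DConstr();
  var seen = [];
  // Must walk d -> b -> Array.prototype -> Object.prototype and report the
  // enumerable index key "0" that lives on the array prototype.
  for (var k in d) seen.push(k);
  return seen;                     // ["0"]
}

// Generalization (my construction): own properties on the instance, a sparse
// array (hole at index 1) in the chain, and a non-index property on that array.
// Each object in the chain is visited in turn, index keys ascending before string
// keys in insertion order, and a key already reported (here "0") is not repeated.
function keysWithSparseArrayPrototype() {
  var proto = [10, , 30];          // constructed: hole at index 1
  proto.extra = 1;
  function C() { this.own = 1; this[0] = "shadow"; }   // own "0" shadows proto[0]
  C.prototype = proto;
  var obj = new C();
  var seen = [];
  for (var k in obj) seen.push(k);
  return seen;                     // ["0", "own", "2", "extra"]
}

console.log(keysViaArrayPrototype(), keysWithSparseArrayPrototype());
```

Both functions return the key list rather than only printing it, so the same code can be dropped into an engine's test suite as a check that enumeration over an array-backed prototype neither crashes nor skips or duplicates keys.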