Segmentation fault in jerry #5058

Open
marckwei opened this issue Mar 28, 2023 · 6 comments
Labels
bug Undesired behaviour fuzzing Related to fuzz testing of the engine

Comments

marckwei commented Mar 28, 2023

JerryScript revision

1a2c047

Build platform

Ubuntu 20.04.2 LTS (Linux 5.15.0-67-generic x86_64)

Build steps

tools/build.py --compile-flag=-fsanitize=address --compile-flag=-g

Build log

Test case

function i(a,b=eval()){eval()}
i(i("a"),eval("var a"))

Execution platform

same as the build platform.

Execution steps

build/bin/jerry testcase.js

Output

Segmentation fault (core dumped)

Backtrace

=================================================================
==167385==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x562a05bd8581 bp 0x7fffdc027800 sp 0x7fffdc027790 T0)
==167385==The signal is caused by a READ memory access.
==167385==Hint: address points to the zero page.
#0 0x562a05bd8580 (/data/jerryscript/asan/bin/jerry+0xd0580)
#1 0x562a05b8051c (/data/jerryscript/asan/bin/jerry+0x7851c)
#2 0x562a05b9069f (/data/jerryscript/asan/bin/jerry+0x8869f)
#3 0x562a05b919b9 (/data/jerryscript/asan/bin/jerry+0x899b9)
#4 0x562a05b6b6d8 (/data/jerryscript/asan/bin/jerry+0x636d8)
#5 0x562a05bc14cd (/data/jerryscript/asan/bin/jerry+0xb94cd)
#6 0x562a05bc696a (/data/jerryscript/asan/bin/jerry+0xbe96a)
#7 0x562a05b9085b (/data/jerryscript/asan/bin/jerry+0x8885b)
#8 0x562a05b919b9 (/data/jerryscript/asan/bin/jerry+0x899b9)
#9 0x562a05bf8576 (/data/jerryscript/asan/bin/jerry+0xf0576)
#10 0x562a05b25dac (/data/jerryscript/asan/bin/jerry+0x1ddac)
#11 0x7f32bb095082 in __libc_start_main ../csu/libc-start.c:308
#12 0x562a05b26cfd (/data/jerryscript/asan/bin/jerry+0x1ecfd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/data/jerryscript/asan/bin/jerry+0xd0580)
==167385==ABORTING

Expected behavior

aksdfauytv (Contributor) commented:

It doesn't crash for me. Did you give it enough RAM/stack?

marckwei (Author) commented Apr 5, 2023:

> It doesn't crash for me. Did you give it enough RAM/stack?

To reproduce, you should use the same build args as me.

aksdfauytv (Contributor) commented:

Indeed it crashes on PC (I was testing on esp32). You should use the --strip=OFF build option; you get a better backtrace:

ASAN:SIGSEGV
=================================================================
==28181==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x000000423a68 bp 0x0000006eddc0 sp 0x7ffe1ba87990 T0)
    #0 0x423a67 in ecma_find_named_property /home/maciek/jerryscript/jerry-core/ecma/base/ecma-helpers.c:625
    #1 0x414560 in vm_loop.lto_priv.126 /home/maciek/jerryscript/jerry-core/vm/vm.c:1445
    #2 0x4ae08f in vm_execute /home/maciek/jerryscript/jerry-core/vm/vm.c:5211
    #3 0x4af362 in vm_run /home/maciek/jerryscript/jerry-core/vm/vm.c:5312
    #4 0x4835c4 in vm_run_eval /home/maciek/jerryscript/jerry-core/vm/vm.c:374
    #5 0x4835c4 in ecma_op_eval_chars_buffer /home/maciek/jerryscript/jerry-core/ecma/operations/ecma-eval.c:93
    #6 0x4835c4 in ecma_op_eval /home/maciek/jerryscript/jerry-core/ecma/operations/ecma-eval.c:56
    #7 0x4835c4 in ecma_builtin_global_object_eval /home/maciek/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-global.c:109
    #8 0x4835c4 in ecma_builtin_global_dispatch_routine /home/maciek/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-global.c:594
    #9 0x4396d2 in ecma_builtin_dispatch_routine.isra.0 /home/maciek/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
    #10 0x4396d2 in ecma_builtin_dispatch_call /home/maciek/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
    #11 0x4396d2 in ecma_op_function_call_native_built_in /home/maciek/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1216
    #12 0x43c87b in ecma_op_function_call /home/maciek/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
    #13 0x4ae237 in ecma_op_function_validated_call /home/maciek/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1371
    #14 0x4ae237 in opfunc_call /home/maciek/jerryscript/jerry-core/vm/vm.c:757
    #15 0x4ae237 in vm_execute /home/maciek/jerryscript/jerry-core/vm/vm.c:5217
    #16 0x4af362 in vm_run /home/maciek/jerryscript/jerry-core/vm/vm.c:5312
    #17 0x411983 in vm_run_global /home/maciek/jerryscript/jerry-core/vm/vm.c:286
    #18 0x411983 in jerry_run /home/maciek/jerryscript/jerry-core/api/jerryscript.c:548
    #19 0x4054f7 in jerryx_source_exec_script /home/maciek/jerryscript/jerry-ext/util/sources.c:68
    #20 0x4054f7 in main /home/maciek/jerryscript/jerry-main/main-desktop.c:156
    #21 0x7fd447a9383f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #22 0x406448 in _start (/home/maciek/jerryscript/build/bin/jerry+0x406448)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/maciek/jerryscript/jerry-core/ecma/base/ecma-helpers.c:625 ecma_find_named_property
==28181==ABORTING

aksdfauytv (Contributor) commented Apr 5, 2023:

Actually, if you build with debug enabled, you get an assert earlier:

ICE: Assertion 'ecma_get_lex_env_type (lex_env_p) == ECMA_LEXICAL_ENVIRONMENT_DECLARATIVE' failed at /home/maciek/jerryscript/jerry-core/vm/vm.c(vm_loop):1441.

(lex_env_p has env type ECMA_LEXICAL_ENVIRONMENT_THIS_OBJECT_BOUND)
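
The two ASan reports in this thread differ only in build flags, and that difference decides how far triage can go. The following helper (an added example, not code from JerryScript or from anyone in this thread) parses an AddressSanitizer report, pulls out the error kind, faulting address, access type and the top symbolized frame, and returns a triage verdict; the sample reports are the first lines of the two outputs quoted above, the 0x1000 near-NULL threshold and the verdict wording are my own conventions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples: the opening lines of the two ASan reports quoted in this
# issue (stripped build vs. --strip=OFF build), trimmed to what the parser needs.
STRIPPED_REPORT = """\
==167385==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x562a05bd8581 bp 0x7fffdc027800 sp 0x7fffdc027790 T0)
==167385==The signal is caused by a READ memory access.
==167385==Hint: address points to the zero page.
    #0 0x562a05bd8580 (/data/jerryscript/asan/bin/jerry+0xd0580)
SUMMARY: AddressSanitizer: SEGV (/data/jerryscript/asan/bin/jerry+0xd0580)
"""
SYMBOLIZED_REPORT = """\
==28181==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x000000423a68 bp 0x0000006eddc0 sp 0x7ffe1ba87990 T0)
    #0 0x423a67 in ecma_find_named_property /home/maciek/jerryscript/jerry-core/ecma/base/ecma-helpers.c:625
    #1 0x414560 in vm_loop.lto_priv.126 /home/maciek/jerryscript/jerry-core/vm/vm.c:1445
SUMMARY: AddressSanitizer: SEGV /home/maciek/jerryscript/jerry-core/ecma/base/ecma-helpers.c:625 ecma_find_named_property
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on (?:unknown )?address 0x([0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+):(\d+)", re.M)

@dataclass
class Triage:
    kind: str                 # ASan error kind, e.g. SEGV, heap-buffer-overflow
    address: int              # faulting address
    access: Optional[str]     # READ / WRITE when ASan reports it
    top_frame: Optional[str]  # "function (file:line)" of frame #0, if symbolized
    verdict: str              # triage conclusion (my own wording, not ASan's)

def triage_asan(report: str) -> Triage:
    """Classify one AddressSanitizer report for bug-tracker triage."""
    m = ERROR_RE.search(report)
    if not m:
        raise ValueError("no 'ERROR: AddressSanitizer:' line in report")
    kind, address = m.group(1), int(m.group(2), 16)
    acc = re.search(r"caused by a (READ|WRITE) memory access", report)
    frames = FRAME_RE.findall(report)
    top = f"{frames[0][0]} ({frames[0][1].rsplit('/', 1)[-1]}:{frames[0][2]})" if frames else None
    if not frames:
        # Stripped binaries give only module offsets: ask for --strip=OFF before analysing further.
        verdict = "unsymbolized; rebuild with --strip=OFF and a debug build"
    elif kind == "SEGV" and address < 0x1000:
        # Read through a near-NULL pointer: a reliable crash (DoS); no memory corruption is shown.
        verdict = "near-NULL dereference; likely DoS, check the debug-build assert"
    else:
        verdict = f"{kind}; needs manual analysis"
    return Triage(kind, address, acc.group(1) if acc else None, top, verdict)
```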

carnil commented Apr 26, 2023:

CVE-2023-30406 seems to have been assigned for this issue.

@ossy-szeged ossy-szeged added bug Undesired behaviour fuzzing Related to fuzz testing of the engine labels Nov 21, 2024
happy-boy-maker commented:

For this problem, I turned on debug. We do get 'ecma_get_lex_env_type (lex_env_p) == ECMA_LEXICAL_ENVIRONMENT_DECLARATIVE' failed. I looked at the condition that triggers this assertion. It seems that it is looking for a value in the outer lexical environment and will look for a property in the final lexical environment. Can any failure in this process be a default that the developer's code has a syntax error? I encountered a case where lex_env_p->u2.outer_reference_cp was finally empty on jerry 2.3. The check seems to be caused by OOM (stack overflow). I wonder if anyone knows why this happens and how a stack overflow leads to the empty pointer. And I hope the official maintainers can give a clear reply on whether this is a bug.
