Memory corruption in parser_parse_class #5117

Open
anbu1024 opened this issue Dec 1, 2023 · 0 comments · May be fixed by #5140
Comments

anbu1024 commented Dec 1, 2023

JerryScript version 3.0.0:
commit 05dbbd1

Build platform:
Ubuntu 20.04

Build cmd:

python tools/build.py --debug --profile=es.next --lto=off --compile-flag=-D_POSIX_C_SOURCE=200809 --compile-flag=-Wno-strict-prototypes --stack-limit=15

Test case

function foo() {
    class Bar {
        static {            // class static initialization block, run when class Bar is evaluated
            var x = `
                for (let i = 0, j = 10; i < j;) {
                }
                function baz() {
                    return arguments;
                }
                class Proto {
                }
            `;
            eval(x);        // the parser faults in parser_parse_class while parsing the nested class in this source
        }
    }
    return foo;
}

new Promise(foo);           // foo runs as the Promise executor, which triggers the static block above

Error message:

SEGV on debug version

Segmentation fault (core dumped)

Error messages in ASAN version:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3670588==ERROR: AddressSanitizer: SEGV on unknown address 0x00000008 (pc 0x5671dd80 bp 0xffa2bf18 sp 0xffa2be60 T0)
==3670588==The signal is caused by a READ memory access.
==3670588==Hint: address points to the zero page.
    #0 0x5671dd7f in parser_parse_class jerry-core/parser/js/js-parser-expr.c:1107
    #1 0x567421af in parser_parse_statements jerry-core/parser/js/js-parser-statm.c:2787
    #2 0x56662c82 in parser_parse_source jerry-core/parser/js/js-parser.c:2280
    #3 0x56668fb5 in parser_parse_script jerry-core/parser/js/js-parser.c:3326
    #4 0x56614236 in ecma_op_eval_chars_buffer jerry-core/ecma/operations/ecma-eval.c:86
    #5 0x5661415b in ecma_op_eval jerry-core/ecma/operations/ecma-eval.c:56
    #6 0x566d8c14 in ecma_builtin_global_object_eval jerry-core/ecma/builtin-objects/ecma-builtin-global.c:109
    #7 0x566da71e in ecma_builtin_global_dispatch_routine jerry-core/ecma/builtin-objects/ecma-builtin-global.c:594
    #8 0x565f26de in ecma_builtin_dispatch_routine jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
    #9 0x565f28fb in ecma_builtin_dispatch_call jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
    #10 0x566184a8 in ecma_op_function_call_native_built_in jerry-core/ecma/operations/ecma-function-object.c:1217
    #11 0x56618e8c in ecma_op_function_call jerry-core/ecma/operations/ecma-function-object.c:1411
    #12 0x56618d91 in ecma_op_function_validated_call jerry-core/ecma/operations/ecma-function-object.c:1371
    #13 0x566a03a5 in opfunc_call jerry-core/vm/vm.c:758
    #14 0x566c08fe in vm_execute jerry-core/vm/vm.c:5217
    #15 0x566c0f17 in vm_run jerry-core/vm/vm.c:5312
    #16 0x566182ba in ecma_op_function_call_simple jerry-core/ecma/operations/ecma-function-object.c:1176
    #17 0x56618e70 in ecma_op_function_call jerry-core/ecma/operations/ecma-function-object.c:1406
    #18 0x566a7707 in vm_loop jerry-core/vm/vm.c:1794
    #19 0x566c0899 in vm_execute jerry-core/vm/vm.c:5211
    #20 0x566c0f17 in vm_run jerry-core/vm/vm.c:5312
    #21 0x566967f4 in opfunc_init_static_class_fields jerry-core/vm/opcodes.c:1081
    #22 0x566a9f4a in vm_loop jerry-core/vm/vm.c:2150
    #23 0x566c0899 in vm_execute jerry-core/vm/vm.c:5211
    #24 0x566c0f17 in vm_run jerry-core/vm/vm.c:5312
    #25 0x566182ba in ecma_op_function_call_simple jerry-core/ecma/operations/ecma-function-object.c:1176
    #26 0x56618e70 in ecma_op_function_call jerry-core/ecma/operations/ecma-function-object.c:1406
    #27 0x5662f276 in ecma_promise_run_executor jerry-core/ecma/operations/ecma-promise-object.c:447
    #28 0x5662f4dc in ecma_op_create_promise_object jerry-core/ecma/operations/ecma-promise-object.c:514
    #29 0x566ec87f in ecma_builtin_promise_dispatch_construct jerry-core/ecma/builtin-objects/ecma-builtin-promise.c:476
    #30 0x565f2ba9 in ecma_builtin_dispatch_construct jerry-core/ecma/builtin-objects/ecma-builtins.c:1518
    #31 0x56619172 in ecma_op_function_construct_built_in jerry-core/ecma/operations/ecma-function-object.c:1537
    #32 0x566196cf in ecma_op_function_construct jerry-core/ecma/operations/ecma-function-object.c:1717
    #33 0x566a08f1 in opfunc_construct jerry-core/vm/vm.c:840
    #34 0x566c093c in vm_execute jerry-core/vm/vm.c:5236
    #35 0x566c0f17 in vm_run jerry-core/vm/vm.c:5312
    #36 0x5669e5a3 in vm_run_global jerry-core/vm/vm.c:286
    #37 0x565a2753 in jerry_run jerry-core/api/jerryscript.c:548
    #38 0x5674f754 in jerryx_source_exec_script jerry-ext/util/sources.c:68
    #39 0x5659d688 in main jerry-main/main-desktop.c:156
    #40 0xf7653ed4 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1aed4)
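A small triage helper for crash reports of this kind, added here as an example and not part of the issue or of the JerryScript project. It runs a test case under an ASAN-instrumented `jerry` binary (the build command above plus `-fsanitize=address`, which the caller is assumed to have built) and reduces the ASAN stderr to a signature of error kind, top-frame function and file:line, so several fuzzer inputs hitting the same parser bug can be bucketed together. The embedded sample report is the first frames of the trace quoted above; the binary path, file names and the `CrashSignature` type are assumptions of this example.

```python
import os
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# "==PID==ERROR: AddressSanitizer: <kind> ..." header of an ASAN report.
ASAN_ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[A-Za-z-]+)")
# Top stack frame: "#0 0x... in <function> <file>:<line>".
ASAN_FRAME0_RE = re.compile(r"#0 0x[0-9a-f]+ in (?P<func>\w+) (?P<loc>\S+:\d+)")

# Sample input: the first lines of the ASAN report from this issue.
SAMPLE_REPORT = """AddressSanitizer:DEADLYSIGNAL
=================================================================
==3670588==ERROR: AddressSanitizer: SEGV on unknown address 0x00000008 (pc 0x5671dd80 bp 0xffa2bf18 sp 0xffa2be60 T0)
==3670588==The signal is caused by a READ memory access.
==3670588==Hint: address points to the zero page.
    #0 0x5671dd7f in parser_parse_class jerry-core/parser/js/js-parser-expr.c:1107
    #1 0x567421af in parser_parse_statements jerry-core/parser/js/js-parser-statm.c:2787
    #2 0x56662c82 in parser_parse_source jerry-core/parser/js/js-parser.c:2280
"""


@dataclass(frozen=True)
class CrashSignature:
    """Hypothetical dedup key: ASAN error kind plus the top frame of the report."""
    kind: str   # e.g. "SEGV" or "heap-buffer-overflow"
    func: str   # function of frame #0, e.g. "parser_parse_class"
    loc: str    # file:line of frame #0


def parse_asan_output(text: str) -> Optional[CrashSignature]:
    """Return the crash signature found in ASAN stderr, or None if there is no ASAN report."""
    m_err = ASAN_ERROR_RE.search(text)
    if not m_err:
        return None  # plain "Segmentation fault" without ASAN output, or a clean run
    m_frame = ASAN_FRAME0_RE.search(text, m_err.end())
    if not m_frame:
        # Unsymbolized frame (e.g. "(libc.so.6+0x...)"): keep the kind, mark the frame unknown.
        return CrashSignature(m_err.group("kind"), "?", "?")
    return CrashSignature(m_err.group("kind"), m_frame.group("func"), m_frame.group("loc"))


def run_testcase(jerry_bin: str, path: str, timeout: float = 10.0) -> Optional[CrashSignature]:
    """Run one .js file under the ASAN build of jerry and return its crash signature (None if no report)."""
    env = dict(os.environ)
    # Keep the report on stderr and symbolized; do not let ASAN abort before we read it.
    env["ASAN_OPTIONS"] = "symbolize=1:abort_on_error=0"
    try:
        proc = subprocess.run([jerry_bin, path], capture_output=True, text=True,
                              timeout=timeout, env=env)
    except subprocess.TimeoutExpired:
        return None  # a hang is a different bug class; do not file it as memory corruption
    return parse_asan_output(proc.stderr)


def dedupe(results: Iterable[Tuple[str, Optional[CrashSignature]]]) -> Dict[CrashSignature, List[str]]:
    """Bucket test case paths by signature so one parser bug is reported once."""
    buckets: Dict[CrashSignature, List[str]] = {}
    for path, sig in results:
        if sig is not None:
            buckets.setdefault(sig, []).append(path)
    return buckets


if __name__ == "__main__":
    # Usage: python triage.py build/bin/jerry case1.js case2.js ...
    import sys
    binary, cases = sys.argv[1], sys.argv[2:]
    for sig, paths in dedupe((p, run_testcase(binary, p)) for p in cases).items():
        print(f"{sig.kind} in {sig.func} ({sig.loc}): {len(paths)} case(s)")
```

Dedup on the top frame only is deliberate: the frames below `parser_parse_class` in the report above are just the eval and Promise machinery that delivered the input, and different fuzzer inputs reaching the same faulting line will differ there.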