
Heap buffer overflow at moddable/xs/sources/xsDebug.c:784 #433

Closed
kvenux opened this issue Aug 31, 2020 · 8 comments

Comments

@kvenux

kvenux commented Aug 31, 2020

Build environment:

Ubuntu 16.04
gcc 5.4.0
xst version: de64c70 (git hash)
build command:
cd /path/to/moddable/xs/makefiles/lin
make
test command: ./xst poc

Target device:

Desktop Linux

POC

000523.txt

Description

Below is the ASAN output. Heap buffer overflow at /moddable/xs/sources/xsDebug.c:784

=================================================================
==118435==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc129d737ea at pc 0x00000062bd16 bp 0x7ffccdfbfe90 sp 0x7ffccdfbfe80
READ of size 2 at 0x7fc129d737ea thread T0
#0 0x62bd15 in fxDebugThrow /home/keven/Fuzzing/moddable/xs/sources/xsDebug.c:784
#1 0x441af0 in fxThrowMessage /home/keven/Fuzzing/moddable/xs/sources/xsAPI.c:1257
#2 0xa526d8 in fxAbort /home/keven/Fuzzing/moddable/xs/tools/xst.c:1378
#3 0x93fb78 in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:253
#4 0x4432c0 in fxToString /home/keven/Fuzzing/moddable/xs/sources/xsAPI.c:312
#5 0x477f02 in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1549
#6 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#7 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#8 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#9 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#10 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#11 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#12 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#13 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#14 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#15 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#16 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#17 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#18 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#19 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#20 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#21 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#22 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#23 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#24 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#25 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#26 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#27 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#28 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#29 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#30 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#31 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#32 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#33 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#34 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#35 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#36 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#37 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#38 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#39 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#40 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#41 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#42 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#43 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#44 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#45 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#46 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#47 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#48 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#49 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#50 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#51 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#52 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#53 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#54 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#55 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#56 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#57 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#58 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#59 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#60 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#61 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#62 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#63 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#64 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#65 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#66 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#67 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#68 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#69 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#70 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#71 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#72 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#73 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#74 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#75 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#76 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#77 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#78 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#79 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#80 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#81 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#82 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#83 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#84 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#85 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#86 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#87 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#88 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#89 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#90 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#91 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#92 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#93 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#94 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#95 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#96 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#97 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#98 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#99 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#100 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#101 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#102 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#103 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#104 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#105 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#106 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#107 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#108 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#109 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#110 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#111 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#112 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#113 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#114 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#115 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#116 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#117 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#118 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#119 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#120 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#121 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#122 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#123 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#124 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#125 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#126 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#127 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#128 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#129 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#130 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#131 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#132 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#133 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#134 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#135 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#136 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#137 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#138 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#139 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#140 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#141 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#142 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#143 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#144 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#145 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#146 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#147 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#148 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#149 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#150 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#151 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#152 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#153 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#154 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#155 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#156 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#157 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#158 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#159 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#160 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#161 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#162 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#163 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#164 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#165 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#166 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#167 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#168 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#169 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#170 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#171 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#172 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#173 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#174 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#175 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#176 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#177 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#178 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#179 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#180 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#181 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#182 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#183 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#184 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#185 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#186 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#187 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#188 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#189 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#190 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#191 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#192 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#193 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#194 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#195 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#196 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#197 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#198 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#199 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#200 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#201 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#202 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#203 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#204 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#205 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#206 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#207 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#208 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#209 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#210 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#211 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#212 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#213 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#214 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#215 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#216 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#217 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#218 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#219 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#220 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#221 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#222 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#223 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#224 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#225 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#226 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#227 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#228 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#229 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#230 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#231 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#232 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#233 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#234 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#235 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#236 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#237 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#238 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#239 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#240 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#241 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#242 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#243 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#244 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#245 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#246 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#247 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#248 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#249 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#250 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#251 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#252 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#253 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#254 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#255 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#256 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#257 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#258 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#259 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#260 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#261 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#262 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#263 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#264 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#265 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#266 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#267 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#268 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#269 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336
#270 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#271 0x9400ae in fxToPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsType.c:268
#272 0x7fe37f in fxToNumericNumber /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4464
#273 0x7fe37f in fxToNumericNumberBinary /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:4483
#274 0x82c555 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:3337
#275 0x477e6e in fx_Array_prototype_join /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:1546
#276 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#277 0x468e7c in fx_Array_prototype_toString /home/keven/Fuzzing/moddable/xs/sources/xsArray.c:2333
#278 0x7ffe39 in fxRunID /home/keven/Fuzzing/moddable/xs/sources/xsRun.c:767
#279 0x77270c in fx_Object_prototype_toPrimitive /home/keven/Fuzzing/moddable/xs/sources/xsObject.c:336

image
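The Linux trace above and the macOS trace further down in this thread are the same stack reported in two formats (file:line versus module+offset), and most of each report is one recursion cycle through fx_Array_prototype_join, fx_Array_prototype_toString, fx_Object_prototype_toPrimitive and fxToPrimitive repeated dozens of times. The script below is an added triage helper, not code from the Moddable XS project or from anyone in this thread: it parses the error header and the faulting stack of an ASAN report, collapses a repeated cycle of frames into (start, period, repeats), and derives a dedup signature from the error kind, access type and top frames by function name only, so the two platforms' reports land in the same bucket. The sample inputs are constructed from the first frames of the two reports on this page, with paths shortened and the cycle repeated three times instead of roughly twenty-eight.

```python
"""Triage helper for AddressSanitizer reports (added example, not XS project code)."""
from __future__ import annotations
import hashlib
import re
from dataclasses import dataclass, field

ERROR_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: ([\w-]+)")
ADDR_RE = re.compile(r"on (?:unknown )?address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s*(.*)$")


@dataclass
class AsanReport:
    pid: int
    kind: str                  # e.g. heap-buffer-overflow
    address: str | None
    access: str | None         # READ / WRITE
    size: int | None
    frames: list[str] = field(default_factory=list)     # function names, #0 first
    locations: list[str] = field(default_factory=list)  # file:line or (module+offset)


def parse_asan(text: str) -> AsanReport:
    """Parse the error header and the first (faulting) stack; later stacks are ignored."""
    pid = kind = address = access = None
    size = None
    frames, locations, stack_done = [], [], False
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            pid, kind = int(m.group(1)), m.group(2)
            a = ADDR_RE.search(line)
            address = a.group(1) if a else None
            continue
        m = ACCESS_RE.match(line.strip())
        if m:
            access, size = m.group(1), int(m.group(2))
            continue
        m = FRAME_RE.match(line)
        if m and not stack_done:
            frames.append(m.group(2))
            locations.append(m.group(3).strip())
        elif frames and not m:
            stack_done = True  # first non-frame line after the stack ends it
    if kind is None:
        raise ValueError("no AddressSanitizer error header found")
    return AsanReport(pid, kind, address, access, size, frames, locations)


def find_cycle(frames: list[str], min_repeats: int = 2):
    """Shortest run of consecutively repeated function names: (start, period, repeats) or None.
    Names are compared without file:line so recursion re-entered via another call site still matches."""
    n = len(frames)
    for start in range(n):
        for period in range(1, (n - start) // min_repeats + 1):
            pattern = frames[start:start + period]
            reps, i = 0, start
            while frames[i:i + period] == pattern:
                reps, i = reps + 1, i + period
            if reps >= min_repeats:
                return start, period, reps
    return None


def crash_signature(r: AsanReport, depth: int = 3) -> str:
    """Dedup key: error kind, access type and top frames by name, so Linux (file:line)
    and macOS (module+offset) reports of the same bug collide."""
    material = "|".join([r.kind, r.access or "?", *r.frames[:depth]])
    return hashlib.sha1(material.encode()).hexdigest()[:12]


def summarize(text: str) -> dict:
    r = parse_asan(text)
    out = {"kind": r.kind, "access": r.access, "size": r.size, "address": r.address,
           "depth": len(r.frames), "signature": crash_signature(r), "cycle": None,
           "fault_frame": f"{r.frames[0]} {r.locations[0]}" if r.frames else None}
    cyc = find_cycle(r.frames)
    if cyc:
        start, period, reps = cyc
        out["cycle"] = {"enter_at": start, "period": period, "repeats": reps,
                        "functions": r.frames[start:start + period]}
    return out


# Constructed sample: header and first six frames of the Linux report (paths shortened),
# then its ten-frame recursion cycle repeated `repeats` times instead of ~28.
LINUX_HEAD = """\
==118435==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc129d737ea at pc 0x00000062bd16 bp 0x7ffccdfbfe90 sp 0x7ffccdfbfe80
READ of size 2 at 0x7fc129d737ea thread T0
    #0 0x62bd15 in fxDebugThrow xs/sources/xsDebug.c:784
    #1 0x441af0 in fxThrowMessage xs/sources/xsAPI.c:1257
    #2 0xa526d8 in fxAbort xs/tools/xst.c:1378
    #3 0x93fb78 in fxToPrimitive xs/sources/xsType.c:253
    #4 0x4432c0 in fxToString xs/sources/xsAPI.c:312
    #5 0x477f02 in fx_Array_prototype_join xs/sources/xsArray.c:1549"""
CYCLE = [("0x7ffe39", "fxRunID", "xs/sources/xsRun.c:767"),
         ("0x468e7c", "fx_Array_prototype_toString", "xs/sources/xsArray.c:2333"),
         ("0x7ffe39", "fxRunID", "xs/sources/xsRun.c:767"),
         ("0x77270c", "fx_Object_prototype_toPrimitive", "xs/sources/xsObject.c:336"),
         ("0x7ffe39", "fxRunID", "xs/sources/xsRun.c:767"),
         ("0x9400ae", "fxToPrimitive", "xs/sources/xsType.c:268"),
         ("0x7fe37f", "fxToNumericNumber", "xs/sources/xsRun.c:4464"),
         ("0x7fe37f", "fxToNumericNumberBinary", "xs/sources/xsRun.c:4483"),
         ("0x82c555", "fxRunID", "xs/sources/xsRun.c:3337"),
         ("0x477e6e", "fx_Array_prototype_join", "xs/sources/xsArray.c:1546")]


def build_linux_sample(repeats: int = 3) -> str:
    lines, n = [LINUX_HEAD], 6
    for _ in range(repeats):
        for addr, fn, loc in CYCLE:
            lines.append(f"    #{n} {addr} in {fn} {loc}")
            n += 1
    return "\n".join(lines) + "\n"


# Constructed sample: header and first four frames of the macOS report in this thread.
MAC_SAMPLE = """\
==64588==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x00010d9797ea at pc 0x0001079bb261 bp 0x7ffee83059d0 sp 0x7ffee83059c8
READ of size 2 at 0x00010d9797ea thread T0
    #0 0x1079bb260 in fxDebugThrow (xst:x86_64+0x10013d260)
    #1 0x107880f12 in fxThrowMessage (xst:x86_64+0x100002f12)
    #2 0x107c007a5 in fxAbort (xst:x86_64+0x1003827a5)
    #3 0x107b620bd in fxToPrimitive (xst:x86_64+0x1002e40bd)
"""

if __name__ == "__main__":
    print(summarize(build_linux_sample()))
    print(summarize(MAC_SAMPLE)["signature"])
```

On the constructed Linux sample the cycle detector reports a period of ten frames entered at frame #5, because fx_Array_prototype_join appears there (at xsArray.c:1549) and again every ten frames (at xsArray.c:1546); comparing by name rather than file:line is deliberate, since the bug is the unbounded re-entry, not the call site. The signature of the truncated macOS sample equals that of the Linux one, which is the property you want when bucketing fuzzer crashes from several builds.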

@phoddie
Collaborator

phoddie commented Sep 1, 2020

I'd like to understand how you are using the address-sanitizer here to ensure we are looking at the same thing. The notes at the top suggest the report is based on running an unmodified copy of xst. However, in my experience, using address-sanitizer requires changes to build flags. Would you please provide the missing detail? Thank you.

@kvenux
Author

kvenux commented Sep 2, 2020

I'd like to understand how you are using the address-sanitizer here to ensure we are looking at the same thing. The notes at the top suggest the report is based on running an unmodified copy of xst. However, in my experience, using address-sanitizer requires changes to build flags. Would you please provide the missing detail? Thank you.

I added the following in xs/makefiles/lin/xst.mk:
CC=/path/to/afl-gcc
CXX=/path/to/afl-g++
C_OPTIONS += -fsanitize=address

Is this unreproducible problem caused by afl-gcc?

Btw, I have some other similar POCs.

xs-000404.txt

@phoddie
Collaborator

phoddie commented Sep 2, 2020

Running on macOS with ASAN enabled. I cannot reproduce a crash with 000523.txt or xs-000404.txt. I'm not using afl-gcc. I don't know if afl-gcc explains that or not.

FWIW - I am able to reproduce the problem in #431 - but only if the debugger is running. In "build environment" above, you don't note whether xsbug is running or not.

@kvenux
Author

kvenux commented Sep 3, 2020

@phoddie I have reproduced 000523.txt on macOS.

Platform:
ProductName: Mac OS X
ProductVersion: 10.14.6
BuildVersion: 18G6020

gcc version:
Configured with: --prefix=/Library/Developer/CommandLineTools/usr --with-gxx-include-dir=/Library/Developer/CommandLineTools/SDKs/MacOSX10.14.sdk/usr/include/c++/4.2.1
Apple LLVM version 10.0.1 (clang-1001.0.46.4)
Target: x86_64-apple-darwin18.7.0
Thread model: posix
InstalledDir: /Library/Developer/CommandLineTools/usr/bin

compile setting:
I added the following in xs/makefiles/lin/xst.mk
C_OPTIONS += -fsanitize=address
LINK_OPTIONS += -fsanitize=address

test cmd:
./build/bin/mac/release/xst 000523.txt

ASAN outputs:

=================================================================
==64588==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x00010d9797ea at pc 0x0001079bb261 bp 0x7ffee83059d0 sp 0x7ffee83059c8
READ of size 2 at 0x00010d9797ea thread T0
#0 0x1079bb260 in fxDebugThrow (xst:x86_64+0x10013d260)
#1 0x107880f12 in fxThrowMessage (xst:x86_64+0x100002f12)
#2 0x107c007a5 in fxAbort (xst:x86_64+0x1003827a5)
#3 0x107b620bd in fxToPrimitive (xst:x86_64+0x1002e40bd)
#4 0x107881a8f in fxToString (xst:x86_64+0x100003a8f)
#5 0x10789e9d2 in fx_Array_prototype_join (xst:x86_64+0x1000209d2)
#6 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#7 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#8 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#9 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#10 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#11 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#12 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#13 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#14 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#15 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#16 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#17 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#18 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#19 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#20 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#21 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#22 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#23 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#24 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#25 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#26 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#27 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#28 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#29 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#30 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#31 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#32 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#33 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#34 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#35 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#36 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#37 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#38 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#39 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#40 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#41 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#42 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#43 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#44 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#45 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#46 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#47 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#48 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#49 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#50 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#51 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#52 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#53 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#54 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#55 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#56 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#57 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#58 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#59 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#60 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#61 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#62 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#63 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#64 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#65 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#66 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#67 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#68 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#69 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#70 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#71 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#72 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#73 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#74 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#75 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#76 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#77 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#78 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#79 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#80 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#81 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#82 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#83 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#84 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#85 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#86 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#87 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#88 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#89 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#90 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#91 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#92 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#93 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#94 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#95 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#96 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#97 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#98 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#99 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#100 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#101 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#102 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#103 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#104 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#105 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#106 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#107 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#108 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#109 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#110 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#111 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#112 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#113 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#114 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#115 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#116 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#117 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#118 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#119 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#120 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#121 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#122 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#123 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#124 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#125 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#126 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#127 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#128 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#129 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#130 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#131 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#132 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#133 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#134 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#135 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#136 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#137 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#138 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#139 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#140 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#141 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#142 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#143 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#144 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#145 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#146 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#147 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#148 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#149 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#150 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#151 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#152 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#153 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#154 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#155 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#156 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#157 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#158 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#159 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#160 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#161 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#162 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#163 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#164 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#165 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#166 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#167 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#168 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#169 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#170 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#171 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#172 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#173 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#174 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#175 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#176 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#177 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#178 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#179 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#180 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#181 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#182 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#183 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#184 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#185 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#186 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#187 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#188 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#189 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#190 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#191 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#192 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#193 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#194 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#195 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#196 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#197 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#198 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#199 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#200 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#201 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#202 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#203 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#204 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#205 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#206 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#207 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#208 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#209 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#210 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#211 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#212 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#213 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#214 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#215 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#216 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#217 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#218 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#219 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#220 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#221 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#222 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#223 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#224 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#225 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#226 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#227 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#228 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#229 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#230 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#231 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#232 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#233 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#234 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#235 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#236 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#237 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#238 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#239 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#240 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#241 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#242 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#243 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#244 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#245 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#246 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#247 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)
#248 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#249 0x107a7f828 in fx_Object_prototype_toPrimitive (xst:x86_64+0x100201828)
#250 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#251 0x107b6251c in fxToPrimitive (xst:x86_64+0x1002e451c)
#252 0x107ad2ecc in fxRunID (xst:x86_64+0x100254ecc)
#253 0x10789e979 in fx_Array_prototype_join (xst:x86_64+0x100020979)
#254 0x107adce54 in fxRunID (xst:x86_64+0x10025ee54)
#255 0x1078abac7 in fx_Array_prototype_toString (xst:x86_64+0x10002dac7)

0x00010d9797ea is located 22 bytes to the left of 131072-byte region [0x00010d979800,0x00010d999800)
allocated by thread T0 here:
#0 0x107d77053 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5c053)
#1 0x107a5a33c in fxAllocate (xst:x86_64+0x1001dc33c)
#2 0x107889cc3 in fxCreateMachine (xst:x86_64+0x10000bcc3)
#3 0x107bfe37c in main (xst:x86_64+0x10038037c)
#4 0x10787ef43 in start (xst:x86_64+0x100000f43)

SUMMARY: AddressSanitizer: heap-buffer-overflow (xst:x86_64+0x10013d260) in fxDebugThrow
Shadow bytes around the buggy address:
0x100021b2f2a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x100021b2f2b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x100021b2f2c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x100021b2f2d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x100021b2f2e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x100021b2f2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa
0x100021b2f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100021b2f310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100021b2f320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100021b2f330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100021b2f340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==64588==ABORTING

@phoddie
Collaborator

phoddie commented Sep 3, 2020

Thank you very much for trying this on macOS and for providing the additional build details.

I'm not seeing the problem, but... now I'm running a more recent version of the code. We just pushed an update that contains fixes for a couple issues you reported that we could reproduce. Would you retry this one to see if it was resolved as part of that? If not, we'll need to sort out why I'm still unable to reproduce this one.

@kvenux
Author

kvenux commented Sep 4, 2020

@phoddie It's my pleasure. Hunting for bugs is fun.

I have tried on the latest version 5639abb. 000523.txt can still trigger a crash, but it turns out to be another one (stack overflow). That's weird.
Can you check this again? Can any contributor check this one too?

xst version: 5639abb

Platform:
ProductName: Mac OS X
ProductVersion: 10.14.6
BuildVersion: 18G6020

gcc version:
Configured with: --prefix=/Library/Developer/CommandLineTools/usr --with-gxx-include-dir=/Library/Developer/CommandLineTools/SDKs/MacOSX10.14.sdk/usr/include/c++/4.2.1
Apple LLVM version 10.0.1 (clang-1001.0.46.4)
Target: x86_64-apple-darwin18.7.0
Thread model: posix
InstalledDir: /Library/Developer/CommandLineTools/usr/bin

compile setting:
I added the following in xs/makefiles/lin/xst.mk
C_OPTIONS += -fsanitize=address
LINK_OPTIONS += -fsanitize=address

test cmd:
./build/bin/mac/release/xst 000523.txt

ASAN outputs:

AddressSanitizer:DEADLYSIGNAL

==79835==ERROR: AddressSanitizer: stack-overflow on address 0x7ffee1458f98 (pc 0x00010e251f42 bp 0x7ffee1468090 sp 0x7ffee1458fa0 T0)
#0 0x10e251f41 in fxRunID xsRun.c:767
#1 0x10e348e16 in fxToPrimitive xsType.c:268
#2 0x10dfaaf65 in fxToString xsAPI.c:312
#3 0x10dfdf247 in fx_Array_prototype_join xsArray.c:1549
#4 0x10e251f43 in fxRunID xsRun.c:767
#5 0x10dff8dfc in fx_Array_prototype_toString xsArray.c:2333
#6 0x10e251f43 in fxRunID xsRun.c:767
#7 0x10e1cb46e in fx_Object_prototype_toPrimitive xsObject.c:336
#8 0x10e251f43 in fxRunID xsRun.c:767
#9 0x10e348e16 in fxToPrimitive xsType.c:268
#10 0x10e2c2e8f in fxToNumericNumber xsRun.c:4464
#11 0x10e2c2b07 in fxToNumericNumberBinary xsRun.c:4483
#12 0x10e2a3eb8 in fxRunID xsRun.c:3337
#13 0x10dfb3724 in fxGetAll xsAPI.c:891
#14 0x10dfb3b4e in fxGetIndex xsAPI.c:919
#15 0x10dfdf067 in fx_Array_prototype_join xsArray.c:1546
#16 0x10e251f43 in fxRunID xsRun.c:767
#17 0x10dff8dfc in fx_Array_prototype_toString xsArray.c:2333
#18 0x10e251f43 in fxRunID xsRun.c:767
#19 0x10e1cb46e in fx_Object_prototype_toPrimitive xsObject.c:336
#20 0x10e251f43 in fxRunID xsRun.c:767
#21 0x10e348e16 in fxToPrimitive xsType.c:268
#22 0x10e2c2e8f in fxToNumericNumber xsRun.c:4464
#23 0x10e2c2b07 in fxToNumericNumberBinary xsRun.c:4483
#24 0x10e2a3eb8 in fxRunID xsRun.c:3337
#25 0x10dfb3724 in fxGetAll xsAPI.c:891
#26 0x10dfb3b4e in fxGetIndex xsAPI.c:919
#27 0x10dfdf067 in fx_Array_prototype_join xsArray.c:1546
#28 0x10e251f43 in fxRunID xsRun.c:767
#29 0x10dff8dfc in fx_Array_prototype_toString xsArray.c:2333
#30 0x10e251f43 in fxRunID xsRun.c:767
#31 0x10e1cb46e in fx_Object_prototype_toPrimitive xsObject.c:336
#32 0x10e251f43 in fxRunID xsRun.c:767
#33 0x10e348e16 in fxToPrimitive xsType.c:268
#34 0x10e2c2e8f in fxToNumericNumber xsRun.c:4464
#35 0x10e2c2b07 in fxToNumericNumberBinary xsRun.c:4483
#36 0x10e2a3eb8 in fxRunID xsRun.c:3337
#37 0x10dfb3724 in fxGetAll xsAPI.c:891
#38 0x10dfb3b4e in fxGetIndex xsAPI.c:919
#39 0x10dfdf067 in fx_Array_prototype_join xsArray.c:1546
#40 0x10e251f43 in fxRunID xsRun.c:767
#41 0x10dff8dfc in fx_Array_prototype_toString xsArray.c:2333
#42 0x10e251f43 in fxRunID xsRun.c:767
#43 0x10e1cb46e in fx_Object_prototype_toPrimitive xsObject.c:336
#44 0x10e251f43 in fxRunID xsRun.c:767
#45 0x10e348e16 in fxToPrimitive xsType.c:268
#46 0x10e2c2e8f in fxToNumericNumber xsRun.c:4464
#47 0x10e2c2b07 in fxToNumericNumberBinary xsRun.c:4483
#48 0x10e2a3eb8 in fxRunID xsRun.c:3337
#49 0x10dfb3724 in fxGetAll xsAPI.c:891
#50 0x10dfb3b4e in fxGetIndex xsAPI.c:919
#51 0x10dfdf067 in fx_Array_prototype_join xsArray.c:1546
#52 0x10e251f43 in fxRunID xsRun.c:767
#53 0x10dff8dfc in fx_Array_prototype_toString xsArray.c:2333
#54 0x10e251f43 in fxRunID xsRun.c:767
#55 0x10e1cb46e in fx_Object_prototype_toPrimitive xsObject.c:336
#56 0x10e251f43 in fxRunID xsRun.c:767
#57 0x10e348e16 in fxToPrimitive xsType.c:268
#58 0x10e2c2e8f in fxToNumericNumber xsRun.c:4464
#59 0x10e2c2b07 in fxToNumericNumberBinary xsRun.c:4483
#60 0x10e2a3eb8 in fxRunID xsRun.c:3337
#61 0x10dfb3724 in fxGetAll xsAPI.c:891
#62 0x10dfb3b4e in fxGetIndex xsAPI.c:919
#63 0x10dfdf067 in fx_Array_prototype_join xsArray.c:1546
#64 0x10e251f43 in fxRunID xsRun.c:767
#65 0x10dff8dfc in fx_Array_prototype_toString xsArray.c:2333
#66 0x10e251f43 in fxRunID xsRun.c:767
#67 0x10e1cb46e in fx_Object_prototype_toPrimitive xsObject.c:336
#68 0x10e251f43 in fxRunID xsRun.c:767
#69 0x10e348e16 in fxToPrimitive xsType.c:268
#70 0x10e2c2e8f in fxToNumericNumber xsRun.c:4464
#71 0x10e2c2b07 in fxToNumericNumberBinary xsRun.c:4483
#72 0x10e2a3eb8 in fxRunID xsRun.c:3337
#73 0x10dfb3724 in fxGetAll xsAPI.c:891
#74 0x10dfb3b4e in fxGetIndex xsAPI.c:919
#75 0x10dfdf067 in fx_Array_prototype_join xsArray.c:1546
#76 0x10e251f43 in fxRunID xsRun.c:767
#77 0x10dff8dfc in fx_Array_prototype_toString xsArray.c:2333
#78 0x10e251f43 in fxRunID xsRun.c:767
#79 0x10e1cb46e in fx_Object_prototype_toPrimitive xsObject.c:336
#80 0x10e251f43 in fxRunID xsRun.c:767
#81 0x10e348e16 in fxToPrimitive xsType.c:268
#82 0x10e2c2e8f in fxToNumericNumber xsRun.c:4464
#83 0x10e2c2b07 in fxToNumericNumberBinary xsRun.c:4483
#84 0x10e2a3eb8 in fxRunID xsRun.c:3337
#85 0x10dfb3724 in fxGetAll xsAPI.c:891
#86 0x10dfb3b4e in fxGetIndex xsAPI.c:919
#87 0x10dfdf067 in fx_Array_prototype_join xsArray.c:1546
#88 0x10e251f43 in fxRunID xsRun.c:767
#89 0x10dff8dfc in fx_Array_prototype_toString xsArray.c:2333
#90 0x10e251f43 in fxRunID xsRun.c:767
#91 0x10e1cb46e in fx_Object_prototype_toPrimitive xsObject.c:336
#92 0x10e251f43 in fxRunID xsRun.c:767
#93 0x10e348e16 in fxToPrimitive xsType.c:268
#94 0x10e2c2e8f in fxToNumericNumber xsRun.c:4464
#95 0x10e2c2b07 in fxToNumericNumberBinary xsRun.c:4483
#96 0x10e2a3eb8 in fxRunID xsRun.c:3337
#97 0x10dfb3724 in fxGetAll xsAPI.c:891
#98 0x10dfb3b4e in fxGetIndex xsAPI.c:919
#99 0x10dfdf067 in fx_Array_prototype_join xsArray.c:1546
#100 0x10e251f43 in fxRunID xsRun.c:767
#101 0x10dff8dfc in fx_Array_prototype_toString xsArray.c:2333
#102 0x10e251f43 in fxRunID xsRun.c:767
#103 0x10e1cb46e in fx_Object_prototype_toPrimitive xsObject.c:336
#104 0x10e251f43 in fxRunID xsRun.c:767
#105 0x10e348e16 in fxToPrimitive xsType.c:268
#106 0x10e2c2e8f in fxToNumericNumber xsRun.c:4464
#107 0x10e2c2b07 in fxToNumericNumberBinary xsRun.c:4483
#108 0x10e2a3eb8 in fxRunID xsRun.c:3337
#109 0x10dfb3724 in fxGetAll xsAPI.c:891
#110 0x10dfb3b4e in fxGetIndex xsAPI.c:919
#111 0x10dfdf067 in fx_Array_prototype_join xsArray.c:1546
#112 0x10e251f43 in fxRunID xsRun.c:767
#113 0x10dff8dfc in fx_Array_prototype_toString xsArray.c:2333
#114 0x10e251f43 in fxRunID xsRun.c:767
#115 0x10e1cb46e in fx_Object_prototype_toPrimitive xsObject.c:336
#116 0x10e251f43 in fxRunID xsRun.c:767
#117 0x10e348e16 in fxToPrimitive xsType.c:268
#118 0x10e2c2e8f in fxToNumericNumber xsRun.c:4464
#119 0x10e2c2b07 in fxToNumericNumberBinary xsRun.c:4483
#120 0x10e2a3eb8 in fxRunID xsRun.c:3337
#121 0x10dfb3724 in fxGetAll xsAPI.c:891
#122 0x10dfb3b4e in fxGetIndex xsAPI.c:919
#123 0x10dfdf067 in fx_Array_prototype_join xsArray.c:1546
#124 0x10e251f43 in fxRunID xsRun.c:767
#125 0x10dff8dfc in fx_Array_prototype_toString xsArray.c:2333
#126 0x10e251f43 in fxRunID xsRun.c:767
#127 0x10e1cb46e in fx_Object_prototype_toPrimitive xsObject.c:336
#128 0x10e251f43 in fxRunID xsRun.c:767
#129 0x10e348e16 in fxToPrimitive xsType.c:268
#130 0x10e2c2e8f in fxToNumericNumber xsRun.c:4464
#131 0x10e2c2b07 in fxToNumericNumberBinary xsRun.c:4483
#132 0x10e2a3eb8 in fxRunID xsRun.c:3337
#133 0x10dfb3724 in fxGetAll xsAPI.c:891
#134 0x10dfb3b4e in fxGetIndex xsAPI.c:919
#135 0x10dfdf067 in fx_Array_prototype_join xsArray.c:1546
#136 0x10e251f43 in fxRunID xsRun.c:767
#137 0x10dff8dfc in fx_Array_prototype_toString xsArray.c:2333
#138 0x10e251f43 in fxRunID xsRun.c:767
#139 0x10e1cb46e in fx_Object_prototype_toPrimitive xsObject.c:336
#140 0x10e251f43 in fxRunID xsRun.c:767
#141 0x10e348e16 in fxToPrimitive xsType.c:268
#142 0x10e2c2e8f in fxToNumericNumber xsRun.c:4464
#143 0x10e2c2b07 in fxToNumericNumberBinary xsRun.c:4483
#144 0x10e2a3eb8 in fxRunID xsRun.c:3337
#145 0x10dfb3724 in fxGetAll xsAPI.c:891
#146 0x10dfb3b4e in fxGetIndex xsAPI.c:919
#147 0x10dfdf067 in fx_Array_prototype_join xsArray.c:1546
#148 0x10e251f43 in fxRunID xsRun.c:767
#149 0x10dff8dfc in fx_Array_prototype_toString xsArray.c:2333
#150 0x10e251f43 in fxRunID xsRun.c:767
#151 0x10e1cb46e in fx_Object_prototype_toPrimitive xsObject.c:336
#152 0x10e251f43 in fxRunID xsRun.c:767
#153 0x10e348e16 in fxToPrimitive xsType.c:268
#154 0x10e2c2e8f in fxToNumericNumber xsRun.c:4464
#155 0x10e2c2b07 in fxToNumericNumberBinary xsRun.c:4483
#156 0x10e2a3eb8 in fxRunID xsRun.c:3337
#157 0x10dfb3724 in fxGetAll xsAPI.c:891
#158 0x10dfb3b4e in fxGetIndex xsAPI.c:919
#159 0x10dfdf067 in fx_Array_prototype_join xsArray.c:1546
#160 0x10e251f43 in fxRunID xsRun.c:767
#161 0x10dff8dfc in fx_Array_prototype_toString xsArray.c:2333
#162 0x10e251f43 in fxRunID xsRun.c:767
#163 0x10e1cb46e in fx_Object_prototype_toPrimitive xsObject.c:336
#164 0x10e251f43 in fxRunID xsRun.c:767
#165 0x10e348e16 in fxToPrimitive xsType.c:268
#166 0x10e2c2e8f in fxToNumericNumber xsRun.c:4464
#167 0x10e2c2b07 in fxToNumericNumberBinary xsRun.c:4483
#168 0x10e2a3eb8 in fxRunID xsRun.c:3337
#169 0x10dfb3724 in fxGetAll xsAPI.c:891
#170 0x10dfb3b4e in fxGetIndex xsAPI.c:919
#171 0x10dfdf067 in fx_Array_prototype_join xsArray.c:1546
#172 0x10e251f43 in fxRunID xsRun.c:767
#173 0x10dff8dfc in fx_Array_prototype_toString xsArray.c:2333
#174 0x10e251f43 in fxRunID xsRun.c:767
#175 0x10e1cb46e in fx_Object_prototype_toPrimitive xsObject.c:336
#176 0x10e251f43 in fxRunID xsRun.c:767
#177 0x10e348e16 in fxToPrimitive xsType.c:268
#178 0x10e2c2e8f in fxToNumericNumber xsRun.c:4464
#179 0x10e2c2b07 in fxToNumericNumberBinary xsRun.c:4483
#180 0x10e2a3eb8 in fxRunID xsRun.c:3337
#181 0x10dfb3724 in fxGetAll xsAPI.c:891
#182 0x10dfb3b4e in fxGetIndex xsAPI.c:919
#183 0x10dfdf067 in fx_Array_prototype_join xsArray.c:1546
#184 0x10e251f43 in fxRunID xsRun.c:767
#185 0x10dff8dfc in fx_Array_prototype_toString xsArray.c:2333
#186 0x10e251f43 in fxRunID xsRun.c:767
#187 0x10e1cb46e in fx_Object_prototype_toPrimitive xsObject.c:336
#188 0x10e251f43 in fxRunID xsRun.c:767
#189 0x10e348e16 in fxToPrimitive xsType.c:268
#190 0x10e2c2e8f in fxToNumericNumber xsRun.c:4464
#191 0x10e2c2b07 in fxToNumericNumberBinary xsRun.c:4483
#192 0x10e2a3eb8 in fxRunID xsRun.c:3337
#193 0x10dfb3724 in fxGetAll xsAPI.c:891
#194 0x10dfb3b4e in fxGetIndex xsAPI.c:919
#195 0x10dfdf067 in fx_Array_prototype_join xsArray.c:1546
#196 0x10e251f43 in fxRunID xsRun.c:767
#197 0x10dff8dfc in fx_Array_prototype_toString xsArray.c:2333
#198 0x10e251f43 in fxRunID xsRun.c:767
#199 0x10e1cb46e in fx_Object_prototype_toPrimitive xsObject.c:336
#200 0x10e251f43 in fxRunID xsRun.c:767
#201 0x10e348e16 in fxToPrimitive xsType.c:268
#202 0x10e2c2e8f in fxToNumericNumber xsRun.c:4464
#203 0x10e2c2b07 in fxToNumericNumberBinary xsRun.c:4483
#204 0x10e2a3eb8 in fxRunID xsRun.c:3337
#205 0x10dfb3724 in fxGetAll xsAPI.c:891
#206 0x10dfb3b4e in fxGetIndex xsAPI.c:919
#207 0x10dfdf067 in fx_Array_prototype_join xsArray.c:1546
#208 0x10e251f43 in fxRunID xsRun.c:767
#209 0x10dff8dfc in fx_Array_prototype_toString xsArray.c:2333
#210 0x10e251f43 in fxRunID xsRun.c:767
#211 0x10e1cb46e in fx_Object_prototype_toPrimitive xsObject.c:336
#212 0x10e251f43 in fxRunID xsRun.c:767
#213 0x10e348e16 in fxToPrimitive xsType.c:268
#214 0x10e2c2e8f in fxToNumericNumber xsRun.c:4464
#215 0x10e2c2b07 in fxToNumericNumberBinary xsRun.c:4483
#216 0x10e2a3eb8 in fxRunID xsRun.c:3337
#217 0x10dfb3724 in fxGetAll xsAPI.c:891
#218 0x10dfb3b4e in fxGetIndex xsAPI.c:919
#219 0x10dfdf067 in fx_Array_prototype_join xsArray.c:1546
#220 0x10e251f43 in fxRunID xsRun.c:767
#221 0x10dff8dfc in fx_Array_prototype_toString xsArray.c:2333
#222 0x10e251f43 in fxRunID xsRun.c:767
#223 0x10e1cb46e in fx_Object_prototype_toPrimitive xsObject.c:336
#224 0x10e251f43 in fxRunID xsRun.c:767
#225 0x10e348e16 in fxToPrimitive xsType.c:268
#226 0x10e2c2e8f in fxToNumericNumber xsRun.c:4464
#227 0x10e2c2b07 in fxToNumericNumberBinary xsRun.c:4483
#228 0x10e2a3eb8 in fxRunID xsRun.c:3337
#229 0x10dfb3724 in fxGetAll xsAPI.c:891
#230 0x10dfb3b4e in fxGetIndex xsAPI.c:919
#231 0x10dfdf067 in fx_Array_prototype_join xsArray.c:1546
#232 0x10e251f43 in fxRunID xsRun.c:767
#233 0x10dff8dfc in fx_Array_prototype_toString xsArray.c:2333
#234 0x10e251f43 in fxRunID xsRun.c:767
#235 0x10e1cb46e in fx_Object_prototype_toPrimitive xsObject.c:336
#236 0x10e251f43 in fxRunID xsRun.c:767
#237 0x10e348e16 in fxToPrimitive xsType.c:268
#238 0x10e2c2e8f in fxToNumericNumber xsRun.c:4464
#239 0x10e2c2b07 in fxToNumericNumberBinary xsRun.c:4483
#240 0x10e2a3eb8 in fxRunID xsRun.c:3337
#241 0x10dfb3724 in fxGetAll xsAPI.c:891
#242 0x10dfb3b4e in fxGetIndex xsAPI.c:919
#243 0x10dfdf067 in fx_Array_prototype_join xsArray.c:1546
#244 0x10e251f43 in fxRunID xsRun.c:767
#245 0x10dff8dfc in fx_Array_prototype_toString xsArray.c:2333
#246 0x10e251f43 in fxRunID xsRun.c:767
#247 0x10e1cb46e in fx_Object_prototype_toPrimitive xsObject.c:336
#248 0x10e251f43 in fxRunID xsRun.c:767
#249 0x10e348e16 in fxToPrimitive xsType.c:268
#250 0x10e2c2e8f in fxToNumericNumber xsRun.c:4464
#251 0x10e2c2b07 in fxToNumericNumberBinary xsRun.c:4483
#252 0x10e2a3eb8 in fxRunID xsRun.c:3337
#253 0x10dfb3724 in fxGetAll xsAPI.c:891
#254 0x10dfb3b4e in fxGetIndex xsAPI.c:919
#255 0x10dfdf067 in fx_Array_prototype_join xsArray.c:1546

SUMMARY: AddressSanitizer: stack-overflow xsRun.c:767 in fxRunID
==79835==ABORTING

@phoddie
Collaborator

phoddie commented Sep 4, 2020

Thanks for working through this.

That's a native stack overflow. On macOS, I don't see that. I see the XS stack overflow, and XS cleanly exits the virtual machine.

However, if the XS stack is increased, then something similar to your report above happens. To increase the XS stack, increase stackCount here:

moddable/xs/tools/xst.c

Lines 284 to 286 in 5639abb

1 * 1024 * 1024, /* incrementalHeapCount */
4096, /* stackCount */
4096*3, /* keyCount */

by 100x:

	4096 * 100, 		/* stackCount */

With that change, here's the output:

> xst ~/test.js 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==6854==ERROR: AddressSanitizer: stack-overflow on address 0x7ffeec86ed48 (pc 0x000102deae36 bp 0x7ffeec86f5c0 sp 0x7ffeec86ed50 T0)
    #0 0x102deae35 in wrap_memmove (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x1de35)
    #1 0x7fff6d00512d in __sfvwrite (libsystem_c.dylib:x86_64+0x3d12d)
    #2 0x7fff6d00e636 in __vfprintf (libsystem_c.dylib:x86_64+0x46636)
    #3 0x7fff6d0331c2 in __v2printf (libsystem_c.dylib:x86_64+0x6b1c2)
    #4 0x7fff6d018b02 in _vsnprintf (libsystem_c.dylib:x86_64+0x50b02)
    #5 0x7fff6d018ba9 in vsnprintf (libsystem_c.dylib:x86_64+0x50ba9)
    #6 0x102df654a in wrap_vsnprintf (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x2954a)
    #7 0x102df74d5 in wrap_snprintf (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x2a4d5)
    #8 0x102c7aae0 in fxIntegerToString (xst:x86_64+0x1000e9ae0)
    #9 0x102b9394a in fxToString (xst:x86_64+0x10000294a)
    #10 0x102b9c87b in fx_Array_prototype_join (xst:x86_64+0x10000b87b)
    #11 0x102c32137 in fxRunID (xst:x86_64+0x1000a1137)
    #12 0x102ba0c98 in fx_Array_prototype_toString (xst:x86_64+0x10000fc98)
    #13 0x102c32137 in fxRunID (xst:x86_64+0x1000a1137)
...
    #255 0x102c32137 in fxRunID (xst:x86_64+0x1000a1137)

SUMMARY: AddressSanitizer: stack-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x1de35) in wrap_memmove
==6854==ABORTING
Abort trap: 6

Without ASAN enabled, the output is just:

Segmentation fault: 11

I don't think there's anything here to fix. XS isn't going to check the stack on every function call. The host OS catches the stack overflow and kills the process.
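The two failure modes in this thread, the XS-level stack limit being hit (which exits the virtual machine cleanly) versus the native stack running out (the DEADLYSIGNAL the OS delivers), can be reproduced in a few lines of C. What follows is an added example, not XS code and not anything attached to this issue: it models a call that immediately calls itself again, the shape of the toPrimitive/toString/join cycle in the traces, bounded by a fixed VM slot count standing in for xst's stackCount and by a native stack guard that compares the address of a local against a base recorded at entry. That guard is the per-call check the maintainer says XS does not perform. The names (vm_t, vm_call, run_recursion) and the 256 KiB native budget are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not XS code. A self-recursing "call" is bounded by two
 * independent guards:
 *   1. a VM stack with a fixed number of slots (stands in for xst's stackCount)
 *   2. a native stack guard: distance between a local in the current frame and
 *      a base address recorded at entry (the per-call check XS does not do)
 * vm_t, vm_call, run_recursion and the budgets below are hypothetical. */

enum { VM_OK = 0, VM_ERR_VM_STACK = 1, VM_ERR_NATIVE_STACK = 2 };

typedef struct {
    size_t slot_count;         /* VM stack slots available */
    size_t slots_used;         /* VM stack slots in use */
    const char *native_base;   /* address of a local in the entry frame */
    size_t native_limit;       /* native stack bytes we allow ourselves */
    size_t max_depth_reached;  /* deepest recursion level observed */
} vm_t;

/* True while the native stack consumed since entry is under the budget.
 * Subtracting addresses of two different stack objects is not strictly
 * portable C, but it is how engines that do this check implement it. */
static int vm_native_stack_ok(const vm_t *vm) {
    volatile char probe = 0;
    ptrdiff_t used = vm->native_base - (const char *)&probe;
    if (used < 0) used = -used;          /* stacks that grow upward */
    return (size_t)used < vm->native_limit;
}

/* One call that immediately calls itself again, the shape of the
 * toPrimitive -> toString -> join -> toPrimitive cycle in the traces.
 * The volatile buffer pins at least 256 bytes of native stack per frame so
 * the compiler can neither shrink the frame nor turn this into a loop. */
static int vm_call(vm_t *vm, size_t depth) {
    volatile char frame[256];
    int rc;

    frame[0] = (char)depth;
    if (depth > vm->max_depth_reached) vm->max_depth_reached = depth;

    /* Guard 1: VM stack exhausted, the analogue of an XS stack overflow. */
    if (vm->slots_used + 1 > vm->slot_count) return VM_ERR_VM_STACK;

    /* Guard 2: native stack nearly exhausted; stop before the OS kills us. */
    if (!vm_native_stack_ok(vm)) return VM_ERR_NATIVE_STACK;

    vm->slots_used += 1;
    rc = vm_call(vm, depth + 1);
    vm->slots_used -= 1;                 /* not a tail call on purpose */
    return rc;
}

/* Drive the unbounded recursion under the given VM slot count and native
 * budget; reports which guard stopped it and how deep it got. */
int run_recursion(size_t slot_count, size_t native_limit, size_t *depth_out) {
    volatile char base_marker = 0;       /* a local in the entry frame */
    vm_t vm;
    int rc;

    memset(&vm, 0, sizeof vm);
    vm.slot_count = slot_count;
    vm.native_base = (const char *)&base_marker;
    vm.native_limit = native_limit;

    rc = vm_call(&vm, 0);
    if (depth_out) *depth_out = vm.max_depth_reached;
    return rc;
}

int main(void) {
    size_t depth = 0;
    int rc;

    /* Small VM stack: the VM limit is hit long before the native budget. */
    rc = run_recursion(128, 256u * 1024, &depth);
    printf("slots=128    rc=%d (%s) depth=%zu\n", rc,
           rc == VM_ERR_VM_STACK ? "VM stack" : "native stack", depth);

    /* VM stack 100x larger, as in the xst experiment: native guard fires. */
    rc = run_recursion(128 * 100, 256u * 1024, &depth);
    printf("slots=12800  rc=%d (%s) depth=%zu\n", rc,
           rc == VM_ERR_VM_STACK ? "VM stack" : "native stack", depth);
    return 0;
}
```

With 128 slots the VM limit stops the recursion first; with the slot count multiplied by 100, as in the stackCount experiment above, the native guard fires instead, which is the point where an engine without such a check takes the OS's SIGSEGV. The cost is one address comparison per call, which is the trade-off the maintainer declines to make for XS.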

@kvenux
Author

kvenux commented Sep 4, 2020

Confirmed. This is a native stack overflow. Not a bug.

@kvenux kvenux closed this as completed Sep 4, 2020