
LibJS: Type confusion in instruction lookup caches

Open ttrssreal opened this issue 9 months ago • 1 comment

Summary

UBSAN complains about a type confusion here in the lookup caches of a few different instructions.

POC:

async function f0(a1) {
    try {
        let [] = this;
    } catch(e17) {
        a1.h = a1;
        try {
        } catch(e20) {
        }
    } finally {
        function f21() {
            a1;
        }
        f21();
    }
}

f0();
f0(f0);

(I've tried minimizing this but it's pretty sensitive to changing anything)

Operating system

Linux

Steps to reproduce

  1. Compile libjs with UBSAN
  2. Run the POC

Expected behavior

No crash

Actual behavior

UBSAN crash

URL for a reduced test case

N/A

HTML/SVG/etc. source for a reduced test case

N/A

Log output and (if possible) backtrace

/home/jess/code/ladybird/Libraries/LibJS/Bytecode/Interpreter.cpp:2183:36: runtime error: member call on address 0x7fe702e75040 which does not point to an object of type 'DeclarativeEnvironment'
0x7fe702e75040: note: object is of type 'JS::GlobalEnvironment'
 00 00 00 00  20 56 e6 0d e7 7f 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'JS::GlobalEnvironment'
/home/jess/code/ladybird/Libraries/LibJS/Runtime/DeclarativeEnvironment.h:135:36: runtime error: member call on address 0x7fe702e75040 which does not point to an object of type 'DeclarativeEnvironment'
0x7fe702e75040: note: object is of type 'JS::GlobalEnvironment'
 00 00 00 00  20 56 e6 0d e7 7f 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'JS::GlobalEnvironment'

Screenshots or screen recordings

No response

Build flags or config settings

No response

Contribute a patch?

  • [ ] I’ll contribute a patch for this myself.

ttrssreal, Feb 18 '25 22:02
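As an added illustration (not Ladybird code; the class layout, cache fields and function names are assumptions), a simplified model of the pattern the summary describes: a per-instruction cache records where a binding was last found, and a fast path downcasts the environment at that position to DeclarativeEnvironment without checking its dynamic type. Beside it is a checked variant that verifies the type and index before trusting the cache and falls back to the slow path when a GlobalEnvironment sits there instead.

```cpp
#include <cstddef>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>
struct Environment {
    virtual ~Environment() = default;
    virtual bool is_declarative() const { return false; }
    Environment* outer = nullptr;
};
// Simplified model, not LibJS code: index-addressable bindings, the only layout the fast path can use.
struct DeclarativeEnvironment : Environment {
    std::vector<std::pair<std::string, int>> bindings;
    bool is_declarative() const override { return true; }
};
// Name-addressable only; there is no binding array behind it to index.
struct GlobalEnvironment : Environment { std::unordered_map<std::string, int> bindings; };
struct LookupCache { size_t hops = 0, index = 0; bool valid = false; };
static Environment* walk(Environment* e, size_t hops) { for (; hops && e; --hops) e = e->outer; return e; }
// Slow path: resolve by name; fill the cache only for declarative hits.
static int slow_lookup(Environment* env, std::string const& name, LookupCache& cache) {
    size_t hops = 0;
    for (Environment* e = env; e; e = e->outer, ++hops) {
        if (e->is_declarative()) {
            auto& d = static_cast<DeclarativeEnvironment&>(*e);
            for (size_t i = 0; i < d.bindings.size(); ++i)
                if (d.bindings[i].first == name) { cache = {hops, i, true}; return d.bindings[i].second; }
        } else if (auto& g = static_cast<GlobalEnvironment&>(*e); g.bindings.count(name)) {
            return g.bindings.at(name);
        }
    }
    return -1; // unresolvable (a real engine throws a ReferenceError)
}
// Fast path as reported: blind downcast; a GlobalEnvironment at cache.hops is the confusion UBSan flags.
static int cached_lookup_unchecked(Environment* env, LookupCache const& cache) {
    auto* d = static_cast<DeclarativeEnvironment*>(walk(env, cache.hops));
    return d->bindings[cache.index].second;
}
// Hardened: verify the dynamic type and the index before trusting the cache.
static int lookup(Environment* env, std::string const& name, LookupCache& cache) {
    if (cache.valid) {
        if (auto* t = walk(env, cache.hops); t && t->is_declarative()) {
            auto& d = static_cast<DeclarativeEnvironment&>(*t);
            if (cache.index < d.bindings.size() && d.bindings[cache.index].first == name)
                return d.bindings[cache.index].second;
        }
        cache.valid = false; // stale: the scope chain changed shape since caching
    }
    return slow_lookup(env, name, cache);
}
```

The unchecked fast path is only safe while the cached position still holds a DeclarativeEnvironment; the checked variant makes that precondition explicit, which is the same invariant the UBSan vptr check is enforcing at runtime.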

This now crashes with an OOB access

WARNING: A promise was rejected without any handlers (result: [TypeError] Cannot access property "h" on undefined object "a1")
/home/jess/code/ladybird-flake/ladybird/Libraries/LibJS/Bytecode/Interpreter.cpp:2222:36: runtime error: downcast of address 0x7f619a780040 which does not point to an object of type 'const DeclarativeEnvironment'
0x7f619a780040: note: object is of type 'JS::GlobalEnvironment'
 00 00 00 00  d0 a8 af 9d 61 7f 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  40 f0 77 9a
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'JS::GlobalEnvironment'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/jess/code/ladybird-flake/ladybird/Libraries/LibJS/Bytecode/Interpreter.cpp:2222:36
/home/jess/code/ladybird-flake/ladybird/Libraries/LibJS/Bytecode/Interpreter.cpp:2222:36: runtime error: member call on address 0x7f619a780040 which does not point to an object of type 'JS::DeclarativeEnvironment'
0x7f619a780040: note: object is of type 'JS::GlobalEnvironment'
 00 00 00 00  d0 a8 af 9d 61 7f 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  40 f0 77 9a
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'JS::GlobalEnvironment'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/jess/code/ladybird-flake/ladybird/Libraries/LibJS/Bytecode/Interpreter.cpp:2222:36
/home/jess/code/ladybird-flake/ladybird/Libraries/LibJS/Runtime/DeclarativeEnvironment.h:135:12: runtime error: member call on address 0x7f619a780040 which does not point to an object of type 'JS::DeclarativeEnvironment'
0x7f619a780040: note: object is of type 'JS::GlobalEnvironment'
 00 00 00 00  d0 a8 af 9d 61 7f 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  40 f0 77 9a
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'JS::GlobalEnvironment'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/jess/code/ladybird-flake/ladybird/Libraries/LibJS/Runtime/DeclarativeEnvironment.h:135:12
/home/jess/code/ladybird-flake/ladybird/Libraries/LibJS/Runtime/DeclarativeEnvironment.h:135:41: runtime error: member access within address 0x7f619a780040 which does not point to an object of type 'const JS::DeclarativeEnvironment'
0x7f619a780040: note: object is of type 'JS::GlobalEnvironment'
 00 00 00 00  d0 a8 af 9d 61 7f 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  40 f0 77 9a
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'JS::GlobalEnvironment'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/jess/code/ladybird-flake/ladybird/Libraries/LibJS/Runtime/DeclarativeEnvironment.h:135:41
/home/jess/code/ladybird-flake/ladybird/AK/StringData.h:88:13: runtime error: load of value 127, which is not a valid value for type 'bool'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/jess/code/ladybird-flake/ladybird/AK/StringData.h:88:13
VERIFICATION FAILED: start + length <= size() at /home/jess/code/ladybird-flake/ladybird/AK/Span.h:151
Build/debug/bin/js(+0x987b9) [0x558f3e8ea7b9]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-ak.so.0(ak_trap+0x165) [0x7f619b469c8d]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-ak.so.0(ak_verification_failed+0x1e2) [0x7f619b46a7aa]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-ak.so.0(+0x8c9aa) [0x7f619b48c9aa]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-ak.so.0 AK::Formatter<AK::FlyString, void>::format(AK::FormatBuilder&, AK::FlyString const&) 0x61) [0x7f619b4a3e31]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-js.so.0 AK::ErrorOr<void, AK::Error> AK::__format_value<AK::FlyString>(AK::TypeErasedFormatParams&, AK::FormatBuilder&, AK::FormatParser&, void const*) 0x142) [0x7f619ca7e2aa]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-ak.so.0(+0xb3c36) [0x7f619b4b3c36]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-ak.so.0 AK::vformat(AK::StringBuilder&, AK::StringView, AK::TypeErasedFormatParams&) 0x146) [0x7f619b4b380e]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-ak.so.0 AK::String::vformatted(AK::StringView, AK::TypeErasedFormatParams&) 0x18c) [0x7f619b51ed04]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-js.so.0(+0x8b5917) [0x7f619ccb5917]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-js.so.0(+0x8b556a) [0x7f619ccb556a]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-js.so.0 JS::Bytecode::Interpreter::run_bytecode(unsigned long) 0x22f9f) [0x7f619cc07c6f]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-js.so.0 JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value) 0xc3c) [0x7f619cbe385c]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-js.so.0 JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() 0xb20) [0x7f619d064b00]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-js.so.0 JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) 0xb8d) [0x7f619d061cdd]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-js.so.0(+0x8a2f4a) [0x7f619cca2f4a]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-js.so.0 JS::Bytecode::Interpreter::run_bytecode(unsigned long) 0x13da8) [0x7f619cbf8a78]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-js.so.0 JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value) 0xc3c) [0x7f619cbe385c]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-js.so.0 JS::GeneratorObject::execute(JS::VM&, JS::Completion const&) 0x3fb) [0x7f619d0c205b]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-js.so.0 JS::GeneratorObject::resume(JS::VM&, JS::Value, AK::Optional<AK::StringView> const&) 0x327) [0x7f619d0c2df7]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-js.so.0 JS::AsyncFunctionDriverWrapper::continue_async_execution(JS::VM&, JS::Value, bool) 0x25e) [0x7f619cf76aee]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-js.so.0 JS::AsyncFunctionDriverWrapper::create(JS::Realm&, JS::GeneratorObject*) 0x1f6) [0x7f619cf766fe]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-js.so.0 JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() 0x1058) [0x7f619d065038]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-js.so.0 JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) 0xb8d) [0x7f619d061cdd]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-js.so.0(+0x8a2f4a) [0x7f619cca2f4a]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-js.so.0 JS::Bytecode::Interpreter::run_bytecode(unsigned long) 0x13da8) [0x7f619cbf8a78]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-js.so.0 JS::Bytecode::Interpreter::run_executable(JS::Bytecode::Executable&, AK::Optional<unsigned long>, JS::Value) 0xc3c) [0x7f619cbe385c]
/home/jess/code/ladybird-flake/ladybird/Build/debug/bin/../lib64/liblagom-js.so.0 JS::Bytecode::Interpreter::run(JS::Script&, GC::Ptr<JS::Environment>) 0x802) [0x7f619cbe2052]
Build/debug/bin/js(+0x1938e5) [0x558f3e9e58e5]
Build/debug/bin/js(+0x190106) [0x558f3e9e2106]
Build/debug/bin/js(+0x1b7d6a) [0x558f3ea09d6a]
/nix/store/rmy663w9p7xb202rcln4jjzmvivznmz8-glibc-2.40-66/lib/libc.so.6(+0x2a1fe) [0x7f619ac2a1fe]
/nix/store/rmy663w9p7xb202rcln4jjzmvivznmz8-glibc-2.40-66/lib/libc.so.6(__libc_start_main+0x89) [0x7f619ac2a2b9]
Build/debug/bin/js(+0x42c95) [0x558f3e894c95]
[1]    153706 illegal hardware instruction  Build/debug/bin/js min.js

ttrssreal, Apr 12 '25 21:04