
SEGV on unknown address in Escargot::ExecutionState::hasRareData()

Open Ye0nny opened this issue 7 months ago • 0 comments

Escargot

  • OS: Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)
  • Revision: bd95de3c46e515a387ae1c3d0b214d9ddbd99e90

Build Steps

cmake -DCMAKE_CXX_FLAGS=-fsanitize=address -DESCARGOT_MODE=debug -DESCARGOT_OUTPUT=shell -GNinja

Describe the bug: SEGV on unknown address. The faulting address (0x20) lies in the zero page and the access is a READ, which is consistent with a member read through a null `ExecutionState` pointer in `hasRareData()` rather than a write past a buffer; as reported it is a hard crash (denial of service) for any embedder running untrusted scripts, since the invalid top-level `await` is not rejected at parse time.

Test case 1

testcase

// Test case 1 (full, fuzzer-shaped reproducer).
// `c`, `n`, `a` and `t` are never defined in this script, and func1/func2/func3
// are declared but never called. The `await`s in the loop body below sit outside
// any async function; the expected result is a parse-time SyntaxError, but the
// ASan trace shows the script reaching execution
// (Script::execute -> Interpreter::interpret -> executionPauseOperation)
// before crashing in ExecutionState::hasRareData().
( async ( ) => { await c ( n ), await c ( n ), await c ( n ), await c ( n ) ; } ) ( ). catch ( { } ) ; 
for ( let e = 0 ; e < 6 ; ++ e ) { 
	async function func1 ( ) { 
		throw await 0, " test could not throw " ; 
	} 
	// Top-level `await` inside the loop body: it is not inside func1 (which is
	// only declared, never invoked), so it is not in an async context.
	try { await new Error ( ) ; } 
	catch { } 
	// gc is not defined in this script — presumably provided by the shell binary.
	gc ( ) ; 
} 
async function func2 ( ) { 
	await Promise. all ( [ a ( ), a ( ), t ( ), t ( ) ] ) ; 
} 
async function func3 ( a ) { 
	try { await a ( ) ; } 
	catch ( a ) { if ( a ) { } } 
	if ( a instanceof Error ) { Error, a. stack ; } 
}
// poc1.js
// Minimized form of test case 1: an empty async IIFE followed by a top-level
// `await` that is not inside any async function.
// Expected: SyntaxError ("await is only valid in async function").
// Observed: SEGV in ExecutionState::hasRareData() under the debug/ASan build,
// and a plain "Segmentation fault" in release mode.
( async ( ) => { } ) ( );
await new Error ( ) ;

Test case 2

testcase

// Test case 2 (full, fuzzer-shaped reproducer), same crash as test case 1.
// `n`, `a` and `t` are never defined; the `c` declared in the for-head `let` is
// block-scoped to the loop, so the `c` referenced by the first line is also
// unresolved. func1/func2/func3 are declared but never called.
( async ( ) => { await c ( n ), await c ( n ), await c ( n ), await c ( n ) ; } ) ( ). then ( ) ; 
// Top-level `await` in the for-head initializer: outside any async function.
for ( let e = 0, c = await Promise. all ; e < 22 ; ++ e ) { 
	async function func1 ( ) { throw await 0, new Error ( ) ; } 
	async function func2 ( ) { await Promise. all ( [ a ( ), a ( ), t ( ), t ( ) ] ) ; } 
	async function func3 ( a ) { 
		try { await a ( ) ; } 
		catch ( a ) { Error, a. stack ; } 
	} 
}
// poc2.js
// Minimized form of test case 2: an empty async IIFE followed by a top-level
// `await` of the Promise.all function value (not a call) outside any async
// function. Expected: SyntaxError ("await is only valid in async function");
// observed: the same SEGV in ExecutionState::hasRareData() as poc1.js.
( async ( ) => { } ) ( );
await Promise. all ;

Execution steps & Output

$ ./escargot/escargot poc.js
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3427107==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x55d3f95709d3 bp 0x7fff73396510 sp 0x7fff73396500 T0)
==3427107==The signal is caused by a READ memory access.
==3427107==Hint: address points to the zero page.
    #0 0x55d3f95709d2 in Escargot::ExecutionState::hasRareData() src/runtime/ExecutionState.h:193
    #1 0x55d3f9570ac6 in Escargot::ExecutionState::pauseSource() src/runtime/ExecutionState.h:209
    #2 0x55d3f99f0790 in Escargot::ExecutionState::executionPauser() src/runtime/ExecutionState.cpp:271
    #3 0x55d3f95a712f in Escargot::InterpreterSlowPath::executionPauseOperation(Escargot::ExecutionState&, Escargot::Value*, unsigned long&, unsigned char*) src/interpreter/ByteCodeInterpreter.cpp:4209
    #4 0x55d3f9583ad3 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) src/interpreter/ByteCodeInterpreter.cpp:1489
    #5 0x55d3f9745347 in Escargot::Script::execute(Escargot::ExecutionState&, bool, bool) src/parser/Script.cpp:499
    #6 0x55d3f933ac62 in Escargot::ScriptRef::execute(Escargot::ExecutionStateRef*) src/api/EscargotPublic.cpp:4706
    #7 0x55d3f9bd02ee in operator() src/shell/Shell.cpp:781
    #8 0x55d3f9bd0319 in _FUN src/shell/Shell.cpp:782
    #9 0x55d3f9bd9fcb in decltype (((forward<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>)({parm#1}))((forward<Escargot::ExecutionStateRef*&>)({parm#3}), (forward<Escargot::ScriptRef*&>)({parm#3}))) Escargot::EvaluatorUtil::ApplyTupleIntoArgumentsOfVariadicTemplateFunction<0ul>::apply<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&, Escargot::ExecutionStateRef*&, Escargot::ScriptRef*&>(Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&, Escargot::ExecutionStateRef*&, Escargot::ScriptRef*&) src/api/EscargotPublic.h:521
    #10 0x55d3f9bd95d7 in decltype (Escargot::EvaluatorUtil::ApplyTupleIntoArgumentsOfVariadicTemplateFunction<0ul>::apply((forward<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>)({parm#1}), (forward<std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&>)({parm#2}), (get<(1ul)-(1)>)((forward<std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&>)({parm#2})), (forward<Escargot::ScriptRef*&>)({parm#3}))) Escargot::EvaluatorUtil::ApplyTupleIntoArgumentsOfVariadicTemplateFunction<1ul>::apply<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&, Escargot::ScriptRef*&>(Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&, Escargot::ScriptRef*&) src/api/EscargotPublic.h:510
    #11 0x55d3f9bd8a37 in decltype (Escargot::EvaluatorUtil::ApplyTupleIntoArgumentsOfVariadicTemplateFunction<1ul>::apply((forward<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>)({parm#1}), (forward<std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&>)({parm#2}), (get<(2ul)-(1)>)((forward<std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&>)({parm#2})))) Escargot::EvaluatorUtil::ApplyTupleIntoArgumentsOfVariadicTemplateFunction<2ul>::apply<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&>(Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&) src/api/EscargotPublic.h:510
    #12 0x55d3f9bd7aea in decltype (Escargot::EvaluatorUtil::ApplyTupleIntoArgumentsOfVariadicTemplateFunction<std::tuple_size<std::decay<std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&>::type>::value>::apply((forward<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>)({parm#1}), (forward<std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&>)({parm#2}))) Escargot::EvaluatorUtil::applyTupleIntoArgumentsOfVariadicTemplateFunction<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&>(Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&) src/api/EscargotPublic.h:531
    #13 0x55d3f9bd60fe in Escargot::Evaluator::executeImpl<Escargot::ContextRef, Escargot::ScriptRef*>(Escargot::ContextRef*, Escargot::ValueRef* (*)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), Escargot::ScriptRef*)::{lambda(Escargot::ExecutionStateRef*, void*, void*)#1}::operator()(Escargot::ExecutionStateRef*, void*, void*) const src/api/EscargotPublic.h:612
    #14 0x55d3f9bd618c in Escargot::Evaluator::executeImpl<Escargot::ContextRef, Escargot::ScriptRef*>(Escargot::ContextRef*, Escargot::ValueRef* (*)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), Escargot::ScriptRef*)::{lambda(Escargot::ExecutionStateRef*, void*, void*)#1}::_FUN(Escargot::ExecutionStateRef*, void*, void*) src/api/EscargotPublic.h:606
    #15 0x55d3f9336de0 in operator() src/api/EscargotPublic.cpp:1087
    #16 0x55d3f9336e1a in _FUN src/api/EscargotPublic.cpp:1088
    #17 0x55d3f9b18b96 in Escargot::SandBox::run(Escargot::Value (*)(Escargot::ExecutionState&, void*), void*) src/runtime/SandBox.cpp:111
    #18 0x55d3f9337079 in Escargot::Evaluator::executeFunction(Escargot::ContextRef*, Escargot::ValueRef* (*)(Escargot::ExecutionStateRef*, void*, void*), void*, void*) src/api/EscargotPublic.cpp:1089
    #19 0x55d3f9bd638e in Escargot::Evaluator::EvaluatorResult Escargot::Evaluator::executeImpl<Escargot::ContextRef, Escargot::ScriptRef*>(Escargot::ContextRef*, Escargot::ValueRef* (*)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), Escargot::ScriptRef*) src/api/EscargotPublic.h:614
    #20 0x55d3f9bd4928 in execute<Escargot::ScriptRef*, evalScript(Escargot::ContextRef*, Escargot::StringRef*, Escargot::StringRef*, bool, bool)::<lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)> > src/api/EscargotPublic.h:585
    #21 0x55d3f9bd0aea in evalScript src/shell/Shell.cpp:783
    #22 0x55d3f9bd358d in main src/shell/Shell.cpp:1130
    #23 0x7f29cf45b082 in __libc_start_main ../csu/libc-start.c:308
    #24 0x55d3f93187fd in _start (./escargot/escargot+0x2587fd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/runtime/ExecutionState.h:193 in Escargot::ExecutionState::hasRareData()
==3427107==ABORTING

When executed in release mode:

Output

Segmentation fault

Expected behavior

SyntaxError: await is only valid in async function
await new Error ( ) ;
  ^

Credits: @Ye0nny, @EJueon

Ye0nny — Jan 22 '24 12:01