
LibJS: Bytecode has potential misaligned allocations which UBSAN detected

Open davidot opened this issue 3 years ago • 2 comments

Here is a minimal example:

var passed = false;
if (!passed)
    console.log('Hello UBSAN');

The error:

Userland/Libraries/LibJS/Bytecode/Op.h:425:76: runtime error: member access within misaligned address 0x7f669477b054 for type 'struct JumpConditional', which requires 8 byte alignment
0x7f669477b054: note: pointer points here
  30 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
              ^ 
    #0 0x7f66a553601f in JS::Bytecode::Op::JumpConditional::JumpConditional(AK::Optional<JS::Bytecode::Label>, AK::Optional<JS::Bytecode::Label>) Userland/Libraries/LibJS/Bytecode/Op.h:425
    #1 0x7f66a54e12c3 in JS::Bytecode::Op::JumpConditional& JS::Bytecode::Generator::emit<JS::Bytecode::Op::JumpConditional>() Userland/Libraries/LibJS/Bytecode/Generator.h:52
    #2 0x7f66a54e12c3 in JS::IfStatement::generate_bytecode(JS::Bytecode::Generator&) const Userland/Libraries/LibJS/Bytecode/ASTCodegen.cpp:949
    #3 0x7f66a54c3c31 in JS::ScopeNode::generate_bytecode(JS::Bytecode::Generator&) const Userland/Libraries/LibJS/Bytecode/ASTCodegen.cpp:49
    #4 0x7f66a554e6b9 in JS::Bytecode::Generator::generate(JS::ASTNode const&, JS::FunctionKind) Userland/Libraries/LibJS/Bytecode/Generator.cpp:37
    #5 0x55f411eb9254 in operator() Userland/Utilities/js.cpp:936
    #6 0x55f411ec128d in parse_and_run Userland/Utilities/js.cpp:973
    #7 0x55f411ecf658 in serenity_main(Main::Arguments) Userland/Utilities/js.cpp:1563
    #8 0x7f669fc0eb71 in main Userland/Libraries/LibMain/Main.cpp:20
    #9 0x7f669895cfcf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #10 0x7f669895d07c in __libc_start_main_impl ../csu/libc-start.c:409
    #11 0x55f411e29424 in _start (js+0x133424)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Userland/Libraries/LibJS/Bytecode/Op.h:425:76 in 

As far as I can see this breaks because some Instructions have to be aligned to 8, but the unary operators (in particular the `!` Not we use in the example) are small, 4 bytes, and can thus misalign the next entry. The 30 00 00 00 I suspect is the Not, as its type has the value 48 = 0x30.

This does seem to work, so maybe we just need to ignore this? But I couldn't get that to work either.

davidot, Jan 25 '22 13:01

Can we just add a 4-byte noop opcode, preferably just 0s, that gets emitted when padding is needed?

Hendiadyoin1, Sep 02 '22 22:09

> Can we just add a 4-byte noop opcode, preferably just 0s, that gets emitted when padding is needed?

Yes, that's exactly the solution I tried some time ago; I just never ended up making a PR, mostly because it feels wasteful. But feel free to just do that, I haven't heard any other solutions.

davidot, Sep 02 '22 23:09
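The thread above describes the failure (a 4-byte `Not` followed by an 8-byte-aligned `JumpConditional`) and the proposed fix (emit a 4-byte all-zero no-op as padding). The example below, written for this page and not taken from SerenityOS or LibJS, models that in a self-contained bump-allocated instruction stream. The `Not`, `Padding` and `JumpConditional` structs, the `BytecodeBlock` class, the type tags (only `48` for `Not` comes from the UBSAN dump above; `0` and `1` are assumed) and the `lower_example` helper are all hypothetical stand-ins for the real `Op.h` types and `Generator::emit`. It shows both the unpadded emission that produces the misaligned address UBSAN reported and the padded emission, plus a walk over the stream that counts misaligned entries so the problem can be caught in a unit test rather than only by a sanitizer at runtime.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Hypothetical, simplified instruction layouts standing in for LibJS's Op.h types.
// The first 32-bit word of every instruction is its type tag, like the "30 00 00 00"
// (0x30 == 48 == Not) visible in the UBSAN dump above.
struct Not { uint32_t type = 48; };        // 4 bytes, 4-byte alignment
struct Padding { uint32_t type = 0; };     // 4-byte all-zero no-op used only to realign
struct JumpConditional {                   // 24 bytes, needs 8-byte alignment
    uint32_t type = 1;
    uint32_t reserved = 0;
    uint64_t true_target;
    uint64_t false_target;
};
static_assert(alignof(JumpConditional) == 8, "example relies on an 8-byte-aligned op");

// Size of an instruction given its type tag, so the stream can be walked.
static size_t instruction_size(uint32_t type)
{
    switch (type) {
    case 0:  return sizeof(Padding);
    case 48: return sizeof(Not);
    case 1:  return sizeof(JumpConditional);
    default: return 0; // unknown tag: stop walking
    }
}

// Minimal bump-allocated instruction stream. The backing buffer is 16-byte aligned,
// so any misalignment comes purely from the sequence of emitted instructions.
class BytecodeBlock {
public:
    // Copy an instruction to the current end with no padding. This reproduces the
    // report: a 4-byte Not followed by JumpConditional puts the latter on offset 4.
    // memcpy is used (instead of placement new) so the example itself has no UB.
    template<typename T>
    size_t emit_unpadded(T const& instruction)
    {
        size_t offset = m_size;
        memcpy(m_buffer + offset, &instruction, sizeof(T));
        m_size += sizeof(T);
        return offset;
    }

    // Same, but first emit 4-byte no-ops until the next slot satisfies alignof(T).
    template<typename T>
    size_t emit(T const& instruction)
    {
        while (reinterpret_cast<uintptr_t>(m_buffer + m_size) % alignof(T) != 0)
            emit_unpadded(Padding {});
        return emit_unpadded(instruction);
    }

    // Walk the stream and count instructions whose address violates their alignment.
    size_t misaligned_instruction_count() const
    {
        size_t misaligned = 0;
        size_t offset = 0;
        while (offset < m_size) {
            uint32_t type;
            memcpy(&type, m_buffer + offset, sizeof(type)); // read the tag without an aligned load
            size_t required = (type == 1) ? alignof(JumpConditional) : 4;
            if (reinterpret_cast<uintptr_t>(m_buffer + offset) % required != 0)
                ++misaligned;
            size_t length = instruction_size(type);
            if (length == 0)
                break;
            offset += length;
        }
        return misaligned;
    }

    size_t size() const { return m_size; }

private:
    alignas(16) uint8_t m_buffer[256] {};
    size_t m_size = 0;
};

struct LoweringResult {
    size_t bytes;      // total bytes in the stream
    size_t misaligned; // instructions that would trip UBSAN's alignment check
};

// Lower the reported snippet (`!passed` then a conditional jump), with or without padding.
LoweringResult lower_example(bool pad_instructions)
{
    BytecodeBlock block;
    JumpConditional jump {}; // constructed sample targets, both zero
    if (pad_instructions) {
        block.emit(Not {});
        block.emit(jump);
    } else {
        block.emit_unpadded(Not {});
        block.emit_unpadded(jump);
    }
    return { block.size(), block.misaligned_instruction_count() };
}

int main()
{
    LoweringResult broken = lower_example(false);
    LoweringResult fixed = lower_example(true);
    printf("unpadded: %zu bytes, %zu misaligned\n", broken.bytes, broken.misaligned);
    printf("padded:   %zu bytes, %zu misaligned\n", fixed.bytes, fixed.misaligned);
    return 0;
}
```

The unpadded stream is 28 bytes with the jump misaligned at offset 4; the padded one spends one extra 4-byte no-op (32 bytes total) and every instruction lands on its required boundary. The walk in `misaligned_instruction_count` is the kind of check that can run in a regular test build, which catches the regression without depending on a UBSAN-instrumented binary.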