
segment fault4

Open bird8693 opened this issue 4 years ago • 3 comments

Environment

Ubuntu 16

PoC

// Fuzzer-style reproducer as reported against the ChakraCore `ch` host.
// The crash reported below is in the JIT backend (SCCLiveness::ProcessStackSymUse
// reached from LinearScan::RegAlloc / Func::TryCodegen), so the exact statement
// order, value types and loop shape are part of the repro: keep this script
// verbatim when re-testing rather than simplifying it.
// Note: `fdRk` is declared by the hoisted `var fdRk` inside the loop, so the
// assignments above the loop write to that script-level var, not to an
// implicit global.
let x = 1;
fdRk = x.toFixed(x);
var PPJi = JSON;
fdRk = !9007199254740991;
this.x;
this.x = 4660;
fdRk = fdRk / x;
// 495 iterations — presumably enough to get the loop body JIT-compiled;
// confirm against the host's tier-up thresholds before reducing the count.
for (let i = 0; i < 495; i++) {
    String.prototype.localeCompare.call(x, new Date(0, 0, 0, 0, 0, 0, undefined));
    var EixA = +4;
    var djhd = Proxy;
    var NxQT = JSON;
    // Re-installs an accessor for the global-object property `x` on every
    // iteration. In standard ES semantics that property is distinct from the
    // top-level `let x` binding that the rest of the script reads and writes.
    this.__defineSetter__('x', () => {
    });
    var EixA = +4;   // duplicate `var` declaration; harmless
    x = x / x;       // from the second iteration on `x` is a RegExp, so this yields NaN
    fdRk = new Uint32Array([
        1200,
        fdRk
    ]);
    x = new RegExp(null);
    var fdRk = JSON.stringify(1518500249);
    fdRk = 2147483649 % -2147483648;
    let a = new Uint8Array(100);
}
// `n` is never declared in this script; in an engine that does not crash
// first, this line throws a ReferenceError.
n.xyz = 2187875060;
this.x;

output

command line output

Segmentation fault (core dumped)

gef output

   0x555556d22540 <SCCLiveness::ProcessStackSymUse(StackSym*,+0> mov    r13d, eax
   0x555556d22543 <SCCLiveness::ProcessStackSymUse(StackSym*,+0> mov    rax, QWORD PTR [rbx]
   0x555556d22546 <SCCLiveness::ProcessStackSymUse(StackSym*,+0> mov    r15, QWORD PTR [rbx+0x10]
 → 0x555556d2254a <SCCLiveness::ProcessStackSymUse(StackSym*,+0> add    DWORD PTR [r12+0x74], r13d
   0x555556d2254f <SCCLiveness::ProcessStackSymUse(StackSym*,+0> test   r15, r15
   0x555556d22552 <SCCLiveness::ProcessStackSymUse(StackSym*,+0> je     0x555556d22771 <SCCLiveness::ProcessStackSymUse(StackSym*,  IR::Instr*,  int)+913>
   0x555556d22558 <SCCLiveness::ProcessStackSymUse(StackSym*,+0> mov    QWORD PTR [rbp-0x30], rax
   0x555556d2255c <SCCLiveness::ProcessStackSymUse(StackSym*,+0> mov    QWORD PTR [rbp-0x48], rbx
   0x555556d22560 <SCCLiveness::ProcessStackSymUse(StackSym*,+0> mov    rax, QWORD PTR fs:0x0
─────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "ch", stopped 0x7ffff73d1360 in pthread_cond_wait@@GLIBC_2.3.2 (), reason: SIGSEGV
[#1] Id 2, Name: "ch", stopped 0x7ffff73d1709 in pthread_cond_timedwait@@GLIBC_2.3.2 (), reason: SIGSEGV
[#2] Id 3, Name: "ch", stopped 0x7ffff73d1709 in pthread_cond_timedwait@@GLIBC_2.3.2 (), reason: SIGSEGV
[#3] Id 4, Name: "ch", stopped 0x555556d2254a in SCCLiveness::ProcessStackSymUse (), reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x555556d2254a → SCCLiveness::ProcessStackSymUse(this=0x7ff7f37b3a48, stackSym=<optimized out>, instr=0x7ff700000008, usageSize=<optimized out>)
[#1] 0x555556d20981 → SCCLiveness::ProcessRegUse(this=0x7ff7f37b3a48, regUse=0x7ff7f2ec4158, instr=0x7ff7f2ec4208)
[#2] 0x555556d20981 → SCCLiveness::ProcessSrc(this=0x7ff7f37b3a48, src=0x7ff7f2ec4170, instr=0x7ff7f2ec4208)
[#3] 0x555556d1e176 → SCCLiveness::Build(this=<optimized out>)
[#4] 0x555556c19030 → LinearScan::RegAlloc(this=0x7ff7f37b3d98)
[#5] 0x5555569a461b → Func::TryCodegen(this=0x7ff7f37b46b0)
[!] Command 'context' failed to execute properly, reason: access outside bounds of object referenced via synthetic pointer

bird8693 avatar Mar 17 '21 03:03 bird8693

@rhuanjl please check this 6642~6654

bird8693 avatar Apr 21 '21 02:04 bird8693

This doesn't repro for me with master - what version of chakracore did you use?

rhuanjl avatar Apr 21 '21 07:04 rhuanjl

1.12.0.0; this issue may have been fixed since then.

bird8693 avatar Aug 08 '21 00:08 bird8693