Integer overflow for vector capacity in Hermes
Bug Description
When hermes runs test.js, it crashes.
In hermes/external/llvh/lib/Support/SmallVector.cpp:43 SmallVectorBase::grow_pod, the capacity overflows and is caught by LLVM. This bug occurs in both debug and release mode, and hermes crashes on both Linux and MacOS.
Hermes version: 6c5270935d652da15440f7bda6bd36e4274fd9e4
React Native version (if any):
OS version (if any): MacOS, Linux
Platform: x64
Steps To Reproduce
- Compile hermes in Debug or Release mode
- Run: ./hermes test.js
code example:

```js
// test.js
var largeNum = 500000;
var summary = 'I once was lost but now I am found.';
// Replacement function: 500000 copies of "$`", padded out to largeNum * matchStart characters.
var replaceValue = function (matchStr, matchStart) {
  return "$`".repeat(largeNum).padEnd(largeNum * matchStart, summary);
};
// First replace: a function's return value is inserted verbatim, so result keeps the literal "$`" pairs.
var result = summary.replace('found', replaceValue);
// Second replace: result is now a replacement string, so each "$`" expands to the text before the match.
result = result.replace('found', result);
```
The Expected Behavior
Throw an exception instead of crashing.
Backtrace:
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140064841960320) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=140064841960320) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=140064841960320, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x00007f6364ecc476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x00007f6364eb27f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x00005598c75cb2c9 in llvh::report_bad_alloc_error (Reason=0x5598c7cad220 "SmallVector capacity overflow during allocation", GenCrashDiag=true) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/external/llvh/lib/Support/ErrorHandling.cpp:174
#6 0x00005598c75e4c04 in llvh::SmallVectorBase::grow_pod (this=0x7ffd8d632470, FirstEl=0x7ffd8d632480, MinCapacity=4097237655, TSize=2) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/external/llvh/lib/Support/SmallVector.cpp:54
#7 0x00005598c7630228 in llvh::SmallVectorTemplateCommon<char16_t, void>::grow_pod (this=0x7ffd8d632470, MinCapacity=4097237655, TSize=2) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/external/llvh/include/llvh/ADT/SmallVector.h:105
#8 0x00005598c762c37a in llvh::SmallVectorTemplateBase<char16_t, true>::grow (this=0x7ffd8d632470, MinSize=4097237655) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/external/llvh/include/llvh/ADT/SmallVector.h:317
#9 0x00005598c76f2c0f in llvh::SmallVectorImpl<char16_t>::append<char16_t const*, void> (this=0x7ffd8d632470, in_start=0x7f635e92a010 u"I once was lost but now I am ..., in_end=0x7f635eb12504 u"found.I once was lost but now I am found.I once was lost but now I am found.I once was lost but now I am found.I once was lost but now I am found.I once was lost but now I am found.I once was lost but"...) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/external/llvh/include/llvh/ADT/SmallVector.h:408
#10 0x00005598c77c3e8b in hermes::vm::StringView::getUTF16Ref (this=0x7ffd8d6324c0, allocator=..., alwaysCopy=true) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/VM/StringView.cpp:29
#11 0x00005598c783615e in hermes::vm::StringView::appendUTF16String (this=0x7ffd8d6324c0, allocator=...) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/include/hermes/VM/StringView.h:338
#12 0x00005598c786c345 in hermes::vm::getSubstitution (runtime=..., matched=..., str=..., position=1000058, captures=..., namedCaptures=..., replacement=...) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/VM/JSLib/RegExp.cpp:988
#13 0x00005598c785add9 in hermes::vm::stringPrototypeReplace (runtime=..., args=...) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/VM/JSLib/String.cpp:2069
#14 0x00005598c761fae9 in hermes::vm::NativeFunction::_nativeCall (self=0x34fe827f3850, runtime=...) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/include/hermes/VM/Callable.h:507
#15 0x00005598c768f100 in hermes::vm::Interpreter::handleCallSlowPath (runtime=..., callTarget=0x7f6362265058) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/VM/Interpreter.cpp:274
#16 0x00005598c7695683 in hermes::vm::Interpreter::interpretFunction<false, false> (runtime=..., state=...) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/VM/Interpreter.cpp:1600
#17 0x00005598c76919e0 in hermes::vm::Runtime::interpretFunctionImpl (this=0x34fe81c00000, newCodeBlock=0x5598c8af5810) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/VM/Interpreter.cpp:825
#18 0x00005598c7691a68 in hermes::vm::Runtime::interpretFunction (this=0x34fe81c00000, newCodeBlock=0x5598c8af5810) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/VM/Interpreter.cpp:833
#19 0x00005598c776c813 in hermes::vm::Runtime::runBytecode (this=0x34fe81c00000, bytecode=..., flags=..., sourceURL=..., environment=..., thisArg=...) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/VM/Runtime.cpp:1064
#20 0x00005598c7764852 in hermes::vm::Runtime::runBytecode (this=0x34fe81c00000, bytecode=..., runtimeModuleFlags=..., sourceURL=..., environment=...) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/include/hermes/VM/Runtime.h:277
#21 0x00005598c7928a98 in hermes::(anonymous namespace)::executeHBCBytecodeImpl (bytecode=..., options=..., filename=0x7ffd8d633d98) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/ConsoleHost/ConsoleHost.cpp:331
#22 0x00005598c7928fa9 in operator() (__closure=0x7ffd8d6335c0) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/ConsoleHost/ConsoleHost.cpp:417
#23 0x00005598c7929664 in hermes::(anonymous namespace)::maybeCatchException<hermes::executeHBCBytecode(std::shared_ptr<hermes::hbc::BCProviderBase>&&, const hermes::ExecuteOptions&, const string*)::<lambda()> >(const struct {...} &) (f=...) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/ConsoleHost/ConsoleHost.cpp:253
#24 0x00005598c7928ffd in hermes::executeHBCBytecode (bytecode=..., options=..., filename=0x7ffd8d633d98) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/lib/ConsoleHost/ConsoleHost.cpp:416
#25 0x00005598c7592474 in executeHBCBytecodeFromCL (bytecode=std::unique_ptr<hermes::hbc::BCProviderBase> = {...}, info=...) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/tools/hermes/hermes.cpp:131
#26 0x00005598c7592b2c in main (argc=2, argv=0x7ffd8d634018) at /home/jack/InfoSecurity/JavaScriptEngines/hermes/hermes/tools/hermes/hermes.cpp:204
#27 0x00007f6364eb3d90 in __libc_start_call_main (main=main@entry=0x5598c7592952 <main(int, char**)>, argc=argc@entry=2, argv=argv@entry=0x7ffd8d634018) at ../sysdeps/nptl/libc_start_call_main.h:58
#28 0x00007f6364eb3e40 in __libc_start_main_impl (main=0x5598c7592952 <main(int, char**)>, argc=2, argv=0x7ffd8d634018, init=
Thank you for reporting this. The correct behavior would indeed be to throw a JS range exception.
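The following is an added example, not Hermes's own code, of the hardening the reply describes: a substitution routine that measures the expanded `$``, `$'`, `$&` and `$$` output with overflow-checked arithmetic and refuses (the point at which an engine would throw RangeError) before allocating, instead of letting the backing vector's capacity overflow as in the backtrace above, where each of the reproducer's 500000 "$`" pairs expands to the 1000058 characters before the match. It omits capture groups, and `kMaxStringLength` is a constructed cap rather than Hermes's real limit.

```cpp
#include <optional>
#include <string>
#include <string_view>
// Constructed cap for the example; a real engine has its own maximum.
constexpr size_t kMaxStringLength = size_t{1} << 30;
// Add n to total, failing instead of wrapping past the cap.
static bool addChecked(size_t &total, size_t n) {
  if (n > kMaxStringLength - total) return false;
  total += n;
  return true;
}
// One pass over `replacement` (position must be a valid match offset):
// counts the expanded length into `total` and, when `out` is non-null,
// appends the expansion. Handles $$, $&, $` and $'; any other '$' is literal.
static bool expandSubstitution(std::u16string_view matched,
                               std::u16string_view str, size_t position,
                               std::u16string_view replacement,
                               size_t &total, std::u16string *out) {
  const size_t tailPos = position + matched.size();
  const std::u16string_view before = str.substr(0, position);
  const std::u16string_view after = str.substr(tailPos);
  total = 0;
  for (size_t i = 0; i < replacement.size(); ++i) {
    std::u16string_view piece = replacement.substr(i, 1);  // literal char
    if (replacement[i] == u'$' && i + 1 < replacement.size()) {
      switch (replacement[i + 1]) {
        case u'$':  piece = u"$";    ++i; break;
        case u'&':  piece = matched; ++i; break;
        case u'`':  piece = before;  ++i; break;  // grows with position
        case u'\'': piece = after;   ++i; break;
        default: break;
      }
    }
    if (!addChecked(total, piece.size())) return false;
    if (out) out->append(piece);
  }
  return true;
}
// Measure first and allocate only when the result fits; a caller maps
// nullopt to the JS RangeError the reply asks for.
std::optional<std::u16string> getSubstitution(
    std::u16string_view matched, std::u16string_view str, size_t position,
    std::u16string_view replacement) {
  size_t len = 0;
  if (!expandSubstitution(matched, str, position, replacement, len, nullptr))
    return std::nullopt;
  std::u16string out; out.reserve(len);
  expandSubstitution(matched, str, position, replacement, len, &out);
  return out;
}
```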