
SEGV on unknown address in Escargot::TightVector #1309

Open
Ye0nny opened this issue Jan 22, 2024 · 0 comments
Labels
bug Something isn't working

Ye0nny commented Jan 22, 2024

Escargot

  • OS: Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)
  • Revision: bd95de3

Build Steps

cmake -DCMAKE_CXX_FLAGS=-fsanitize=address -DESCARGOT_MODE=debug -DESCARGOT_OUTPUT=shell -GNinja

Describe the bug
SEGV on unknown address

Test case

testcase

( function * ( ) { for ( let { func0 : f = class o { } } of [ { } ] ) { } } ) ( ) ; 
( function ( ) { func2 = o ; } ) ( ). next ( ) ; 
( function ( ) { for ( let { func1 : f = class o { } } of [ { } ] ) { } } ) ( ) ; 
( function ( func2 = null, n = function ( func4 ) { if ( e!== n ) return ; 
for ( let { var0 : f = class o { } } of [ { } ] ) { } } ) ( ) ; 
( function ( ) { for ( let [ func3 = class o { } ] = [ [ ] ] ; ; ) break ; } ) ( ) ; 
( function ( ) { var func4 ; for ( [ f = class o { } ] = [ [ ] ] ; ; ) break ; } ) ( ) ;

// poc.js
( function ( n = function ( ) {  ;
( function ( ) { for ( let [ func3 = { } ] = [ ] ; ; ) ; }

Execution steps & Output

$ ./escargot poc.js
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3464772==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x564abb9e766b bp 0x7fff2f068dc0 sp 0x7fff2f068db0 T0)
==3464772==The signal is caused by a READ memory access.
==3464772==Hint: address points to the zero page.
    #0 0x564abb9e766a in Escargot::TightVector<Escargot::ASTBlockContextNameInfo, GCUtil::gc_malloc_atomic_allocator<Escargot::ASTBlockContextNameInfo> >::size() const src/util/TightVector.h:172
    #1 0x564abbac0caa in Escargot::esprima::Parser::closeBlock(Escargot::esprima::Parser::ParserBlockContext&) src/parser/esprima_cpp/esprima.cpp:3726
    #2 0x564abbb933ba in Escargot::SyntaxChecker::ASTNode Escargot::esprima::Parser::parseFunctionExpression<Escargot::SyntaxChecker>(Escargot::SyntaxChecker&) src/parser/esprima_cpp/esprima.cpp:5485
    #3 0x564abbb63683 in Escargot::SyntaxChecker::ASTNode Escargot::esprima::Parser::parsePrimaryExpression<Escargot::SyntaxChecker>(Escargot::SyntaxChecker&) src/parser/esprima_cpp/esprima.cpp:1217
    #4 0x564abbb90a87 in Escargot::SyntaxChecker::ASTNode Escargot::esprima::Parser::inheritCoverGrammar<Escargot::SyntaxChecker, Escargot::SyntaxNode (Escargot::esprima::Parser::*)(Escargot::SyntaxChecker&)>(Escargot::SyntaxChecker&, Escargot::SyntaxNode (Escargot::esprima::Parser::*)(Escargot::SyntaxChecker&)) src/parser/esprima_cpp/esprima.cpp:1013
    #5 0x564abbbdc285 in Escargot::SyntaxChecker::ASTNode Escargot::esprima::Parser::parseLeftHandSideExpressionAllowCall<Escargot::SyntaxChecker>(Escargot::SyntaxChecker&) (./escargot/escargot+0x853285)
    #6 0x564abbb90a87 in Escargot::SyntaxChecker::ASTNode Escargot::esprima::Parser::inheritCoverGrammar<Escargot::SyntaxChecker, Escargot::SyntaxNode (Escargot::esprima::Parser::*)(Escargot::SyntaxChecker&)>(Escargot::SyntaxChecker&, Escargot::SyntaxNode (Escargot::esprima::Parser::*)(Escargot::SyntaxChecker&)) src/parser/esprima_cpp/esprima.cpp:1013
    #7 0x564abbc07dda in Escargot::SyntaxChecker::ASTNode Escargot::esprima::Parser::parseUpdateExpression<Escargot::SyntaxChecker>(Escargot::SyntaxChecker&) src/parser/esprima_cpp/esprima.cpp:2772
    #8 0x564abbbecd2d in Escargot::SyntaxChecker::ASTNode Escargot::esprima::Parser::parseUnaryExpression<Escargot::SyntaxChecker>(Escargot::SyntaxChecker&) src/parser/esprima_cpp/esprima.cpp:2929
    #9 0x564abbb90a87 in Escargot::SyntaxChecker::ASTNode Escargot::esprima::Parser::inheritCoverGrammar<Escargot::SyntaxChecker, Escargot::SyntaxNode (Escargot::esprima::Parser::*)(Escargot::SyntaxChecker&)>(Escargot::SyntaxChecker&, Escargot::SyntaxNode (Escargot::esprima::Parser::*)(Escargot::SyntaxChecker&)) src/parser/esprima_cpp/esprima.cpp:1013
    #10 0x564abbbcd659 in Escargot::SyntaxChecker::ASTNode Escargot::esprima::Parser::parseExponentiationExpression<Escargot::SyntaxChecker>(Escargot::SyntaxChecker&) (./escargot/escargot+0x844659)
    #11 0x564abbb90a87 in Escargot::SyntaxChecker::ASTNode Escargot::esprima::Parser::inheritCoverGrammar<Escargot::SyntaxChecker, Escargot::SyntaxNode (Escargot::esprima::Parser::*)(Escargot::SyntaxChecker&)>(Escargot::SyntaxChecker&, Escargot::SyntaxNode (Escargot::esprima::Parser::*)(Escargot::SyntaxChecker&)) src/parser/esprima_cpp/esprima.cpp:1013
    #12 0x564abbb8f347 in Escargot::SyntaxChecker::ASTNode Escargot::esprima::Parser::parseBinaryExpression<Escargot::SyntaxChecker>(Escargot::SyntaxChecker&) src/parser/esprima_cpp/esprima.cpp:3035
    #13 0x564abbb90a87 in Escargot::SyntaxChecker::ASTNode Escargot::esprima::Parser::inheritCoverGrammar<Escargot::SyntaxChecker, Escargot::SyntaxNode (Escargot::esprima::Parser::*)(Escargot::SyntaxChecker&)>(Escargot::SyntaxChecker&, Escargot::SyntaxNode (Escargot::esprima::Parser::*)(Escargot::SyntaxChecker&)) src/parser/esprima_cpp/esprima.cpp:1013
    #14 0x564abbb615fa in Escargot::SyntaxChecker::ASTNode Escargot::esprima::Parser::parseConditionalExpression<Escargot::SyntaxChecker>(Escargot::SyntaxChecker&) src/parser/esprima_cpp/esprima.cpp:3186
    #15 0x564abbb2b0c9 in Escargot::SyntaxChecker::ASTNode Escargot::esprima::Parser::parseAssignmentExpression<Escargot::SyntaxChecker, false>(Escargot::SyntaxChecker&) src/parser/esprima_cpp/esprima.cpp:3228
    #16 0x564abbb90a87 in Escargot::SyntaxChecker::ASTNode Escargot::esprima::Parser::inheritCoverGrammar<Escargot::SyntaxChecker, Escargot::SyntaxNode (Escargot::esprima::Parser::*)(Escargot::SyntaxChecker&)>(Escargot::SyntaxChecker&, Escargot::SyntaxNode (Escargot::esprima::Parser::*)(Escargot::SyntaxChecker&)) src/parser/esprima_cpp/esprima.cpp:1013
    #17 0x564abbb95dc4 in Escargot::SyntaxChecker::ASTNode Escargot::esprima::Parser::parseGroupExpression<Escargot::SyntaxChecker>(Escargot::SyntaxChecker&) src/parser/esprima_cpp/esprima.cpp:2186
    #18 0x564abbb90a87 in Escargot::SyntaxChecker::ASTNode Escargot::esprima::Parser::inheritCoverGrammar<Escargot::SyntaxChecker, Escargot::SyntaxNode (Escargot::esprima::Parser::*)(Escargot::SyntaxChecker&)>(Escargot::SyntaxChecker&, Escargot::SyntaxNode (Escargot::esprima::Parser::*)(Escargot::SyntaxChecker&)) src/parser/esprima_cpp/esprima.cpp:1013
    #19 0x564abbb62eab in Escargot::SyntaxChecker::ASTNode Escargot::esprima::Parser::parsePrimaryExpression<Escargot::SyntaxChecker>(Escargot::SyntaxChecker&) src/parser/esprima_cpp/esprima.cpp:1184
    #20 0x564abbb90a87 in Escargot::SyntaxChecker::ASTNode Escargot::esprima::Parser::inheritCoverGrammar<Escargot::SyntaxChecker, Escargot::SyntaxNode (
    ...
    ...
    #83 0x564abbb32875 in Escargot::NodeGenerator::ASTNode Escargot::esprima::Parser::inheritCoverGrammar<Escargot::NodeGenerator, Escargot::Node* (Escargot::esprima::Parser::*)(Escargot::NodeGenerator&)>(Escargot::NodeGenerator&, Escargot::Node* (Escargot::esprima::Parser::*)(Escargot::NodeGenerator&)) src/parser/esprima_cpp/esprima.cpp:1013
    #84 0x564abbb0d084 in Escargot::NodeGenerator::ASTNode Escargot::esprima::Parser::parseConditionalExpression<Escargot::NodeGenerator>(Escargot::NodeGenerator&) src/parser/esprima_cpp/esprima.cpp:3186
    #85 0x564abbb086a5 in Escargot::NodeGenerator::ASTNode Escargot::esprima::Parser::parseAssignmentExpression<Escargot::NodeGenerator, false>(Escargot::NodeGenerator&) src/parser/esprima_cpp/esprima.cpp:3228
    #86 0x564abbb0c7f3 in Escargot::NodeGenerator::ASTNode Escargot::esprima::Parser::isolateCoverGrammar<Escargot::NodeGenerator, Escargot::Node* (Escargot::esprima::Parser::*)(Escargot::NodeGenerator&)>(Escargot::NodeGenerator&, Escargot::Node* (Escargot::esprima::Parser::*)(Escargot::NodeGenerator&)) src/parser/esprima_cpp/esprima.cpp:989
    #87 0x564abbb41414 in Escargot::NodeGenerator::ASTNode Escargot::esprima::Parser::parseExpression<Escargot::NodeGenerator>(Escargot::NodeGenerator&) src/parser/esprima_cpp/esprima.cpp:3609
    #88 0x564abbb4fba8 in Escargot::NodeGenerator::ASTNode Escargot::esprima::Parser::parseExpressionStatement<Escargot::NodeGenerator>(Escargot::NodeGenerator&) src/parser/esprima_cpp/esprima.cpp:4065
    #89 0x564abbb25be0 in Escargot::NodeGenerator::ASTNode Escargot::esprima::Parser::parseStatement<Escargot::NodeGenerator>(Escargot::NodeGenerator&, bool, bool) src/parser/esprima_cpp/esprima.cpp:4888
    #90 0x564abbb0672c in Escargot::NodeGenerator::ASTNode Escargot::esprima::Parser::parseStatementListItem<Escargot::NodeGenerator>(Escargot::NodeGenerator&) src/parser/esprima_cpp/esprima.cpp:3666
    #91 0x564abbac5b03 in Escargot::esprima::Parser::parseProgram(Escargot::NodeGenerator&) src/parser/esprima_cpp/esprima.cpp:6896
    #92 0x564abbac8957 in Escargot::esprima::parseProgram(Escargot::Context*, Escargot::StringView, Escargot::ASTClassInfo*, bool, bool, bool, bool, bool, bool, bool) src/parser/esprima_cpp/esprima.cpp:7122
    #93 0x564abba289ae in Escargot::ScriptParser::initializeScript(Escargot::String*, unsigned long, Escargot::String*, Escargot::String*, Escargot::InterpretedCodeBlock*, bool, bool, bool, bool, bool, bool, bool, bool, bool) src/parser/ScriptParser.cpp:394
    #94 0x564abb5f000d in Escargot::ScriptParser::initializeScript(Escargot::String*, Escargot::String*, bool) src/parser/ScriptParser.h:57
    #95 0x564abb6037c1 in Escargot::ScriptParserRef::initializeScript(Escargot::StringRef*, Escargot::StringRef*, bool) src/api/EscargotPublic.cpp:4626
    #96 0x564abbe9967c in evalScript src/shell/Shell.cpp:751
    #97 0x564abbe9c58d in main src/shell/Shell.cpp:1130
    #98 0x7f29aa63f082 in __libc_start_main ../csu/libc-start.c:308
    #99 0x564abb5e17fd in _start (./escargot/escargot+0x2587fd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/util/TightVector.h:172 in Escargot::TightVector<Escargot::ASTBlockContextNameInfo, GCUtil::gc_malloc_atomic_allocator<Escargot::ASTBlockContextNameInfo> >::size() const
==3464772==ABORTING

When executed in release mode:

Output

Segmentation fault

Expected behavior

SyntaxError: Expected ')'
	at code (poc.js:3:1)

Credits: @Ye0nny, @EJueon
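Added example, not part of this issue and not Escargot code: a small triage helper that parses an AddressSanitizer report of the shape shown above, classifies the fault, and derives a deduplication key from the top in-project frames. It uses an abridged copy of the report from this issue as constructed sample input (middle frames elided), and it assumes the project's source files are the ones whose frame locations start with `src/`; that prefix and the frame-depth of 3 are parameters, not a property of ASan. The classification rule encodes the standard reading of ASan's "address points to the zero page" hint: a fault at a small address such as 0x10 is a read through a null pointer at a small field offset, which is the kind of finding a fuzzing harness should bucket separately from a wild-pointer SEGV.

```python
"""Triage helper for AddressSanitizer crash reports (added example, not Escargot code)."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an abridged copy of the report posted in this issue
# (frames #3-#4 and #6-#96 elided; addresses are the ones shown in the report).
SAMPLE_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3464772==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x564abb9e766b bp 0x7fff2f068dc0 sp 0x7fff2f068db0 T0)
==3464772==The signal is caused by a READ memory access.
==3464772==Hint: address points to the zero page.
    #0 0x564abb9e766a in Escargot::TightVector<Escargot::ASTBlockContextNameInfo, GCUtil::gc_malloc_atomic_allocator<Escargot::ASTBlockContextNameInfo> >::size() const src/util/TightVector.h:172
    #1 0x564abbac0caa in Escargot::esprima::Parser::closeBlock(Escargot::esprima::Parser::ParserBlockContext&) src/parser/esprima_cpp/esprima.cpp:3726
    #2 0x564abbb933ba in Escargot::SyntaxChecker::ASTNode Escargot::esprima::Parser::parseFunctionExpression<Escargot::SyntaxChecker>(Escargot::SyntaxChecker&) src/parser/esprima_cpp/esprima.cpp:5485
    #5 0x564abbbdc285 in Escargot::SyntaxChecker::ASTNode Escargot::esprima::Parser::parseLeftHandSideExpressionAllowCall<Escargot::SyntaxChecker>(Escargot::SyntaxChecker&) (./escargot/escargot+0x853285)
    #97 0x564abbe9c58d in main src/shell/Shell.cpp:1130
    #98 0x7f29aa63f082 in __libc_start_main ../csu/libc-start.c:308
    #99 0x564abb5e17fd in _start (./escargot/escargot+0x2587fd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/util/TightVector.h:172 in Escargot::TightVector<Escargot::ASTBlockContextNameInfo, GCUtil::gc_malloc_atomic_allocator<Escargot::ASTBlockContextNameInfo> >::size() const
==3464772==ABORTING
"""

# One stack frame: "#N 0xADDR in <function, may contain spaces> <file:line | (binary+offset)>"
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+(\S+)\s*$")
# Bug type plus optional faulting address; covers "SEGV on unknown address" and
# "heap-buffer-overflow on address" style headers.
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+)(?: on (?:unknown )?address (0x[0-9a-fA-F]+))?")
ACCESS_RE = re.compile(r"\b(READ|WRITE)\b")

PAGE_SIZE = 4096  # a fault below this address is an access through a null (or near-null) pointer
# Frames that belong to the runtime rather than the project; they add no dedup signal.
RUNTIME_FRAMES = ("__libc_start_main", "_start", "__interceptor_", "__asan_")


@dataclass
class Frame:
    index: int
    function: str
    location: str  # "file:line", or "(binary+offset)" when the frame was not symbolized


@dataclass
class AsanReport:
    bug_type: str
    address: Optional[int]
    access: Optional[str]
    frames: List[Frame] = field(default_factory=list)


def parse_asan_report(text: str) -> AsanReport:
    """Extract bug type, faulting address, access kind and stack frames from an ASan report."""
    m = ERROR_RE.search(text)
    if m is None:
        raise ValueError("not an AddressSanitizer error report")
    address = int(m.group(2), 16) if m.group(2) else None
    access = ACCESS_RE.search(text)
    frames = [Frame(int(fm.group(1)), fm.group(2), fm.group(3))
              for fm in (FRAME_RE.match(line) for line in text.splitlines()) if fm]
    return AsanReport(m.group(1), address, access.group(1) if access else None, frames)


def classify(report: AsanReport) -> str:
    """Bucket the fault: a zero-page SEGV is a null-pointer dereference, not a wild pointer."""
    if report.bug_type != "SEGV":
        return report.bug_type
    if report.address is not None and report.address < PAGE_SIZE:
        return f"null-pointer dereference (offset 0x{report.address:x} into a null object)"
    return "SEGV at wild address"


def crash_frames(report: AsanReport, source_prefix: str = "src/", depth: int = 3) -> List[Frame]:
    """Top `depth` frames symbolized into the project's own source tree (assumed prefix `src/`)."""
    out: List[Frame] = []
    for f in report.frames:
        if f.function.startswith(RUNTIME_FRAMES) or not f.location.startswith(source_prefix):
            continue  # skip runtime frames and unsymbolized "(binary+offset)" frames
        out.append(f)
        if len(out) == depth:
            break
    return out


def stack_hash(report: AsanReport, depth: int = 3) -> str:
    """Deduplication key built from bug type and function names only; addresses change with ASLR."""
    names = [f.function for f in crash_frames(report, depth=depth)]
    return hashlib.sha1("\n".join([report.bug_type, *names]).encode()).hexdigest()[:16]


if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    print(classify(rep), rep.access, "access")
    for fr in crash_frames(rep):
        print(f"  #{fr.index} {fr.location}")
    print("bucket:", stack_hash(rep))
```

Running the helper on the sample yields the null-pointer bucket with `src/util/TightVector.h:172` as the top in-project frame; feeding it several reports from a fuzzing run groups those that share the same top three project functions, regardless of the runtime addresses in each run.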

@Ye0nny Ye0nny added the bug Something isn't working label Jan 22, 2024