
Stack overflow in ParseNode::Grfnop() #5699

Closed
fumfel opened this issue Sep 12, 2018 · 2 comments
fumfel commented Sep 12, 2018

Git Head: d1524eb

To reproduce: ch so.js

Crashing payload:

let limit = (1 << 16) - 4;
function test0() {
    return arguments[limit - 1];
}
while (true) {
    try {
        const txt = `test/(${Array(limit).fill(0).map((_, i) => i).join(",")})`;
        var val1 = eval(txt);
        console.log(`arguments[${limit - 1}] == ${val1}`);
        break;
    } catch (e) {
        console.log(e)
        console.log(`${limit} is too many arguments`);
        limit--;
    }
}
console.log(`Arguments limit: ${limit}`);

Extract from Valgrind log (full log available here: https://gist.github.com/fumfel/3c246644270ce2d6f486283a6b570347):

==21642== Stack overflow in thread #1: can't grow stack to 0x1ffe801000
==21642== Stack overflow in thread #1: can't grow stack to 0x1ffe801000
==21642== Can't extend stack to 0x1ffe801068 during signal delivery for thread 1:
==21642==   no stack segment
==21642== 
==21642== Process terminating with default action of signal 11 (SIGSEGV)
==21642==  Access not within mapped region at address 0x1FFE801068
==21642== Stack overflow in thread #1: can't grow stack to 0x1ffe801000
==21642==    at 0x2106D9F: ParseNode::Grfnop() (ptree.h:176)
==21642==  If you believe this happened as a result of a stack
==21642==  overflow in your program's main thread (unlikely but
==21642==  possible), you can try to increase the size of the
==21642==  main thread stack using the --main-stacksize= flag.
==21642==  The main thread stack size used in this run was 8388608.
==21642== Stack overflow in thread #1: can't grow stack to 0x1ffe801000
==21642== 
==21642== Process terminating with default action of signal 11 (SIGSEGV)
==21642==  Access not within mapped region at address 0x1FFE801F28
==21642== Stack overflow in thread #1: can't grow stack to 0x1ffe801000
==21642==    at 0x8296650: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-amd64-linux.so)
==21642==  If you believe this happened as a result of a stack
==21642==  overflow in your program's main thread (unlikely but
==21642==  possible), you can try to increase the size of the
==21642==  main thread stack using the --main-stacksize= flag.
==21642==  The main thread stack size used in this run was 8388608.
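What the log shows is a parser routine recursing once per nesting level of the expression it was handed: a comma list with tens of thousands of operands parses as a left-nested chain of binary nodes, so a script author controls the recursion depth and therefore the native stack usage. The following is an added illustration of that failure mode and of the usual remedy, not ChakraCore's own code (the actual fix is only referenced above by its truncated commit message). The node layout, the depth limit `kMaxDepth` and the two walker functions are assumptions made for the example: one walker recurses and fails closed once the depth bound is hit, the other walks the same tree with an explicit heap-allocated stack so depth costs heap memory rather than thread stack.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Minimal stand-in for a parser AST: a binary node, or a leaf that either
// has a side effect (a call, an assignment) or does not (a literal).
enum class Op { Comma, Leaf };

struct Node {
    Op op;
    bool leafSideEffect;   // only meaningful for Op::Leaf
    Node* left;
    Node* right;
};

// Arena owning every node, so teardown needs no recursion either.
struct Arena {
    std::vector<std::unique_ptr<Node>> nodes;
    Node* make(Op op, Node* l, Node* r, bool se = false) {
        nodes.push_back(std::unique_ptr<Node>(new Node{op, se, l, r}));
        return nodes.back().get();
    }
};

// Builds "(0,0,...,0)" the way a left-associative comma operator nests it:
// ((((0,0),0),0),...). Nesting depth is count-1, i.e. attacker controlled.
Node* buildCommaChain(Arena& a, size_t count, bool lastHasSideEffect) {
    Node* n = a.make(Op::Leaf, nullptr, nullptr, count == 1 && lastHasSideEffect);
    for (size_t i = 1; i < count; ++i) {
        bool se = (i == count - 1) && lastHasSideEffect;
        Node* leaf = a.make(Op::Leaf, nullptr, nullptr, se);
        n = a.make(Op::Comma, n, leaf);
    }
    return n;
}

enum class Result { NoSideEffect, SideEffect, DepthExceeded };

// Assumption: an illustrative bound, not an engine constant. A real engine
// would compare against the remaining thread stack instead.
constexpr size_t kMaxDepth = 1024;

// Naive recursive walk: one native stack frame per nesting level. Without
// the depth guard a 65k-element comma list is a guaranteed stack overflow.
Result hasSideEffectRecursive(const Node* n, size_t depth = 0) {
    if (depth > kMaxDepth) return Result::DepthExceeded;
    if (n->op == Op::Leaf)
        return n->leafSideEffect ? Result::SideEffect : Result::NoSideEffect;
    Result l = hasSideEffectRecursive(n->left, depth + 1);
    if (l != Result::NoSideEffect) return l;
    return hasSideEffectRecursive(n->right, depth + 1);
}

// Same question answered with an explicit work stack on the heap: the
// nesting depth now costs vector storage, not thread stack.
Result hasSideEffectIterative(const Node* root) {
    std::vector<const Node*> work;
    work.push_back(root);
    while (!work.empty()) {
        const Node* n = work.back();
        work.pop_back();
        if (n->op == Op::Leaf) {
            if (n->leafSideEffect) return Result::SideEffect;
            continue;
        }
        work.push_back(n->right);
        work.push_back(n->left);   // left is popped first, preserving order
    }
    return Result::NoSideEffect;
}

// Runs either walker over a chain shaped like the repro (2**16 operands,
// last one carrying the side effect) or any other size.
Result checkChain(size_t count, bool iterative) {
    Arena a;
    Node* root = buildCommaChain(a, count, true);
    return iterative ? hasSideEffectIterative(root) : hasSideEffectRecursive(root);
}

int main() {
    const size_t n = size_t(1) << 16;
    std::printf("recursive: %d, iterative: %d\n",
                int(checkChain(n, false)), int(checkChain(n, true)));
    return 0;
}
```

The recursive walker on the 2**16-deep chain stops at `DepthExceeded` rather than crashing, while the iterative one reaches the side-effecting leaf at the bottom of the chain; either a depth bound that fails closed or a heap-stack rewrite removes the script's control over native stack consumption, which is the property the repro above violates.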
@wyrichte wyrichte self-assigned this Sep 20, 2018
@wyrichte
Collaborator

A shorter repro:
eval("a/("+Array(2**16).fill(0).join(",")+")");

wyrichte added a commit to wyrichte/ChakraCore_wyrichte_fork that referenced this issue Oct 3, 2018
…aveSideEffectOnNode to avoid a stack overflow.
@dilijev dilijev closed this as completed in 3321ead Oct 4, 2018
@ryanelfmank2

I am able to reproduce this still with NuGet package 1.11.17 using the code above:

eval("a/("+Array(2**16).fill(0).join(",")+")");
