Invalid Memory Access in `OP_LdSlot` #6705

bin2415 · 2021-04-17T02:58:47Z

PoC:

function main() {
const v2 = [13.37,1337,1337,1337,1337];
async function v3(v4,v5,v6,v7,v8) {
    const v9 = `
        v7;
    `;
    for (const v11 in v7) {
        for (const v13 in v5) {
            const v14 = {b:v9,e:v13,...v8,...v3,...1,...v7};
            const v15 = await v14;
        }
        function v16(v17) {
        }
        const v18 = v16;
        function v19(v20,v21) {
            v16 = v20;
        }
    }
    const v22 = v3(RegExp,v4,RegExp,v2);
}
const v23 = v3();
}
main();

Bactrace:

* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x0000000102e1475c libChakraCore.dylib`Js::InterpreterStackFrame::OP_LdSlot(this=0x00000001006f7c00, instance=0x0000000000000000, slotIndex=2) at InterpreterStackFrame.cpp:9169:28
   9166	    {
   9167	        if (!PHASE_OFF(ClosureRangeCheckPhase, this->m_functionBody))
   9168	        {
-> 9169	            if ((uintptr_t)((Var*)instance)[ScopeSlots::EncodedSlotCountSlotIndex] <= (uintptr_t)(slotIndex - ScopeSlots::FirstSlotIndex))
   9170	            {
   9171	                Js::Throw::FatalInternalError();
   9172	            }
Target 0: (ch) stopped.
(lldb) bt 20
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000102e1475c libChakraCore.dylib`Js::InterpreterStackFrame::OP_LdSlot(this=0x00000001006f7c00, instance=0x0000000000000000, slotIndex=2) at InterpreterStackFrame.cpp:9169:28
    frame #1: 0x0000000102d35799 libChakraCore.dylib`void* Js::InterpreterStackFrame::OP_LdInnerSlot<Js::OpLayoutDynamicProfile<Js::OpLayoutT_ElementSlotI2<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(this=0x00000001006f7c00, slotArray=0x0000000000000000, playout=0x000000090824d0af)0> > > __unaligned const __unaligned*) at InterpreterStackFrame.cpp:9196:16
    frame #2: 0x0000000102d0674c libChakraCore.dylib`void* Js::InterpreterStackFrame::OP_ProfiledLdInnerSlot<Js::OpLayoutDynamicProfile<Js::OpLayoutT_ElementSlotI2<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(this=0x00000001006f7c00, slotArray=0x0000000000000000, playout=0x000000090824d0af)0> > > __unaligned const __unaligned*) at InterpreterStackFrame.cpp:9203:21
    frame #3: 0x0000000102cfef47 libChakraCore.dylib`Js::InterpreterStackFrame::ProcessProfiled(this=0x00000001006f7c00) at InterpreterHandler.inl:253:3
    frame #4: 0x0000000102c93804 libChakraCore.dylib`Js::InterpreterStackFrame::Process(this=0x00000001006f7c00) at InterpreterStackFrame.cpp:3472:20
    frame #5: 0x0000000102c9230c libChakraCore.dylib`Js::InterpreterStackFrame::InterpreterHelper(function=0x00000001006e6820, args=ArgumentReader @ 0x00007ffeefbfe1f0, returnAddress=0x0000000908260f92, addressOfReturnAddress=0x00007ffeefbfe238, asmJsReturn=0x0000000000000000) at InterpreterStackFrame.cpp:2153:40
    frame #6: 0x0000000102c91390 libChakraCore.dylib`Js::InterpreterStackFrame::InterpreterThunk(layout=0x00007ffeefbfe250) at InterpreterStackFrame.cpp:1833:16
    frame #7: 0x0000000908260f92
    frame #8: 0x000000010340d14e libChakraCore.dylib`amd64_CallFunction at JavascriptFunctionA.S:100
    frame #9: 0x00000001030c625b libChakraCore.dylib`void* Js::JavascriptFunction::CallFunction<true>(function=0x00000001006e6820, entryPoint=(libChakraCore.dylib`NativeCodeGenerator::CheckCodeGenThunk(Js::RecyclableObject*, Js::CallInfo, ...)), args=Arguments @ 0x00007ffeefbfe348, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
    frame #10: 0x00000001030d29c7 libChakraCore.dylib`Js::JavascriptGenerator::CallGenerator(this=0x00000009082290c0, data=0x0000000908466820, resumeKind=Normal) at JavascriptGenerator.cpp:185:26
    frame #11: 0x0000000103083814 libChakraCore.dylib`Js::JavascriptAsyncFunction::EntryAsyncSpawnStepNextFunction(function=0x00000009084674d0, callInfo=(Count = 1, Flags = CallFlags_Value, unused = 0)) at JavascriptAsyncFunction.cpp:93:31
    frame #12: 0x00000001030839f8 libChakraCore.dylib`Js::JavascriptAsyncFunction::AsyncSpawnStep(stepFunction=0x00000009084674d0, generator=0x00000009082290c0, resolve=0x00000009082bf0c0, reject=0x00000009082bf120) at JavascriptAsyncFunction.cpp:151:25
    frame #13: 0x0000000103084487 libChakraCore.dylib`Js::JavascriptAsyncFunction::EntryAsyncSpawnCallStepFunction(function=0x00000009084673f0, callInfo=(Count = 2, Flags = CallFlags_Value, unused = 0)) at JavascriptAsyncFunction.cpp:130:5
    frame #14: 0x00000001032873d6 libChakraCore.dylib`Js::JavascriptPromise::EntryReactionTaskFunction(function=0x0000000908469230, callInfo=(Count = 1, Flags = CallFlags_None, unused = 0)) at JavascriptPromise.cpp:1074:37
    frame #15: 0x000000010340d14e libChakraCore.dylib`amd64_CallFunction at JavascriptFunctionA.S:100
    frame #16: 0x00000001030c625b libChakraCore.dylib`void* Js::JavascriptFunction::CallFunction<true>(function=0x0000000908469230, entryPoint=(libChakraCore.dylib`Js::JavascriptPromise::EntryReactionTaskFunction(Js::RecyclableObject*, Js::CallInfo, ...) at JavascriptPromise.cpp:1037), args=Arguments @ 0x00007ffeefbfeb00, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
    frame #17: 0x00000001030c657f libChakraCore.dylib`Js::JavascriptFunction::CallRootFunctionInternal(obj=0x0000000908469230, args=Arguments @ 0x00007ffeefbfeb70, scriptContext=0x0000000101819658, inScript=true) at JavascriptFunction.cpp:772:24
    frame #18: 0x00000001030c63bc libChakraCore.dylib`Js::JavascriptFunction::CallRootFunction(obj=0x0000000908469230, args=<unavailable>, scriptContext=0x0000000101819658, inScript=true) at JavascriptFunction.cpp:717:15
    frame #19: 0x00000001030c6361 libChakraCore.dylib`Js::JavascriptFunction::CallRootFunction(this=0x0000000908469230, args=<unavailable>, scriptContext=0x0000000101819658, inScript=true) at JavascriptFunction.cpp:832:16

How to reproduce it:

- build.sh -d -j
- ./ch poc.js

The text was updated successfully, but these errors were encountered:

rhuanjl · 2021-04-17T10:10:24Z

I think this will be fixed by #6700 will verify later.

EDIT: confirmed

rhuanjl mentioned this issue Apr 17, 2021

Fix Errors in Generator Jit for SlotArray and CopyProp Restores #6700

Merged

rhuanjl added Bug Duplicate labels Apr 17, 2021

ppenzin closed this as completed in #6700 Apr 18, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Invalid Memory Access in `OP_LdSlot` #6705

Invalid Memory Access in `OP_LdSlot` #6705

bin2415 commented Apr 17, 2021

rhuanjl commented Apr 17, 2021 •

edited

Loading

Invalid Memory Access in OP_LdSlot #6705

Invalid Memory Access in OP_LdSlot #6705

Comments

bin2415 commented Apr 17, 2021

rhuanjl commented Apr 17, 2021 • edited Loading

Invalid Memory Access in `OP_LdSlot` #6705

Invalid Memory Access in `OP_LdSlot` #6705

rhuanjl commented Apr 17, 2021 •

edited

Loading