
Address misalignment causes futex error #6971

Closed
coolboy43 opened this issue Mar 20, 2024 · 6 comments
Comments

@coolboy43

commit

c3ead3f

bug

Address misalignment causes futex error

build and run

os: Ubuntu 22.04.2 LTS
build: ./build.sh --debug --static -j=8
run: ./DebugBuild/Debug/ch this.js
Run 10 times, 3 crashes

POC

function classOf(object) {
   var string = Object.prototype.toString.call(object);
   return string.substring(8, string.length - 1);
}
function deepObjectEquals(a, b) {
  var aProps = Object.keys(a);
  aProps.sort();
  var bProps = Object.keys(b);
  bProps.sort();
  if (!deepEquals(aProps, bProps)) {
    return false;
  }
  for (var i = 0; i < aProps.length; i++) {
    if (!deepEquals(a[aProps[i]], b[aProps[i]])) {
      return false;
    }
  }
  return true;
}
function deepEquals(a, b) {
  if (a === b) {
    if (a === 0) return (1 / a) === (1 / b);
    return true;
  }
  if (typeof a != typeof b) return false;
  if (typeof a == 'number') return (isNaN(a) && isNaN(b)) || (a===b);
  if (typeof a !== 'object' && typeof a !== 'function' && typeof a !== 'symbol') return false;
  var objectClass = classOf(a);
  if (objectClass === 'Array') {
    if (a.length != b.length) {
      return false;
    }
    for (var i = 0; i < a.length; i++) {
      if (!deepEquals(a[i], b[i])) return false;
    }
    return true;
  }
  if (objectClass !== classOf(b)) return false;
  if (objectClass === 'RegExp') {
    return (a.toString() === b.toString());
  }
  if (objectClass === 'Function') return true;
  if (objectClass == 'String' || objectClass == 'Number' ||
      objectClass == 'Boolean' || objectClass == 'Date') {
    if (a.valueOf() !== b.valueOf()) return false;
  }
  return deepObjectEquals(a, b);
}
function opt(opt_param){
  const v0 = {};
  const v1 = [v0,v0,v0,v0,v0];
  const v2 = v0[v0];
  const v3 = class V3 {
    constructor(v5,v6,v7) {
      ({"MAX_SAFE_INTEGER":v4,"dotAll":v6,} = v2);
      function v8(v9,v10,v11,v12) {
        const v13 = {"get":v10,"set":v6};
      }
    }
    get(v15,v16,v17) {
      const v18 = v3 >>> v16;
    }
    pop(v20,v21,v22,v23) {
      let {"NEGATIVE_INFINITY":v24,"byteLength":v25,"source":v26,"split":v27,...v28} = v22;
    }
  };
  return v3;
}
function main(){
  let gflag = true;
  let jit_a0 = opt(true);
  let jit_a0_0 = opt(false);
  for(let i=0;i<0x10;i++){opt(false);}
  let jit_a2 = opt(true);
  if (jit_a0 === undefined && jit_a2 === undefined) {
    opt(true);
  } else {
    if (jit_a0_0===jit_a0 && !deepEquals(jit_a0, jit_a2)) {
      gflag = false;
    }
  }
  for(let i=0;i<0x200;i++){opt(false);}
  let jit_a4 = opt(true);
  if (jit_a0 === undefined && jit_a4 === undefined) {
    opt(true);
  } else {
    if (gflag && jit_a0_0===jit_a0 && !deepEquals(jit_a0, jit_a4)) {
      fuzzilli('FUZZILLI_CRASH', 0);
    }
  }
}
main();

Fix suggestions

Old (cclock.hpp, lines 12-16):

#if defined(_M_ARM64)
#define CCLOCK_ALIGN __declspec(align(8))
#else
#define CCLOCK_ALIGN
#endif

New (cclock.hpp):

#define CCLOCK_ALIGN __declspec(align(8))
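Added example (not from this issue or ChakraCore's code) showing the failure mode behind the report: the Linux kernel refuses a futex whose 32-bit word is not 4-byte aligned, so a lock embedded in a struct that lost its alignment attribute gets EINVAL instead of a wake. The `misaligned_lock`/`aligned_lock` layouts and `futex_probe` are hypothetical; the raw syscall assumes Linux.

```c
/* Added example, not ChakraCore code: the kernel rejects a futex whose word is
 * not 4-byte aligned, which is what an embedded lock hits when its struct
 * loses its alignment attribute. Assumes Linux for the raw futex syscall. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#ifdef __linux__
#include <linux/futex.h>
#include <sys/syscall.h>
#include <unistd.h>
#endif

/* Hypothetical lock layout: a one-byte tag followed by the 32-bit futex word.
 * packed drops the padding, so the word lands at offset 1 (an odd address). */
struct __attribute__((packed)) misaligned_lock { uint8_t tag; uint32_t word; };
/* Same fields with 8-byte alignment, as the CCLOCK_ALIGN fix above restores. */
struct __attribute__((aligned(8))) aligned_lock { uint8_t tag; uint32_t word; };

static struct misaligned_lock g_bad __attribute__((aligned(8)));
static struct aligned_lock g_good;

/* Take the addresses via offsetof so the compiler cannot quietly realign them. */
uint32_t *misaligned_word(void) {
    return (uint32_t *)((char *)&g_bad + offsetof(struct misaligned_lock, word));
}
uint32_t *aligned_word(void) {
    return (uint32_t *)((char *)&g_good + offsetof(struct aligned_lock, word));
}

/* 1 when addr is a multiple of align bytes, else 0. */
int is_aligned(const void *addr, size_t align) {
    return ((uintptr_t)addr % align) == 0;
}

/* FUTEX_WAKE with no waiters is a harmless probe: returns 0 when the kernel
 * accepts the address, otherwise errno (EINVAL for a word not 4-byte aligned). */
int futex_probe(uint32_t *word) {
#ifdef __linux__
    long r = syscall(SYS_futex, word, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1, NULL, NULL, 0);
    return r < 0 ? errno : 0;
#else
    (void)word;
    return -1; /* not Linux: nothing to probe */
#endif
}

int main(void) {
    printf("packed:  aligned=%d futex=%d\n", is_aligned(misaligned_word(), 4), futex_probe(misaligned_word()));
    printf("aligned: aligned=%d futex=%d\n", is_aligned(aligned_word(), 4), futex_probe(aligned_word()));
    return 0;
}
```

On Linux the packed layout reports futex=22 (EINVAL) while the aligned one reports 0, which is the same rejection a misaligned PAL lock word provokes.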
@ppenzin (Member)

ppenzin commented Mar 23, 2024

I just ran into this; it breaks tests and bytecode regeneration. Testing your fix: I'd wrap the define in an additional AMD64 macro check, similar to the old ARM64 check.

@coolboy43 (Author)

coolboy43 commented Mar 23, 2024 via email

@ppenzin ppenzin self-assigned this Mar 23, 2024
@rhuanjl (Collaborator)

rhuanjl commented Apr 16, 2024

Same idea as #6931 and #6932. I tried putting in a fix with a CI update in #6975, but for getting Ubuntu 22 fully working it's not enough: the debug build seems good, but not the Release with Debug Info build.

@ppenzin did you get anywhere looking at it?

@coolboy43 (Author)

coolboy43 commented Apr 16, 2024 via email

@ppenzin (Member)

ppenzin commented Apr 16, 2024

I've started looking at it, responded on the PR, will report back if I find out what is going on. There might be other spaces with missed alignment or something very similar. This kind of fragility in PAL makes me a bit nervous actually, though it has worked this far.

@rhuanjl (Collaborator)

rhuanjl commented Apr 18, 2024

> I've started looking at it, responded on the PR, will report back if I find out what is going on. There might be other spaces with missed alignment or something very similar. This kind of fragility in PAL makes me a bit nervous actually, though it has worked this far.

I'd really like to delete most of PAL, but it's a big job; if we ever advance CC far, I consider it one of our goals...
For now, as of #6932, this specific matter seems fixed.
