segfault
langston-barrett opened this issue · 6 comments
Escargot (please complete the following information):
See #1190
Describe the bug
segfault
Test case
From the Gecko test suite:
// Binary: cache/js-dbg-64-f3f5d8a8a473-linux
// Flags: -m -n
//
// Reduced from a Gecko date test; this local helper is not the spec's
// MakeDay. `month` is accepted but never read. `t` is 1 for years before
// 1970 and 0 otherwise, then divided by a day's worth of milliseconds.
// MyDateFromTime calls this with d.year undefined (MyDate sets only
// `date`), so `year < 1970` is false and the result is `date - 1`.
function MakeDay( year, month, date ) {
date = ToInteger(date );
var t = ( year < 1970 ) ? 1 : 0;
return ( (Math.floor(t/86400000)) + date - 1 );
}
// Compares `day` against +/-Infinity with loose equality and returns
// undefined either way; the empty branch is all that survived reduction.
// NOTE(review): the backtrace reaches the crash through an abstract
// equality (==) comparison inside a nested call — confirm whether it is
// this one or the `0 == 100000` test in MyDateFromTime.
function MakeDate( day, time ) {
if ( day == Number.POSITIVE_INFINITY || day == Number.NEGATIVE_INFINITY ) { }
}
// Truncate toward zero: floor of the magnitude, re-signed. NaN stays NaN
// because Math.floor(Math.abs(NaN)) is NaN.
function ToInteger( t ) {
var sign = ( t < 0 ) ? -1 : 1;
return ( sign * Math.floor( Math.abs( t ) ) );
}
// Script entry: MyDateFromTime never returns a value, so UTCDate ends up
// undefined; the numeric argument is not read by the callee.
var UTCDate = MyDateFromTime( Number("946684800000") );
// Minimal constructor: only `date` is initialized. `year`, `month` and
// `time` are never assigned, so reads of them in MyDateFromTime yield
// undefined.
function MyDate() {
this.date = 0;
}
// Body of the reproducer. `t` is never read (as noted later in the thread).
// d.year, d.month and d.time are undefined because MyDate sets only `date`.
// The while loop tests Uint32Array for truthiness and spins 10000 times;
// `0 == 100000` is always false, so the inner `return` is dead code and
// the function returns undefined.
function MyDateFromTime( t ) {
var d = new MyDate();
d.value = ToInteger( MakeDate( MakeDay( d.year, d.month, d.date ), d.time ) );
var i = 0; while (Uint32Array && i < 10000) { ++i; if (0 == 100000) return; }
}
Backtrace
#0 0x0000000000000000 in ?? ()
#1 0x000055a4e8d82f0d in Escargot::Object::fastLookupForSymbol (this=this@entry=0x6ce60, state=...,
s=<optimized out>, protochainSearchStopAt=..., protochainSearchStopAt@entry=...)
at src/runtime/Object.cpp:2228
#2 0x000055a4e8dc6320 in Escargot::Value::toPrimitiveSlowCase (this=this@entry=0x7ffe83faefa0,
state=..., preferredType=preferredType@entry=Escargot::Value::PreferDefault)
at src/runtime/Value.cpp:235
#3 0x000055a4e8dc8255 in Escargot::Value::toPrimitive (preferredType=Escargot::Value::PreferDefault,
ec=..., this=0x7ffe83faefa0) at src/runtime/ValueInlines.h:797
#4 Escargot::Value::abstractEqualsToSlowCase (this=0x7ffe83faefc0, state=..., val=...)
at src/runtime/Value.cpp:368
#5 0x000055a4e8c54ea9 in Escargot::Value::abstractEqualsTo (val=..., state=..., this=<optimized out>)
at src/runtime/ValueInlines.h:812
#6 Escargot::ByteCodeInterpreter::interpret (state=0x7ffe83faef50, byteCodeBlock=0x85be0,
programCounter=94166776694008, registerFile=0x7ffe83faef90)
at src/interpreter/ByteCodeInterpreter.cpp:341
#7 0x000055a4e8d9cf97 in Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptFunctionObject, false, false, false, Escargot::FunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder> (newTarget=0x0, argv=<optimized out>,
argc=<optimized out>, thisArgument=..., self=<optimized out>, state=...) at src/util/Vector.h:347
#8 Escargot::ScriptFunctionObject::call (this=<optimized out>, state=..., thisValue=...,
argc=<optimized out>, argv=<optimized out>) at src/runtime/ScriptFunctionObject.cpp:117
#9 0x000055a4e8c56af8 in Escargot::ByteCodeInterpreter::interpret (state=0x7ffe83faf120,
byteCodeBlock=0x85e60, programCounter=94166776688872, registerFile=0x7ffe83faf160)
at src/interpreter/ByteCodeInterpreter.cpp:641
#10 0x000055a4e8d9cf97 in Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptFunctionObject, false, false, false, Escargot::FunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder> (newTarget=0x0, argv=<optimized out>,
argc=<optimized out>, thisArgument=..., self=<optimized out>, state=...) at src/util/Vector.h:347
#11 Escargot::ScriptFunctionObject::call (this=<optimized out>, state=..., thisValue=...,
argc=<optimized out>, argv=<optimized out>) at src/runtime/ScriptFunctionObject.cpp:117
#12 0x000055a4e8c56af8 in Escargot::ByteCodeInterpreter::interpret (state=0x7ffe83faf380,
byteCodeBlock=0x85f00, programCounter=94166776685720, registerFile=0x7ffe83faf340)
at src/interpreter/ByteCodeInterpreter.cpp:641
#13 0x000055a4e8cac704 in Escargot::Script::execute (this=0x79fc0, state=...,
isExecuteOnEvalFunction=isExecuteOnEvalFunction@entry=false, inStrictMode=inStrictMode@entry=false)
at src/parser/Script.cpp:494
#14 0x000055a4e8bc2342 in Escargot::ScriptRef::execute (this=<optimized out>, state=<optimized out>)
at src/api/EscargotPublic.cpp:4418
#15 0x000055a4e8bc0f91 in operator() (__closure=0x0, data=<optimized out>, state=...)
at src/api/EscargotPublic.cpp:1078
#16 _FUN () at src/api/EscargotPublic.cpp:1079
#17 0x000055a4e8d98473 in Escargot::SandBox::run (this=this@entry=0x7ffe83faf5e0,
scriptRunner=scriptRunner@entry=0x55a4e8bc0f80 <_FUN(Escargot::ExecutionState&, void*)>,
data=data@entry=0x7ffe83faf590) at src/runtime/SandBox.cpp:110
#18 0x000055a4e8bc26c1 in Escargot::Evaluator::executeFunction (ctx=ctx@entry=0x73a80,
runner=runner@entry=0x55a4e8dc9760 <Escargot::Evaluator::executeImpl<Escargot::ScriptRef*>(Escargot::ContextRef*, Escargot::ValueRef* (*)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), Escargot::ScriptRef*)::{lambda(Escargot::ExecutionStateRef*, void*, void*)#1}::_FUN(Escargot::ExecutionStateRef*, void*, void*)>, data=data@entry=0x7ffe83faf6c0,
data2=data2@entry=0x55a4e8dc98f0 <_FUN(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>)
at src/api/EscargotPublic.cpp:1075
#19 0x000055a4e8dc9f81 in Escargot::Evaluator::executeImpl<Escargot::ScriptRef*> (
fn=0x55a4e8dc98f0 <_FUN(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>, ctx=0x73a80)
at src/api/EscargotPublic.h:597
#20 Escargot::Evaluator::execute<Escargot::ScriptRef*, evalScript(Escargot::ContextRef*, Escargot::StringRef*, Escargot::StringRef*, bool, bool)::<lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)> > (closure=..., ctx=0x73a80) at src/api/EscargotPublic.h:584
#21 evalScript (context=0x73a80, source=0x7ef60, srcName=<optimized out>,
shouldPrintScriptResult=false, isModule=<optimized out>) at src/shell/Shell.cpp:738
#22 0x000055a4e8bbf92f in main (argc=2, argv=0x7ffe83faf908) at src/api/EscargotPublic.h:240
By the way, this bug and #1190 can both be found simply by running escargot
on every JavaScript file retrieved by this script:
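#!/usr/bin/env bash
# Fetch the JavaScript test corpora of several engines and flatten every
# *.js file into ./js/ so an engine under test can be run over each one.
#
# Output name: <repo-basename>-<first 5 hex chars of sha256>-<original basename>.
# A 5-character prefix is short: two files with the same basename and a
# colliding prefix overwrite each other, because cp replaces silently.
set -euo pipefail

repos=(
"v8/v8"
"mozilla/gecko-dev"
"svaarala/duktape"
"Samsung/escargot"
"jerryscript-project/jerryscript"
"chakra-core/ChakraCore"
"boa-dev/boa"
"cesanta/elk"
"Starlight-JS/starlight"
"denoland/deno"
)

mkdir -p js

for repo in "${repos[@]}"; do
base=$(basename "${repo}")
# Shallow clone once; re-runs reuse the existing checkout.
if ! [[ -d "${base}" ]]; then
git clone --jobs 4 --depth 1 "https://github.com/${repo}"
fi
# -print0 / read -d '' keep paths with whitespace or glob characters
# intact; the unquoted $(find ...) form word-splits and globs them.
find "${base}" -type f -name "*.js" -print0 |
while IFS= read -r -d '' f; do
echo "${f}"
prefix=$(sha256sum "${f}" | head -c 5)
cp "${f}" "js/${base}-${prefix}-$(basename "${f}")"
done
done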
I cannot reproduce the error you reported.
Would you please elaborate, e.g. which version of Escargot you used and how you tested it?
Huh, that's odd. I just tried again, and it still works.
escargot version:e0fbe20f, Mar 13 2023
escargot test.js
I tested it again but there was no error.
Following is my build script on ubuntu-20.04
cmake -H. -Bout/linux/x64/debug -DESCARGOT_HOST=linux -DESCARGOT_ARCH=x64 -DESCARGOT_MODE=debug -DESCARGOT_OUTPUT=shell_test -GNinja
ninja -Cout/linux/x64/debug
It seems that something is missing from the test code.
For example, the MyDateFromTime
function has a t
parameter, but it is never used here.
// Quoted from the test case above; `t` is the parameter the reply refers
// to — nothing in the body reads it.
function MyDateFromTime( t ) {
var d = new MyDate();
d.value = ToInteger( MakeDate( MakeDay( d.year, d.month, d.date ), d.time ) );
var i = 0; while (Uint32Array && i < 10000) { ++i; if (0 == 100000) return; }
}
Huh. Sorry to waste your time!
No problem!
Feel free to ask anything if you have :)