SEGV Escargot::PointerValue::getTypeTag()
7331akasokoan commented
commit: d398f1e
build setting:
cmake -DCMAKE_CXX_FLAGS=-fsanitize=address -DESCARGOT_MODE=debug -DESCARGOT_OUTPUT=shell -GNinja
poc.js:
// Reproducer: an empty base class so that v10 below is a *derived* class
// (in a derived constructor `this` is uninitialized until super() runs).
var v9 = class v9 {
};
var v10 = class v10 extends v9 {
constructor (v1) {
// Arrow function created BEFORE super(): it captures `this` lexically.
// Its body runs an eval() whose own nested arrow reads `this.x`.
// Per the ASAN trace below, the fault is in the property load inside
// this eval'd arrow (getObjectPrecomputedCaseOperation <- eval).
var v7 = () => eval('(() => this.x)()');
super();
// Called only after super(), so `this` should already be bound here;
// NOTE(review): the engine appears to resolve `this` for the eval'd arrow
// to a null/zero-page pointer instead (address 0x8 in the report) - confirm.
let v6= v7();
// v4 and v2 are never declared; a conforming engine would throw a
// ReferenceError here. The trace shows the crash happens inside the
// eval above, so this line is not reached in the crashing run.
v4(v6, v2, "AAA");
}
};
// Triggers the derived constructor (the v1 parameter is unused).
var v12 = new v10()
ASAN report (a READ at address 0x8 on the zero page, i.e. a field load through a null PointerValue in getTypeTag() — a near-null dereference, not a heap-corruption finding; the backtrace is truncated at frame #16 because ASan hit a nested fault while reporting):
AddressSanitizer:DEADLYSIGNAL
=================================================================
==13706==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x563991b1dd11 bp 0x7fff5cb9acf0 sp 0x7fff5cb9ace0 T0)
==13706==The signal is caused by a READ memory access.
==13706==Hint: address points to the zero page.
#0 0x563991b1dd11 in Escargot::PointerValue::getTypeTag() const /home/fuzzer/escargot/src/runtime/PointerValue.h:1097
#1 0x563991b1c35f in Escargot::PointerValue::isObject() const /home/fuzzer/escargot/src/runtime/PointerValue.h:169
#2 0x563991b26a73 in Escargot::Value::isObject() const /home/fuzzer/escargot/src/runtime/ValueInlines.h:558
#3 0x563991da2a8e in Escargot::InterpreterSlowPath::getObjectPrecomputedCaseOperation(Escargot::ExecutionState&, Escargot::GetObjectPreComputedCase*, Escargot::Value*, Escargot::ByteCodeBlock*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:2374
#4 0x563991d94556 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:657
#5 0x56399235d697 in Escargot::Value Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptArrowFunctionObject, false, false, false, Escargot::ScriptArrowFunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder>(Escargot::ExecutionState&, Escargot::ScriptArrowFunctionObject*, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Object*) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:221
#6 0x56399235cace in Escargot::ScriptArrowFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/ScriptArrowFunctionObject.cpp:37
#7 0x563991d952f4 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:770
#8 0x563991f766af in Escargot::Script::executeLocal(Escargot::ExecutionState&, Escargot::Value, Escargot::InterpretedCodeBlock*, bool, bool) /home/fuzzer/escargot/src/parser/Script.cpp:628
#9 0x56399224b811 in Escargot::GlobalObject::evalLocal(Escargot::ExecutionState&, Escargot::Value const&, Escargot::Value, Escargot::InterpretedCodeBlock*, bool) /home/fuzzer/escargot/src/runtime/GlobalObject.cpp:222
#10 0x563991dbc58a in Escargot::InterpreterSlowPath::callFunctionComplexCase(Escargot::ExecutionState&, Escargot::CallComplexCase*, Escargot::Value*, Escargot::ByteCodeBlock*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:4095
#11 0x563991d99507 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:1428
#12 0x56399235d697 in Escargot::Value Escargot::FunctionObjectProcessCallGenerator::processCall<Escargot::ScriptArrowFunctionObject, false, false, false, Escargot::ScriptArrowFunctionObjectThisValueBinder, Escargot::FunctionObjectNewTargetBinder, Escargot::FunctionObjectReturnValueBinder>(Escargot::ExecutionState&, Escargot::ScriptArrowFunctionObject*, Escargot::Value const&, unsigned long, Escargot::Value*, Escargot::Object*) /home/fuzzer/escargot/src/runtime/FunctionObjectInlines.h:221
#13 0x56399235cace in Escargot::ScriptArrowFunctionObject::call(Escargot::ExecutionState&, Escargot::Value const&, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/runtime/ScriptArrowFunctionObject.cpp:37
#14 0x563991d952f4 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:770
#15 0x563991db9164 in Escargot::InterpreterSlowPath::blockOperation(Escargot::ExecutionState*&, Escargot::BlockOperation*, unsigned long&, Escargot::ByteCodeBlock*, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:3895
#16 0x563991d99de6 in Escargot::Interpreter::interpret(Escargot::ExecutionState*, Escargot::ByteCodeBlock*, unsigned long, Escargot::Value*) /home/fuzzer/escargot/src/interpreter/ByteCodeInterpreter.cpp:1500
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer: nested bug in the same thread, aborting.