SEGV on unknown address 0x000000000020 in NativeEntryPointData::GetFrameHeight()
tangsongTJU opened this issue · 0 comments
tangsongTJU commented
Branch: master
commit: c3ead3f8a6e0bb8e32e043adc091c68cba5935e9
PoC:
// First part of the PoC: an async function that, once resumed after
// `await`, builds an Error whose message is the value of a recursive call
// to itself. `f1()` returns a promise, so the recursion does not block.
// The AddressSanitizer trace further down shows the fault under
// Js::JavascriptError::NewInstance -> WalkStackForExceptionContext, i.e.
// while the `new Error(...)` below walks the stack to collect the
// exception context.
async function f1() {
    await null;
    throw new Error(f1());
}
f1(); // start the first async chain; the returned promise is not awaited
// Second part of the PoC: an inner async function that rejects, invoked
// from two sibling async functions. Because an async function never
// throws synchronously, `f2a()` returns a rejected promise; the try/catch
// in f2b therefore never enters its catch block and both rejections stay
// unhandled.
async function f2() {
    async function f2a() {
        throw "err";
    }
    async function f2b() {
        try {
            var p = f2a(); // not awaited: the rejection is not caught here
        } catch (e) {
            console.log("caught " + e);
        }
    }
    async function f2c() {
        var p = f2a(); // not awaited either
    }
    f2b();
    f2c();
}
f2(); // start the second async chain; the returned promise is not awaited
With a release build configured as `./build.sh --sanitize=address --static -j`, running the PoC produces the following AddressSanitizer report: a READ of address 0x20 (the zero page) inside `NativeEntryPointData::GetFrameHeight()`, reached from `Js::JavascriptError::NewInstance` while walking the stack for the exception context:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==11137==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x5600688b0540 bp 0x7ffc05a1ceb0 sp 0x7ffc05a1cea0 T0)
==11137==The signal is caused by a READ memory access.
==11137==Hint: address points to the zero page.
#0 0x5600688b053f in NativeEntryPointData::GetFrameHeight() /root/ChakraCore-2023-6/lib/Runtime/../Backend/NativeEntryPointData.h:60:36
#1 0x5600688b053f in Js::EntryPointInfo::GetFrameHeight() /root/ChakraCore-2023-6/lib/Runtime/Base/FunctionBody.cpp:8239
#2 0x5600688b053f in Js::EntryPointInfo::HasInlinees() /root/ChakraCore-2023-6/lib/Runtime/Base/FunctionBody.cpp:8244
#3 0x56006930b8a0 in Js::InlinedFrameWalker::FromPhysicalFrame(Js::InlinedFrameWalker&, Js::Amd64StackFrame&, Js::ScriptFunction*, bool, int, Js::JavascriptStackWalker const*, bool, bool) /root/ChakraCore-2023-6/lib/Runtime/Language/JavascriptStackWalker.cpp:1291:29
#4 0x56006930d3c7 in Js::JavascriptStackWalker::UpdateFrame(bool) /root/ChakraCore-2023-6/lib/Runtime/Language/JavascriptStackWalker.cpp:562:56
#5 0x560069305b30 in Js::JavascriptStackWalker::Walk(bool) /root/ChakraCore-2023-6/lib/Runtime/Language/JavascriptStackWalker.cpp:784:15
#6 0x560069310611 in Js::JavascriptStackWalker::GetCaller(Js::JavascriptFunction**, bool) /root/ChakraCore-2023-6/lib/Runtime/Language/JavascriptStackWalker.cpp:795:22
#7 0x56006920b2dc in Js::JavascriptExceptionOperators::GetCaller(Js::JavascriptStackWalker&, Js::JavascriptFunction*&) /root/ChakraCore-2023-6/lib/Runtime/Language/JavascriptExceptionOperators.cpp:1197:22
#8 0x56006920b2dc in Js::JavascriptExceptionOperators::WalkStackForExceptionContextInternal(Js::ScriptContext&, Js::JavascriptExceptionContext&, void*, unsigned int&, unsigned long, void*, bool, bool) /root/ChakraCore-2023-6/lib/Runtime/Language/JavascriptExceptionOperators.cpp:1123
#9 0x56006920b00e in Js::JavascriptExceptionOperators::WalkStackForExceptionContext(Js::ScriptContext&, Js::JavascriptExceptionContext&, void*, unsigned long, void*, bool, bool) /root/ChakraCore-2023-6/lib/Runtime/Language/JavascriptExceptionOperators.cpp:1105:39
#10 0x5600695c3cdf in Js::JavascriptError::NewInstance(Js::RecyclableObject*, Js::JavascriptError*, Js::CallInfo, void*, void*, void*) /root/ChakraCore-2023-6/lib/Runtime/Library/JavascriptError.cpp:77:9
#11 0x560069bd375d in amd64_CallFunction /root/ChakraCore-2023-6/lib/Runtime/Library/amd64/JavascriptFunctionA.S:100
#12 0x5600695eb778 in Js::JavascriptFunction::CallAsConstructor(void*, void*, Js::Arguments, Js::ScriptContext*, Js::AuxArray<unsigned int> const*) /root/ChakraCore-2023-6/lib/Runtime/Library/JavascriptFunction.cpp:972:30
#13 0x560069272813 in Js::JavascriptOperators::NewScObject(void*, Js::Arguments, Js::ScriptContext*, Js::AuxArray<unsigned int> const*) /root/ChakraCore-2023-6/lib/Runtime/Language/JavascriptOperators.cpp:6931:36
#14 0x560069334447 in Js::ProfilingHelpers::ProfiledNewScObject(void*, Js::Arguments, Js::FunctionBody*, unsigned short, unsigned int, Js::AuxArray<unsigned int> const*) /root/ChakraCore-2023-6/lib/Runtime/Language/ProfilingHelpers.cpp:720:26
#15 0x560068f0919c in Js::InterpreterStackFrame::ProfiledNewScObject_Helper(void*, unsigned short, unsigned short, unsigned int, Js::AuxArray<unsigned int> const*) /root/ChakraCore-2023-6/lib/Runtime/Language/InterpreterStackFrame.cpp:6596:30
#16 0x560068f0919c in void Js::InterpreterStackFrame::OP_NewScObject_Impl<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0>>, true, false>(Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0>> const __unaligned*, unsigned int, Js::AuxArray<unsigned int> const*) /root/ChakraCore-2023-6/lib/Runtime/Language/InterpreterStackFrame.cpp:6464
#17 0x560068f0919c in void Js::InterpreterStackFrame::OP_ProfiledNewScObject_Impl<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0>>, true, false>(Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0>> const __unaligned*, unsigned int, Js::AuxArray<unsigned int> const*) /root/ChakraCore-2023-6/lib/Runtime/./Language/InterpreterStackFrame.h:759
#18 0x560068f0919c in void Js::InterpreterStackFrame::OP_ProfiledNewScObject<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0>>>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0>>> const __unaligned*) /root/ChakraCore-2023-6/lib/Runtime/./Language/InterpreterStackFrame.h:767
#19 0x560068f0919c in Js::InterpreterStackFrame::ProcessProfiled() /root/ChakraCore-2023-6/lib/Runtime/Language/InterpreterHandler.inl:302
#20 0x560068e2c2be in Js::InterpreterStackFrame::Process() /root/ChakraCore-2023-6/lib/Runtime/Language/InterpreterStackFrame.cpp:3472:20
#21 0x560068e29263 in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) /root/ChakraCore-2023-6/lib/Runtime/Language/InterpreterStackFrame.cpp:2153:40
#22 0x560068e27d7c in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) /root/ChakraCore-2023-6/lib/Runtime/Language/InterpreterStackFrame.cpp:1833:16
#23 0x7f441f640f99 (<unknown module>)
#24 0x560069bd375d in amd64_CallFunction /root/ChakraCore-2023-6/lib/Runtime/Library/amd64/JavascriptFunctionA.S:100
#25 0x5600696038fe in Js::JavascriptGenerator::CallGenerator(void*, Js::ResumeYieldKind) /root/ChakraCore-2023-6/lib/Runtime/Library/JavascriptGenerator.cpp:198:26
#26 0x5600695982c1 in Js::JavascriptAsyncFunction::AsyncSpawnStep(Js::JavascriptAsyncSpawnStepFunction*, Js::JavascriptGenerator*, void*, void*) /root/ChakraCore-2023-6/lib/Runtime/Library/JavascriptAsyncFunction.cpp:151:25
#27 0x5600695994a6 in Js::JavascriptAsyncFunction::EntryAsyncSpawnCallStepFunction(Js::RecyclableObject*, Js::CallInfo, ...) /root/ChakraCore-2023-6/lib/Runtime/Library/JavascriptAsyncFunction.cpp:130:5
#28 0x5600699b576e in Js::JavascriptPromise::EntryReactionTaskFunction(Js::RecyclableObject*, Js::CallInfo, ...) /root/ChakraCore-2023-6/lib/Runtime/Library/JavascriptPromise.cpp:1273:37
#29 0x560069bd375d in amd64_CallFunction /root/ChakraCore-2023-6/lib/Runtime/Library/amd64/JavascriptFunctionA.S:100
#30 0x5600695ea096 in Js::JavascriptFunction::CallRootFunctionInternal(Js::RecyclableObject*, Js::Arguments, Js::ScriptContext*, bool) /root/ChakraCore-2023-6/lib/Runtime/Library/JavascriptFunction.cpp:772:24
#31 0x5600695e9c7e in Js::JavascriptFunction::CallRootFunction(Js::RecyclableObject*, Js::Arguments, Js::ScriptContext*, bool) /root/ChakraCore-2023-6/lib/Runtime/Library/JavascriptFunction.cpp:717:15
#32 0x5600695e9c7e in Js::JavascriptFunction::CallRootFunction(Js::Arguments, Js::ScriptContext*, bool) /root/ChakraCore-2023-6/lib/Runtime/Library/JavascriptFunction.cpp:832
#33 0x5600684d89c0 in JsCallFunction::$_65::operator()(Js::ScriptContext*, TTD::TTDJsRTActionResultAutoRecorder&) const /root/ChakraCore-2023-6/lib/Jsrt/Jsrt.cpp:2842:41
#34 0x5600684d89c0 in _JsErrorCode ContextAPIWrapper<false, JsCallFunction::$_65>(JsCallFunction::$_65)::'lambda'(Js::ScriptContext*)::operator()(Js::ScriptContext*) const /root/ChakraCore-2023-6/lib/Jsrt/JsrtInternal.h:237
#35 0x5600684d89c0 in _JsErrorCode ContextAPIWrapper_Core<false, _JsErrorCode ContextAPIWrapper<false, JsCallFunction::$_65>(JsCallFunction::$_65)::'lambda'(Js::ScriptContext*)>(JsCallFunction::$_65) /root/ChakraCore-2023-6/lib/Jsrt/JsrtInternal.h:192
#36 0x5600684d89c0 in _JsErrorCode ContextAPIWrapper<false, JsCallFunction::$_65>(JsCallFunction::$_65) /root/ChakraCore-2023-6/lib/Jsrt/JsrtInternal.h:235
#37 0x5600684d89c0 in JsCallFunction /root/ChakraCore-2023-6/lib/Jsrt/Jsrt.cpp:2804
#38 0x5600683644ee in ChakraRTInterface::JsCallFunction(void*, void**, unsigned short, void**) /root/ChakraCore-2023-6/bin/ch/ChakraRtInterface.h:416:149
#39 0x5600683644ee in WScriptJsrt::CallbackMessage::CallFunction(char const*) /root/ChakraCore-2023-6/bin/ch/WScriptJsrt.cpp:2009
#40 0x56006832d1ac in MessageQueue::ProcessAll(char const*) /root/ChakraCore-2023-6/bin/ch/MessageQueue.h:256:18
#41 0x56006832d1ac in RunScript(char const*, char const*, unsigned long, void (*)(void*), void*, char*, void*) /root/ChakraCore-2023-6/bin/ch/ch.cpp:480
#42 0x560068331990 in ExecuteTest(char const*) /root/ChakraCore-2023-6/bin/ch/ch.cpp:917:13
#43 0x560068333177 in ExecuteTestWithMemoryCheck(char*) /root/ChakraCore-2023-6/bin/ch/ch.cpp:967:10
#44 0x560068333177 in main /root/ChakraCore-2023-6/bin/ch/ch.cpp:1274
#45 0x7f4423bb2c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#46 0x56006822ec69 in _start (/home/tangsong/engines/all_version/ChakraCore/ChakraCore-2023-6/sanitize/ch+0x2c6c69)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/ChakraCore-2023-6/lib/Runtime/../Backend/NativeEntryPointData.h:60:36 in NativeEntryPointData::GetFrameHeight()
==11137==ABORTING