Stack Exhaustion (ecma_proxy_object_get, ecma_proxy_object_set)

Question

Stack Exhaustion (ecma_proxy_object_get, ecma_proxy_object_set)

nszetei opened this issue 4 years ago · 3 comments

nszetei commented 4 years ago

JerryScript revision

6cd309b

Build platform

Ubuntu 20.04 LTS (Linux 5.4.0-31-generic x86_64)

Build steps

python tools/build.py --profile=es2015-subset --lto=off --compile-flag=-g \
--error-messages=on --debug --compile-flag=-g --strip=off --logging=on \
 --compile-flag=-fsanitize=address

Test cases

var v2 = {};
var v4 = new Proxy(Uint8Array,v2);
v4.__proto__ = v4;
v4[1] = 2;

var v1 = {};
var v3 = new Proxy(parseFloat,v1);
v3.__proto__ = v3;
var v6 = "aa".constructor;
var v7 = parseFloat & v6;

Answer 1 · 2020-05-23T09:34:44.000Z

Could you please try whether you get SO even if you set a limit for the stack? (Note: You can use --stack-limit option when building the engine to limit the maximum amount of stack that the engine can use.)

Answer 2 · 2020-05-23T10:07:27.000Z

Could you please try whether you get SO even if you set a limit for the stack? (Note: You can use --stack-limit option when building the engine to limit the maximum amount of stack that the engine can use.)

Yes. Unlike #3783 here I got SO in both cases (e.g. with --stack-limit=10).

Answer 3 · 2020-05-23T18:02:10.000Z

Just to have it grouped together, a PoC for ecma_proxy_object_has:

function main() {
var v1 = [13.37,13.37,13.37,13.37];
var v4 = {isExtensible:Infinity};
var v6 = new Proxy(WeakMap,v4);
v6.__proto__ = v1;
v1.__proto__ = v6;
with (v1) {
    valueOf = 0;
}
}
main();