jerryscript-project/jerryscript

Segmentation fault in jerry

Opened this issue · 5 comments

JerryScript revision

1a2c047

Build platform

Ubuntu 20.04.2 LTS (Linux 5.15.0-67-generic x86_64)

Build steps

Describe how to build JerryScript. Give all the necessary details of the build
(e.g., environment variables, command(s), profile, command line options, etc.).

E.g.:

tools/build.py --compile-flag=-fsanitize=address --compile-flag=-g
Build log
Test case
function i(a,b=eval()){eval()}
i(i("a"),eval("var a"))
Execution platform

same as the build platform.

Execution steps
build/bin/jerry testcase.js
Output

Segmentation fault (core dumped)

Backtrace

=================================================================
==167385==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x562a05bd8581 bp 0x7fffdc027800 sp 0x7fffdc027790 T0)
==167385==The signal is caused by a READ memory access.
==167385==Hint: address points to the zero page.
#0 0x562a05bd8580 (/data/jerryscript/asan/bin/jerry+0xd0580)
#1 0x562a05b8051c (/data/jerryscript/asan/bin/jerry+0x7851c)
#2 0x562a05b9069f (/data/jerryscript/asan/bin/jerry+0x8869f)
#3 0x562a05b919b9 (/data/jerryscript/asan/bin/jerry+0x899b9)
#4 0x562a05b6b6d8 (/data/jerryscript/asan/bin/jerry+0x636d8)
#5 0x562a05bc14cd (/data/jerryscript/asan/bin/jerry+0xb94cd)
#6 0x562a05bc696a (/data/jerryscript/asan/bin/jerry+0xbe96a)
#7 0x562a05b9085b (/data/jerryscript/asan/bin/jerry+0x8885b)
#8 0x562a05b919b9 (/data/jerryscript/asan/bin/jerry+0x899b9)
#9 0x562a05bf8576 (/data/jerryscript/asan/bin/jerry+0xf0576)
#10 0x562a05b25dac (/data/jerryscript/asan/bin/jerry+0x1ddac)
#11 0x7f32bb095082 in __libc_start_main ../csu/libc-start.c:308
#12 0x562a05b26cfd (/data/jerryscript/asan/bin/jerry+0x1ecfd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/data/jerryscript/asan/bin/jerry+0xd0580)
==167385==ABORTING

Expected behavior

It doesn't crash for me. Did you give it enough RAM/stack?

To reproduce, you should use the same build args as me.

Indeed it crashes on PC (I was testing on esp32). You should use the --strip=OFF build option; you get a better backtrace:

ASAN:SIGSEGV
=================================================================
==28181==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x000000423a68 bp 0x0000006eddc0 sp 0x7ffe1ba87990 T0)
    #0 0x423a67 in ecma_find_named_property /home/maciek/jerryscript/jerry-core/ecma/base/ecma-helpers.c:625
    #1 0x414560 in vm_loop.lto_priv.126 /home/maciek/jerryscript/jerry-core/vm/vm.c:1445
    #2 0x4ae08f in vm_execute /home/maciek/jerryscript/jerry-core/vm/vm.c:5211
    #3 0x4af362 in vm_run /home/maciek/jerryscript/jerry-core/vm/vm.c:5312
    #4 0x4835c4 in vm_run_eval /home/maciek/jerryscript/jerry-core/vm/vm.c:374
    #5 0x4835c4 in ecma_op_eval_chars_buffer /home/maciek/jerryscript/jerry-core/ecma/operations/ecma-eval.c:93
    #6 0x4835c4 in ecma_op_eval /home/maciek/jerryscript/jerry-core/ecma/operations/ecma-eval.c:56
    #7 0x4835c4 in ecma_builtin_global_object_eval /home/maciek/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-global.c:109
    #8 0x4835c4 in ecma_builtin_global_dispatch_routine /home/maciek/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-global.c:594
    #9 0x4396d2 in ecma_builtin_dispatch_routine.isra.0 /home/maciek/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
    #10 0x4396d2 in ecma_builtin_dispatch_call /home/maciek/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
    #11 0x4396d2 in ecma_op_function_call_native_built_in /home/maciek/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1216
    #12 0x43c87b in ecma_op_function_call /home/maciek/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
    #13 0x4ae237 in ecma_op_function_validated_call /home/maciek/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1371
    #14 0x4ae237 in opfunc_call /home/maciek/jerryscript/jerry-core/vm/vm.c:757
    #15 0x4ae237 in vm_execute /home/maciek/jerryscript/jerry-core/vm/vm.c:5217
    #16 0x4af362 in vm_run /home/maciek/jerryscript/jerry-core/vm/vm.c:5312
    #17 0x411983 in vm_run_global /home/maciek/jerryscript/jerry-core/vm/vm.c:286
    #18 0x411983 in jerry_run /home/maciek/jerryscript/jerry-core/api/jerryscript.c:548
    #19 0x4054f7 in jerryx_source_exec_script /home/maciek/jerryscript/jerry-ext/util/sources.c:68
    #20 0x4054f7 in main /home/maciek/jerryscript/jerry-main/main-desktop.c:156
    #21 0x7fd447a9383f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #22 0x406448 in _start (/home/maciek/jerryscript/build/bin/jerry+0x406448)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/maciek/jerryscript/jerry-core/ecma/base/ecma-helpers.c:625 ecma_find_named_property
==28181==ABORTING

Actually, if you build with debug enabled, you get an assert earlier:

ICE: Assertion 'ecma_get_lex_env_type (lex_env_p) == ECMA_LEXICAL_ENVIRONMENT_DECLARATIVE' failed at /home/maciek/jerryscript/jerry-core/vm/vm.c(vm_loop):1441.

(lex_env_p has env type ECMA_LEXICAL_ENVIRONMENT_THIS_OBJECT_BOUND)
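The two reports in this thread show the difference between a stripped backtrace (module+offset frames only) and a symbolized one. The following is an added triage helper, not JerryScript project code: it parses an ASan SEGV report, detects whether the top frame carries symbols, flags a fault address in the zero page as a NULL-like read, and builds a deduplication signature from the top frames. The sample reports are constructed by abbreviating the backtraces quoted above; the hints about --strip=OFF and debug builds restate the advice given in the comments.

```python
"""Triage helper for AddressSanitizer SEGV reports (added example, not JerryScript code).
The sample reports are constructed by abbreviating the two backtraces from this issue."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

STRIPPED_REPORT = """\
==167385==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x562a05bd8581 bp 0x7fffdc027800 sp 0x7fffdc027790 T0)
==167385==The signal is caused by a READ memory access.
==167385==Hint: address points to the zero page.
#0 0x562a05bd8580 (/data/jerryscript/asan/bin/jerry+0xd0580)
#1 0x562a05b8051c (/data/jerryscript/asan/bin/jerry+0x7851c)
#11 0x7f32bb095082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: SEGV (/data/jerryscript/asan/bin/jerry+0xd0580)
"""

SYMBOLIZED_REPORT = """\
==28181==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x000000423a68 bp 0x0000006eddc0 sp 0x7ffe1ba87990 T0)
    #0 0x423a67 in ecma_find_named_property /home/maciek/jerryscript/jerry-core/ecma/base/ecma-helpers.c:625
    #1 0x414560 in vm_loop.lto_priv.126 /home/maciek/jerryscript/jerry-core/vm/vm.c:1445
    #2 0x4ae08f in vm_execute /home/maciek/jerryscript/jerry-core/vm/vm.c:5211
SUMMARY: AddressSanitizer: SEGV /home/maciek/jerryscript/jerry-core/ecma/base/ecma-helpers.c:625 ecma_find_named_property
"""

HEADER_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>\S+) on unknown address 0x(?P<addr>[0-9a-f]+)"
)
# "#N 0xPC in func location" when symbolized, "#N 0xPC (module+offset)" when stripped
FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+)\s+0x(?P<pc>[0-9a-f]+)(?:\s+in\s+(?P<func>\S+))?\s+(?P<loc>\S+)\s*$"
)
# compiler clone suffixes such as vm_loop.lto_priv.126 or ...isra.0 break dedup keys
CLONE_SUFFIX_RE = re.compile(r"\.(?:lto_priv|isra|constprop|part)\.\d+$")
SOURCE_LINE_RE = re.compile(r"^(?P<file>.+):(?P<line>\d+)$")


@dataclass
class Frame:
    index: int
    pc: int
    func: Optional[str]
    location: str

    @property
    def symbolized(self) -> bool:
        """True when the frame names a function and a source file:line."""
        return self.func is not None and SOURCE_LINE_RE.match(self.location) is not None

    @property
    def source_line(self) -> Optional[int]:
        m = SOURCE_LINE_RE.match(self.location)
        return int(m.group("line")) if m else None

    @property
    def clean_func(self) -> Optional[str]:
        return CLONE_SUFFIX_RE.sub("", self.func) if self.func else None


@dataclass
class AsanReport:
    pid: int
    kind: str
    fault_address: int
    frames: List[Frame] = field(default_factory=list)

    @property
    def near_null(self) -> bool:
        # ASan's "address points to the zero page" hint: fault below 4096,
        # i.e. a read through a NULL or small-offset-from-NULL pointer.
        return self.fault_address < 0x1000

    @property
    def top_frame(self) -> Optional[Frame]:
        return self.frames[0] if self.frames else None

    def signature(self, depth: int = 3) -> str:
        """Dedup key: top function names if symbols exist, else module+offset
        strings (which only match reports from the same binary build)."""
        return "|".join(fr.clean_func or fr.location for fr in self.frames[:depth])


def parse_asan_report(text: str) -> AsanReport:
    report: Optional[AsanReport] = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            report = AsanReport(int(h.group("pid")), h.group("kind"), int(h.group("addr"), 16))
            continue
        f = FRAME_RE.match(line)
        if f and report is not None:
            report.frames.append(
                Frame(int(f.group("idx")), int(f.group("pc"), 16), f.group("func"), f.group("loc"))
            )
    if report is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return report


def triage(text: str) -> dict:
    """Summarise one report and say what to do next before filing or deduplicating it."""
    r = parse_asan_report(text)
    top = r.top_frame
    symbolized = bool(top and top.symbolized)
    if symbolized:
        crash_site = f"{top.clean_func} {top.location}"
    else:
        crash_site = top.location if top else "?"
    if not symbolized:
        hint = "top frame has no symbols: rebuild with --strip=OFF (and -g) before triaging"
    elif r.near_null:
        hint = "read through a NULL/near-NULL pointer; a debug (assert-enabled) build may fail earlier with an ICE"
    else:
        hint = ""
    return {"pid": r.pid, "kind": r.kind, "near_null": r.near_null, "symbolized": symbolized,
            "crash_site": crash_site, "signature": r.signature(), "hint": hint}


if __name__ == "__main__":
    for sample in (STRIPPED_REPORT, SYMBOLIZED_REPORT):
        print(triage(sample))
```

The signature deliberately strips LTO/inlining clone suffixes so that the same crash from two builds with different optimisation settings still maps to one key; when symbols are missing, the module+offset fallback makes the hint about --strip=OFF the first thing a triager sees.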

carnil commented

CVE-2023-30406 seems to have been assigned for this issue.