ReportFatalException2

[bird8693]

enviroment

ubuntu18

poc

function testBuiltInFunction(options, builtInConstructor, builtInName, builtInFunc, intlConstructor, intlFunc, args) {
    try {
        var builtInValue = builtInValue !== intlValue ? console.log('en-US', options) : [...arguments].join(args[1], 'en-US', options);
        for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
            builtInValue = testBuiltInFunction(-2147483648, builtInValue, builtInValue, builtInValue, builtInValue, builtInValue, -1);
        }   
        var intlValue = [...arguments].join(args[0], args[1]);
        if (builtInValue !== intlValue) {
            new builtInConstructor(args[0])[builtInFunc](`ERROR: new ${ builtInConstructor.name }(${ args[0] }).${ builtInFunc }() -> ${ builtInValue } !== new Intl.${ intlConstructor }("en-US", ${ JSON.stringify(options) }).${ intlFunc }(${ args[0] }, ${ args[1] }) -> ${ intlValue }`);
        }   
    } catch (ex) {
        console.log(`Error: testBuiltInFunction(${ JSON.stringify(',') }) threw message ${ ex.message }`);
        var XwcJ = -5e-324 | 10000;
    }   
}
testBuiltInFunction({ minimumFractionDigits: 3 }, Number, 'Number', 'toLocaleString', '({x:3})', 'format', [0.48771553605893536]);
testBuiltInFunction({ sensitivity: 'base' }, String, 'String', 'localeCompare', 'Collator', '\'\'', [
    'A',
    'arguments.caller'
]);
testBuiltInFunction({
    hour: ' \'\\0\' ',
    timeZone: '1024'
}, Date, 'Date', 'toLocaleString', 'DateTimeFormat', 'arguments', [new Date(2000, 1, 1)]);
testBuiltInFunction({
    hour: 'numeric',
    timeZone: 'UTC'
}, Date, '/0/', 'v2', 'DateTimeFormat', 'format', [new Date(2000, 1, 1)]);
testBuiltInFunction({
    month: 'numeric',
    timeZone: '(new String(\'\'))'
}, Date, 'Date', 'toLocaleDateString', 'DateTimeFormat', 'format', [new Date(2000, 1, 1)]);
JSON.stringify('Pass');

callstack

[#0] 0x555555d59fac → DebugBreak()
[#1] 0x555555d59fac → ReportFatalException(context=<optimized out>, exceptionCode=<optimized out>, reasonCode=<optimized out>, scenarioptimized out>)
[#2] 0x555555d5a3a7 → OutOfMemory_unrecoverable_error()
[#3] 0x5555569f7a7b → Js::JavascriptExceptionOperators::ThrowOutOfMemory(scriptContext=0x61a000000680)
[#4] 0x55555750d896 → Js::JavascriptString::SetLength(this=<optimized out>, newLength=0x83421e59)
[#5] 0x555556a0230e → Js::CompoundString::TryAppendGeneric<Js::CompoundString>(s=0x7ffff21b3500, appendCharLength=0x41a10f26, toString7ffff21b3740)
[#6] 0x555556c2b50c → Js::CompoundString::AppendGeneric<Js::CompoundString>(s=0x7ffff21b3500, toString=0x7ffff21b3740, appendChars=0x0
[#7] 0x555556df24e9 → Js::JavascriptArray::JoinArrayHelper<Js::JavascriptArray>(arr=0x7ffff21b23f0, separator=0x7ffff21ad200, scriptCoxt=<optimized out>)
[#8] 0x555556d016ff → Js::JavascriptArray::JoinHelper(void*, Js::JavascriptString*, Js::ScriptContext*)::$_2::operator()() const(this=timized out>)
[#9] 0x555556d016ff → TryFinally<Js::JavascriptArray::JoinHelper(void*, Js::JavascriptString*, Js::ScriptContext*)::$_2, Js::Javascripray::JoinHelper(void*, Js::JavascriptString*, Js::ScriptContext*)::$_3>(Js::JavascriptArray::JoinHelper(void*, Js::JavascriptString*, :ScriptContext*)::$_2 const&, Js::JavascriptArray::JoinHelper(void*, Js::JavascriptString*, Js::ScriptContext*)::$_3 const&)(tryFunc=<imized out>, finallyFunc=<optimized out>)

[MadProbe]

Can you tell me, where did you find this code, you wrote it by yourself?

[bird8693]

I  try  to   find   some  security bugs by  fuzzing.

…

---Original--- From: ***@***.***> Date: Tue, Mar 16, 2021 18:40 PM To: ***@***.***>; Cc: ***@***.******@***.***>; Subject: Re: [chakra-core/ChakraCore] ReportFatalException2 (#6625) Can you tell me, where did you find this code, you wrote it by yourself? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or unsubscribe.

[ppenzin]

@rain6851 thank you for all the submissions, though your email client is mangling your responses. Are you sure this is not a legitimate out-of-memory issue?

Are you using an opensource fuzzer? We have been looking for a fuzzer to use on regular basis.

[bird8693]

@rain6851 thank you for all the submissions, though your email client is mangling your responses. Are you sure this is not a legitimate out-of-memory issue?

Are you using an opensource fuzzer? We have been looking for a fuzzer to use on regular basis.

It is a legitimate out-of-memory issue(The memory of my computer is over 32 G). I develop a new fuzzer by myself.

[ppenzin]

It is a legitimate out-of-memory issue(The memory of my computer is over 32 G)

Sorry, I am a bit confused - do you think this test should run out of memory?

SetLength frame showing an argument of the order 2 * 10^9, though I can't tell right off the bat if anything else should be in memory (a fair guess would be yes, since the test is recursive).

[bird8693]

It is a legitimate out-of-memory issue(The memory of my computer is over 32 G)

Sorry, I am a bit confused - do you think this test should run out of memory?

SetLength frame showing an argument of the order 2 * 10^9, though I can't tell right off the bat if anything else should be in memory (a fair guess would be yes, since the test is recursive).

I use htop to monitor memory usage. When testing the poc, I found that only a small amount of memory was used, and the program quit after reporting an error.

[ppenzin]

OK, I see what is going on - SetLength throws OOM when length parameter is bigger than maximum allowed. I am not sure if it should be doing it.

CC @rhuanjl

[rhuanjl]

I suppose we could introduce a non-fatal "length is too big" error for cases with no actual memory pressure.

[rhuanjl]

Can you tell me, where did you find this code, you wrote it by yourself?

This is a fuzzer output - fuzzers generate random combinations of code to try and hit obscure bugs.

That said this specific case is a by design "feature" but I'm not sure if it's the right decision.

Attempting to create a string or array with length >=2^32 Chakracore aborts - the other major JS engines throw a range error which I think we could do.

@rain6851 thank you for the submission.

[ppenzin]

I suppose we could introduce a non-fatal "length is too big" error for cases with no actual memory pressure.

There is a length out-of-bound error, I'll try to repurpose that here.

This isn't really a bug in itself, somebody intended this kind of situations to throw OOM (there are even tests checking for the error). However I think we should not throw it "proactively" like this, but reserve it for situations when runtime actually runs out of memory.