Closed
Description
Revision
Build
./tools/build.py --clean --debug --compile-flag=-fsanitize=address \
  --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer \
  --compile-flag=-fno-common --compile-flag=-g \
  --strip=off --system-allocator=on --logging=on \
  --error-messages=on --profile=es2015-subset
OS
Linux 4.15.0-58-generic #64-Ubuntu x86_64 GNU/Linux
Test case
var arr = new Int8Array(357913942);
arr.copyWithin(4096, 14, 5)
Backtrace
Run with jerry poc.js
=================================================================
==52075==ERROR: AddressSanitizer: negative-size-param: (size=-9)
#0 0xf7a1cc79 in memmove (/usr/lib32/libasan.so.4+0x7ac79)
#1 0x566cd783 in ecma_builtin_typedarray_prototype_copy_within /jerryscript/jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-prototype.c:1900
#2 0x566c48ae in ecma_builtin_typedarray_prototype_dispatch_routine /jerryscript/jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-prototype.inc.h:75
#3 0x566c32d6 in ecma_builtin_dispatch_routine /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1021
#4 0x566c3537 in ecma_builtin_dispatch_call /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1046
#5 0x566e5466 in ecma_op_function_call /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:729
#6 0x56772d7f in opfunc_call /jerryscript/jerry-core/vm/vm.c:581
#7 0x56788112 in vm_execute /jerryscript/jerry-core/vm/vm.c:3629
#8 0x567889c1 in vm_run /jerryscript/jerry-core/vm/vm.c:3749
#9 0x56771be5 in vm_run_global /jerryscript/jerry-core/vm/vm.c:282
#10 0x56633c6b in jerry_run /jerryscript/jerry-core/api/jerry.c:570
#11 0x566305be in main /jerryscript/jerry-main/main-unix.c:743
#12 0xf77e1e80 in __libc_start_main (/lib32/libc.so.6+0x18e80)
#13 0x5662de90 (/home/fuzzing/jerryscript/tmpmaster/jerry+0x15e90)
0xdffa9826 is located 38 bytes inside of 357913966-byte region [0xdffa9800,0xf54fed6e)
allocated by thread T0 here:
#0 0xf7a87f34 in malloc (/usr/lib32/libasan.so.4+0xe5f34)
#1 0x567147e2 in jmem_heap_alloc /jerryscript/jerry-core/jmem/jmem-heap.c:258
#2 0x5671485a in jmem_heap_gc_and_alloc_block /jerryscript/jerry-core/jmem/jmem-heap.c:293
#3 0x566623a4 in jmem_heap_alloc_block /jerryscript/jerry-core/jmem/jmem-heap.c:327
#4 0x566623a4 in ecma_alloc_extended_object /jerryscript/jerry-core/ecma/base/ecma-alloc.c:109
#5 0x566623a4 in ecma_create_object /jerryscript/jerry-core/ecma/base/ecma-helpers.c:81
#6 0x566d4081 in ecma_arraybuffer_new_object /jerryscript/jerry-core/ecma/operations/ecma-arraybuffer-object.c:49
#7 0x5670f70b in ecma_typedarray_create_object_with_length /jerryscript/jerry-core/ecma/operations/ecma-typedarray-object.c:246
#8 0x56711ff3 in ecma_op_create_typedarray /jerryscript/jerry-core/ecma/operations/ecma-typedarray-object.c:624
#9 0x566c4062 in ecma_typedarray_helper_dispatch_construct /jerryscript/jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-helpers.c:219
#10 0x566c3cc1 in ecma_builtin_int8array_dispatch_construct /jerryscript/jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-int8array.c:68
#11 0x566c37cb in ecma_builtin_dispatch_construct /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1080
#12 0x566e6a65 in ecma_op_function_construct /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1077
#13 0x5677339e in opfunc_construct /jerryscript/jerry-core/vm/vm.c:665
#14 0x56788138 in vm_execute /jerryscript/jerry-core/vm/vm.c:3641
#15 0x567889c1 in vm_run /jerryscript/jerry-core/vm/vm.c:3749
#16 0x56771be5 in vm_run_global /jerryscript/jerry-core/vm/vm.c:282
#17 0x56633c6b in jerry_run /jerryscript/jerry-core/api/jerry.c:570
#18 0x566305be in main /jerryscript/jerry-main/main-unix.c:743
#19 0xf77e1e80 in __libc_start_main (/lib32/libc.so.6+0x18e80)
SUMMARY: AddressSanitizer: negative-size-param (/usr/lib32/libasan.so.4+0x7ac79) in memmove
==52075==ABORTING
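The report shows memmove receiving a negative count (size=-9) because copyWithin's end argument (5) is smaller than its start (14): 5 - 14 = -9, and that value was used as the byte count. The C below is an added illustration, not JerryScript's code, of how the ES2015 copyWithin index resolution (relative indices clamped into [0, len], count = min(final - from, len - to)) should be carried out so that a non-positive count never reaches memmove. All function names are my own; end is passed explicitly (callers use len for JavaScript's undefined), and the element size is one byte as for Int8Array. The buffers in the self-check are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Resolve one relative index as %TypedArray%.prototype.copyWithin does:
 * negative values count back from the end, result is clamped into [0, len]. */
static size_t resolve_relative_index(int64_t rel, size_t len)
{
  if (rel < 0) {
    int64_t r = (int64_t) len + rel;
    return r < 0 ? 0 : (size_t) r;
  }
  return (size_t) rel > len ? len : (size_t) rel;
}

/* Number of elements copyWithin will move. The spec's
 * count = min(final - from, len - to) can be negative (as in the report:
 * final=5, from=14 gives -9); a non-positive count means "copy nothing",
 * so it is clamped to 0 here instead of being handed to memmove. */
size_t copy_within_count(size_t len, int64_t target, int64_t start, int64_t end)
{
  size_t to = resolve_relative_index(target, len);
  size_t from = resolve_relative_index(start, len);
  size_t final = resolve_relative_index(end, len);

  int64_t count = (int64_t) final - (int64_t) from; /* may be negative */
  int64_t room = (int64_t) len - (int64_t) to;      /* >= 0 after clamping */
  if (room < count) {
    count = room;
  }
  return count > 0 ? (size_t) count : 0;
}

/* copyWithin over a byte buffer (Int8Array element size). Returns the number
 * of bytes moved; memmove is only called with a positive, in-bounds size. */
size_t int8_copy_within(int8_t *buf, size_t len, int64_t target, int64_t start, int64_t end)
{
  size_t count = copy_within_count(len, target, start, end);
  if (count > 0) {
    size_t to = resolve_relative_index(target, len);
    size_t from = resolve_relative_index(start, len);
    memmove(buf + to, buf + from, count); /* overlap-safe; to + count <= len */
  }
  return count;
}

/* Self-check on a constructed 8-byte buffer: an overlapping forward copy
 * works, and the report's start > end shape moves nothing. Returns 1 on pass. */
int copy_within_self_check(void)
{
  int8_t buf[8] = {0, 1, 2, 3, 4, 5, 6, 7};
  int8_t expect[8] = {0, 1, 0, 1, 2, 3, 6, 7};
  if (int8_copy_within(buf, 8, 2, 0, 4) != 4) {
    return 0;
  }
  if (memcmp(buf, expect, 8) != 0) {
    return 0;
  }
  /* same shape as the report: start (6) > end (2), count negative, no-op */
  if (int8_copy_within(buf, 8, 4, 6, 2) != 0) {
    return 0;
  }
  return memcmp(buf, expect, 8) == 0;
}

int main(void)
{
  /* The report's arguments: length 357913942, copyWithin(4096, 14, 5). */
  size_t n = copy_within_count(357913942u, 4096, 14, 5);
  printf("bytes to move for copyWithin(4096, 14, 5): %zu\n", n);
  printf("self-check: %s\n", copy_within_self_check() ? "ok" : "FAILED");
  return 0;
}
```

The check worth keeping in mind is that the clamp has to happen on the signed count, before any conversion to size_t: casting -9 to an unsigned size first would turn a no-op into a huge length and a heap overflow rather than the abort ASan caught here.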