==1327323==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x55fb3005c209,0x55fc3005c205) and [0x55fc3005c0f8, 0x55fd3005c0f4) overlap #5080

Open
@Limesss

Description

JerryScript revision

Version: v3.0.0

Build platform

Linux cqian-s2 5.4.0-148-generic #165-Ubuntu SMP Tue Apr 18 08:53:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Build steps

```sh
python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20
```

Test case

```js
let evil = new RegExp();
evil.exec = () => ({ 0: "1234567", length: 1, index: 0 });
"abc".replace(evil, "$'");
```

Execution platform

Unnecessary if the same as the build platform.

Execution steps

List the steps that trigger the bug.

E.g., if a bug is snapshot-specific:

```sh
build/bin/jerry-snapshot generate -o testcase.js.snapshot testcase.js
build/bin/jerry --exec-snapshot testcase.js.snapshot
```

Output

SEGMENT

Backtrace
```
==1327323==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x55fb3005c209,0x55fc3005c205) and [0x55fc3005c0f8, 0x55fd3005c0f4) overlap
    #0 0x7fc34e7684ed in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:823
    #1 0x55fc2ff5cea1 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
    #2 0x55fc2ff5cea1 in ecma_stringbuilder_append_raw /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:2609
    #3 0x55fc2ffe19b0 in ecma_builtin_replace_substitute /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-helpers.c:982
    #4 0x55fc2ffe9c25 in ecma_regexp_replace_helper /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:2924
    #5 0x55fc2ffe9c25 in ecma_builtin_regexp_prototype_dispatch_routine /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.c:602
    #6 0x55fc2ff7dedc in ecma_builtin_dispatch_routine /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
    #7 0x55fc2ff7dedc in ecma_builtin_dispatch_call /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
    #8 0x55fc2ff7dedc in ecma_op_function_call_native_built_in /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217
    #9 0x55fc2ff84908 in ecma_op_function_call /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
    #10 0x55fc2ffec6dc in ecma_op_function_validated_call /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1371
    #11 0x55fc2ffec6dc in ecma_builtin_string_prototype_object_replace_helper /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:555
    #12 0x55fc2ffeda96 in ecma_builtin_string_prototype_dispatch_routine /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:1416
    #13 0x55fc2ffeda96 in ecma_builtin_string_prototype_dispatch_routine /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:1369
    #14 0x55fc2ff7dedc in ecma_builtin_dispatch_routine /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
    #15 0x55fc2ff7dedc in ecma_builtin_dispatch_call /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
    #16 0x55fc2ff7dedc in ecma_op_function_call_native_built_in /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217
    #17 0x55fc2ff84908 in ecma_op_function_call /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
    #18 0x55fc2ffcf524 in ecma_op_function_validated_call /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1371
    #19 0x55fc2ffcf524 in opfunc_call /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/vm/vm.c:758
    #20 0x55fc2ffcf524 in vm_execute /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/vm/vm.c:5217
    #21 0x55fc2ffbca95 in vm_run /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/vm/vm.c:5312
    #22 0x55fc2ff5f2a7 in vm_run_global /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/vm/vm.c:286
    #23 0x55fc2ff5f2a7 in jerry_run /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-core/api/jerryscript.c:548
    #24 0x55fc2ff51a41 in jerryx_source_exec_script /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-ext/util/sources.c:68
    #25 0x55fc2ff51a41 in main /home2/dingjie/jsfuzz/fuzz_target/jerryscript/jerry-main/main-desktop.c:156
    #26 0x7fc34e411082 in __libc_start_main ../csu/libc-start.c:308
    #27 0x55fc2ff52abd in _start (/home2/dingjie/jsfuzz/fuzz_target/jerryscript/asan/bin/jerry+0x1eabd)
```
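The replacement pattern is `$'` (the text after the match) and frame #3 is `ecma_builtin_replace_substitute`, while the match object returned by the overridden `exec` claims a 7-character match at index 0 of the 3-character subject `"abc"`, so any tail position derived from it lies past the end of the subject. The following added example (not JerryScript code) is a small bounds-checked GetSubstitution in C that clamps `position` and the `$'` tail position the way the ECMAScript specification describes; it handles the `$$`, `$&`, `` $` `` and `$'` patterns and leaves capture groups out.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not JerryScript code: a bounds-checked GetSubstitution for the
 * $$, $&, $` and $' patterns (no capture groups). matched/position come from the
 * script-visible exec() result, so every offset derived from them is clamped
 * before it reaches memcpy. */
static int append(char *out, size_t cap, size_t *len, const char *src, size_t n)
{
  if (n > cap - 1 - *len) return -1;  /* would not fit: refuse rather than truncate */
  memcpy(out + *len, src, n);
  *len += n;
  out[*len] = '\0';
  return 0;
}

/* Returns the number of bytes written to out, or -1 if out_cap is too small. */
int get_substitution(const char *matched, size_t matched_len, const char *str,
                     size_t str_len, size_t position, const char *tmpl,
                     char *out, size_t out_cap)
{
  size_t len = 0; out[0] = '\0';
  if (position > str_len) position = str_len;  /* spec clamps position to [0, len] */
  /* tailPos = position + matchLength; once it reaches the end of str, $' is empty.
   * The test case ("abc", matched "1234567") hits exactly this branch. Written as
   * a comparison against the remaining length so a huge matched_len cannot wrap. */
  size_t tail_pos = (matched_len >= str_len - position) ? str_len : position + matched_len;

  for (const char *p = tmpl; *p != '\0'; p++) {
    int rc;
    if (*p != '$' || p[1] == '\0') {
      rc = append(out, out_cap, &len, p, 1);  /* literal byte, or a lone trailing '$' */
    } else switch (*++p) {
      case '$':  rc = append(out, out_cap, &len, "$", 1); break;
      case '&':  rc = append(out, out_cap, &len, matched, matched_len); break;
      case '`':  rc = append(out, out_cap, &len, str, position); break;
      case '\'': rc = append(out, out_cap, &len, str + tail_pos, str_len - tail_pos); break;
      default:   rc = append(out, out_cap, &len, p - 1, 2); break;  /* unknown "$x": literal */
    }
    if (rc != 0) return -1;
  }
  return (int) len;
}

int main(void)
{
  char out[32];  /* the page's test case: exec() claims a 7-char match at index 0 of "abc" */
  int n = get_substitution("1234567", 7, "abc", 3, 0, "$'", out, sizeof out);
  printf("$' -> %d byte(s): \"%s\"\n", n, out);  /* prints: $' -> 0 byte(s): "" */
}
```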

Credit: Jie Ding from HKU S3Lab
