
SEGV ./jerry-core/ecma/base/ecma-helpers.c:238:58 #5101


Description

@gandalf4a
JerryScript revision
$ git show
commit a588e4966175a190ec6350b2a3689d30ed017ec9 (HEAD -> master, origin/master, origin/HEAD)
Author: Máté Tokodi <tokodi.mate.24@gmail.com>
Date:   Wed Sep 20 15:38:30 2023 +0200
Build & Execution platform
$ uname -a
Linux user-AYA-NEO-FOUNDER 5.19.0-43-generic #44~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon May 22 13:39:36 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Build steps
export CC=clang
python tools/build.py --compile-flag=-fsanitize-coverage=trace-pc-guard --compile-flag="-fsanitize=address -g" --profile=es.next --lto=off --compile-flag=-D_POSIX_C_SOURCE=200809 --stack-limit=15 --compile-flag=-Werror --compile-flag=-Wincompatible-pointer-types --compile-flag=-Wno-strict-prototypes
Test case

the pocfile.js

// Fuzzer-generated crash reproducer. Kept byte-for-byte: the fault depends on
// the exact order of calls and property lookups, and the local names are the
// fuzzer's own. a1/a2 are never read by the body.
async function f0(a1, a2) {
    // Proxy target: an ordinary function that returns f0 (a7..a10 unused).
    function f6(a7, a8, a9, ...a10) {
        return f0;
    }
    // Proxy handler whose only trap is `get`, implemented by f0 itself, so a
    // property read that reaches the proxy re-enters f0.
    var o11 = {
        "get": f0,
    };
    // Unconditional self-call: since there is no `await`, the whole body runs
    // synchronously on each re-entry. NOTE(review): presumably the recursion is
    // cut by the engine stack limit (build uses --stack-limit=15) with the
    // error captured as a rejected promise rather than thrown — confirm.
    var v12 = f0();
    // v12 is the Promise returned above; its prototype is rewired to f0, so a
    // lookup that misses on v12 continues to f0 and then to f0's own prototype.
    v12.__proto__ = f0;
    async function f13(a14, a15) {
        // matchAll with a non-RegExp argument (a14 is v12). The ASan stack
        // places the SEGV here: match_all -> ecma_proxy_object_get ->
        // ecma_op_object_get_own_property_descriptor -> ecma_get_object_type
        // reading an invalid object pointer (READ at an unmapped address).
        // NOTE(review): looks like the lookup walks v12's prototype chain into
        // the Proxy (v19) on a later re-entry, after that chain has been set up
        // by an outer invocation — confirm against the engine.
        ("h").matchAll(a14);
        return v12;
    }
    f13(v12);
    var v19 = new Proxy(f6, o11);
    // Put the Proxy on f0's prototype chain so a missing property on f0 (and on
    // anything whose prototype is f0) ends in the `get` trap.
    f0.__proto__ = v19;
    // "F" is not an own property of f0, so this read invokes the trap (f0 again);
    // the backtrace shows that trap call entered from vm_loop. `h` is never
    // declared anywhere in this file, but the member expression (the proxied
    // read) is evaluated before the argument, and the fault is reached inside
    // that read.
    f0["F"](h);
    return f0;
}
// Entry point. The arguments are never read by f0; the call merely starts the
// run in which f0 re-enters itself (via `var v12 = f0()` and the Proxy `get`
// trap) until the engine faults. The CRASH INFO block below is the fuzzer's
// own record of the run (TERMSIG 11 = SIGSEGV, no stderr/stdout).
f0(f0, f0);
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// 
// STDOUT:
// 
// ARGS: /home/user/jerryscript/build/bin/jerry --reprl-fuzzilli
// EXECUTION TIME: 129ms

Execution steps
./build/bin/jerry pocfile.js
Output

asan report:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==4145220==ERROR: AddressSanitizer: SEGV on unknown address 0x000001632228 (pc 0x0000004fa98a bp 0x7ffd146d3570 sp 0x7ffd146d3450 T0)
==4145220==The signal is caused by a READ memory access.
    #0 0x4fa98a in ecma_get_object_type /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/base/ecma-helpers.c:238:58
    #1 0x530b2b in ecma_op_object_get_own_property_descriptor /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-objects.c:1806:7
    #2 0x53742e in ecma_proxy_object_get /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-proxy-object.c:1185:25
    #3 0x5bafa5 in ecma_builtin_string_prototype_object_match_all /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:384:32
    #4 0x5bafa5 in ecma_builtin_string_prototype_dispatch_routine /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:1397:12
    #5 0x50b96c in ecma_builtin_dispatch_routine /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460:10
    #6 0x50b96c in ecma_builtin_dispatch_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489:12
    #7 0x525d04 in ecma_op_function_call_native_built_in /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217:5
    #8 0x52548f in ecma_op_function_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411:16
    #9 0x5832d5 in opfunc_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:758:5
    #10 0x5832d5 in vm_execute /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5217:9
    #11 0x581e39 in vm_run /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5312:10
    #12 0x52592a in ecma_op_function_call_simple /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1176:28
    #13 0x5254c5 in ecma_op_function_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1406:16
    #14 0x5832d5 in opfunc_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:758:5
    #15 0x5832d5 in vm_execute /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5217:9
    #16 0x581e39 in vm_run /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5312:10
    #17 0x52592a in ecma_op_function_call_simple /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1176:28
    #18 0x5254c5 in ecma_op_function_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1406:16
    #19 0x5832d5 in opfunc_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:758:5
    #20 0x5832d5 in vm_execute /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5217:9
    #21 0x581e39 in vm_run /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5312:10
    #22 0x52592a in ecma_op_function_call_simple /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1176:28
    #23 0x5254c5 in ecma_op_function_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1406:16
    #24 0x5373ba in ecma_proxy_object_get /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-proxy-object.c:1173:30
    #25 0x58d2a9 in vm_loop /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:2959:20
    #26 0x582c82 in vm_execute /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5211:37
    #27 0x581e39 in vm_run /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5312:10
    #28 0x52592a in ecma_op_function_call_simple /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1176:28
    #29 0x5254c5 in ecma_op_function_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1406:16
    #30 0x5832d5 in opfunc_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:758:5
    #31 0x5832d5 in vm_execute /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5217:9
    #32 0x581e39 in vm_run /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5312:10
    #33 0x52592a in ecma_op_function_call_simple /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1176:28
    #34 0x5254c5 in ecma_op_function_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1406:16
    #35 0x5832d5 in opfunc_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:758:5
    #36 0x5832d5 in vm_execute /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5217:9
    #37 0x581e39 in vm_run /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5312:10
    #38 0x52592a in ecma_op_function_call_simple /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1176:28
    #39 0x5254c5 in ecma_op_function_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1406:16
    #40 0x5832d5 in opfunc_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:758:5
    #41 0x5832d5 in vm_execute /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5217:9
    #42 0x581e39 in vm_run /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5312:10
    #43 0x52592a in ecma_op_function_call_simple /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1176:28
    #44 0x5254c5 in ecma_op_function_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1406:16
    #45 0x5832d5 in opfunc_call /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:758:5
    #46 0x5832d5 in vm_execute /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5217:9
    #47 0x581e39 in vm_run /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5312:10
    #48 0x581ba0 in vm_run_global /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:286:25
    #49 0x4dae6a in jerry_run /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/api/jerryscript.c:548:24
    #50 0x5f9127 in jerryx_source_exec_script /home/user/fuzz/jerryscript_origin/jerryscript/jerry-ext/util/sources.c:68:14
    #51 0x4d6e94 in main /home/user/fuzz/jerryscript_origin/jerryscript/jerry-main/main-desktop.c:156:20
    #52 0x7f1536429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #53 0x7f1536429e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #54 0x41ee74 in _start (/home/user/fuzz/jerryscript_origin/jerryscript/build/bin/jerry+0x41ee74)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/base/ecma-helpers.c:238:58 in ecma_get_object_type
==4145220==ABORTING
Backtrace
$ gdb -nx -q ./jerry -ex 'r /home/user/fuzzilli-0.9.3/Targets/Jerryscript/out/crashes/program_20230514101203_40AD785C-9A14-45A0-90E3-D89516D5715C_deterministic.js'
Reading symbols from ./jerry...
Starting program: /home/user/fuzz/jerryscript_origin/jerryscript/build/bin/jerry /home/user/fuzzilli-0.9.3/Targets/Jerryscript/out/crashes/program_20230514101203_40AD785C-9A14-45A0-90E3-D89516D5715C_deterministic.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004fa98a in ecma_get_object_type (object_p=object_p@entry=0x1632228) at /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/base/ecma-helpers.c:238
238	  return (ecma_object_type_t) (object_p->type_flags_refs & ECMA_OBJECT_TYPE_MASK);
(gdb)
Expected behavior

SEGV or crash

Credits:

@gandalf4a of PKU-Changsha Institute for Computing and Digital Economy
