Open
Description
Commit ID
Build platform
Ubuntu 22.04.3
Build steps
python3 ./tools/build.py --builddir=xxx --clean --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --logging=on --line-info=on --error-message=on --stack-limit=20Test case
class s extends Uint32Array { static { } const }
const n = new s ( ) ; Execution steps
./jerry poc.jsOutput
=================================================================
==880670==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000012211fc at pc 0x00000067e7fb bp 0x7ffddd05ca10 sp 0x7ffddd05ca08
READ of size 2 at 0x0000012211fc thread T0
#0 0x67e7fa in scanner_literal_is_created /jerryscript/jerry-core/parser/js/js-scanner-util.c:2922:44
#1 0x7e82c1 in parser_parse_var_statement /jerryscript/jerry-core/parser/js/js-parser-statm.c:523:15
#2 0x7da089 in parser_parse_statements /jerryscript/jerry-core/parser/js/js-parser-statm.c:2781:9
#3 0x663433 in parser_parse_source /jerryscript/jerry-core/parser/js/js-parser.c:2280:5
#4 0x6611ca in parser_parse_script /jerryscript/jerry-core/parser/js/js-parser.c:3332:38
#5 0x4ec611 in jerry_parse_common /jerryscript/jerry-core/api/jerryscript.c:418:21
#6 0x4ec23e in jerry_parse /jerryscript/jerry-core/api/jerryscript.c:486:10
#7 0x80402d in jerryx_source_parse_script /jerryscript/jerry-ext/util/sources.c:52:26
#8 0x80432c in jerryx_source_exec_script /jerryscript/jerry-ext/util/sources.c:63:26
#9 0x4e0160 in main /jerryscript/jerry-main/main-desktop.c:156:20
#10 0x7f0ac095fd8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
#11 0x7f0ac095fe3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
#12 0x427fd4 in _start (/jerryscript/0805/bin/jerry+0x427fd4)
0x0000012211fc is located 4 bytes to the left of global variable 'jerry_global_heap' defined in '/jerryscript/jerry-core/jcontext/jcontext.c:148:13' (0x1221200) of size 524288
0x0000012211fc is located 1108 bytes to the right of global variable 'jerry_global_context' defined in '/jerryscript/jerry-core/jcontext/jcontext.c:135:17' (0x121fc40) of size 4456
SUMMARY: AddressSanitizer: global-buffer-overflow /jerryscript/jerry-core/parser/js/js-scanner-util.c:2922:44 in scanner_literal_is_created
Shadow bytes around the buggy address:
0x00008023c1e0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x00008023c1f0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x00008023c200: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x00008023c210: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x00008023c220: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x00008023c230: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9[f9]
0x00008023c240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008023c250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008023c260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008023c270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008023c280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==880670==ABORTING