SEGV in ecma_find_named_property #3045

@renatahodovan

Description

JerryScript revision

2975810

Build platform

Linux-4.15.0-54-generic-x86_64-with-Ubuntu-18.04-bionic

Build steps
./tools/build.py --clean --debug --compile-flag=-fsanitize=address \
--compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer \
--compile-flag=-fno-common --compile-flag=-g \
--strip=off --system-allocator=on --logging=on \
--linker-flag=-fuse-ld=gold --error-messages=on --profile=es2015-subset
Test case

var set = new Set()
set.add()
set.has([ 1 ])

Output

ASAN:DEADLYSIGNAL
=================================================================
==42448==ERROR: AddressSanitizer: SEGV on unknown address 0x00000014 (pc 0x566f1cfe bp 0xffc645b8 sp 0xffc644f0 T0)
==42448==The signal is caused by a READ memory access.
==42448==Hint: address points to the zero page.
    #0 0x566f1cfd in ecma_find_named_property jerryscript/jerry-core/ecma/base/ecma-helpers.c:586
    #1 0x56614ea8 in ecma_op_container_to_key jerryscript/jerry-core/ecma/operations/ecma-container-object.c:247
    #2 0x566152fa in ecma_op_container_has jerryscript/jerry-core/ecma/operations/ecma-container-object.c:364
    #3 0x56657a51 in ecma_builtin_set_prototype_object_has jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-set-prototype.c:115
    #4 0x56657923 in ecma_builtin_set_prototype_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-set-prototype.inc.h:45
    #5 0x566aaee3 in ecma_builtin_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1025
    #6 0x566ab144 in ecma_builtin_dispatch_call jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1050
    #7 0x566bd1dd in ecma_op_function_call jerryscript/jerry-core/ecma/operations/ecma-function-object.c:729
    #8 0x566723a0 in opfunc_call jerryscript/jerry-core/vm/vm.c:581
    #9 0x56683542 in vm_execute jerryscript/jerry-core/vm/vm.c:3618
    #10 0x56683e46 in vm_run jerryscript/jerry-core/vm/vm.c:3738
    #11 0x56671637 in vm_run_global jerryscript/jerry-core/vm/vm.c:282
    #12 0x566cae25 in jerry_run jerryscript/jerry-core/api/jerry.c:570
    #13 0x566c7789 in main jerryscript/jerry-main/main-unix.c:743
    #14 0xf7774e80 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18e80)
    #15 0x565f55a0  (jerryscript/build_gcc_asan_es2015/bin/jerry+0x165a0)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV jerryscript/jerry-core/ecma/base/ecma-helpers.c:586 in ecma_find_named_property
==42448==ABORTING
Backtrace
bt
#0  0x56667cfe in ecma_find_named_property (obj_p=0xf5f00460, name_p=0x27cd) at jerryscript/jerry-core/ecma/base/ecma-helpers.c:586
#1  0x5658aea9 in ecma_op_container_to_key (key_arg=4126147683) at jerryscript/jerry-core/ecma/operations/ecma-container-object.c:247
#2  0x5658b2fb in ecma_op_container_has (this_arg=4126148403, key_arg=4126147683, lit_id=LIT_MAGIC_STRING_SET_UL) at jerryscript/jerry-core/ecma/operations/ecma-container-object.c:364
#3  0x565cda52 in ecma_builtin_set_prototype_object_has (this_arg=4126148403, value_arg=4126147683) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-set-prototype.c:115
#4  0x565cd924 in ecma_builtin_set_prototype_dispatch_routine (builtin_routine_id=75, this_arg_value=4126148403, arguments_list=0xffffc4d0, arguments_number=2) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-set-prototype.inc.h:45
#5  0x56620ee4 in ecma_builtin_dispatch_routine (builtin_object_id=ECMA_BUILTIN_ID_SET_PROTOTYPE, builtin_routine_id=75, this_arg_value=4126148403, arguments_list_p=0xffffc4d0, arguments_list_len=2) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1025
#6  0x56621145 in ecma_builtin_dispatch_call (obj_p=0xf5f00670, this_arg_value=4126148403, arguments_list_p=0xffffc770, arguments_list_len=2) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1050
#7  0x566331de in ecma_op_function_call (func_obj_p=0xf5f00670, this_arg_value=4126148403, arguments_list_p=0xffffc770, arguments_list_len=2) at jerryscript/jerry-core/ecma/operations/ecma-function-object.c:729
#8  0x565e83a1 in opfunc_call (frame_ctx_p=0xffffc7e0) at jerryscript/jerry-core/vm/vm.c:581
#9  0x565f9543 in vm_execute (frame_ctx_p=0xffffc7e0, arg_p=0x0, arg_list_len=0) at jerryscript/jerry-core/vm/vm.c:3618
#10 0x565f9e47 in vm_run (bytecode_header_p=0xf4f03c00, this_binding_value=4126149459, lex_env_p=0xf5d007b0, parse_opts=0, arg_list_p=0x0, arg_list_len=0) at jerryscript/jerry-core/vm/vm.c:3738
#11 0x565e7638 in vm_run_global (bytecode_p=0xf4f03c00) at jerryscript/jerry-core/vm/vm.c:282
#12 0x56640e26 in jerry_run (func_val=4126148787) at jerryscript/jerry-core/api/jerry.c:570
#13 0x5663d78a in main (argc=3, argv=0xffffcc14) at jerryscript/jerry-main/main-unix.c:743

Found by Fuzzinator with grammarinator.
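As an added regression-style check (written here, not part of this issue or of the JerryScript test suite), the statements from the test case run under the ES2015 semantics a conforming engine has to implement: `add()` with no argument inserts the value `undefined` (the missing argument is `undefined`, and Set keys are compared with SameValueZero), and `has([ 1 ])` must return `false`, because a freshly built array is a distinct object from anything in the set. The defect reported above is that the engine dereferences an invalid pointer in `ecma_find_named_property` instead of returning that boolean; once the key conversion is fixed, a check like this pins the expected results. It runs under Node.js, and the function names are mine.

```javascript
// Added example: expected results for the issue's reproducer, with the
// neighbouring cases a regression test for the same code path should cover.
// Run with: node this_file.js

// The exact sequence from the issue, returning every observable result
// instead of crashing.
function runReproducer() {
  var set = new Set();
  set.add();                       // inserts the value `undefined`
  return {
    size: set.size,                // 1: one key, `undefined`
    hasUndefined: set.has(undefined), // true
    hasArray: set.has([1]),        // false: a new array is a new object
    hasOne: set.has(1),            // false: no numeric key was added
    hasString: set.has('1')        // false: no string key was added
  };
}

// Object keys are matched by identity, never by contents.
function objectKeyIdentity() {
  var arr = [1];
  var set = new Set([arr]);
  return {
    sameObject: set.has(arr),      // true
    equalContents: set.has([1])    // false
  };
}

// Compare the engine's answers against the spec-mandated ones and report
// every mismatch; an empty list means the engine behaves correctly.
function checkReproducer() {
  var expected = {
    size: 1, hasUndefined: true, hasArray: false, hasOne: false, hasString: false
  };
  var actual = runReproducer();
  var failures = [];
  Object.keys(expected).forEach(function (k) {
    if (actual[k] !== expected[k]) {
      failures.push(k + ': got ' + actual[k] + ', expected ' + expected[k]);
    }
  });
  return failures;
}

var problems = checkReproducer();
console.log(problems.length === 0 ? 'Set add()/has() behave as specified'
                                  : 'Mismatches: ' + problems.join('; '));
```

The same file can be dropped into an engine's JavaScript test directory: on the revision reported above the process dies with the SEGV before the final line runs, and on a fixed build the check must print no mismatches.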

Labels: bug (Undesired behaviour), ecma core (Related to core ECMA functionality)