Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SEGV xs/sources/xsDataView.c:559:24 in fx_ArrayBuffer_prototype_concat #774

Closed
hope-fly opened this issue Jan 10, 2022 · 5 comments
Closed

SEGV xs/sources/xsDataView.c:559:24 in fx_ArrayBuffer_prototype_concat #774

hope-fly opened this issue Jan 10, 2022 · 5 comments
Labels
confirmed issue reported has been reproduced fixed - please verify Issue has been fixed. Please verify and close.

Comments

@hope-fly
Copy link

hope-fly commented Jan 10, 2022
edited
Loading

Moddable-XS revision

Commit: 2f93df29

Version: 11.5.0 32 4

Build environment

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps
cd  ~/moddable/xs/makefiles/lin
make -f xst.mk
Test case
poc.js 


function JSEtest(f, args) {
    var bound = Function.prototype.bind.apply(f, new ArrayBuffer(64).concat(new Object));
    return new bound();
}
var d = JSEtest(Date, [1957, 4, 27]);

Execution & Output
$ ./moddable/build/bin/lin/debug/xst poc.js

AddressSanitizer:DEADLYSIGNAL
=================================================================
==62908==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000061df67 bp 0x7fff84c54690 sp 0x7fff84c544f0 T0)
==62908==The signal is caused by a READ memory access.
==62908==Hint: address points to the zero page.
    #0 0x61df66 in fx_ArrayBuffer_prototype_concat /root/moddable/xs/sources/xsDataView.c:559:24
    #1 0x84f3ca in fxRunID /root/moddable/xs/sources/xsRun.c:842:7
    #2 0x8ceaac in fxRunScript /root/moddable/xs/sources/xsRun.c:4766:4
    #3 0xad3231 in fxRunProgramFile /root/moddable/xs/tools/xst.c:1387:2
    #4 0xacfa83 in main /root/moddable/xs/tools/xst.c:281:8
    #5 0x7f1a84524bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x42ddc9 in _start (/usr/local/bin/xst+0x42ddc9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/moddable/xs/sources/xsDataView.c:559:24 in fx_ArrayBuffer_prototype_concat
==62908==ABORTING

Credits: Found by OWL337 team.
@phoddie phoddie added the confirmed issue reported has been reproduced label Jan 10, 2022
@phoddie
Copy link
Collaborator

phoddie commented Jan 10, 2022

Thank you for the report.

This PoC can be simplified:

new ArrayBuffer(64).concat({})

FWIW – Array.prototype.concat is an extension to JavaScript by XS, not part of EcmaScript standard.

@phoddie
Copy link
Collaborator

phoddie commented Jan 10, 2022

It looks like the problem is missing braces. 🤦

moddable/xs/sources/xsDataView.c

Lines 557 to 559 in 83dadd3

if (slot && (slot->kind == XS_ARRAY_BUFFER_KIND))
arrayBuffer = slot;
bufferInfo = slot->next;

@hope-fly
Copy link
Author

that's interesting, I'll note it 😉

@phoddie
Copy link
Collaborator

phoddie commented Jan 10, 2022

It looks like that problem snuck in with recent changes to the internal XS buffer representation. I imagine some linter would pick that mistake up.

mkellner pushed a commit that referenced this issue Jan 10, 2022
@phoddie
XS: #774
0c4403b
@phoddie phoddie added the fixed - please verify Issue has been fixed. Please verify and close. label Jan 10, 2022
@hope-fly
Copy link
Author

Verified!

@phoddie phoddie closed this as completed Jan 13, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
confirmed issue reported has been reproduced fixed - please verify Issue has been fixed. Please verify and close.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@phoddie @hope-fly