LibJs: Static Initialization Block Crash #23994

Open
sSt3lla opened this issue Apr 17, 2024 · 0 comments
Labels
bug Something isn't working has-repro We have a way to reproduce this bug.

Comments

Contributor

sSt3lla commented Apr 17, 2024

Found with fuzzilli:
Original Crash: Uploading program_20240409052048_0C492C66-D7D1-4480-817A-E681B77B7C06_flaky.js.txt…
Minified by @ttrssreal

function f(){
    class C {
        static {
            let a = 0
        }
    }
}
f();

ASan output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==67805==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fdca16f6ace bp 0x7fff5a04d0b0 sp 0x7fff5a04cee0 T0)
==67805==The signal is caused by a WRITE memory access.
==67805==Hint: address points to the zero page.
    #0 0x7fdca16f6ace in JS::Bytecode::Interpreter::run_bytecode() /home/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:345:79
    #1 0x7fdca16f3b8a in JS::Bytecode::Interpreter::run_and_return_frame(JS::Bytecode::Executable&, JS::Bytecode::BasicBlock const*, JS::Bytecode::CallFrame*) /home/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:494:5
    #2 0x7fdca1bdb253 in JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() /home/serenity/Userland/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp:1234:55
    #3 0x7fdca1bd7c2a in JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) /home/serenity/Userland/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp:411:19
    #4 0x7fdca196c28e in JS::call_impl(JS::VM&, JS::FunctionObject&, JS::Value, AK::Span<JS::Value const>) /home/serenity/Userland/Libraries/LibJS/Runtime/AbstractOperations.cpp:72:21
    #5 0x7fdca1602612 in JS::ThrowCompletionOr<JS::Value> JS::call<>(JS::VM&, JS::FunctionObject&, JS::Value) /home/serenity/Meta/Lagom/../../Userland/Libraries/LibJS/Runtime/AbstractOperations.h:119:12
    #6 0x7fdca1602612 in JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_1::operator()(JS::Handle<JS::ECMAScriptFunctionObject>) const /home/serenity/Userland/Libraries/LibJS/AST.cpp:437:9
    #7 0x7fdca1602612 in decltype(auto) AK::Detail::VisitImpl<unsigned char, JS::ClassFieldDefinition, JS::Handle<JS::ECMAScriptFunctionObject>>::visit<AK::Variant<JS::ClassFieldDefinition, JS::Handle<JS::ECMAScriptFunctionObject>>, AK::Variant<JS::ClassFieldDefinition, JS::Handle<JS::ECMAScriptFunctionObject>>::Visitor<JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_0, JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_1>, (unsigned char)1>(AK::Variant<JS::ClassFieldDefinition, JS::Handle<JS::ECMAScriptFunctionObject>>&, unsigned char, void const*, AK::Variant<JS::ClassFieldDefinition, JS::Handle<JS::ECMAScriptFunctionObject>>::Visitor<JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_0, JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_1>&&) /home/serenity/Meta/Lagom/../../AK/Variant.h:112:24
    #8 0x7fdca1602612 in decltype(auto) AK::Detail::VisitImpl<unsigned char, JS::ClassFieldDefinition, JS::Handle<JS::ECMAScriptFunctionObject>>::visit<AK::Variant<JS::ClassFieldDefinition, JS::Handle<JS::ECMAScriptFunctionObject>>, AK::Variant<JS::ClassFieldDefinition, JS::Handle<JS::ECMAScriptFunctionObject>>::Visitor<JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_0, JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_1>, (unsigned char)0>(AK::Variant<JS::ClassFieldDefinition, JS::Handle<JS::ECMAScriptFunctionObject>>&, unsigned char, void const*, AK::Variant<JS::ClassFieldDefinition, JS::Handle<JS::ECMAScriptFunctionObject>>::Visitor<JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_0, JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_1>&&) /home/serenity/Meta/Lagom/../../AK/Variant.h:118:20
    #9 0x7fdca1602612 in decltype(auto) AK::Variant<JS::ClassFieldDefinition, JS::Handle<JS::ECMAScriptFunctionObject>>::visit<JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_0, JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_1>(JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_0&&, JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const::$_1&&) /home/serenity/Meta/Lagom/../../AK/Variant.h:435:16
    #10 0x7fdca1602612 in JS::ClassExpression::create_class_constructor(JS::VM&, JS::Environment*, JS::Environment*, JS::Value, AK::Optional<AK::DeprecatedFlyString> const&, AK::DeprecatedFlyString const&) const /home/serenity/Userland/Libraries/LibJS/AST.cpp:437:9
    #11 0x7fdca1784e39 in JS::Bytecode::new_class(JS::VM&, JS::Value, JS::ClassExpression const&, AK::Optional<AK::DistinctNumeric<unsigned long, JS::Bytecode::__IdentifierTableIndex_tag, AK::DistinctNumericFeature::Comparison>> const&) /home/serenity/Meta/Lagom/../../Userland/Libraries/LibJS/Bytecode/CommonImplementations.h:661:12
    #12 0x7fdca175faf0 in JS::Bytecode::Op::NewClass::execute_impl(JS::Bytecode::Interpreter&) const /home/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:1630:28
    #13 0x7fdca16f7204 in JS::Bytecode::Instruction::execute(JS::Bytecode::Interpreter&) const /home/serenity/Meta/Lagom/../../Userland/Libraries/LibJS/Bytecode/Op.h:1908:9
    #14 0x7fdca16f7204 in JS::Bytecode::Interpreter::run_bytecode() /home/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:409:38
    #15 0x7fdca16f3b8a in JS::Bytecode::Interpreter::run_and_return_frame(JS::Bytecode::Executable&, JS::Bytecode::BasicBlock const*, JS::Bytecode::CallFrame*) /home/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:494:5
    #16 0x7fdca1bdb253 in JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body() /home/serenity/Userland/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp:1234:55
    #17 0x7fdca1bd7c2a in JS::ECMAScriptFunctionObject::internal_call(JS::Value, AK::Span<JS::Value const>) /home/serenity/Userland/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp:411:19
    #18 0x7fdca196c28e in JS::call_impl(JS::VM&, JS::FunctionObject&, JS::Value, AK::Span<JS::Value const>) /home/serenity/Userland/Libraries/LibJS/Runtime/AbstractOperations.cpp:72:21
    #19 0x7fdca17744ee in JS::call(JS::VM&, JS::FunctionObject&, JS::Value, AK::Span<JS::Value const>) /home/serenity/Meta/Lagom/../../Userland/Libraries/LibJS/Runtime/AbstractOperations.h:102:12
    #20 0x7fdca17744ee in JS::Bytecode::perform_call(JS::Bytecode::Interpreter&, JS::Value, JS::Bytecode::Op::CallType, JS::Value, AK::Span<JS::Value const>) /home/serenity/Meta/Lagom/../../Userland/Libraries/LibJS/Bytecode/CommonImplementations.h:329:24
    #21 0x7fdca174736c in JS::Bytecode::Op::Call::execute_impl(JS::Bytecode::Interpreter&) const /home/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:1297:28
    #22 0x7fdca16f777e in JS::Bytecode::Instruction::execute(JS::Bytecode::Interpreter&) const /home/serenity/Meta/Lagom/../../Userland/Libraries/LibJS/Bytecode/Op.h:1908:9
    #23 0x7fdca16f777e in JS::Bytecode::Interpreter::run_bytecode() /home/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:409:38
    #24 0x7fdca16f3b8a in JS::Bytecode::Interpreter::run_and_return_frame(JS::Bytecode::Executable&, JS::Bytecode::BasicBlock const*, JS::Bytecode::CallFrame*) /home/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:494:5
    #25 0x7fdca16f129c in JS::Bytecode::Interpreter::run(JS::Script&, JS::GCPtr<JS::Environment>) /home/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:266:36
    #26 0x5227c9 in auto parse_and_run(JS::Realm&, AK::StringView, AK::StringView)::$_0::operator()<JS::NonnullGCPtr<JS::Script>>(JS::NonnullGCPtr<JS::Script>&) const /home/serenity/Userland/Utilities/js.cpp:214:44
    #27 0x5227c9 in parse_and_run(JS::Realm&, AK::StringView, AK::StringView) /home/serenity/Userland/Utilities/js.cpp:229:13
    #28 0x51dfe0 in serenity_main(Main::Arguments) /home/serenity/Userland/Utilities/js.cpp:851:14
    #29 0x53cbe8 in main /home/serenity/Userland/Libraries/LibMain/Main.cpp:39:19
    #30 0x7fdc9fa1a149 in __libc_start_call_main /usr/src/debug/glibc-2.38-17.fc39.x86_64/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #31 0x7fdc9fa1a20a in __libc_start_main@GLIBC_2.2.5 /usr/src/debug/glibc-2.38-17.fc39.x86_64/csu/../csu/libc-start.c:360:3
    #32 0x42fd74 in _start (/home/serenity/Build/lagom/bin/js+0x42fd74) (BuildId: 498c30ee301d0e17992f957d4298c6ec2fca6aa3)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/serenity/Userland/Libraries/LibJS/Bytecode/Interpreter.cpp:345:79 in JS::Bytecode::Interpreter::run_bytecode()
==67805==ABORTING
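As an added regression check (not part of the issue and not LibJS's own test harness), the following Node-runnable JavaScript builds the same construct as the minified repro, a class with a static initialization block declared inside a function body, and records the behaviour the spec requires of it, so a fixed engine can be checked for correct semantics rather than merely for not crashing. The function and field names (runRepro, obs, fromBlock) are hypothetical.

```javascript
// Added regression check for the construct in the repro above: a class with a
// static initialization block declared inside a function body. Function and
// field names here are hypothetical; this is not LibJS's own test harness.
"use strict";

function runRepro() {
    const obs = { runs: 0, runsAfterTwoInstances: -1, thisIsClass: false,
                  leakedA: "unset", fieldFromBlock: undefined };

    // Same shape as the minified repro: class declared in a function body,
    // static block containing a block-scoped `let` declaration.
    function f() {
        class C {
            static {
                let a = 0;                       // scoped to the static block only
                obs.runs += 1;                   // block runs once per class evaluation
                obs.thisIsClass = this === C;    // `this` is the class constructor
                C.fromBlock = a + 41;            // static block may define statics
            }
        }
        return C;
    }

    const C1 = f();
    obs.fieldFromBlock = C1.fromBlock;

    // Instantiation must not re-run the static block.
    new C1();
    new C1();
    obs.runsAfterTwoInstances = obs.runs;

    // `a` must not leak out of the static block; in strict mode an unresolvable
    // identifier throws ReferenceError.
    try {
        obs.leakedA = a; // eslint-disable-line no-undef
    } catch (e) {
        obs.leakedA = e instanceof ReferenceError ? "ReferenceError" : "other";
    }

    // A second evaluation of the class definition runs the block again.
    f();
    return obs;
}
```

A JS engine that passes this check evaluates the static block exactly once per class definition, binds `this` to the class, keeps the block's `let` declaration scoped to the block, and does not re-run the block on instantiation.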
@Lubrsi Lubrsi added bug Something isn't working has-repro We have a way to reproduce this bug. labels Apr 17, 2024