
SEGV in njs_function_lambda_call #530

Open
Q1IQ opened this issue Jun 2, 2022 · 0 comments
Q1IQ commented Jun 2, 2022

Environment

OS      : Linux ubuntu 5.11.10 #1 SMP Sat Oct 30 23:40:08 CST 2021 x86_64 x86_64 x86_64 GNU/Linux
Commit  : c62a9fb92b102c90a66aa724cb9054183a33a68c
Version : 0.7.4
Build   : 
          NJS_CFLAGS="$NJS_CFLAGS -fsanitize=address"
          NJS_CFLAGS="$NJS_CFLAGS -fno-omit-frame-pointer"

Proof of concept

async function f() {
    await 1;
    var v = 2;

    function g() {
      v + 1;
    }

    function s() {
      g + 1;
    }

    g();
}

f();

Stack dump

UndefinedBehaviorSanitizer:DEADLYSIGNAL
==3050875==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000043a7c6 bp 0x7ffcd6f10b00 sp 0x7ffcd6f10920 T3050875)
==3050875==The signal is caused by a READ memory access.
==3050875==Hint: address points to the zero page.
    #0 0x43a7c6 in njs_scope_valid_value /njs/src/njs_scope.h:86:10
    #1 0x43a7c6 in njs_vmcode_await /njs/src/njs_vmcode.c:1924:13
    #2 0x43a7c6 in njs_vmcode_interpreter /njs/src/njs_vmcode.c:861:24
    #3 0x468070 in njs_function_lambda_call /njs/src/njs_function.c:693:11
    #4 0x4bd170 in njs_async_function_frame_invoke /njs/src/njs_async.c:32:11
    #5 0x4364d7 in njs_vmcode_interpreter /njs/src/njs_vmcode.c:799:23
    #6 0x4bd35d in njs_await_fulfilled /njs/src/njs_async.c:91:11
    #7 0x468574 in njs_function_native_call /njs/src/njs_function.c:728:11
    #8 0x467941 in njs_function_frame_invoke /njs/src/njs_function.c:766:16
    #9 0x467941 in njs_function_call2 /njs/src/njs_function.c:592:11
    #10 0x4b6938 in njs_function_call /njs/src/njs_function.h:178:12
    #11 0x4b6938 in njs_promise_reaction_job /njs/src/njs_promise.c:1171:15
    #12 0x468574 in njs_function_native_call /njs/src/njs_function.c:728:11
    #13 0x433a27 in njs_vm_invoke /njs/src/njs_vm.c:428:12
    #14 0x433a27 in njs_vm_call /njs/src/njs_vm.c:412:12
    #15 0x433a27 in njs_vm_handle_events /njs/src/njs_vm.c:572:19
    #16 0x433a27 in njs_vm_run /njs/src/njs_vm.c:532:12
    #17 0x428d13 in njs_process_script /njs/src/njs_shell.c:1059:15
    #18 0x428763 in njs_process_file /njs/src/njs_shell.c:754:11
    #19 0x428763 in main /njs/src/njs_shell.c:435:15
    #20 0x7f8424948082 in __libc_start_main /build/glibc-KZwQYS/glibc-2.31/csu/../csu/libc-start.c:308:16
    #21 0x406d3d in _start (/home/q1iq/Documents/njs-dump/njs/build/njs+0x406d3d)

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /njs/src/njs_scope.h:86:10 in njs_scope_valid_value
==3050875==ABORTING

Credit

Q1IQ (@Q1IQ)
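When a fuzzing or sanitizer run produces a report like the one above, the first triage step is mechanical: pull the fault kind, faulting address and access type out of the header, parse the symbolized frames, and derive a bucket key from the top project frames so that duplicate crashes collapse into one issue. The following Python is an added example of that triage step; it is not code from the issue or from the njs project. The sample input is a trimmed copy of the stack dump reported above, the "/njs/src/" project prefix used to separate project frames from libc and loader frames is an assumption based on the paths in that dump, and the classification of a READ of the zero page as a null-pointer dereference is a triage heuristic, not a statement about this particular bug's root cause.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the sanitizer report from the issue above, trimmed to seven frames
# (constructed for this example from the report text, not re-captured).
SAMPLE_REPORT = """\
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==3050875==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000043a7c6 bp 0x7ffcd6f10b00 sp 0x7ffcd6f10920 T3050875)
==3050875==The signal is caused by a READ memory access.
==3050875==Hint: address points to the zero page.
    #0 0x43a7c6 in njs_scope_valid_value /njs/src/njs_scope.h:86:10
    #1 0x43a7c6 in njs_vmcode_await /njs/src/njs_vmcode.c:1924:13
    #2 0x43a7c6 in njs_vmcode_interpreter /njs/src/njs_vmcode.c:861:24
    #3 0x468070 in njs_function_lambda_call /njs/src/njs_function.c:693:11
    #4 0x4bd170 in njs_async_function_frame_invoke /njs/src/njs_async.c:32:11
    #20 0x7f8424948082 in __libc_start_main /build/glibc-KZwQYS/glibc-2.31/csu/../csu/libc-start.c:308:16
    #21 0x406d3d in _start (/home/q1iq/Documents/njs-dump/njs/build/njs+0x406d3d)
SUMMARY: UndefinedBehaviorSanitizer: SEGV /njs/src/njs_scope.h:86:10 in njs_scope_valid_value
==3050875==ABORTING
"""

# One symbolized frame: "#N 0xPC in function location".
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x([0-9a-f]+)\s+in\s+(\S+)\s+(.+?)\s*$")
# "path:line[:col]" source locations; "(module+offset)" frames deliberately do not match.
SRC_LOC_RE = re.compile(r"^(?P<path>.+?):(?P<line>\d+)(?::(?P<col>\d+))?$")
ERROR_RE = re.compile(r"ERROR: (?P<tool>\w+): (?P<kind>\w+) on unknown address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")

# Assumption: project sources live under this prefix (taken from the paths in the dump).
PROJECT_PREFIX = "/njs/src/"
# Entry-point frames that never help distinguish one bug from another.
RUNTIME_FRAMES = {"__libc_start_main", "_start", "main"}


@dataclass
class Frame:
    index: int
    pc: int
    function: str
    path: Optional[str]  # None when the frame is only symbolized as module+offset
    line: Optional[int]


def parse_frames(report: str) -> List[Frame]:
    """Extract every '#N ... in func loc' line into a Frame, in report order."""
    frames = []
    for raw in report.splitlines():
        m = FRAME_RE.match(raw)
        if not m:
            continue
        idx, pc, func, loc = m.groups()
        path = line = None
        sm = SRC_LOC_RE.match(loc)
        if sm:
            path, line = sm.group("path"), int(sm.group("line"))
        frames.append(Frame(int(idx), int(pc, 16), func, path, line))
    return frames


def parse_error(report: str) -> Dict[str, object]:
    """Pull tool, fault kind, faulting address and access direction from the header."""
    info: Dict[str, object] = {"tool": None, "kind": None, "address": None, "access": None}
    m = ERROR_RE.search(report)
    if m:
        info.update(tool=m.group("tool"), kind=m.group("kind"), address=m.group("addr"))
    a = ACCESS_RE.search(report)
    if a:
        info["access"] = a.group("access")
    info["null_page"] = "address points to the zero page" in report
    return info


def crash_signature(frames: List[Frame], depth: int = 3) -> str:
    """Bucket key: the first `depth` frames inside the project's own sources.
    libc/loader frames are skipped so one bug reached via different entry
    points still lands in the same bucket."""
    picked = [f.function for f in frames
              if f.path and f.path.startswith(PROJECT_PREFIX) and f.function not in RUNTIME_FRAMES]
    return "|".join(picked[:depth])


def triage(report: str) -> Dict[str, object]:
    """Summarize one sanitizer report for a crash tracker."""
    frames = parse_frames(report)
    err = parse_error(report)
    # Heuristic (assumption, not a finding from the issue): a READ fault on the zero
    # page is a null-pointer dereference, i.e. a crash/DoS unless later analysis shows more.
    if err["kind"] == "SEGV" and err["null_page"] and err["access"] == "READ":
        category = "null-deref-read"
    elif err["kind"] == "SEGV" and err["access"] == "WRITE":
        category = "segv-write"
    else:
        category = "unclassified"
    # Identical pc on #0..#2 means those callees were inlined into one instruction.
    inlined = len(frames) >= 3 and len({f.pc for f in frames[:3]}) == 1
    top = frames[0] if frames else None
    return {
        "category": category,
        "signature": crash_signature(frames),
        "top_frame": f"{top.function} {top.path}:{top.line}" if top else None,
        "top_frames_inlined": inlined,
        "frame_count": len(frames),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run on the report above, `triage` classifies the fault as a zero-page read, keys the bucket on `njs_scope_valid_value|njs_vmcode_await|njs_vmcode_interpreter`, and flags that frames #0 to #2 share one pc, which is why the faulting line in `njs_scope.h` shows up under `njs_vmcode_await` and `njs_vmcode_interpreter` at the same address: they were inlined in the sanitizer build.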
