Null pointer dereference issue with unsigned compare peep #1627

Closed
Penguinwizzard opened this issue Sep 22, 2016 · 2 comments · May be fixed by saurabharch/ChakraCore#1
Comments

@Penguinwizzard
Contributor

Bug was initially externally reported. LouisL identified the issue as not being a security bug, and as being one with the unsigned compare peep:
"
We emit:

s13.var         =  ShrU_A         s12.var, s2.var                         #000a
s6.var          =  ShrU_A         s4.var, s2.var                          #000e
                   ByteCodeUses   s6, s13                                 #0012
s14.var         =  CmUnGt_A       s12.var, s4.var                         #0012

And I believe we should emit:

s13.var         =  ShrU_A         s12.var, s2.var                         #000a
s6.var          =  ShrU_A         s4.var, s2.var                          #000e
s14.var         =  CmUnGt_A       s12.var, s4.var                         #0012
                   ByteCodeUses   s6, s13                                 #0012

"

Steps to reproduce:
Run the following code:

function t(f,i){
    for(var j=0;i.length;++j) {
        for(var k=0;i.length;++k){
            try{
                (f([j],[k]))
            }catch(e){}
        }
    }
}
m=function(x,y){
    (
        ((Math.co0>>>0)>(y>>>0))=ddd
    );
};
t(m,[[]])

@Penguinwizzard
Contributor Author

Fixed in a27e567.

@ThomsonTan
Collaborator

This is an interesting case. It seems Chrome reports it as a ReferenceError about the left-hand side of the assignment operator, which is uncaught and aborts the run, but we only generate an exception for the right-hand side about the undeclared variable, which can be caught.
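As an added example (not part of this issue or of ChakraCore's own code), a small script that checks which of the two behaviours described above the running engine has for the repro's `(...) = ddd` target: rejection while compiling the function, which no try/catch around the call can intercept, or a catchable error only when the call executes, which is what lets the repro's driver loop keep calling `m`. `SOURCE`, `classifyAssignmentTarget` and `swallowedCalls` are constructed names.

```javascript
// Constructed source mirroring the body of `m` in the report.
const SOURCE = "((Math.co0 >>> 0) > (y >>> 0)) = ddd;";

// Compile the source as a function body without running it, then call it.
// Returns { phase: "early" } if the engine rejects it at compile time (the
// Chrome behaviour noted above), { phase: "runtime" } if compiling succeeds
// but the call throws (a catchable error, as ChakraCore produced here), and
// { phase: "none" } if it runs cleanly. `error` is the thrown error's class.
function classifyAssignmentTarget(src = SOURCE) {
  let fn;
  try {
    fn = new Function("y", src); // parse/compile only; the body is not executed
  } catch (e) {
    return { phase: "early", error: e.constructor.name };
  }
  try {
    fn([]);
  } catch (e) {
    return { phase: "runtime", error: e.constructor.name };
  }
  return { phase: "none", error: null };
}

// Bounded version of the report's driver: compile once, call under try/catch
// up to `limit` times, and return how many calls the catch block absorbed.
// Under early-error semantics the loop never starts (0); under runtime
// semantics every call throws and is swallowed, so the loop runs to `limit`.
function swallowedCalls(src = SOURCE, limit = 100) {
  let fn;
  try {
    fn = new Function("y", src);
  } catch (e) {
    return 0;
  }
  let swallowed = 0;
  for (let k = 0; k < limit; ++k) {
    try {
      fn([k]);
    } catch (e) {
      swallowed++;
    }
  }
  return swallowed;
}
```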
