AddressSanitizer: SEGV xsArray.c:2577 in fx_ArrayIterator_prototype_next  #783

@phoddie

Description

Target: xst with fuzzilli
Moddable SDK commit: 83dadd3
Reported by: @jessysaurusrex
POC:

function main() {
    var v1 = [];
    var v2 = v1.keys();                      // a genuine Array Iterator, used only to reach %ArrayIteratorPrototype%.next
    var v3 = new Int32Array();
    var v6 = [v3];                           // argument list for next(); per spec next() takes no arguments
    var v7 = v2.next;                        // %ArrayIteratorPrototype%.next, detached from its iterator
    var v8 = Reflect.apply(v7, Array, v6);   // invoke next() with `this` = the Array constructor, which is not an Array Iterator
}
main();

Crash log:

STDERR: 
/Users/amulet/moddable/xs/sources/xsScript.c:173:16: runtime error: left shift of 1327365517 by 1 places cannot be represented in type 'txSize' (aka 'int')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /Users/amulet/moddable/xs/sources/xsScript.c:173:16 in 
/Users/amulet/moddable/xs/sources/xsDataView.c:1430:42: runtime error: left shift of 3 by 30 places cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /Users/amulet/moddable/xs/sources/xsDataView.c:1430:42 in 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==30594==ERROR: AddressSanitizer: SEGV on unknown address 0x2fefb539cdff (pc 0x000102cb0ea0 bp 0x000102cb0c60 sp 0x00016d18d4b0 T0)
==30594==The signal is caused by a UNKNOWN memory access.
    #0 0x102cb0ea0 in fx_ArrayIterator_prototype_next xsArray.c:2577

==30594==Register values:
 x[0] = 0x000000010a31d920   x[1] = 0x000000010a30af80   x[2] = 0x000000000000000f   x[3] = 0x000000010a30aee0  
 x[4] = 0x0000000000000001   x[5] = 0x0000000000000000   x[6] = 0x0000000000000000   x[7] = 0x0000000000000000  
 x[8] = 0x15202fefb539cdff   x[9] = 0xa9017bfda9be6ffc  x[10] = 0x000000016d1b2128  x[11] = 0x000000016d1b21e8  
x[12] = 0x0000000000000020  x[13] = 0x000000016d1b22e0  x[14] = 0x000000016d18dae0  x[15] = 0x0000000000000000  
x[16] = 0x00000001939cc110  x[17] = 0x0000000103f605b8  x[18] = 0x0000000000000000  x[19] = 0x00000001039d8060  
x[20] = 0x000000010347f56c  x[21] = 0x0000000103b90070  x[22] = 0x0000000000000000  x[23] = 0x0000000000000000  
x[24] = 0x0000000000000000  x[25] = 0x0000000000000000  x[26] = 0x0000000000000000  x[27] = 0x0000000000000000  
x[28] = 0x0000000000000000     fp = 0x000000016d18dbd0     lr = 0x0000000102cb0c60     sp = 0x000000016d18d4b0  
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV xsArray.c:2577 in fx_ArrayIterator_prototype_next
==30594==ABORTING

Status: 
pid 30594 SIGABRT (signal 6)

Fix: ed7c204
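
The POC above invokes %ArrayIteratorPrototype%.next on a receiver that is not an Array Iterator; the spec requires a TypeError for any receiver lacking the iterator's internal slots, and the log shows xst at 83dadd3 faulting inside fx_ArrayIterator_prototype_next instead. The probe below is an added example, not code from this issue or from the Moddable SDK: it runs the POC's call shape against a set of wrong receivers and a control iterator and reports how the engine reacts. It is written for Node; the receiver labels and helper names (probeReceiver, runBogusReceiverChecks, allBogusReceiversRejected, checkRealIterator) are this example's own.

```javascript
// Receiver-validation probe for %ArrayIteratorPrototype%.next.
// Added example (not from the issue or the Moddable SDK); written for Node,
// where every bogus receiver below must produce a TypeError.

// Detach next() from a real Array Iterator, as the POC does.
const arrayIteratorNext = [].keys().next;

// Receivers that are not Array Iterator instances. The first is the POC's
// receiver; the rest cover the usual ways a script smuggles a wrong `this`
// into a builtin: plain objects, typed arrays, a different iterator kind,
// objects that merely look like an iterator, a Proxy over a real one, and
// non-objects. (Labels are this example's own.)
const bogusReceivers = {
  "Array constructor (the POC receiver)": Array,
  "plain object": {},
  "empty array": [],
  "Int32Array": new Int32Array(4),
  "Map iterator": new Map([[1, 2]]).keys(),
  "object with slot-like properties": { "[[IteratedObject]]": [1], "[[ArrayIteratorNextIndex]]": 0 },
  "Proxy over a real Array Iterator": new Proxy([1, 2].keys(), {}),
  "null": null,
  "undefined": undefined,
};

// Invoke next() with `thisArg` as receiver and the POC's argument list (an
// Int32Array, which the spec says next() ignores), then classify the result.
function probeReceiver(thisArg) {
  try {
    const result = Reflect.apply(arrayIteratorNext, thisArg, [new Int32Array()]);
    return { outcome: "returned", detail: result };
  } catch (e) {
    return { outcome: e instanceof TypeError ? "TypeError" : "other exception", detail: String(e) };
  }
}

// Run every bogus receiver; returns { label: outcome }.
function runBogusReceiverChecks() {
  const results = {};
  for (const [label, receiver] of Object.entries(bogusReceivers)) {
    results[label] = probeReceiver(receiver).outcome;
  }
  return results;
}

// True only if the engine rejected every bogus receiver with a TypeError.
function allBogusReceiversRejected() {
  return Object.values(runBogusReceiverChecks()).every((outcome) => outcome === "TypeError");
}

// Control case: on a genuine iterator the detached next() must keep working,
// ignore its argument, and walk the indices of the iterated array.
function checkRealIterator() {
  const it = ["a", "b"].keys();
  const first = Reflect.apply(arrayIteratorNext, it, [new Int32Array()]);
  return [first, it.next(), it.next()];
}

console.log(runBogusReceiverChecks());
console.log("all bogus receivers rejected:", allBogusReceiversRejected());
console.log("real iterator:", checkRealIterator());
```

The only difference between this probe and the POC is that the probe catches the TypeError a conforming engine throws; on a build with the defect the first receiver case never returns, so a crash rather than a "TypeError" entry is the signal to look for when running it through an engine shell.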

Labels: confirmed (issue reported has been reproduced); fixed - please verify (issue has been fixed, please verify and close)