Closed Bug 1672683 Opened 5 years ago Closed 5 years ago

WRITE memory access

Categories: Core :: JavaScript Engine, task
Status: RESOLVED INVALID
People: Reporter: 1422930734, Unassigned
Details: Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Attachments: 1 file (2.42 KB, text/plain)

Attached file 9

1. version:
JavaScript-C72.0a1
2. git commit:
27ded6834ef8b61fa52838acd59fe617bf44c61c

3. command:
./js poc
4. description:
ASAN:DEADLYSIGNAL

==103463==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x558417c3da58 bp 0x7ffc49e3a810 sp 0x7ffc49e3a640 T0)
==103463==The signal is caused by a WRITE memory access.
==103463==Hint: address points to the zero page.
#0 0x558417c3da57 in Crash(JSContext*, unsigned int, JS::Value*) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:3711:5
#1 0x55841802fdbf in CallJSNative(JSContext*, bool ()(JSContext, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:456:13
#2 0x55841802fdbf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:548
#3 0x558418036240 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:634:8
#4 0x558418ecc7d5 in js::fun_call(JSContext*, unsigned int, JS::Value*) /root/AFL/compile/gecko-dev/js/src/vm/JSFunction.cpp:1119:10
#5 0x55841802fdbf in CallJSNative(JSContext*, bool ()(JSContext, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:456:13
#6 0x55841802fdbf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:548
#7 0x558417fde08c in js::CallFromStack(JSContext*, JS::CallArgs const&) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:621:10
#8 0x558417fde08c in Interpret(JSContext*, js::RunState&) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:3110
#9 0x558417fc0036 in js::RunScript(JSContext*, js::RunState&) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:423:10
#10 0x55841803e201 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:810:13
#11 0x55841803f533 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:843:10
#12 0x5584189630c6 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /root/AFL/compile/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:482:10
#13 0x558417c4cc48 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:899:10
#14 0x558417c48ee5 in Process(JSContext*, char const*, bool, FileKind) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:1459:14
#15 0x558417b7ef88 in ProcessArgs(JSContext*, js::cli::OptionParser*) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:10234:10
#16 0x558417b7ef88 in Shell(JSContext*, js::cli::OptionParser*, char**) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:10828
#17 0x558417b7ef88 in main /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:11479
#18 0x7fc1c913882f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
#19 0x558417a369e8 in _start (/root/analysis/gecko/js3+0x6649e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:3711:5 in Crash(JSContext*, unsigned int, JS::Value*)
==103463==ABORTING

Flags: sec-bounty?
Group: firefox-core-security → javascript-core-security
Component: Security → JavaScript Engine
Product: Firefox → Core

This is crashing in the crash shell function. Not security-sensitive, for fuzzing you should use --fuzzing-safe.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
Group: javascript-core-security
Flags: sec-bounty? → sec-bounty-
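The triage rule behind that resolution, as an added example that is not from this bug or the SpiderMonkey project: a Python filter that parses an ASan report and labels a crash whose top frame is the shell's deliberate `Crash` native (the `crash()` helper in js/src/shell/js.cpp) as fuzzing noise to rerun under --fuzzing-safe, rather than as a finding to review. The sample report is copied from this bug; the set of intentional-crash helpers and the output labels are assumptions.

```python
import re

# Sample input: the first lines of the ASan report attached to this bug.
SAMPLE_REPORT = """\
==103463==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x558417c3da58 bp 0x7ffc49e3a810 sp 0x7ffc49e3a640 T0)
==103463==The signal is caused by a WRITE memory access.
==103463==Hint: address points to the zero page.
    #0 0x558417c3da57 in Crash(JSContext*, unsigned int, JS::Value*) /root/AFL/compile/gecko-dev/js/src/shell/js.cpp:3711:5
    #1 0x55841802fdbf in CallJSNative(JSContext*, bool ()(JSContext, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /root/AFL/compile/gecko-dev/js/src/vm/Interpreter.cpp:456:13
"""

# A frame line reads "#0 0x... in Symbol(args) /path/file.cpp:line:col". The symbol can
# contain spaces, so the source location is taken as the final whitespace-free token.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.*?)\s+(\S+)\s*$")
ERROR_RE = re.compile(r"AddressSanitizer: (\w+) on unknown address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")

# Shell natives that crash on purpose. Only the one this bug hit is listed (crash() -> Crash
# in js/src/shell/js.cpp); it is assumed a triage team extends this set for its own builds.
INTENTIONAL_SHELL_CRASHERS = {("Crash", "js/src/shell/js.cpp")}


def parse_asan_report(text):
    """Return {'kind', 'address', 'access', 'frames'}; frames are (index, symbol, location)."""
    report = {"kind": "", "address": "", "access": "", "frames": []}
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            report["kind"], report["address"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.search(line):
            report["access"] = m.group(1)
        elif m := FRAME_RE.match(line):
            report["frames"].append((int(m.group(1)), m.group(2), m.group(3)))
    return report


def is_intentional_shell_crash(report):
    """True when frame #0 is a known deliberate-crash helper of the JS shell."""
    if not report["frames"]:
        return False
    _, symbol, location = report["frames"][0]
    name = symbol.split("(", 1)[0]          # strip the C++ parameter list
    path = location.rsplit(":", 2)[0]       # strip ":line:col" (column may be absent)
    return any(name == s and path.endswith(p) for s, p in INTENTIONAL_SHELL_CRASHERS)


def triage(text):
    """Label a report: shell self-crashes are noise, anything else goes to a human."""
    report = parse_asan_report(text)
    if is_intentional_shell_crash(report):
        return "INVALID: crash() shell helper; rerun the fuzzer with --fuzzing-safe"
    return f"REVIEW: {report['kind']} {report['access']} at {report['address']}"
```

Run `triage(open("asan.log").read())` on each fuzzer crash log before filing; only reports labelled REVIEW warrant a human look.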