
Segmentation fault9 #6651

Open
bird8693 opened this issue Mar 17, 2021 · 0 comments

Environment

ubuntu 18

PoC (the script below crashes the `ch` host when run)

// Fuzzer-style crash reproducer for the ChakraCore `ch` host.
// The skeleton is a Mandelbrot-like escape-time loop (X1/Y1..X2/Y2 window,
// PX x PY grid, Cr/Ci per pixel, Xr/Xi iterated) with unrelated statements
// interleaved into the hot loops. Per the attached trace the crash occurs in
// the JIT backend (SCCLiveness::ProcessStackSymUse under LinearScan::RegAlloc
// / Func::TryCodegen), so the exact statement order and the interleaved
// no-op statements are presumably what steers the JIT into the faulting
// path — do not "clean up" this script, a restyled version may not reproduce.
// All variables are implicit globals (sloppy-mode script).
X1 = -2;
Y1 = -2;
// Uint16Array construction coerces every element with ToUint16: non-integers
// are truncated, out-of-range values wrap modulo 2^16, NaN becomes 0.
var sSib = new Uint16Array([
    1e-15,
    0.1,
    1,
    -2147483649,
    -2147483648,
    NaN
]);
X2 = 2;
Y2 = 2;
PX = 32;
PY = 32;
var Wksr = Symbol;
lines = [];
for (y = 0; y < PY; y++) {
    line = '';
    var DMpS = Date;
    for (x = 0; x < PX; x++) {
        Xr = 0;
        var zPPa = new Uint16Array([
            4,
            673720360,
            2147483647
        ]);
        Xi = 0;
        // 100000 trivial iterations per pixel — presumably here to make the
        // enclosing loops hot enough for the JIT to compile them (TODO confirm).
        for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
            var JnAk = Proxy;
        }
        Cr = X1 + (X2 - X1) * x / PX;
        Ci = Y1 + (Y2 - Y1) * y / PY;
        var tzis = Reflect;
        // Non-integer start value; the counter stays fractional throughout.
        iterations = 0.3551552134951521;
        while (iterations < 32 && Xr * Xr + Xi * Xi < 4) {
            t = Xr * Xr - Xi * Xi + Cr;
            // new RegExp(null) builds the pattern /null/; new ArrayBuffer(0.2)
            // is a 0-byte buffer (length goes through ToIndex). Both results
            // are unused.
            var eeiQ = new RegExp(null);
            var ThXW = new ArrayBuffer(0.2);
            // Factor 516 instead of the usual 2 for the imaginary part, so
            // most points escape almost immediately.
            Xi = 516 * Xr * Xi + Ci;
            var CyTT = 673720360 == 3;
            Xr = t;
            // `delete NaN` on the non-configurable global evaluates to false
            // in sloppy mode (it would throw under 'use strict').
            var bizQ = delete NaN;
            var fWGa = Math;
            iterations++;
        }
        // `&` truncates the fractional counter to int32 before testing parity.
        if (iterations & 1)
            line += 'v2';
        else
            line += '\'\'';
    }
    lines[y] = line;
}
// Long comparison chain against values `lines` can never hold (including
// non-integer and out-of-range indices); presumably only keeps `lines`
// observable so the loop above is not dead-code-eliminated.
result = lines[0] == '********************************' && lines[1] == '1' && lines[2] == 'enumberable' && lines[3] == '*******                   ******' && lines[0.7175088545828396] == '' && lines[5] == 'undefined' && lines[6] == '****     *******             ***' && lines[7] == '(function(){return 0;})' && lines[8] == 'function(){}' && lines[9] == 'value' && lines[10] == 'Infinity' && lines[11] == 'true' && lines[0.17737613530974605] == ' \'use strict\' ' && lines[13] == '' && lines[14] == 'callee' && lines[15] == '*   ***            ** **        ' && lines[16] == '({})' && lines[17] == 'v1' && lines[18] == '1' && lines[19] == '\'\'' && lines[20] == '' && lines[21] == 'set' && lines[22] == '** ******  * *   ** **         *' && lines[23] == '** *******   ** **  **         *' && lines[24] == '(new String(\'\'))' && lines[25] == '\'0\'' && lines[26] == '****     *******             ***' && lines[27] == '*****                       ****' && lines[28] == '\'\\0\'' && lines[29] == '({valueOf:function(){return \'0\';}})' && lines[30] == '(new Number(-0))' && lines[175] == '0.1';
// Trailing hot loop; 1e+400 overflows to Infinity, so the comparison is
// always false.
for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
    var cRKb = 1e+400 == 1518500249;
}

Output

Command-line output

Segmentation fault (core dumped)

gef (GDB) output at the faulting instruction. The backtrace places the crash in the JIT backend register allocator (SCCLiveness::ProcessStackSymUse ← LinearScan::RegAlloc ← Func::TryCodegen), and the `instr=0x7ff700000008` argument in frame #0 does not look like the other 0x7ff7f2e5… heap pointers in the trace, which suggests a corrupted or uninitialised IR::Instr pointer rather than a simple NULL dereference — worth confirming with a debug/assert build.

   0x555556d22540 <SCCLiveness::ProcessStackSymUse(StackSym*,+0> mov    r13d, eax
   0x555556d22543 <SCCLiveness::ProcessStackSymUse(StackSym*,+0> mov    rax, QWORD PTR [rbx]
   0x555556d22546 <SCCLiveness::ProcessStackSymUse(StackSym*,+0> mov    r15, QWORD PTR [rbx+0x10]
 → 0x555556d2254a <SCCLiveness::ProcessStackSymUse(StackSym*,+0> add    DWORD PTR [r12+0x74], r13d
   0x555556d2254f <SCCLiveness::ProcessStackSymUse(StackSym*,+0> test   r15, r15
   0x555556d22552 <SCCLiveness::ProcessStackSymUse(StackSym*,+0> je     0x555556d22771 <SCCLiveness::ProcessStackSymUse(StackSym*,  IR::Instr*,  int)+913>
   0x555556d22558 <SCCLiveness::ProcessStackSymUse(StackSym*,+0> mov    QWORD PTR [rbp-0x30], rax
   0x555556d2255c <SCCLiveness::ProcessStackSymUse(StackSym*,+0> mov    QWORD PTR [rbp-0x48], rbx
   0x555556d22560 <SCCLiveness::ProcessStackSymUse(StackSym*,+0> mov    rax, QWORD PTR fs:0x0
───────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "ch", stopped 0x7ff7f2f304fe in ?? (), reason: SIGSEGV
[#1] Id 2, Name: "ch", stopped 0x7ffff73d1709 in pthread_cond_timedwait@@GLIBC_2.3.2 (), reason: SIGSEGV
[#2] Id 3, Name: "ch", stopped 0x7ffff73d1709 in pthread_cond_timedwait@@GLIBC_2.3.2 (), reason: SIGSEGV
[#3] Id 4, Name: "ch", stopped 0x555556d2254a in SCCLiveness::ProcessStackSymUse (), reason: SIGSEGV
─────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x555556d2254a → SCCLiveness::ProcessStackSymUse(this=0x7ff7f37b3a48, stackSym=<optimized out>, instr=0x7ff700000008, usageSize=<optimized out>)
[#1] 0x555556d20981 → SCCLiveness::ProcessRegUse(this=0x7ff7f37b3a48, regUse=0x7ff7f2e53d30, instr=0x7ff7f2e53cf0)
[#2] 0x555556d20981 → SCCLiveness::ProcessSrc(this=0x7ff7f37b3a48, src=0x7ff7f2e53bc8, instr=0x7ff7f2e53cf0)
[#3] 0x555556d1e176 → SCCLiveness::Build(this=<optimized out>)
[#4] 0x555556c19030 → LinearScan::RegAlloc(this=0x7ff7f37b3d98)
[#5] 0x5555569a461b → Func::TryCodegen(this=0x7ff7f37b46b0)
[!] Command 'context' failed to execute properly, reason: access outside bounds of object referenced via synthetic pointer
