Details
-
Bug
-
Resolution: Duplicate
-
P1: Critical
-
5.12.0 RC2
Description
The regex JIT crashes with "INTEGRITY violation - attempt to store into protected memory" when a string replace is attempted. I think the problem comes from the alloca wrapper we have on INTEGRITY: the JIT-emitted assembly assumes it can write to the stack, but because we have no dynamic stack, alloca has been implemented as a heap-based allocation, so the offset it ends up using is wrong — though I may be misinterpreting this. An easy workaround is to disable the regex JIT. Note from the dump below: the faulting instruction is `stur w16, [x3]` with x3 = 0x9, and frame 1 reports the same value as `matchOffsets=0x9` (next to a nonsensical `start=-268435456`), which suggests the generated code is being handed an invalid output-vector pointer at its entry point rather than computing a bad address itself — to be confirmed. Either way this is a wild write from JIT-generated code that the platform's memory protection happened to catch, so disabling the JIT (so that the generated code is never executed) is a safe mitigation until the root cause is fixed.
0x3fbcffc: 00000000 <disassembly unavailable>
0x3fbd000: d3407c21 uxtw x1, w1 ; regex JIT starts here
0x3fbd004: d3407c42 uxtw x2, w2
0x3fbd008: 320003f0 movi w16, #0x1
0x3fbd00c: d29ff491 movz x17, #0xffa4
0x3fbd010: f2a08471 movk x17, #0x423, lsl #16
0x3fbd014: 39000230 strb w16, [x17]
0x3fbd018: 6b02003f cmp w1, w2
0x3fbd01c: 540000e9 b.ls .+28 (0x3fbd038)
0x3fbd020: 92800000 movn x0, #0
0x3fbd024: 52800001 movz w1, #0
0x3fbd028: d29ff491 movz x17, #0xffa4
0x3fbd02c: f2a08471 movk x17, #0x423, lsl #16
0x3fbd030: 3900023f strb wzr, [x17]
0x3fbd034: d65f03c0 ret
0x3fbd038: 12800010 movn w16, #0
0x3fbd03c: b8000070 stur w16, [x3] ; crash here

0 0x3fbd03c(0, 0x183a334, 0, 0x40000b0, 0, 0x5801730)
1 QV4::RegExp::match(struct QV4::RegExp *const this=0x4e5dee0, const struct QString string={...}, int start=-268435456, unsigned int *matchOffsets=0x9) [/home/qt3d/512/qtdeclarative/src/qml/jsruntime/qv4regexp.cpp:69,11]
2 QV4::StringPrototype::method_replace(const struct QV4::FunctionObject *b=0x5801718, const struct QV4::Value *thisObject=0x5801698, const struct QV4::Value *argv=0x58016c0, int argc=2) [/home/qt3d/512/qtdeclarative/src/qml/jsruntime/qv4stringobject.cpp:794,34]
3 QV4::FunctionObject::call(const struct QV4::FunctionObject *const this=0x5801718, const struct QV4::Value *thisObject=0x5801698, const struct QV4::Value *argv=0x58016c0, int argc=2) [/home/qt3d/512/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:202,4]
4 QV4::Runtime::method_callProperty(struct QV4::ExecutionEngine *engine=0x423ff90, struct QV4::Value *base=0x5801698, int nameIndex=7, struct QV4::Value *argv=0x58016c0, int argc=2) [/home/qt3d/512/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1385,36]
5 QV4::Moth::VME::interpret(struct QV4::CppStackFrame *frame=0x3d56b68, struct QV4::ExecutionEngine *engine=0x423ff90, const char *code=0x4dd8256) [/home/qt3d/512/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:718,269]
6 QV4::Moth::VME::exec(struct QV4::CppStackFrame *frame=0x3d56b68, struct QV4::ExecutionEngine *engine=0x423ff90) [/home/qt3d/512/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:441,26]
7 QV4::ArrowFunction::virtualCall(const struct QV4::FunctionObject *fo=0x5801660, const struct QV4::Value *thisObject=0x5801650, const struct QV4::Value *argv=0x5801610, int argc=2) [/home/qt3d/512/qtdeclarative/src/qml/jsruntime/qv4functionobject.cpp:513,16]
8 QV4::FunctionObject::call(const struct QV4::FunctionObject *const this=0x5801660, const struct QV4::Value *thisObject=0x5801650, const struct QV4::Value *argv=0x5801610, int argc=2) [/home/qt3d/512/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:202,4]
9 QV4::Runtime::method_callName(struct QV4::ExecutionEngine *engine=0x423ff90, int nameIndex=3, struct QV4::Value *argv=0x5801610, int argc=2) [/home/qt3d/512/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1346,21]
10 QV4::Moth::VME::interpret(struct QV4::CppStackFrame *frame=0x3d57f38, struct QV4::ExecutionEngine *engine=0x423ff90, const char *code=0x4dd82a7) [/home/qt3d/512/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:745,296]
11 QV4::Moth::VME::exec(struct QV4::CppStackFrame *frame=0x3d57f38, struct QV4::ExecutionEngine *engine=0x423ff90) [/home/qt3d/512/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:441,26]
12 QV4::ArrowFunction::virtualCall(const struct QV4::FunctionObject *fo=0x58015b8, const struct QV4::Value *thisObject=0x5801558, const struct QV4::Value *argv=0x5801570, int argc=1) [/home/qt3d/512/qtdeclarative/src/qml/jsruntime/qv4functionobject.cpp:513,16]
13 QV4::FunctionObject::call(const struct QV4::FunctionObject *const this=0x58015b8, const struct QV4::Value *thisObject=0x5801558, const struct QV4::Value *argv=0x5801570, int argc=1) [/home/qt3d/512/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:202,4]
14 QV4::Runtime::method_callProperty(struct QV4::ExecutionEngine *engine=0x423ff90, struct QV4::Value *base=0x5801558, int nameIndex=108, struct QV4::Value *argv=0x5801570, int argc=1) [/home/qt3d/512/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1385,36]
15 QV4::Moth::VME::interpret(struct QV4::CppStackFrame *frame=0x3d59378, struct QV4::ExecutionEngine *engine=0x423ff90, const char *code=0x4f6ced3) [/home/qt3d/512/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:718,269]
16 QV4::Moth::VME::exec(struct QV4::CppStackFrame *frame=0x3d59378, struct QV4::ExecutionEngine *engine=0x423ff90) [/home/qt3d/512/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:441,26]
17 QV4::Function::call(struct QV4::Function *const this=0x4f88e80, const struct QV4::Value *thisObject=0x58014f8, const struct QV4::Value *argv=0x5801510, int argc=0, const struct QV4::ExecutionContext *context=0x3fc1420) [/home/qt3d/512/qtdeclarative/src/qml/jsruntime/qv4function.cpp:68,12]
18 QQmlJavaScriptExpression::evaluate(struct QQmlJavaScriptExpression *const this=0x4f90590, struct QV4::CallData *callData=0x58014e0, bool *isUndefined=0x3d59677) [/home/qt3d/512/qtdeclarative/src/qml/qml/qqmljavascriptexpression.cpp:216,36]
19 QQmlBinding::evaluate(struct QQmlBinding *const this=0x4f90590, bool *isUndefined=0x3d59677) [/home/qt3d/512/qtdeclarative/src/qml/qml/qqmlbinding.cpp:209,18]

Status
pc 0x0000000003fbd03c
pstate 0x00000000
General
r0 0x0000000003d533b0
r1 0x0000000004e973d8
r2 0x00000000f0000000
r3 0x0000000000000009
r4 0x0000000003d55698
r5 0x0000000003d53430
r6 0x0000000000002000
r7 0x0000000000002000
r8 0x0000000003fbd000
r9 0x0000000003fbd000
r10 0x0000000003fbd000
r11 0x0000000000000008
r12 0x0000000000000000
r13 0x0000000000000001
r14 0x0000000000000000
r15 0x0000000000000000
r16 0x00000000ffffffff
r17 0x000000000423ffa4
r18 0x0000000003ef0000
r19 0x0000000003d53420
r20 0x0000000004e5dee0
r21 0x0000000004e973d8
r22 0x00000000f0000000
r23 0x0000000000000009
r24 0x0000000003d55698
r25 0x0000000003d53430
r26 0x0000000000002000
r27 0x0000000000000040
r28 0x00000000f0000000
r29 0x0000000003d53350
r30 0x0000000001840dc0
sp 0x0000000003d53350
Issue Links
- is required for
-
QT3DS-2893 Integrity issues for Qt3DS 2.3
- Closed
- relates to
-
QTBUG-73865 Scene2d example crashes on Integrity
- Reported
- resulted from
-
QT3DS-3308 Support customer project X
- In Progress