Details
- Bug
- Resolution: Done
- P1: Critical
- 5.12.2
- Manjaro Linux, clang 7.0.1, gcc 8.2.1
- 0dd884aca1fffcd94fbe55006c94363415aa0965 (qt/qtdeclarative/5.12)
Description
- Have a release build of Qt with enabled address sanitizer. I configured it with: -developer-build -opensource -confirm-license -nomake examples -nomake tests -no-use-gold-linker -sanitize address -release
- Build the attached project on this build of Qt:
    #include <QCoreApplication>
    #include <QFile>
    #include <QJSEngine>

    int main(int argc, char *argv[])
    {
        QCoreApplication a(argc, argv);
        if (argc < 2)
            return -1;
        QFile inFile(argv[1]);
        if (!inFile.open(QFile::ReadOnly))
            return -1;  // unreadable input: do not evaluate an empty script
        // Evaluate the attached input file in a fresh engine; this is where the crash occurs.
        QJSEngine().evaluate(QString::fromUtf8(inFile.readAll()));
        return 0;
    }
- Run the program passing the attached input file as parameter:
function a(){a(a&a+a)}a()
It will crash with output like the following:
    QML debugging is enabled. Only use this in a safe environment.
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==30608==ERROR: AddressSanitizer: SEGV on unknown address 0x7fc6afbd6400 (pc 0x7fc6b7f3a009 bp 0x7ffde49eea90 sp 0x7ffde49ee830 T0)
    ==30608==The signal is caused by a READ memory access.
        #0 0x7fc6b7f3a008 in QV4::Value::toNumberImpl(QV4::Value) (/home/qtrob/dev/g++-8.2.1/qt-5.12_base_declarative-asan-r/qtbase/lib/libQt5Qml.so.5+0xa0e008)
        #1 0x7fc6b7f50112 in QV4::JIT::toInt32Helper(unsigned long long) (/home/qtrob/dev/g++-8.2.1/qt-5.12_base_declarative-asan-r/qtbase/lib/libQt5Qml.so.5+0xa24112)
        #2 0x7fc6b155d16f (/memfd:JITCode:/home/qtrob/dev/g++-8.2.1/qt-5.12_base_declarative-asan-r/qtbase/lib/libQt5Qml.so.5 (deleted)+0x16f)
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/home/qtrob/dev/g++-8.2.1/qt-5.12_base_declarative-asan-r/qtbase/lib/libQt5Qml.so.5+0xa0e008) in QV4::Value::toNumberImpl(QV4::Value)
    ==30608==ABORTING
Trying to debug this will give you this backtrace (full backtrace attached):
    1  QV4::Moth::VME::interpret(QV4::CppStackFrame *, QV4::ExecutionEngine *, const char *) 0x7ffff66a0dee
    2  QV4::Moth::VME::exec(QV4::CppStackFrame *, QV4::ExecutionEngine *) 0x7ffff66c0629
    3  QV4::ArrowFunction::virtualCall(QV4::FunctionObject const *, QV4::Value const *, QV4::Value const *, int) 0x7ffff642577f
    4  QV4::Runtime::method_callName(QV4::ExecutionEngine *, int, QV4::Value *, int) 0x7ffff6931501
    5  QV4::Moth::VME::interpret(QV4::CppStackFrame *, QV4::ExecutionEngine *, const char *) 0x7ffff66abef8
    6  QV4::Moth::VME::exec(QV4::CppStackFrame *, QV4::ExecutionEngine *) 0x7ffff66c0629
    7  QV4::ArrowFunction::virtualCall(QV4::FunctionObject const *, QV4::Value const *, QV4::Value const *, int) 0x7ffff642577f
    8  QV4::Runtime::method_callName(QV4::ExecutionEngine *, int, QV4::Value *, int) 0x7ffff6931501
    9  QV4::Moth::VME::interpret(QV4::CppStackFrame *, QV4::ExecutionEngine *, const char *) 0x7ffff66abef8
    10 QV4::Moth::VME::exec(QV4::CppStackFrame *, QV4::ExecutionEngine *) 0x7ffff66c0629
    11 QV4::ArrowFunction::virtualCall(QV4::FunctionObject const *, QV4::Value const *, QV4::Value const *, int) 0x7ffff642577f
    12 QV4::Runtime::method_callName(QV4::ExecutionEngine *, int, QV4::Value *, int) 0x7ffff6931501
    13 QV4::Moth::VME::interpret(QV4::CppStackFrame *, QV4::ExecutionEngine *, const char *) 0x7ffff66abef8
    14 QV4::Moth::VME::exec(QV4::CppStackFrame *, QV4::ExecutionEngine *) 0x7ffff66c0629
    15 QV4::ArrowFunction::virtualCall(QV4::FunctionObject const *, QV4::Value const *, QV4::Value const *, int) 0x7ffff642577f
    16 QV4::Runtime::method_callName(QV4::ExecutionEngine *, int, QV4::Value *, int) 0x7ffff6931501
    17 QV4::Moth::VME::interpret(QV4::CppStackFrame *, QV4::ExecutionEngine *, const char *) 0x7ffff66abef8
    18 QV4::Moth::VME::exec(QV4::CppStackFrame *, QV4::ExecutionEngine *) 0x7ffff66c0629
    19 QV4::ArrowFunction::virtualCall(QV4::FunctionObject const *, QV4::Value const *, QV4::Value const *, int) 0x7ffff642577f
    20 QV4::Runtime::method_callName(QV4::ExecutionEngine *, int, QV4::Value *, int) 0x7ffff6931501
    ...
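As an added example (not part of this bug report or of Qt), the following Python script parses the AddressSanitizer report format into a triage record, using the ASan output quoted above (with its line breaks restored) as constructed sample input. It extracts the error kind, faulting address, access type and stack frames, splits each frame into module and offset while coping with the '+' characters inside the g++-8.2.1 build path and with the unsymbolized, deleted memfd JIT code mapping, and derives a signature for deduplicating sanitizer findings in a fuzzing or CI queue. The triage classes, the signature depth and all function names are my own choices and not an ASan or Qt convention.

```python
"""Parse an AddressSanitizer report into a triage record (added example)."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the ASan report quoted in the bug description, with its
# original line breaks restored.
SAMPLE_REPORT = """\
QML debugging is enabled. Only use this in a safe environment.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==30608==ERROR: AddressSanitizer: SEGV on unknown address 0x7fc6afbd6400 (pc 0x7fc6b7f3a009 bp 0x7ffde49eea90 sp 0x7ffde49ee830 T0)
==30608==The signal is caused by a READ memory access.
    #0 0x7fc6b7f3a008 in QV4::Value::toNumberImpl(QV4::Value) (/home/qtrob/dev/g++-8.2.1/qt-5.12_base_declarative-asan-r/qtbase/lib/libQt5Qml.so.5+0xa0e008)
    #1 0x7fc6b7f50112 in QV4::JIT::toInt32Helper(unsigned long long) (/home/qtrob/dev/g++-8.2.1/qt-5.12_base_declarative-asan-r/qtbase/lib/libQt5Qml.so.5+0xa24112)
    #2 0x7fc6b155d16f (/memfd:JITCode:/home/qtrob/dev/g++-8.2.1/qt-5.12_base_declarative-asan-r/qtbase/lib/libQt5Qml.so.5 (deleted)+0x16f)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/qtrob/dev/g++-8.2.1/qt-5.12_base_declarative-asan-r/qtbase/lib/libQt5Qml.so.5+0xa0e008) in QV4::Value::toNumberImpl(QV4::Value)
==30608==ABORTING
"""


@dataclass
class Frame:
    index: int
    func: Optional[str]  # None when ASan could not symbolize the frame (e.g. JIT code)
    module: str
    offset: str


@dataclass
class AsanReport:
    pid: int
    kind: str              # "SEGV", "heap-buffer-overflow", ...
    address: Optional[str]
    access: Optional[str]  # "READ" / "WRITE" when the report states it
    frames: List[Frame] = field(default_factory=list)


ERROR_RE = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
                      r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?")
# Two ways ASan states the access: signal reports vs. sized heap/stack reports.
ACCESS_RES = (re.compile(r"^==\d+==The signal is caused by a (?P<access>READ|WRITE) memory access\."),
              re.compile(r"^(?P<access>READ|WRITE) of size \d+ at 0x[0-9a-fA-F]+"))
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+(?:in\s+(?P<func>.+?)\s+)?\((?P<loc>.*)\)$")


def split_location(loc: str):
    """Split "<module>+0x<offset>". The path itself may contain '+' (here
    "g++-8.2.1"), so split on the last '+' only."""
    if "+0x" not in loc:
        return loc, ""
    module, _, offset = loc.rpartition("+")
    return module, offset


def parse_asan_report(text: str) -> AsanReport:
    report = None
    stack_done = False  # keep only the first trace, not later "allocated by" traces
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            report = AsanReport(int(m["pid"]), m["kind"], m["addr"], None)
            continue
        if report is None:
            continue  # program output printed before the report starts
        for access_re in ACCESS_RES:
            a = access_re.match(line)
            if a and report.access is None:
                report.access = a["access"]
        m = FRAME_RE.match(line)
        if m and not stack_done:
            module, offset = split_location(m["loc"])
            report.frames.append(Frame(int(m["idx"]), m["func"], module, offset))
        elif report.frames:
            stack_done = True
    if report is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return report


def crash_signature(report: AsanReport, depth: int = 3) -> List[str]:
    """Top frames as function names, or module basename plus offset when
    unsymbolized, so that JIT frames still contribute to the signature."""
    return [fr.func or fr.module.rsplit("/", 1)[-1] + "+" + fr.offset
            for fr in report.frames[:depth]]


def crash_key(report: AsanReport, depth: int = 3) -> str:
    """Dedup key: error kind plus a truncated hash of the signature."""
    digest = hashlib.sha256("|".join(crash_signature(report, depth)).encode()).hexdigest()
    return f"{report.kind}:{digest[:16]}"


MEMORY_SAFETY = {"heap-buffer-overflow", "heap-use-after-free", "stack-buffer-overflow",
                 "global-buffer-overflow", "stack-use-after-return", "double-free"}


def triage(report: AsanReport) -> dict:
    """Coarse routing info: bug class, access type, and whether JIT-generated
    code (an anonymous memfd mapping) is on the stack, as in this report."""
    if report.kind in MEMORY_SAFETY:
        bug_class = "memory-safety"
    elif report.kind == "SEGV":
        bug_class = "invalid-access"
    else:
        bug_class = "other"
    return {
        "class": bug_class,
        "access": report.access,
        "jit_on_stack": any(fr.module.startswith("/memfd:JITCode:") for fr in report.frames),
        "unsymbolized_frames": sum(1 for fr in report.frames if fr.func is None),
    }


if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    print(crash_key(rep), triage(rep))
```

Only the first stack trace feeds the signature: heap reports append "allocated by" and "freed by" traces, which describe the object rather than the faulting code path and would otherwise split one bug into several keys. The memfd frame is kept by basename and offset so that crashes passing through JIT code, like this one, still hash consistently across runs.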
Attachments
Issue Links
- relates to QTBUG-94068 Undefined behavior (Closed)