[v8-dev] Issue 3820 in v8: Null pointer deref in v8::internal::Scanner::CurrentSymbol

[codesite-noreply via v8-dev]

Status: New
Owner: ----

New issue 3820 by cwhan.t...@gmail.com: Null pointer deref in  
v8::internal::Scanner::CurrentSymbol
https://code.google.com/p/v8/issues/detail?id=3820
I think this crash happens when there is incomplete raw character after  
right brace.

$ cat crash1
`${tunz}\x

So, `${asdf}\u << also crashes.

Program received signal SIGSEGV, Segmentation fault.
v8::internal::Scanner::CurrentSymbol (this=0x7fffffffd780,  
ast_value_factory=0x222cb70) at ../src/scanner.cc:1302
1302      if (is_literal_one_byte()) {
(gdb) bt
#0  v8::internal::Scanner::CurrentSymbol (this=0x7fffffffd780,  
ast_value_factory=0x222cb70) at ../src/scanner.cc:1302
#1  0x000000000097e09a in v8::internal::Parser::AddTemplateSpan  
(this=0x7fffffffd720, state=state@entry=0x7fffffffcc60,
    tail=<optimized out>) at ../src/parser.cc:5190
#2  0x000000000098f767 in AddTemplateSpan (tail=false,  
state=0x7fffffffcc60, this=0x7fffffffd720) at .././src/parser.h:995
#3   
v8::internal::ParserBase<v8::internal::ParserTraits>::ParseTemplateLiteral  
(this=0x7fffffffd720, tag=0x0, start=0,
    ok=0x7fffffffd130) at .././src/preparser.h:2908
#4  0x0000000000987d18 in  
v8::internal::ParserBase<v8::internal::ParserTraits>::ParsePrimaryExpression  
(
    this=this@entry=0x7fffffffd720, ok=ok@entry=0x7fffffffd130)  
at .././src/preparser.h:1927
#5  0x00000000009884eb in  
v8::internal::ParserBase<v8::internal::ParserTraits>::ParseMemberExpression  
(
    this=this@entry=0x7fffffffd720, ok=ok@entry=0x7fffffffd130)  
at .././src/preparser.h:2686
#6  0x0000000000988b09 in  
v8::internal::ParserBase<v8::internal::ParserTraits>::ParseMemberWithNewPrefixesExpression  
(
    this=this@entry=0x7fffffffd720, ok=ok@entry=0x7fffffffd130)  
at .././src/preparser.h:2631
#7  0x0000000000988f31 in  
v8::internal::ParserBase<v8::internal::ParserTraits>::ParseLeftHandSideExpression  
(
    this=this@entry=0x7fffffffd720, ok=ok@entry=0x7fffffffd130)  
at .././src/preparser.h:2506
#8  0x0000000000989775 in  
v8::internal::ParserBase<v8::internal::ParserTraits>::ParsePostfixExpression  
(this=0x7fffffffd720,
    ok=0x7fffffffd130) at .././src/preparser.h:2482
#9  0x0000000000989e6e in  
v8::internal::ParserBase<v8::internal::ParserTraits>::ParseBinaryExpression  
(
    this=this@entry=0x7fffffffd720, prec=prec@entry=4,  
accept_IN=accept_IN@entry=true, ok=ok@entry=0x7fffffffd130)
    at .././src/preparser.h:2385
#10 0x000000000098ea5b in  
v8::internal::ParserBase<v8::internal::ParserTraits>::ParseConditionalExpression  
(this=0x7fffffffd720,
    accept_IN=true, ok=0x7fffffffd130) at .././src/preparser.h:2367
#11 0x000000000098e218 in  
v8::internal::ParserBase<v8::internal::ParserTraits>::ParseAssignmentExpression  
(this=0x7fffffffd720,
    accept_IN=<optimized out>, ok=0x7fffffffd130)  
at .././src/preparser.h:2258
#12 0x000000000098ed28 in  
v8::internal::ParserBase<v8::internal::ParserTraits>::ParseExpression  
(this=this@entry=0x7fffffffd720,
    accept_IN=accept_IN@entry=true, ok=ok@entry=0x7fffffffd130)  
at .././src/preparser.h:1957
#13 0x000000000099a5d7 in  
v8::internal::Parser::ParseExpressionOrLabelledStatement  
(this=0x7fffffffd720, labels=0x0,
    ok=0x7fffffffd130) at ../src/parser.cc:2445
#14 0x00000000009975b2 in v8::internal::Parser::ParseStatement  
(this=this@entry=0x7fffffffd720, ok=ok@entry=0x7fffffffd130,
    labels=0x0) at ../src/parser.cc:1731
#15 0x000000000098b249 in v8::internal::Parser::ParseModuleElement  
(this=0x7fffffffd720, ok=0x7fffffffd130, labels=0x0)
    at ../src/parser.cc:1204
#16 0x000000000098b848 in v8::internal::Parser::ParseSourceElements  
(this=this@entry=0x7fffffffd720,
    processor=processor@entry=0x2240280, end_token=end_token@entry=0,  
is_eval=false, is_global=is_global@entry=true,
    eval_scope=eval_scope@entry=0x7fffffffd200, ok=ok@entry=0x7fffffffd130)  
at ../src/parser.cc:1104
#17 0x000000000098c07c in v8::internal::Parser::DoParseProgram  
(this=this@entry=0x7fffffffd720, info=0x7fffffffd9f0,
    scope=scope@entry=0x7fffffffd1f0,  
eval_scope=eval_scope@entry=0x7fffffffd200) at ../src/parser.cc:936
#18 0x000000000099dd45 in v8::internal::Parser::ParseProgram  
(this=0x7fffffffd720) at ../src/parser.cc:861
#19 0x000000000099ed3e in v8::internal::Parser::Parse (this=0x7fffffffd720)  
at ../src/parser.cc:5131
#20 0x00000000004d76cd in v8::internal::Parser::Parse (info=0x7fffffffd9f0,  
allow_lazy=<optimized out>) at .././src/parser.h:673
#21 0x00000000004dbad6 in v8::internal::CompileToplevel  
(info=info@entry=0x7fffffffd9f0) at ../src/compiler.cc:1148
#22 0x00000000004ded41 in v8::internal::Compiler::CompileScript  
(source=..., script_name=..., line_offset=0,
    column_offset=<optimized out>, is_shared_cross_origin=<optimized out>,  
context=..., extension=0x0, cached_data=0x7fffffffdbd0,
    compile_options=v8::ScriptCompiler::kNoCompileOptions,  
natives=v8::internal::NOT_NATIVES_CODE) at ../src/compiler.cc:1338
#23 0x000000000043b3a9 in v8::ScriptCompiler::CompileUnbound  
(v8_isolate=0x21e6e60, source=0x7fffffffdc20, options=<optimized out>)
    at ../src/api.cc:1549
#24 0x000000000040e92a in v8::Shell::CompileString  
(isolate=isolate@entry=0x21e6e60, source=source@entry=...,  
name=name@entry=...,
    compile_options=v8::ScriptCompiler::kNoCompileOptions)  
at ../src/d8.cc:246
#25 0x00000000004106ae in v8::Shell::ExecuteString  
(isolate=isolate@entry=0x21e6e60, source=source@entry=...,  
name=name@entry=...,
    report_exceptions=true, print_result=false) at ../src/d8.cc:270
#26 0x0000000000413a43 in v8::SourceGroup::Execute (this=0x21e5018,  
isolate=isolate@entry=0x21e6e60) at ../src/d8.cc:1213
#27 0x0000000000415107 in v8::Shell::RunMain  
(isolate=isolate@entry=0x21e6e60, argc=argc@entry=2,  
argv=argv@entry=0x7fffffffe188)
    at ../src/d8.cc:1448
#28 0x000000000041e8d2 in v8::Shell::Main (argc=2, argv=0x7fffffffe188)  
at ../src/d8.cc:1721
#29 0x00007ffff6de3ec5 in __libc_start_main (main=0x409710 <main>, argc=2,  
argv=0x7fffffffe188, init=<optimized out>,
    fini=<optimized out>, rtld_fini=<optimized out>,  
stack_end=0x7fffffffe178) at libc-start.c:287
#30 0x0000000000409ba1 in _start ()

(gdb) print this->current_
$1 = {token = v8::internal::Token::RBRACE, location = {beg_pos = 7, end_pos  
= 8}, literal_chars = 0x0, raw_literal_chars = 0x0}

I found it with afl-fuzz

--
You received this message because this project is configured to send all  
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
--- 
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.