QV4MM: Fix crash caused by MarkStack overflow

MemoryManager::collectFromJSStack did push to the mark stack without checking if there is actually still space available. To fix this, we now drain the stack once we hit the limit. The test case is a slightly modified version compared to the reported one, removing one loop. This was required as our regular expression does not throw an exception when there are too many capture groups. However, to trigger the bug, looping was not actually necessary. (cherry-picked from commit e72b032cc1c5a8a07a99fc6522a692c36f369abc) Change-Id: I4d00865f25a989c380f4f5b221f4068c80b71d2b Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
author: Fabian Kosmale <fabian.kosmale@qt.io> 2020-01-06 13:55:53 +0100
committer: Ulf Hermann <ulf.hermann@qt.io> 2020-02-17 17:21:12 +0100
commit: 0a155d14578d01bfe02fa9383745e04bfa1e5648 (patch)
tree: 1efd4824e96f209765193311899fe78563b11a76
parent: e9b4fac4e1765ea8789b17948a0a22fad7db50c0 (diff)
4 files changed, 57 insertions, 1 deletions
diff --git a/src/qml/jsruntime/qv4engine.cpp b/src/qml/jsruntime/qv4engine.cpp
index f9747207db..a4831422d3 100644
--- a/src/qml/jsruntime/qv4engine.cpp
+++ b/src/qml/jsruntime/qv4engine.cpp
@@ -1090,8 +1090,11 @@ QUrl ExecutionEngine::resolvedUrl(const QString &file)
 void ExecutionEngine::markObjects(MarkStack *markStack)
 {
     for (int i = 0; i < NClasses; ++i)
-        if (classes[i])
+        if (classes[i]) {
             classes[i]->mark(markStack);
+            if (markStack->top >= markStack->limit)
+                markStack->drain();
+        }
     markStack->drain();
 
     identifierTable->markObjects(markStack);
diff --git a/src/qml/jsruntime/qv4value_p.h b/src/qml/jsruntime/qv4value_p.h
index ce85e48b72..128ae3528d 100644
--- a/src/qml/jsruntime/qv4value_p.h
+++ b/src/qml/jsruntime/qv4value_p.h
@@ -869,6 +869,8 @@ struct ValueArray {
         } else {
             while (v < end) {
                 v->mark(markStack);
+                if (markStack->top >= markStack->limit)
+                    markStack->drain();
                 ++v;
             }
         }
diff --git a/src/qml/memory/qv4mm.cpp b/src/qml/memory/qv4mm.cpp
index cac68bdcaf..342e31da1b 100644
--- a/src/qml/memory/qv4mm.cpp
+++ b/src/qml/memory/qv4mm.cpp
@@ -1209,6 +1209,8 @@ void MemoryManager::collectFromJSStack(MarkStack *markStack) const
             Q_ASSERT(m->inUse());
             // Skip pointers to already freed objects, they are bogus as well
             m->mark(markStack);
+            if (markStack->top >= markStack->limit)
+                markStack->drain();
         }
         ++v;
     }
diff --git a/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp b/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp
index dc8ef232c1..da116aaed0 100644
--- a/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp
+++ b/tests/auto/qml/qqmlecmascript/tst_qqmlecmascript.cpp
@@ -374,6 +374,8 @@ private slots:
     void getThisObject();
     void semicolonAfterProperty();
 
+    void gcCrashRegressionTest();
+
 private:
 //    static void propertyVarWeakRefCallback(v8::Persistent<v8::Value> object, void* parameter);
     static void verifyContextLifetime(QQmlContextData *ctxt);
@@ -9065,6 +9067,53 @@ void tst_qqmlecmascript::semicolonAfterProperty()
     QVERIFY(!test.isNull());
 }
 
+void tst_qqmlecmascript::gcCrashRegressionTest()
+{
+    const QString qmljs = QLibraryInfo::location(QLibraryInfo::BinariesPath) + "/qmljs";
+    if (!QFile::exists(qmljs)) {
+        QSKIP("Tets requires qmljs");
+    }
+    QProcess process;
+
+    QTemporaryFile infile;
+    QVERIFY(infile.open());
+    infile.write(R"js(
+        function i_want_to_break_free() {
+            var n = 400;
+            var m = 10;
+            var regex = new RegExp("(ab)".repeat(n), "g"); // g flag to trigger the vulnerable path
+            var part = "ab".repeat(n); // matches have to be at least size 2 to prevent interning
+            var s = (part + "|").repeat(m);
+            var cnt = 0;
+            var ary = [];
+            s.replace(regex, function() {
+                for (var i = 1; i < arguments.length-2; ++i) {
+                    if (typeof arguments[i] !== 'string') {
+                        i_am_free = arguments[i];
+                        throw "success";
+                    }
+                    ary[cnt++] = arguments[i];  // root everything to force GC
+                }
+                return "x";
+            });
+        }
+        try { i_want_to_break_free(); } catch (e) {console.log("hi") }
+        console.log(typeof(i_am_free));  // will print "object"
+    )js");
+    infile.close();
+
+    QProcessEnvironment environment = QProcessEnvironment::systemEnvironment();
+    environment.insert("QV4_GC_MAX_STACK_SIZE", "32768");
+
+    process.setProcessEnvironment(environment);
+    process.start(qmljs, QStringList({infile.fileName()}));
+    QVERIFY(process.waitForStarted());
+    const qint64 pid = process.processId();
+    QVERIFY(pid != 0);
+    QVERIFY(process.waitForFinished());
+    QCOMPARE(process.exitCode(), 0);
+}
+
 QTEST_MAIN(tst_qqmlecmascript)
 
 #include "tst_qqmlecmascript.moc"
author	Fabian Kosmale <fabian.kosmale@qt.io>	2020-01-06 13:55:53 +0100
committer	Ulf Hermann <ulf.hermann@qt.io>	2020-02-17 17:21:12 +0100
commit	0a155d14578d01bfe02fa9383745e04bfa1e5648 (patch)
tree	1efd4824e96f209765193311899fe78563b11a76
parent	e9b4fac4e1765ea8789b17948a0a22fad7db50c0 (diff)