
assertion failed: (duk_size_t) a_size <= DUK_HOBJECT_MAX_PROPERTIES in duk__get_min_grow_a #2023

Closed
renatahodovan opened this issue Dec 30, 2018 · 1 comment · Fixed by #2146
@renatahodovan
Duktape version:
Checked revision: b062b50a
Build command: make dukd-low
OS: Ubuntu 18.04, x86_64
Test case:

```js
// Sparse array whose only element sits at index 65536, one past what a
// 16-bit array part can address; Array.prototype.map then tries to define
// that same index on the result array.
function mapchar(v) { }
var input;
var round;
input = [];
input[65536] = 0;
input.map(mapchar).join('');
```
Backtrace:

```text
Program received signal SIGABRT, Aborted.
0xf7fd5059 in __kernel_vsyscall ()
#0  0xf7fd5059 in __kernel_vsyscall ()
#1  0xf7de0832 in raise () from /lib/i386-linux-gnu/libc.so.6
#2  0xf7de1cc1 in abort () from /lib/i386-linux-gnu/libc.so.6
#3  0x565c8336 in duk_default_fatal_handler.lto_priv.138 (udata=0x0, msg=0x565f5634 "assertion failed: (duk_size_t) a_size <= DUK_HOBJECT_MAX_PROPERTIES (duk_hobject_props.c:248)")
    at duk_error_macros.c:145
#4  0x56584306 in duk__get_min_grow_a (a_size=65536) at duk_hobject_props.c:248
#5  0x565850af in duk__grow_props_for_array_item (thr=0xf7fad418, obj=0xf7f9f6ec, highest_arr_idx=65536) at duk_hobject_props.c:1052
#6  0x5658a0bd in duk_hobject_define_property_internal_arridx.lto_priv.469 (thr=0xf7fad418, obj=0xf7f9f6ec, arr_idx=65536, flags=7) at duk_hobject_props.c:4768
#7  0x565d0982 in duk_xdef_prop_index.lto_priv.242 (thr=0xf7fad418, obj_idx=4, arr_idx=65536, desc_flags=7) at duk_api_object.c:409
#8  0x565a72eb in duk_bi_array_prototype_iter_shared.lto_priv.19 (thr=0xf7fad418) at duk_bi_array.c:1515
#9  0x565742e2 in duk__handle_call_raw (thr=0xf7fad418, idx_func=2, call_flags=8) at duk_js_call.c:2239
#10 0x565748e3 in duk_handle_call_unprotected.lto_priv.254 (thr=0xf7fad418, idx_func=2, call_flags=8) at duk_js_call.c:2385
#11 0x5656129b in duk__executor_handle_call (thr=0xf7fad418, idx=2, nargs=1, call_flags=8) at duk_js_executor.c:2655
#12 0x56563f02 in duk__js_execute_bytecode_inner (entry_thread=0xf7fad418, entry_act=0xf7fa4064) at duk_js_executor.c:4729
#13 0x56561670 in duk_js_execute_bytecode.lto_priv.283 (exec_thr=0xf7fad418) at duk_js_executor.c:2917
#14 0x56574143 in duk__handle_call_raw (thr=0xf7fad418, idx_func=3, call_flags=0) at duk_js_call.c:2203
#15 0x565748e3 in duk_handle_call_unprotected.lto_priv.254 (thr=0xf7fad418, idx_func=3, call_flags=0) at duk_js_call.c:2385
#16 0x565ca3fd in duk_call_method (thr=0xf7fad418, nargs=0) at duk_api_call.c:152
#17 0x5655a458 in wrapped_compile_execute (ctx=0xf7fad418, udata=0x0) at examples/cmdline/duk_cmdline.c:301
#18 0x56574bab in duk__handle_safe_call_inner (thr=0xf7fad418, func=0x5655a1db <wrapped_compile_execute>, udata=0x0, entry_valstack_bottom_byteoff=0, entry_callstack_top=0, entry_curr_thread=0x0, 
    entry_thread_state=1 '\001', idx_retbase=0, num_stack_rets=1) at duk_js_call.c:2438
#19 0x565756a4 in duk_handle_safe_call.lto_priv.479 (thr=0xf7fad418, func=0x5655a1db <wrapped_compile_execute>, udata=0x0, num_stack_args=4, num_stack_rets=1) at duk_js_call.c:2683
#20 0x565cb3af in duk_safe_call (thr=0xf7fad418, func=0x5655a1db <wrapped_compile_execute>, udata=0x0, nargs=4, nrets=1) at duk_api_call.c:320
#21 0x5655a657 in handle_fh (ctx=0xf7fad418, f=0x566bd160, filename=0xffffd396 "test.js", bytecode_filename=0x0) at examples/cmdline/duk_cmdline.c:632
#22 0x5655a831 in handle_file (ctx=0xf7fad418, filename=0xffffd396 "test.js", bytecode_filename=0x0) at examples/cmdline/duk_cmdline.c:691
#23 0x5655b3df in main (argc=2, argv=0xffffd1e4) at examples/cmdline/duk_cmdline.c:1465
```

Found by Fuzzinator with grammarinator.

@svaarala (Owner)

Thanks @renatahodovan, I'll check this out.

svaarala added the bug label Dec 30, 2018
svaarala added a commit that referenced this issue Jul 15, 2019
* Add bug testcase for GH-2023.

* Testcase coverage improvement for Object.defineProperty() and array
  part handling.
svaarala added a commit that referenced this issue Jul 15, 2019
When array size is limited to 16 bits, some internal operations which
don't support abandoning the array could try to grow it beyond 16 bits
rather than abandoning the array part.  This caused an assertion failure
and also potentially memory unsafe behavior.

Changes:

* When growing the property table, sanity check entry and array sizes.
  If the new values won't fit in the duk_hobject structure (which may
  happen with 16-bit fields), fail the grow attempt with an internal
  error.  This avoids field truncation and potentially memory unsafe
  behavior as a result.

* Rework array part growth vs. abandon code to avoid the GH-2023 issue.

* Add support for keeping array part when possible into
  Object.defineProperty().

* Add support for abandoning array part when using internal variants
  for defining properties (such as in Array .map()).

* Executor compile warning fix.

* Debug logging trivia, downgrade a noisy log entry.

* Fix compile warning in duk_cmdline.c.
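A minimal C model of the failure the commit message describes and of the check it adds, as an added illustration (not Duktape's own code): the obj_t struct, its field names, MAX_A_SIZE and the three functions are assumptions standing in for Duktape's property table with 16-bit size fields.

```c
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical model of an object whose array-part capacity is a 16-bit
 * field (as in a low-memory Duktape build); added illustration, not Duktape code. */
typedef struct {
    uint16_t a_size;   /* array part capacity (16-bit field) */
    uint32_t *a_part;  /* array part storage, a_size entries */
    int abandoned;     /* 1 once the array part has been given up */
} obj_t;
#define MAX_A_SIZE 0xFFFFu  /* largest capacity the 16-bit field can hold */

/* Buggy grow: no range check, so a request of 65537 is stored as 1 and the
 * call still reports success; later bounds checks that trust a_size are unsafe. */
static int grow_unchecked(obj_t *o, size_t new_size) {
    uint32_t *p;
    o->a_size = (uint16_t) new_size;               /* silent truncation */
    p = realloc(o->a_part, (size_t) o->a_size * sizeof(uint32_t));
    if (p == NULL) return -1;
    o->a_part = p;
    return 0;
}

/* Hardened grow, modelled on the fix: a size the field cannot represent
 * fails the grow attempt instead of being truncated. */
static int grow_checked(obj_t *o, size_t new_size) {
    uint32_t *p;
    if (new_size > MAX_A_SIZE) return -1;          /* would not fit */
    p = realloc(o->a_part, new_size * sizeof(uint32_t));
    if (p == NULL) return -1;
    o->a_part = p;
    o->a_size = (uint16_t) new_size;
    return 0;
}

/* Define array index idx: grow when the new size fits, otherwise abandon the
 * array part (the fallback the fix adds for internal callers such as
 * Array.prototype.map). Returns 0 if stored in the array part, 1 if abandoned. */
static int define_arridx(obj_t *o, uint32_t idx, uint32_t v) {
    if (o->abandoned) return 1;
    if ((size_t) idx >= o->a_size && grow_checked(o, (size_t) idx + 1) != 0) {
        free(o->a_part);
        o->a_part = NULL;
        o->a_size = 0;
        o->abandoned = 1;   /* keys would live in the entry part instead */
        return 1;
    }
    o->a_part[idx] = v;
    return 0;
}
```

The index 65536 from the test case above is the first one whose required capacity (65537) no longer fits the 16-bit field, which is exactly where the unchecked path truncates and the checked path abandons.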
svaarala added a commit that referenced this issue Jul 16, 2019
Array handling improvements, fix GH-2023