
assertion failed: thr->valstack_end - thr->valstack == pre_end - pre_valstack in duk__resize_valstack #2024

Closed
renatahodovan opened this issue Dec 30, 2018 · 6 comments
@renatahodovan

Duktape version:
Checked revision: b062b50a
Build command: make dukd-low
OS:
Ubuntu 18.04, x86_64
Test case:

```javascript
function test ( ) { 
    var func = function foo ( a , b , c ) { print ( a , b , c ) ; } ; 
    func = function foo ( id_0, id_1 , id_2 , id_3 , id_4 , id_5 , id_6 , id_7 , id_8 , id_9 , id_10 , id_11 , id_12 , id_13 , id_14 , id_15 , id_16 , id_17 , id_18 , id_19 , id_20 , id_21 , id_22 , id_23 , id_24 , id_25 , id_26 , id_27 , id_28 , id_29 , id_30 , id_31 , id_32 , id_33 , id_34 , id_35 , id_36 , id_37 , id_38 , id_39 , id_40 , id_41 , id_42 , id_43 , id_44 , id_45 , id_46 , id_47 , id_48 , id_49 , id_50 , id_51 , id_52 , id_53 , id_54 , id_55 , id_56 , id_57 , id_58 , id_59 , id_60 , id_61 , id_62 , id_63 , id_64 , id_65 , id_66 , id_67 , id_68 , id_69 , id_70 , id_71 , id_72 , id_73 , id_74 , id_75 , id_76 , id_77 , id_78 , id_79 , id_80 , id_81 , id_82 , id_83 , id_84 , id_85 , id_86 , id_87 , id_88 , id_89 , id_90 , id_91 , id_92 , id_93 , id_94 , id_95 , id_96 , id_97 , id_98 , id_99 , id_100 , id_101 , id_102 , id_103 , id_104 , id_105 , id_106 , id_107 , id_108 , id_109 , id_110 , id_111 , id_112 , id_113 , id_114 , id_115 , id_116 , id_117 , id_118 , id_119 , id_120 , id_121 , id_122 , id_123 , id_124 , id_125 , id_126 , id_127 , id_128 , id_129 , id_130 , id_131 , id_132 , id_133 , id_134 , id_135 , id_136 , id_137 , id_138 , id_139 , id_140 , id_141 , id_142 , id_143 , id_144 , id_145 , id_146 , id_147 , id_148 , id_149 , id_150 , id_151 , id_152 , id_153 , id_154 , id_155 , id_156 , id_157 , id_158 , id_159 , id_160 , id_161 , id_162 , id_163 , id_164 , id_165 , id_166 , id_167 , id_168 , id_169 , id_170 , id_171 , id_172 , id_173 , id_174 , id_175 , id_176 , id_177 , id_178 , id_179 , id_180 , id_181 , id_182 , id_183 , id_184 , id_185 , id_186 , id_187 , id_188 , id_189 , id_190 , id_191 , id_192 , id_193 , id_194 , id_195 , id_196 , id_197 , id_198 , id_199 , id_200 , id_201 , id_202 , id_203 , id_204 , id_205 , id_206 , id_207 , id_208 , id_209 , id_210 , id_211 , id_212 , id_213 , id_214 , id_215 , id_216 , id_217 , id_218 , id_219 , id_220 , id_221 , id_222 , id_223 , id_224 , id_225 , id_226 , id_227 , id_228 , id_229 , id_230 , 
id_231 , id_232 , id_233 , id_234 , id_235, id_236 , id_237 , id_238 , id_239 ) { 
        print ( 'arg239:' , id_104 ) ; 
    }; 
    func.apply ( null , [ 0 ] );
    func = function ( a , b , c , d ) { print ( typeof id_19 ) ; } ; 
    func = function ( a , b , c , d , e ) { function inner ( ) { print ( 'inner' ) } ; } ; 
    test ( ) ; 
    func = function ( a , b , c ) { print ( eval ( '"aiee"' ) ) ; } ; 
} 
try { test ( ) ; } catch ( NaN ) { }
```
Backtrace:

```
Program received signal SIGABRT, Aborted.
0xf7fd5059 in __kernel_vsyscall ()
#0  0xf7fd5059 in __kernel_vsyscall ()
#1  0xf7de0832 in raise () from /lib/i386-linux-gnu/libc.so.6
#2  0xf7de1cc1 in abort () from /lib/i386-linux-gnu/libc.so.6
#3  0x565c8336 in duk_default_fatal_handler.lto_priv.138 (udata=0x0, msg=0x5666e7c4 "assertion failed: thr->valstack_end - thr->valstack == pre_end - pre_valstack (duk_api_stack.c:769)")
    at duk_error_macros.c:145
#4  0x565c2c0f in duk__resize_valstack (thr=0xf7fad418, new_size=1025) at duk_api_stack.c:769
#5  0x565c2e02 in duk__valstack_grow (thr=0xf7fad418, min_bytes=8200, throw_on_error=1) at duk_api_stack.c:854
#6  0x565c2ebf in duk_valstack_grow_check_throw.lto_priv.284 (thr=0xf7fad418, min_bytes=8200) at duk_api_stack.c:885
#7  0x56573d41 in duk__handle_call_raw (thr=0xf7fad418, idx_func=240, call_flags=8) at duk_js_call.c:2130
#8  0x565748e3 in duk_handle_call_unprotected.lto_priv.254 (thr=0xf7fad418, idx_func=240, call_flags=8) at duk_js_call.c:2385
#9  0x5656129b in duk__executor_handle_call (thr=0xf7fad418, idx=240, nargs=2, call_flags=8) at duk_js_executor.c:2655
#10 0x56563f02 in duk__js_execute_bytecode_inner (entry_thread=0xf7fad418, entry_act=0xf7fa4094) at duk_js_executor.c:4729
#11 0x56561670 in duk_js_execute_bytecode.lto_priv.283 (exec_thr=0xf7fad418) at duk_js_executor.c:2917
#12 0x56574143 in duk__handle_call_raw (thr=0xf7fad418, idx_func=3, call_flags=0) at duk_js_call.c:2203
#13 0x565748e3 in duk_handle_call_unprotected.lto_priv.254 (thr=0xf7fad418, idx_func=3, call_flags=0) at duk_js_call.c:2385
#14 0x565ca3fd in duk_call_method (thr=0xf7fad418, nargs=0) at duk_api_call.c:152
#15 0x5655a458 in wrapped_compile_execute (ctx=0xf7fad418, udata=0x0) at examples/cmdline/duk_cmdline.c:301
#16 0x56574bab in duk__handle_safe_call_inner (thr=0xf7fad418, func=0x5655a1db <wrapped_compile_execute>, udata=0x0, entry_valstack_bottom_byteoff=0, entry_callstack_top=0, entry_curr_thread=0x0, 
    entry_thread_state=1 '\001', idx_retbase=0, num_stack_rets=1) at duk_js_call.c:2438
#17 0x565756a4 in duk_handle_safe_call.lto_priv.479 (thr=0xf7fad418, func=0x5655a1db <wrapped_compile_execute>, udata=0x0, num_stack_args=4, num_stack_rets=1) at duk_js_call.c:2683
#18 0x565cb3af in duk_safe_call (thr=0xf7fad418, func=0x5655a1db <wrapped_compile_execute>, udata=0x0, nargs=4, nrets=1) at duk_api_call.c:320
#19 0x5655a657 in handle_fh (ctx=0xf7fad418, f=0x566bd160, filename=0xffffd396 "test.js", bytecode_filename=0x0) at examples/cmdline/duk_cmdline.c:632
#20 0x5655a831 in handle_file (ctx=0xf7fad418, filename=0xffffd396 "test.js", bytecode_filename=0x0) at examples/cmdline/duk_cmdline.c:691
#21 0x5655b3df in main (argc=2, argv=0xffffd1e4) at examples/cmdline/duk_cmdline.c:1465
```

Found by Fuzzinator with grammarinator.

@svaarala svaarala added the bug label Dec 30, 2018
@svaarala
Owner

Thanks @renatahodovan, I'll check this out.

@FlatAssembler

And what kind of output do you expect? That JavaScript code is both invalid and as far from sensical as it can get. It's not even wrong. Garbage in, garbage out. Yes, the error message Duktape generates is incomprehensible, but I don't see why it would qualify as a bug.

@fatcerberus
Contributor

@FlatAssembler https://en.m.wikipedia.org/wiki/Fuzzing

@fatcerberus
Contributor

Based on the assertion that was hit, it looks like this could be a potential security issue.

@svaarala
Owner

svaarala commented Jan 3, 2019

@fatcerberus Agreed, it might indicate that a valstack resize happens during a valstack resize for some reason and that might be memory unsafe. With a repro this shouldn't be difficult to check. 👍
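
The hazard described in the comment above, a value stack resize that is triggered while another resize is already in progress, is illustrated by the following toy model. This is an added example constructed for this page, not Duktape's code: the `toy_thread` struct, `toy_resize_valstack`, `toy_realloc_indirect`, the `resizing` reentrancy guard and the simulated finalizer side effect are all assumptions. It keeps only the shape of the assertion from the backtrace (`valstack_end - valstack == pre_end - pre_valstack`) and its numbers (8-byte slots, 1025 slots for 8200 bytes), and shows why that check fires when the allocator re-enters the resizer, and how a guard that refuses the nested request keeps the invariant intact.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy model of an engine value stack; this is NOT Duktape's
 * code, only an illustration of the invariant its assertion checks.
 * One slot is 8 bytes, matching min_bytes=8200 for new_size=1025 in the
 * backtrace. */
#define SLOT_BYTES 8
#define INITIAL_SLOTS 64

typedef struct toy_thread {
    double *valstack;          /* base of the slot array */
    double *valstack_end;      /* one past the last allocated slot */
    int     resizing;          /* >0 while a resize is in progress (assumed guard) */
    int     guard_enabled;     /* demo switch: honour the guard or ignore it */
    int     nested_refused;    /* nested resize requests the guard turned away */
    int     invariant_broken;  /* set when the size check after realloc fails */
} toy_thread;

static int toy_resize_valstack(toy_thread *thr, size_t new_size);

/* Models an allocator that may run a GC pass before allocating.  A
 * finalizer in that pass can execute script and ask for more stack, so the
 * value stack gets resized *inside* an ongoing resize.  The hook fires only
 * from the outermost resize so the demo cannot recurse without bound. */
static double *toy_realloc_indirect(toy_thread *thr, size_t new_size) {
    if (thr->resizing == 1) {
        toy_resize_valstack(thr, new_size + 512);  /* simulated finalizer side effect */
    }
    /* Always re-read thr->valstack: a pointer taken before the GC pass may be stale. */
    return (double *)realloc(thr->valstack, new_size * SLOT_BYTES);
}

/* Returns 1 on success, 0 when refused by the guard or out of memory. */
static int toy_resize_valstack(toy_thread *thr, size_t new_size) {
    double *pre_valstack = thr->valstack;
    double *pre_end = thr->valstack_end;
    double *p;

    if (thr->guard_enabled && thr->resizing > 0) {
        thr->nested_refused++;   /* defer: the outer resize owns the buffer right now */
        return 0;
    }
    thr->resizing++;
    p = toy_realloc_indirect(thr, new_size);
    thr->resizing--;
    if (p == NULL) {
        return 0;
    }
    /* Same invariant as the assertion in the issue: the stack size must not
     * have changed underneath us while the allocator ran. */
    if (thr->valstack_end - thr->valstack != pre_end - pre_valstack) {
        thr->invariant_broken = 1;
    }
    thr->valstack = p;
    thr->valstack_end = p + new_size;
    return 1;
}

/* Runs one 64 -> 1025 slot resize on a fresh stack and reports the outcome. */
static void run_demo(int guard_enabled, toy_thread *out) {
    toy_thread thr = {0};
    thr.guard_enabled = guard_enabled;
    thr.valstack = (double *)malloc(INITIAL_SLOTS * SLOT_BYTES);
    if (thr.valstack == NULL) {
        *out = thr;
        return;
    }
    thr.valstack_end = thr.valstack + INITIAL_SLOTS;
    toy_resize_valstack(&thr, 1025);
    free(thr.valstack);
    thr.valstack = thr.valstack_end = NULL;
    *out = thr;
}

/* 1 if the size invariant held for the whole resize, 0 if it was violated. */
int resize_invariant_held(int guard_enabled) {
    toy_thread r;
    run_demo(guard_enabled, &r);
    return r.invariant_broken ? 0 : 1;
}

/* Number of nested resize attempts the guard refused. */
int resize_nested_refused(int guard_enabled) {
    toy_thread r;
    run_demo(guard_enabled, &r);
    return r.nested_refused;
}

int main(void) {
    printf("guard on : invariant held=%d, nested refused=%d\n",
           resize_invariant_held(1), resize_nested_refused(1));
    printf("guard off: invariant held=%d, nested refused=%d\n",
           resize_invariant_held(0), resize_nested_refused(0));
    return 0;
}
```

With the guard off, the nested resize swaps the buffer and its bounds while the outer call still holds the pre-resize sizes, so the check after `realloc` fails exactly as the assertion in the backtrace does; in a release build without assertions the outer call would then overwrite the bounds the nested call just installed. The model always re-reads `thr->valstack` before calling `realloc` so that it never touches a freed buffer itself, which is the minimum a real engine needs here.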

@svaarala
Owner

svaarala commented Jun 10, 2019

This is now fixed in master, and seems to be fixed by #2108 (verified with git bisect). I'll try to verify this also manually before closing.

svaarala added a commit that referenced this issue Jun 17, 2019
Add bug testcase for GH-2024 (fixed in master), update RELEASES

4 participants