assertion failed: duk_get_hstring(thr, idx) != NULL in duk_known_hstring #2031

renatahodovan · 2019-01-16T10:30:11Z

Duktape version:

Checked revision: b062b50a

OS:

Ubuntu 18.04, x86_64

Test case:

Object.defineProperty(Array.prototype, 0, { set : function ( ) { } } ) ; 
eval('var x; for (x++ in [0,1]) {}');

Backtrace:

*** FATAL ERROR: assertion failed: duk_get_hstring(thr, idx) != NULL (prep/fuzz/duktape.c:20171)

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51  ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff7686801 in __GI_abort () at abort.c:79
#2  0x000055555555759f in duk_default_fatal_handler (msg=<optimized out>, 
    msg@entry=0x5555558c0af0 "assertion failed: duk_get_hstring(thr, idx) != NULL (prep/fuzz/duktape.c:20171)", 
    udata=udata@entry=0x5555558c0af0) at prep/fuzz/duktape.c:11792
#3  0x00005555555af4dc in duk_known_hstring (thr=0x555555bc7680, idx=-1) at prep/fuzz/duktape.c:20171
#4  0x0000555555882a71 in duk__init_varmap_and_prologue_for_pass2 (out_stmt_value_reg=<optimized out>, comp_ctx=0x7fffffffcc08)
    at prep/fuzz/duktape.c:72149
#5  duk__parse_func_body (comp_ctx=comp_ctx@entry=0x7fffffffcc08, expect_eof=expect_eof@entry=1, 
    implicit_return_value=implicit_return_value@entry=1, regexp_after=regexp_after@entry=1, expect_token=expect_token@entry=-1)
    at prep/fuzz/duktape.c:6850
#6  0x0000555555888885 in duk__js_compile_raw (thr=thr@entry=0x555555bc7680, udata=udata@entry=0x7fffffffcc00)
    at prep/fuzz/duktape.c:72959
#7  0x00005555556370a7 in duk__handle_safe_call_inner (num_stack_rets=1, idx_retbase=1, entry_thread_state=2 '\002', 
    entry_curr_thread=0x555555bc7680, entry_callstack_top=2, entry_valstack_bottom_byteoff=128, udata=0x7fffffffcc00, 
    func=0x555555888190 <duk__js_compile_raw>, thr=0x555555bc7680) at prep/fuzz/duktape.c:64542
#8  duk_handle_safe_call (thr=thr@entry=0x555555bc7680, func=func@entry=0x555555888190 <duk__js_compile_raw>, 
    udata=udata@entry=0x7fffffffcc00, num_stack_args=num_stack_args@entry=1, num_stack_rets=num_stack_rets@entry=1)
    at prep/fuzz/duktape.c:64787
#9  0x0000555555639296 in duk_safe_call (thr=thr@entry=0x555555bc7680, func=func@entry=0x555555888190 <duk__js_compile_raw>, 
    udata=udata@entry=0x7fffffffcc00, nargs=nargs@entry=1, nrets=nrets@entry=1) at prep/fuzz/duktape.c:14520
#10 0x00005555557cb7bd in duk_js_compile (thr=0x555555bc7680, src_buffer=<optimized out>, src_length=<optimized out>, 
    flags=<optimized out>) at prep/fuzz/duktape.c:73001
#11 0x000055555584c922 in duk_bi_global_object_eval (thr=0x555555bc7680) at prep/fuzz/duktape.c:33944
#12 0x000055555561cb0f in duk__handle_call_raw (thr=thr@entry=0x555555bc7680, idx_func=idx_func@entry=1, call_flags=24, 
    call_flags@entry=12) at prep/fuzz/duktape.c:64335
#13 0x000055555556116d in duk_handle_call_unprotected (call_flags=12, idx_func=1, thr=0x555555bc7680) at prep/fuzz/duktape.c:64489
#14 duk__executor_handle_call (call_flags=12, nargs=1, idx=1, thr=0x555555bc7680) at prep/fuzz/duktape.c:10215
#15 duk__js_execute_bytecode_inner (entry_act=entry_act@entry=0x555555bd57a0, entry_thread=<optimized out>)
    at prep/fuzz/duktape.c:12289
#16 0x0000555555614f86 in duk_js_execute_bytecode (exec_thr=exec_thr@entry=0x555555bc7680) at prep/fuzz/duktape.c:76013
#17 0x000055555561db30 in duk__handle_call_raw (thr=0x555555bc7680, idx_func=<optimized out>, call_flags=0)
    at prep/fuzz/duktape.c:64307
#18 0x00005555558930b7 in wrapped_compile_execute (ctx=ctx@entry=0x555555bc7680, udata=udata@entry=0x0)
    at examples/cmdline/duk_cmdline.c:301
#19 0x00005555556370a7 in duk__handle_safe_call_inner (num_stack_rets=1, idx_retbase=0, entry_thread_state=1 '\001', 
    entry_curr_thread=0x0, entry_callstack_top=0, entry_valstack_bottom_byteoff=0, udata=0x0, 
    func=0x555555892cf0 <wrapped_compile_execute>, thr=0x555555bc7680) at prep/fuzz/duktape.c:64542
#20 duk_handle_safe_call (thr=0x555555bc7680, func=0x555555892cf0 <wrapped_compile_execute>, udata=0x0, 
    num_stack_args=<optimized out>, num_stack_rets=1) at prep/fuzz/duktape.c:64787
#21 0x0000555555893a53 in handle_fh (ctx=0x555555bc7680, f=0x555555bd9280, filename=0x7fffffffe1b7 "test.js", 
    bytecode_filename=0x0) at examples/cmdline/duk_cmdline.c:632
#22 0x000055555555b51b in handle_file (bytecode_filename=<optimized out>, filename=0x7fffffffe1b7 "test.js", ctx=0x555555bc7680)
    at examples/cmdline/duk_cmdline.c:691
#23 main (argc=2, argv=0x7fffffffdde8) at examples/cmdline/duk_cmdline.c:1465

Build script:

#!/bin/bash

git reset --hard origin/master
git pull origin master
rm -rf prep/fuzz duk
mkdir -p prep/fuzz

python2 tools/configure.py --output-directory prep/fuzz --source-directory src-input --config-metadata config --option-file $(dirname $0)/duktape-fuzzinator-options.yaml

gcc -o duk \
    -Iprep/fuzz \
    -D_POSIX_C_SOURCE=200809L \
    -pedantic -ansi -std=c99 -fstrict-aliasing -Wall -Wextra -Wunused-result -Wdeclaration-after-statement -Wunused-function -Wcast-qual -Wcast-align -Wshadow -Wunreachable-code   -Wmissing-prototypes -Wsign-conversion -Wsuggest-attribute=noreturn -fmax-errors=3 \
    -Ilinenoise \
    -Iexamples/cmdline \
    -Iexamples/alloc-logging \
    -Iexamples/alloc-torture \
    -Iexamples/alloc-hybrid \
    -Iexamples/debug-trans-socket \
    -Iextras/print-alert \
    -Iextras/console \
    -Iextras/logging \
    -Iextras/module-duktape \
    -Iextras/cbor \
    -O0 -g -ggdb \
    prep/fuzz/duktape.c \
    examples/cmdline/duk_cmdline.c \
    examples/alloc-logging/duk_alloc_logging.c \
    examples/alloc-torture/duk_alloc_torture.c \
    examples/alloc-hybrid/duk_alloc_hybrid.c \
    extras/print-alert/duk_print_alert.c \
    extras/console/duk_console.c \
    extras/logging/duk_logging.c \
    extras/module-duktape/duk_module_duktape.c \
    extras/cbor/duk_cbor.c \
    examples/debug-trans-socket/duk_trans_socket_unix.c \
    linenoise/linenoise.c \
    -lm

duktape-fuzzinator-options.yaml:

DUK_USE_ASSERTIONS: true
DUK_USE_DEBUG: false

DUK_USE_ES6_OBJECT_PROTO_PROPERTY: true
DUK_USE_JX: true
DUK_USE_JC: true

DUK_USE_NONSTD_ARRAY_SPLICE_DELCOUNT: true
DUK_USE_NONSTD_JSON_ESC_U2028_U2029: true
DUK_USE_NONSTD_STRING_FROMCHARCODE_32BIT: true
DUK_USE_ES6_OBJECT_PROTO_PROPERTY: true
DUK_USE_ES6_OBJECT_SETPROTOTYPEOF: true
DUK_USE_ES6_PROXY: true
DUK_USE_ZERO_BUFFER_DATA: true
DUK_USE_SETJMP: true
DUK_USE_LIGHTFUNC_BUILTINS: true
DUK_USE_BUFFEROBJECT_SUPPORT: true
DUK_USE_FASTINT: true
DUK_USE_JSON_STRINGIFY_FASTPATH: true
DUK_USE_GLOBAL_BINDING: true
DUK_USE_PROMISE_BUILTIN: true

DUK_USE_FATAL_HANDLER:
  verbatim: |
    #define DUK_USE_FATAL_HANDLER(udata,msg) do { \
            const char *fatal_msg = (msg); /* avoid double evaluation */ \
            (void) udata; \
            fprintf(stderr, "*** FATAL ERROR: %s\n", fatal_msg ? fatal_msg : "no message"); \
            fflush(stderr); \
            abort(); \
        } while (0)

^{Found by Fuzzinator with grammarinator.}

The text was updated successfully, but these errors were encountered:

svaarala · 2019-03-31T00:48:30Z

Fixed in #2065.

svaarala added the bug label Mar 28, 2019

svaarala mentioned this issue Mar 31, 2019

Use bare arrays in compiler, fixing some assertions with memory unsafe behavior #2065

Merged

svaarala added this to the v2.4.0 milestone Mar 31, 2019

svaarala closed this as completed Mar 31, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

assertion failed: duk_get_hstring(thr, idx) != NULL in duk_known_hstring #2031

assertion failed: duk_get_hstring(thr, idx) != NULL in duk_known_hstring #2031

renatahodovan commented Jan 16, 2019

svaarala commented Mar 31, 2019

assertion failed: duk_get_hstring(thr, idx) != NULL in duk_known_hstring #2031

assertion failed: duk_get_hstring(thr, idx) != NULL in duk_known_hstring #2031

Comments

renatahodovan commented Jan 16, 2019

Duktape version:

OS:

Test case:

Backtrace:

Build script:

duktape-fuzzinator-options.yaml:

svaarala commented Mar 31, 2019