assertion failed: !DUK_TVAL_IS_UNUSED(tv) in duk_js_tonumber #2036

Closed
renatahodovan opened this issue Jan 17, 2019 · 2 comments
@renatahodovan
Duktape version:
Checked revision: b062b50a
OS:
Ubuntu 18.04, x86_64
Test case:
Object.defineProperty(Array.prototype, 0, { get : Math.asin, set : function f( ) { } });
eval('([ 123 ] / 2)'); 
Backtrace:
*** FATAL ERROR: assertion failed: !DUK_TVAL_IS_UNUSED(tv) (prep/fuzz/duktape.c:78571)

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51  ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff7686801 in __GI_abort () at abort.c:79
#2  0x000055555555759f in duk_default_fatal_handler (msg=<optimized out>, msg@entry=0x5555558dd5d0 "assertion failed: !DUK_TVAL_IS_UNUSED(tv) (prep/fuzz/duktape.c:78571)", udata=udata@entry=0x5555558dd5d0) at prep/fuzz/duktape.c:11792
#3  0x000055555560a9bc in duk_js_tonumber (thr=thr@entry=0x555555bc7680, tv=tv@entry=0x555555bc79f0) at prep/fuzz/duktape.c:78571
#4  0x00005555556858f8 in duk_to_number (thr=thr@entry=0x555555bc7680, idx=5, idx@entry=-1) at prep/fuzz/duktape.c:20400
#5  0x0000555555686712 in duk_to_number_m1 (thr=thr@entry=0x555555bc7680) at prep/fuzz/duktape.c:20410
#6  0x000055555556b6bc in duk__vm_arith_binary_op (opcode=64, idx_z=<optimized out>, tv_y=0x555555bd8c40, tv_x=<optimized out>, thr=0x555555bc7680) at prep/fuzz/duktape.c:73395
#7  duk__js_execute_bytecode_inner (entry_act=entry_act@entry=0x555555bd5d60, entry_thread=<optimized out>) at prep/fuzz/duktape.c:11344
#8  0x0000555555614f86 in duk_js_execute_bytecode (exec_thr=exec_thr@entry=0x555555bc7680) at prep/fuzz/duktape.c:76013
#9  0x000055555561db30 in duk__handle_call_raw (thr=thr@entry=0x555555bc7680, idx_func=idx_func@entry=2, call_flags=call_flags@entry=16) at prep/fuzz/duktape.c:64307
#10 0x000055555584cdee in duk_handle_call_unprotected (call_flags=<optimized out>, idx_func=2, thr=0x555555bc7680) at prep/fuzz/duktape.c:64489
#11 duk_handle_call_unprotected_nargs (call_flags=<optimized out>, nargs=0, thr=0x555555bc7680) at prep/fuzz/duktape.c:64481
#12 duk_bi_global_object_eval (thr=0x555555bc7680) at prep/fuzz/duktape.c:34052
#13 0x000055555561cb0f in duk__handle_call_raw (thr=thr@entry=0x555555bc7680, idx_func=idx_func@entry=1, call_flags=24, call_flags@entry=12) at prep/fuzz/duktape.c:64335
#14 0x000055555556116d in duk_handle_call_unprotected (call_flags=12, idx_func=1, thr=0x555555bc7680) at prep/fuzz/duktape.c:64489
#15 duk__executor_handle_call (call_flags=12, nargs=1, idx=1, thr=0x555555bc7680) at prep/fuzz/duktape.c:10215
#16 duk__js_execute_bytecode_inner (entry_act=entry_act@entry=0x555555bd57a0, entry_thread=<optimized out>) at prep/fuzz/duktape.c:12289
#17 0x0000555555614f86 in duk_js_execute_bytecode (exec_thr=exec_thr@entry=0x555555bc7680) at prep/fuzz/duktape.c:76013
#18 0x000055555561db30 in duk__handle_call_raw (thr=0x555555bc7680, idx_func=<optimized out>, call_flags=0) at prep/fuzz/duktape.c:64307
#19 0x00005555558930b7 in wrapped_compile_execute (ctx=ctx@entry=0x555555bc7680, udata=udata@entry=0x0) at examples/cmdline/duk_cmdline.c:301
#20 0x00005555556370a7 in duk__handle_safe_call_inner (num_stack_rets=1, idx_retbase=0, entry_thread_state=1 '\001', entry_curr_thread=0x0, entry_callstack_top=0, entry_valstack_bottom_byteoff=0, udata=0x0, func=0x555555892cf0 <wrapped_compile_execute>, thr=0x555555bc7680) at prep/fuzz/duktape.c:64542
#21 duk_handle_safe_call (thr=0x555555bc7680, func=0x555555892cf0 <wrapped_compile_execute>, udata=0x0, num_stack_args=<optimized out>, num_stack_rets=1) at prep/fuzz/duktape.c:64787
#22 0x0000555555893a53 in handle_fh (ctx=0x555555bc7680, f=0x555555bd9280, filename=0x7fffffffe1be "test5.js", bytecode_filename=0x0) at examples/cmdline/duk_cmdline.c:632
#23 0x000055555555b51b in handle_file (bytecode_filename=<optimized out>, filename=0x7fffffffe1be "test5.js", ctx=0x555555bc7680) at examples/cmdline/duk_cmdline.c:691
#24 main (argc=2, argv=0x7fffffffdde8) at examples/cmdline/duk_cmdline.c:1465
Build script:
#!/bin/bash

git reset --hard origin/master
git pull origin master
rm -rf prep/fuzz duk
mkdir -p prep/fuzz

python2 tools/configure.py --output-directory prep/fuzz --source-directory src-input --config-metadata config --option-file $(dirname $0)/duktape-fuzzinator-options.yaml

gcc -o duk \
    -Iprep/fuzz \
    -D_POSIX_C_SOURCE=200809L \
    -pedantic -ansi -std=c99 -fstrict-aliasing -Wall -Wextra -Wunused-result -Wdeclaration-after-statement -Wunused-function -Wcast-qual -Wcast-align -Wshadow -Wunreachable-code   -Wmissing-prototypes -Wsign-conversion -Wsuggest-attribute=noreturn -fmax-errors=3 \
    -Ilinenoise \
    -Iexamples/cmdline \
    -Iexamples/alloc-logging \
    -Iexamples/alloc-torture \
    -Iexamples/alloc-hybrid \
    -Iexamples/debug-trans-socket \
    -Iextras/print-alert \
    -Iextras/console \
    -Iextras/logging \
    -Iextras/module-duktape \
    -Iextras/cbor \
    -O0 -g -ggdb \
    prep/fuzz/duktape.c \
    examples/cmdline/duk_cmdline.c \
    examples/alloc-logging/duk_alloc_logging.c \
    examples/alloc-torture/duk_alloc_torture.c \
    examples/alloc-hybrid/duk_alloc_hybrid.c \
    extras/print-alert/duk_print_alert.c \
    extras/console/duk_console.c \
    extras/logging/duk_logging.c \
    extras/module-duktape/duk_module_duktape.c \
    extras/cbor/duk_cbor.c \
    examples/debug-trans-socket/duk_trans_socket_unix.c \
    linenoise/linenoise.c \
    -lm
duktape-fuzzinator-options.yaml:
DUK_USE_ASSERTIONS: true
DUK_USE_DEBUG: false

DUK_USE_ES6_OBJECT_PROTO_PROPERTY: true
DUK_USE_JX: true
DUK_USE_JC: true

DUK_USE_NONSTD_ARRAY_SPLICE_DELCOUNT: true
DUK_USE_NONSTD_JSON_ESC_U2028_U2029: true
DUK_USE_NONSTD_STRING_FROMCHARCODE_32BIT: true
DUK_USE_ES6_OBJECT_PROTO_PROPERTY: true
DUK_USE_ES6_OBJECT_SETPROTOTYPEOF: true
DUK_USE_ES6_PROXY: true
DUK_USE_ZERO_BUFFER_DATA: true
DUK_USE_SETJMP: true
DUK_USE_LIGHTFUNC_BUILTINS: true
DUK_USE_BUFFEROBJECT_SUPPORT: true
DUK_USE_FASTINT: true
DUK_USE_JSON_STRINGIFY_FASTPATH: true
DUK_USE_GLOBAL_BINDING: true
DUK_USE_PROMISE_BUILTIN: true

DUK_USE_FATAL_HANDLER:
  verbatim: |
    #define DUK_USE_FATAL_HANDLER(udata,msg) do { \
            const char *fatal_msg = (msg); /* avoid double evaluation */ \
            (void) udata; \
            fprintf(stderr, "*** FATAL ERROR: %s\n", fatal_msg ? fatal_msg : "no message"); \
            fflush(stderr); \
            abort(); \
        } while (0)

Found by Fuzzinator with grammarinator.

@svaarala (Owner)

This too is most likely related to the compiler not using bare arrays for its internals.

@svaarala (Owner)

Fixed in #2065.
