Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Assertion failed: args[1]->IsUint32() when slicing Blob with non-integer parameters #55139

Closed
daniellockyer opened this issue Sep 27, 2024 · 0 comments · Fixed by #55141
Closed

Assertion failed: args[1]->IsUint32() when slicing Blob with non-integer parameters #55139

daniellockyer opened this issue Sep 27, 2024 · 0 comments · Fixed by #55141
Labels
buffer Issues and PRs related to the buffer subsystem. confirmed-bug Issues with confirmed bugs.

Comments

@daniellockyer
Copy link

Version

20.17.0

Platform

Darwin x.home 24.0.0 Darwin Kernel Version 24.0.0: Mon Aug 12 20:52:18 PDT 2024; root:xnu-11215.1.10~2/RELEASE_ARM64_T8122 arm64

Subsystem

Buffer/Blob

What steps will reproduce the bug?

new Blob(['aaaaaaaa']).slice(0, 1.5)

How often does it reproduce? Is there a required condition?

Always, no special requirements needed.

What is the expected behavior? Why is that the expected behavior?

I would not expect Node to crash with a native error, as this is not possible/easy to catch.

What do you see instead?

$ node -e "new Blob(['aaaaaaaa']).slice(0, 1.5)"

  #  node[76610]: static void node::Blob::ToSlice(const FunctionCallbackInfo<v8::Value> &) at ../src/node_blob.cc:248
  #  Assertion failed: args[1]->IsUint32()

----- Native stack trace -----

 1: 0x1043430d4 node::Assert(node::AssertionInfo const&) [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
 2: 0x10584e098 node::Blob::ToSlice(v8::FunctionCallbackInfo<v8::Value> const&) (.cold.1) [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
 3: 0x104314e08 node::Blob::HasInstance(node::Environment*, v8::Local<v8::Value>) [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
 4: 0x104539bc8 v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, unsigned long*, int) [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
 5: 0x1045392c0 v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
 6: 0x104dc0b24 Builtins_CEntry_Return1_ArgvOnStack_BuiltinExit [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
 7: 0x104d383e4 Builtins_InterpreterEntryTrampoline [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
 8: 0x104d383e4 Builtins_InterpreterEntryTrampoline [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
 9: 0x104d3650c Builtins_JSEntryTrampoline [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
10: 0x104d361f4 Builtins_JSEntry [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
11: 0x10460dbc8 v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
12: 0x10460dda0 v8::internal::Execution::CallScript(v8::internal::Isolate*, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>) [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
13: 0x1044d3bb0 v8::Script::Run(v8::Local<v8::Context>, v8::Local<v8::Data>) [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
14: 0x1043364f4 node::contextify::ContextifyScript::EvalMachine(v8::Local<v8::Context>, node::Environment*, long long, bool, bool, bool, v8::MicrotaskQueue*, v8::FunctionCallbackInfo<v8::Value> const&) [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
15: 0x104335e08 node::contextify::ContextifyScript::RunInContext(v8::FunctionCallbackInfo<v8::Value> const&) [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
16: 0x104539bc8 v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, unsigned long*, int) [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
17: 0x1045392c0 v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
18: 0x104dc0b24 Builtins_CEntry_Return1_ArgvOnStack_BuiltinExit [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
19: 0x104d383e4 Builtins_InterpreterEntryTrampoline [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
20: 0x104d383e4 Builtins_InterpreterEntryTrampoline [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
21: 0x104d383e4 Builtins_InterpreterEntryTrampoline [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
22: 0x104d383e4 Builtins_InterpreterEntryTrampoline [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
23: 0x104d383e4 Builtins_InterpreterEntryTrampoline [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
24: 0x104d383e4 Builtins_InterpreterEntryTrampoline [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
25: 0x104d3650c Builtins_JSEntryTrampoline [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
26: 0x104d361f4 Builtins_JSEntry [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
27: 0x10460dbc8 v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
28: 0x10460d014 v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
29: 0x1044e7904 v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
30: 0x1043243e4 node::builtins::BuiltinLoader::CompileAndCall(v8::Local<v8::Context>, char const*, node::Realm*) [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
31: 0x1043b414c node::Realm::ExecuteBootstrapper(char const*) [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
32: 0x104307bb4 node::StartExecution(node::Environment*, std::__1::function<v8::MaybeLocal<v8::Value> (node::StartExecutionCallbackInfo const&)>) [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
33: 0x1042713a4 node::LoadEnvironment(node::Environment*, std::__1::function<v8::MaybeLocal<v8::Value> (node::StartExecutionCallbackInfo const&)>, std::__1::function<void (node::Environment*, v8::Local<v8::Value>, v8::Local<v8::Value>)>) [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
34: 0x104383394 node::NodeMainInstance::Run(node::ExitCode*, node::Environment*) [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
35: 0x104383104 node::NodeMainInstance::Run() [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
36: 0x10430afa0 node::Start(int, char**) [/Users/neo/.nvm/versions/node/v20.17.0/bin/node]
37: 0x183130274 start [/usr/lib/dyld]

----- JavaScript stack trace -----

1: slice (node:internal/blob:265:21)
2: [eval]:1:24
3: runScriptInThisContext (node:internal/vm:209:10)
4: node:internal/process/execution:118:14
5: [eval]-wrapper:6:24
6: runScript (node:internal/process/execution:101:62)
7: evalScript (node:internal/process/execution:133:3)
8: node:internal/main/eval_string:51:3


Abort trap: 6

Additional information

The functionality of Node v20 seems to have changed as of v20.15.0. v20.14.0 does not crash with this repro.

I have tested with v22.9.0 and it experiences the same crash.

v18.20.4 does not crash.
@aduh95 aduh95 added confirmed-bug Issues with confirmed bugs. buffer Issues and PRs related to the buffer subsystem. labels Sep 27, 2024
@aduh95 aduh95 mentioned this issue Sep 27, 2024
Merged
targos pushed a commit that referenced this issue Oct 4, 2024
@aduh95 @targos
buffer: coerce extrema to int in blob.slice
e83ad0b 
PR-URL: #55141
Fixes: #55139
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
targos pushed a commit that referenced this issue Oct 4, 2024
@aduh95 @targos
buffer: coerce extrema to int in blob.slice
b1ebb0d 
PR-URL: #55141
Fixes: #55139
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
louwers pushed a commit to louwers/node that referenced this issue Nov 2, 2024
@aduh95 @louwers
buffer: coerce extrema to int in blob.slice
3d72697 
PR-URL: nodejs#55141
Fixes: nodejs#55139
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
tpoisseau pushed a commit to tpoisseau/node that referenced this issue Nov 21, 2024
@aduh95 @tpoisseau
buffer: coerce extrema to int in blob.slice
fc6b6db 
PR-URL: nodejs#55141
Fixes: nodejs#55139
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
buffer Issues and PRs related to the buffer subsystem. confirmed-bug Issues with confirmed bugs.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

buffer: coerce extrema to int in blob.slice aduh95/node
2 participants
@daniellockyer @aduh95