assertion failed duk_get_hstring(thr, idx) != NULL in duk_known_hstring #2202

Closed
renatahodovan opened this issue Nov 25, 2019 · 0 comments · Fixed by #2324
@renatahodovan

Duktape version:
Checked revision: 60018880

OS:
Linux-4.15.0-62-generic-x86_64-with-Ubuntu-18.04-bionic

Test case:
```js
Object.defineProperty(Array.prototype, 0, { set: function () { } })
String(JSON.stringify({ }, [ 0, 0]))
```
Backtrace:
```
*** FATAL ERROR: assertion failed: duk_get_hstring(thr, idx) != NULL (prep/fuzz/duktape.c:20624)

bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff7686801 in __GI_abort () at abort.c:79
#2  0x00005555555572bc in duk_default_fatal_handler (msg=<optimized out>, msg@entry=0x5555555c4d60 "assertion failed: duk_get_hstring(thr, idx) != NULL (prep/fuzz/duktape.c:20624)", udata=udata@entry=0x5555555c4d60) at prep/fuzz/duktape.c:11887
#3  0x000055555556a86a in duk_known_hstring (thr=0x55555583d6c0, idx=-1) at prep/fuzz/duktape.c:20624
#4  0x00005555555a8a1a in duk__enc_object (js_ctx=js_ctx@entry=0x7fffffffcd00) at prep/fuzz/duktape.c:38157
#5  0x00005555555a919c in duk__enc_value (js_ctx=js_ctx@entry=0x7fffffffcd00, idx_holder=idx_holder@entry=6) at prep/fuzz/duktape.c:38491
#6  0x00005555555af962 in duk_bi_json_stringify_helper (thr=0x55555583d6c0, idx_value=idx_value@entry=0, idx_replacer=idx_replacer@entry=1, idx_space=idx_space@entry=2, flags=flags@entry=0) at prep/fuzz/duktape.c:39479
#7  0x00005555555afdf8 in duk_bi_json_object_stringify (thr=<optimized out>) at prep/fuzz/duktape.c:39533
#8  0x00005555555738d3 in duk__handle_call_raw (call_flags=<optimized out>, idx_func=0, thr=0x55555583d6c0) at prep/fuzz/duktape.c:67012
#9  duk_handle_call_unprotected (thr=thr@entry=0x55555583d6c0, idx_func=idx_func@entry=4, call_flags=call_flags@entry=8) at prep/fuzz/duktape.c:1622
#10 0x000055555557d242 in duk__executor_handle_call (thr=0x55555583d6c0, idx=4, nargs=<optimized out>, call_flags=8) at prep/fuzz/duktape.c:78461
#11 0x00005555555592c8 in duk__js_execute_bytecode_inner (entry_act=entry_act@entry=0x55555584b890, entry_thread=<optimized out>) at prep/fuzz/duktape.c:80552
#12 0x00005555555717d8 in duk_js_execute_bytecode (exec_thr=exec_thr@entry=0x55555583d6c0) at prep/fuzz/duktape.c:78736
#13 0x00005555555732a0 in duk__handle_call_raw (call_flags=<optimized out>, idx_func=<optimized out>, thr=0x55555583d6c0) at prep/fuzz/duktape.c:66982
#14 duk_handle_call_unprotected (thr=0x55555583d6c0, idx_func=<optimized out>, call_flags=<optimized out>) at prep/fuzz/duktape.c:1622
#15 0x00005555555b8f3f in wrapped_compile_execute (ctx=ctx@entry=0x55555583d6c0, udata=udata@entry=0x0) at examples/cmdline/duk_cmdline.c:287
#16 0x00005555555776d8 in duk__handle_safe_call_inner (num_stack_rets=1, idx_retbase=0, entry_thread_state=1 '\001', entry_curr_thread=0x0, entry_callstack_top=0, entry_valstack_bottom_byteoff=0, udata=0x0, func=0x5555555b8dd0 <wrapped_compile_execute>, thr=0x55555583d6c0) at prep/fuzz/duktape.c:67211
#17 duk_handle_safe_call (thr=0x55555583d6c0, func=0x5555555b8dd0 <wrapped_compile_execute>, udata=0x0, num_stack_args=<optimized out>, num_stack_rets=1) at prep/fuzz/duktape.c:1920
#18 0x00005555555b8cb3 in handle_fh (ctx=0x55555583d6c0, f=0x55555584f390, filename=0x7fffffffddc1 "/home/reni/.fuzzinator_23727//duktape/picireny/96274576712685091390375720206691563497.js", bytecode_filename=0x0) at examples/cmdline/duk_cmdline.c:617
#19 0x0000555555557ef2 in handle_file (bytecode_filename=0x0, filename=0x7fffffffddc1 "/home/reni/.fuzzinator_23727//duktape/picireny/96274576712685091390375720206691563497.js", ctx=0x55555583d6c0) at examples/cmdline/duk_cmdline.c:676
#20 main (argc=2, argv=0x7fffffffd978) at examples/cmdline/duk_cmdline.c:1453
```
Build script:
```bash
#!/bin/bash

git reset --hard origin/master
git pull origin master
rm -rf prep/fuzz duk
mkdir -p prep/fuzz

python2 tools/configure.py --output-directory prep/fuzz --source-directory src-input --config-metadata config --option-file $(dirname $0)/duktape-fuzzinator-options.yaml

gcc -o duk \
    -std=c99 -D_POSIX_C_SOURCE=200809L -fstrict-aliasing \
    -O2 -g -ggdb \
    -Iprep/fuzz \
    -Iexamples/cmdline \
    -Iexamples/alloc-logging \
    -Iexamples/alloc-torture \
    -Iexamples/alloc-hybrid \
    -Iexamples/debug-trans-socket \
    -Iextras/print-alert \
    -Iextras/console \
    -Iextras/logging \
    -Iextras/module-duktape \
    -Iextras/cbor \
    -Ilinenoise \
    prep/fuzz/duktape.c \
    examples/cmdline/duk_cmdline.c \
    examples/alloc-logging/duk_alloc_logging.c \
    examples/alloc-torture/duk_alloc_torture.c \
    examples/alloc-hybrid/duk_alloc_hybrid.c \
    examples/debug-trans-socket/duk_trans_socket_unix.c \
    extras/print-alert/duk_print_alert.c \
    extras/console/duk_console.c \
    extras/logging/duk_logging.c \
    extras/module-duktape/duk_module_duktape.c \
    linenoise/linenoise.c \
    -lm
```
duktape-fuzzinator-options.yaml:
```yaml
DUK_USE_ASSERTIONS: true
DUK_USE_DEBUG: false

DUK_USE_ES6_OBJECT_PROTO_PROPERTY: true
DUK_USE_JX: true
DUK_USE_JC: true

DUK_USE_NONSTD_ARRAY_SPLICE_DELCOUNT: true
DUK_USE_NONSTD_JSON_ESC_U2028_U2029: true
DUK_USE_NONSTD_STRING_FROMCHARCODE_32BIT: true
DUK_USE_ES6_OBJECT_PROTO_PROPERTY: true
DUK_USE_ES6_OBJECT_SETPROTOTYPEOF: true
DUK_USE_ES6_PROXY: true
DUK_USE_ZERO_BUFFER_DATA: true
DUK_USE_SETJMP: true
DUK_USE_LIGHTFUNC_BUILTINS: true
DUK_USE_BUFFEROBJECT_SUPPORT: true
DUK_USE_FASTINT: true
DUK_USE_JSON_STRINGIFY_FASTPATH: true
DUK_USE_GLOBAL_BINDING: true
DUK_USE_PROMISE_BUILTIN: true

DUK_USE_FATAL_HANDLER:
  verbatim: |
    #define DUK_USE_FATAL_HANDLER(udata,msg) do { \
            const char *fatal_msg = (msg); /* avoid double evaluation */ \
            (void) udata; \
            fprintf(stderr, "*** FATAL ERROR: %s\n", fatal_msg ? fatal_msg : "no message"); \
            fflush(stderr); \
            abort(); \
        } while (0)
```

Found by Fuzzinator with grammarinator.
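The following is an added example, not part of the issue and not Duktape code. It wraps the reported reproducer so it can be run in a spec-conforming engine (Node.js is assumed) and compared with what Duktape did: the ECMA-262 JSON.stringify algorithm converts each replacer-array entry to a string, drops duplicates, and keeps the resulting property list internal to the engine, so an accessor installed on `Array.prototype[0]` must neither be invoked nor change the output. The helper `withArrayPrototypeSetter` and the two `reproduce*` functions are names chosen here; the setter on the prototype is restored afterwards so the rest of the process is unaffected.

```javascript
// Added example (not from the issue): run the reported reproducer in a
// spec-conforming engine and return what JSON.stringify produces, together
// with how many times the Array.prototype setter was hit, so the Duktape
// assertion failure can be compared against the expected behaviour.

function withArrayPrototypeSetter(index, fn) {
  // Install a set-only accessor on Array.prototype, as in the reproducer:
  // a [[Set]] to a hole at `index` on any array then reaches this setter
  // instead of creating an own element.
  const original = Object.getOwnPropertyDescriptor(Array.prototype, index);
  let setterCalls = 0;
  Object.defineProperty(Array.prototype, index, {
    configurable: true,
    set() { setterCalls++; },
  });
  try {
    // `result` is evaluated before `setterCalls` is read.
    return { result: fn(), setterCalls };
  } finally {
    // Restore Array.prototype so later code is not affected by the probe.
    if (original) Object.defineProperty(Array.prototype, index, original);
    else delete Array.prototype[index];
  }
}

// The exact reproducer from the issue. Per the specification this must
// return "{}" and the prototype setter must never run.
function reproduce() {
  return withArrayPrototypeSetter(0, () =>
    String(JSON.stringify({}, [0, 0])));
}

// Same replacer shape against an object that actually has the listed keys
// (constructed input): the duplicate 0 collapses to a single "0" entry and
// the order of the replacer list, not of the object, decides the output.
function reproduceWithKeys() {
  return withArrayPrototypeSetter(0, () =>
    JSON.stringify({ 1: 'b', 0: 'a', 2: 'c' }, [0, 0, '1']));
}

console.log(reproduce());          // { result: '{}', setterCalls: 0 }
console.log(reproduceWithKeys());  // { result: '{"0":"a","1":"b"}', setterCalls: 0 }
```

A non-zero `setterCalls`, or any output other than the two shown, means the engine under test is building its replacer property list with a writable JavaScript array that an object-prototype accessor can intercept, which is the condition the Duktape backtrace above ends in.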
