assertion failed: pt->line >= 1 in duk_lexer_setpoint #2035

Closed
renatahodovan opened this issue Jan 17, 2019 · 2 comments
@renatahodovan

Duktape version:
Checked revision: b062b50a
OS:
Ubuntu 18.04, x86_64
Test case:
Object.defineProperty(Array.prototype, 2, { get : Math.random, set : function f ( ) { } } ) ; 
eval ( "function\u0009\u2029w(\u000C)\u00A0{\u000D};" ) ; 
Backtrace:
*** FATAL ERROR: assertion failed: pt->line >= 1 (prep/fuzz/duktape.c:82130)

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51  ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff7686801 in __GI_abort () at abort.c:79
#2  0x0000555555557b4b in duk_default_fatal_handler (udata=0x0, 
    msg=0x555555770bd0 "assertion failed: pt->line >= 1 (prep/fuzz/duktape.c:82130)") at prep/fuzz/duktape.c:11792
#3  0x0000555555639b6c in duk_lexer_setpoint (lex_ctx=0x7fffffff93c8, pt=0x7fffffff8e60) at prep/fuzz/duktape.c:82130
#4  0x0000555555606f43 in duk__parse_func_like_fnum (comp_ctx=0x7fffffff93b8, flags=9) at prep/fuzz/duktape.c:72717
#5  0x000055555560538b in duk__parse_stmt (comp_ctx=0x7fffffff93b8, res=0x7fffffff9030, allow_source_elem=1)
    at prep/fuzz/duktape.c:71404
#6  0x0000555555605cdc in duk__parse_stmts (comp_ctx=0x7fffffff93b8, allow_source_elem=1, expect_eof=1, regexp_after=1)
    at prep/fuzz/duktape.c:71866
#7  0x0000555555606781 in duk__parse_func_body (comp_ctx=0x7fffffff93b8, expect_eof=1, implicit_return_value=1, regexp_after=1, 
    expect_token=-1) at prep/fuzz/duktape.c:72441
#8  0x0000555555607941 in duk__js_compile_raw (thr=0x555555991680, udata=0x7fffffff93b0) at prep/fuzz/duktape.c:72959
#9  0x00005555555f9b41 in duk__handle_safe_call_inner (thr=0x555555991680, func=0x555555607456 <duk__js_compile_raw>, 
    udata=0x7fffffff93b0, entry_valstack_bottom_byteoff=128, entry_callstack_top=2, entry_curr_thread=0x555555991680, 
    entry_thread_state=2 '\002', idx_retbase=1, num_stack_rets=1) at prep/fuzz/duktape.c:64542
#10 0x00005555555fa95e in duk_handle_safe_call (thr=0x555555991680, func=0x555555607456 <duk__js_compile_raw>, 
    udata=0x7fffffff93b0, num_stack_args=1, num_stack_rets=1) at prep/fuzz/duktape.c:64787
#11 0x000055555556085e in duk_safe_call (thr=0x555555991680, func=0x555555607456 <duk__js_compile_raw>, udata=0x7fffffff93b0, 
    nargs=1, nrets=1) at prep/fuzz/duktape.c:14520
#12 0x0000555555607aab in duk_js_compile (thr=0x555555991680, src_buffer=0x55555599e920 "function\t\342\200\251w(\f) {\r};", 
    src_length=22, flags=8) at prep/fuzz/duktape.c:73001
#13 0x00005555555c7cee in duk_bi_global_object_eval (thr=0x555555991680) at prep/fuzz/duktape.c:33944
#14 0x00005555555f8c81 in duk__handle_call_raw (thr=0x555555991680, idx_func=1, call_flags=24) at prep/fuzz/duktape.c:64335
#15 0x00005555555f9802 in duk_handle_call_unprotected (thr=0x555555991680, idx_func=1, call_flags=12) at prep/fuzz/duktape.c:64489
#16 0x000055555560c40c in duk__executor_handle_call (thr=0x555555991680, idx=1, nargs=1, call_flags=12)
    at prep/fuzz/duktape.c:75751
#17 0x0000555555631497 in duk__js_execute_bytecode_inner (entry_thread=0x555555991680, entry_act=0x55555599f7a0)
    at prep/fuzz/duktape.c:77825
#18 0x000055555560c80e in duk_js_execute_bytecode (exec_thr=0x555555991680) at prep/fuzz/duktape.c:76013
#19 0x00005555555f8aea in duk__handle_call_raw (thr=0x555555991680, idx_func=3, call_flags=0) at prep/fuzz/duktape.c:64307
#20 0x00005555555f9802 in duk_handle_call_unprotected (thr=0x555555991680, idx_func=3, call_flags=0) at prep/fuzz/duktape.c:64489
#21 0x000055555555edc1 in duk_call_method (thr=0x555555991680, nargs=0) at prep/fuzz/duktape.c:14352
#22 0x00005555556463ce in wrapped_compile_execute (ctx=0x555555991680, udata=0x0) at examples/cmdline/duk_cmdline.c:301
#23 0x00005555555f9b41 in duk__handle_safe_call_inner (thr=0x555555991680, func=0x555555646129 <wrapped_compile_execute>, 
    udata=0x0, entry_valstack_bottom_byteoff=0, entry_callstack_top=0, entry_curr_thread=0x0, entry_thread_state=1 '\001', 
    idx_retbase=0, num_stack_rets=1) at prep/fuzz/duktape.c:64542
#24 0x00005555555fa95e in duk_handle_safe_call (thr=0x555555991680, func=0x555555646129 <wrapped_compile_execute>, udata=0x0, 
    num_stack_args=4, num_stack_rets=1) at prep/fuzz/duktape.c:64787
#25 0x000055555556085e in duk_safe_call (thr=0x555555991680, func=0x555555646129 <wrapped_compile_execute>, udata=0x0, nargs=4, 
    nrets=1) at prep/fuzz/duktape.c:14520
#26 0x0000555555646601 in handle_fh (ctx=0x555555991680, f=0x5555559a3280, filename=0x7fffffffe488 "test.js", 
    bytecode_filename=0x0) at examples/cmdline/duk_cmdline.c:632
#27 0x00005555556467ce in handle_file (ctx=0x555555991680, filename=0x7fffffffe488 "test.js", bytecode_filename=0x0)
    at examples/cmdline/duk_cmdline.c:691
#28 0x000055555564724b in main (argc=2, argv=0x7fffffffe1a8) at examples/cmdline/duk_cmdline.c:1465
Build script:
#!/bin/bash

git reset --hard origin/master
git pull origin master
rm -rf prep/fuzz duk
mkdir -p prep/fuzz

python2 tools/configure.py --output-directory prep/fuzz --source-directory src-input --config-metadata config --option-file $(dirname $0)/duktape-fuzzinator-options.yaml

gcc -o duk \
    -Iprep/fuzz \
    -D_POSIX_C_SOURCE=200809L \
    -pedantic -ansi -std=c99 -fstrict-aliasing -Wall -Wextra -Wunused-result -Wdeclaration-after-statement -Wunused-function -Wcast-qual -Wcast-align -Wshadow -Wunreachable-code   -Wmissing-prototypes -Wsign-conversion -Wsuggest-attribute=noreturn -fmax-errors=3 \
    -Ilinenoise \
    -Iexamples/cmdline \
    -Iexamples/alloc-logging \
    -Iexamples/alloc-torture \
    -Iexamples/alloc-hybrid \
    -Iexamples/debug-trans-socket \
    -Iextras/print-alert \
    -Iextras/console \
    -Iextras/logging \
    -Iextras/module-duktape \
    -Iextras/cbor \
    -O0 -g -ggdb \
    prep/fuzz/duktape.c \
    examples/cmdline/duk_cmdline.c \
    examples/alloc-logging/duk_alloc_logging.c \
    examples/alloc-torture/duk_alloc_torture.c \
    examples/alloc-hybrid/duk_alloc_hybrid.c \
    extras/print-alert/duk_print_alert.c \
    extras/console/duk_console.c \
    extras/logging/duk_logging.c \
    extras/module-duktape/duk_module_duktape.c \
    extras/cbor/duk_cbor.c \
    examples/debug-trans-socket/duk_trans_socket_unix.c \
    linenoise/linenoise.c \
    -lm
duktape-fuzzinator-options.yaml:
DUK_USE_ASSERTIONS: true
DUK_USE_DEBUG: false

DUK_USE_ES6_OBJECT_PROTO_PROPERTY: true
DUK_USE_JX: true
DUK_USE_JC: true

DUK_USE_NONSTD_ARRAY_SPLICE_DELCOUNT: true
DUK_USE_NONSTD_JSON_ESC_U2028_U2029: true
DUK_USE_NONSTD_STRING_FROMCHARCODE_32BIT: true
DUK_USE_ES6_OBJECT_PROTO_PROPERTY: true
DUK_USE_ES6_OBJECT_SETPROTOTYPEOF: true
DUK_USE_ES6_PROXY: true
DUK_USE_ZERO_BUFFER_DATA: true
DUK_USE_SETJMP: true
DUK_USE_LIGHTFUNC_BUILTINS: true
DUK_USE_BUFFEROBJECT_SUPPORT: true
DUK_USE_FASTINT: true
DUK_USE_JSON_STRINGIFY_FASTPATH: true
DUK_USE_GLOBAL_BINDING: true
DUK_USE_PROMISE_BUILTIN: true

DUK_USE_FATAL_HANDLER:
  verbatim: |
    #define DUK_USE_FATAL_HANDLER(udata,msg) do { \
            const char *fatal_msg = (msg); /* avoid double evaluation */ \
            (void) udata; \
            fprintf(stderr, "*** FATAL ERROR: %s\n", fatal_msg ? fatal_msg : "no message"); \
            fflush(stderr); \
            abort(); \
        } while (0)

Found by Fuzzinator with grammarinator.

@svaarala svaarala added the bug label Jan 17, 2019
@svaarala
Owner

This too is most likely related to the compiler not using bare arrays for its internals.

@svaarala
Owner

Fixed in #2065.
