bellard / quickjs

Public repository of the QuickJS Javascript Engine.
https://bellard.org/quickjs

Assertion Error on JS_FreeRuntime #277

Closed Qbtly closed 4 months ago

Qbtly commented 7 months ago
Version

3b45d155c77bbdfe9177b1e03db830d2aff0b2a8

Build platform

Ubuntu 22.04.3

Build steps

CONFIG_ASAN=y make qjs

Test case

function a() {
    return {};
}
var o = new Proxy(this, new Proxy(new Proxy(this, new Proxy(this, {get: 0})), {get: a}));

print(o);

Execution steps

./qjs poc.js

Output

TypeError: not a function
    at print (native)
    at <eval> (/js/poc.js:6)

qjs: quickjs.c:1997: void JS_FreeRuntime(JSRuntime *): Assertion `list_empty(&rt->gc_obj_list)' failed.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2332589==ERROR: AddressSanitizer: ABRT on unknown address 0x03e8002397ad (pc 0x7fd25e9fb9fc bp 0x0000002397ad sp 0x7fff9c40ed50 T0)
    #0 0x7fd25e9fb9fc in __pthread_kill_implementation nptl/pthread_kill.c:44:76
    #1 0x7fd25e9fb9fc in __pthread_kill_internal nptl/pthread_kill.c:78:10
    #2 0x7fd25e9fb9fc in pthread_kill nptl/pthread_kill.c:89:10
    #3 0x7fd25e9a7475 in gsignal signal/../sysdeps/posix/raise.c:26:13
    #4 0x7fd25e98d7f2 in abort stdlib/abort.c:79:7
    #5 0x7fd25e98d71a in __assert_fail_base assert/assert.c:92:3
    #6 0x7fd25e99ee95 in __assert_fail assert/assert.c:101:3
    #7 0x5613a97c3c22 in JS_FreeRuntime /quickjs/quickjs.c:1997:5
    #8 0x5613a97bc592 in main /quickjs/qjs.c:562:5
    #9 0x7fd25e98ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x7fd25e98ee3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #11 0x5613a96fb6f4 in _start (/quickjs/qjs+0x4c6f4) (BuildId: 4466830005a83e88bca3c9bb84fc0eb15d5a5115)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT nptl/pthread_kill.c:44:76 in __pthread_kill_implementation
==2332589==ABORTING
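The trap-resolution chain behind the test case above, as an added example that is not part of the issue, of the reporter's script, or of QuickJS. It runs under Node.js rather than qjs: String() stands in for qjs's print() (both perform the ToPrimitive [[Get]] on the proxy), globalThis stands in for the script's top-level `this`, and the `{ x: 1 }` target used by the tracing helper is constructed for the example.

```javascript
'use strict';
// Added example, not from the issue or from QuickJS: reproduce under Node.js the
// trap lookups that make the PoC throw "TypeError: not a function". qjs's
// print() is replaced by String(), which performs the same ToPrimitive [[Get]].

function a() {
  return {};
}

// Same object graph as the PoC; `target` stands in for qjs's global `this`.
// o's handler is p1, p1's target is p2, p2's handler is p3, and p3's handler is
// the plain object { get: 0 }.
function buildPoc(target = globalThis) {
  const p3 = new Proxy(target, { get: 0 }); // handler.get is not callable
  const p2 = new Proxy(target, p3);         // every trap lookup on p2 goes via p3
  const p1 = new Proxy(p2, { get: a });     // every trap lookup on p1 yields {}
  return new Proxy(target, p1);
}

// Exercise the proxy the way print(o) does and report the outcome instead of
// letting the exception propagate.
function probe(o) {
  try {
    return { threw: false, value: String(o) };
  } catch (e) {
    return { threw: true, type: e.constructor.name };
  }
}

// Record which traps an operation looks up on a handler that is itself a Proxy,
// with the property key each trap is invoked with (args[1]; undefined for traps
// such as ownKeys). Every trap is forwarded to Reflect so the operation
// completes normally; `target` is a constructed sample object.
function traceTrapLookups(op, target = { x: 1 }) {
  const trace = [];
  const handler = new Proxy({}, {
    get(_handlerTarget, trapName) {
      return (...args) => {
        trace.push({ trap: trapName, key: args[1] });
        return Reflect[trapName](...args);
      };
    },
  });
  op(new Proxy(target, handler));
  return trace;
}

// Run both probes so the file can be executed on its own with node.
function report() {
  return {
    poc: probe(buildPoc()),
    stringLookups: traceTrapLookups((o) => String(o)),
  };
}

console.log(JSON.stringify(
  report(),
  (_k, v) => (typeof v === 'symbol' ? v.toString() : v),
  2,
));
```

Walking the chain by hand: String(o) asks o's handler p1 for its "get" trap, p1's own get trap a() answers with {}, and the proxy invariant check for that answer then asks p2's handler p3 for "getOwnPropertyDescriptor", where p3's handler supplies the non-callable 0 and the engine throws TypeError. Under Node that TypeError is the end of the story. The assertion in the report is QuickJS's own end-of-runtime check that every GC-tracked object has been freed (`list_empty(&rt->gc_obj_list)` in JS_FreeRuntime), which a standalone script cannot observe.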
humenda commented 4 months ago

This bug has led to the removal of quickjs from Debian testing (and hence the next stable release), due to CVE-2024-33263.

I would like to request that this issue be fixed as soon as convenient, so that QuickJS can return to Debian, and with it the packages that depend on it.

The corresponding Debian bug is https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070373 .

Thanks

saghul commented 4 months ago

Unless I'm missing something, that report is quite bogus.

The crash happens when the interpreter shuts down, as it does some sanity checks. Building with NDEBUG would also not exhibit the problem because the assert won't do anything.

humenda commented 4 months ago

If it is indeed bogus, I would like to see this issue closed, and likewise the CVE. This would help me re-upload the package to Debian testing.

saghul commented 4 months ago

I suppose you could float this patch: https://github.com/xeioex/quickjs/commit/28512c51e993c1acc443c91ffe0171d19fc2cd3c

chqrlie commented 4 months ago

@humenda: I committed the fix, this should solve the problem. Thank you for your support.

humenda commented 4 months ago

Thanks, now QuickJS is back in Debian :).