search

jerryscript-project / iotjs

Platform for Internet of Things with JavaScript http://www.iotjs.net
Other
2.6k stars 438 forks source link

Assertion `uv__stream_fd(stream) >= 0' failed in uv_read_start #1908

Open renatahodovan opened 5 years ago

renatahodovan commented 5 years ago
IoT.js version:
Checked revision: bc9a5da

Build command: CC=clang-7 \
tools/build.py --clean \
--buildtype=debug \
--compile-flag="-D'IOTJS_ASSERT(x)=assert(x)'" \
--compile-flag=-O2 --compile-flag=-fno-common --no-snapshot \
--compile-flag=-fsanitize=address --compile-flag=-fno-omit-frame-pointer \
--jerry-cmake-param=-DFEATURE_SYSTEM_ALLOCATOR=ON --target-arch=i686 \
--profile=test/profiles/host-linux.profile --jerry-profile=es2015-subset \
--jerry-cmake-param=-DEXTERNAL_COMPILE_FLAGS=-Wno-conversion
OS:
Linux-4.15.0-54-generic-x86_64-with-Ubuntu-18.04-bionic
Test case:
var net = require('net')
var v0 = new (net.connect(1).constructor)()
try { var $ = v0.connect() } catch ($) { }
try { var $ = v0._handle.readStart() } catch ($) { }
Backtrace:
iotjs: iotjs/deps/libtuv/src/unix/stream.c:1574: int uv_read_start(uv_stream_t *, uv_alloc_cb, uv_read_cb): Assertion `uv__stream_fd(stream) >= 0' failed.

Thread 1 "iotjs" received signal SIGABRT, Aborted.
0xf7fd3939 in __kernel_vsyscall ()
(gdb) bt
#0  0xf7fd3939 in __kernel_vsyscall ()
#1  0xf7c90182 in raise () from /lib/i386-linux-gnu/libc.so.6
#2  0xf7c7a2b6 in abort () from /lib/i386-linux-gnu/libc.so.6
#3  0xf7c7a1c1 in ?? () from /lib/i386-linux-gnu/libc.so.6
#4  0xf7c87fd9 in __assert_fail () from /lib/i386-linux-gnu/libc.so.6
#5  0x082c7202 in uv_read_start (stream=0xf4d15b80, alloc_cb=0x8186510 <on_alloc>, read_cb=0x8186590 <on_read>)
    at iotjs/deps/libtuv/src/unix/stream.c:1574
#6  0x0818578b in tcp_read_start (jfunc=<optimized out>, jthis=<optimized out>, jargv=<optimized out>, jargc=<optimized out>)
    at iotjs/src/modules/iotjs_module_tcp.c:308
#7  0x081b60dd in ecma_op_function_call (func_obj_p=0xf570e020, this_arg_value=4119902451, arguments_list_p=0xffffbdec, 
    arguments_list_len=0) at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:815
#8  0x08277fc9 in opfunc_call (frame_ctx_p=<optimized out>) at iotjs/deps/jerry/jerry-core/vm/vm.c:565
#9  vm_execute (frame_ctx_p=0xffffbe50, arg_p=0xffffbe83, arg_list_len=3) at iotjs/deps/jerry/jerry-core/vm/vm.c:3478
#10 0x082187ad in vm_run (bytecode_header_p=<optimized out>, this_binding_value=<optimized out>, lex_env_p=<optimized out>, 
    parse_opts=<optimized out>, arg_list_p=0x0, arg_list_len=<optimized out>)
    at iotjs/deps/jerry/jerry-core/vm/vm.c:3611
#11 0x081b63f0 in ecma_op_function_call (func_obj_p=0xf570be90, this_arg_value=4119885075, arguments_list_p=0xffffc25c, 
    arguments_list_len=3) at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:792
#12 0x081eaa81 in ecma_builtin_function_prototype_dispatch_routine (builtin_routine_id=<optimized out>, this_arg_value=<optimized out>, 
    arguments_list=<optimized out>, arguments_number=<optimized out>)
    at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:212
#13 0x0820b10b in ecma_builtin_dispatch_routine (builtin_object_id=<optimized out>, builtin_routine_id=<optimized out>, 
    this_arg_value=<optimized out>, arguments_list_p=<optimized out>, arguments_list_len=<optimized out>)
    at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtins.c:1016
#14 ecma_builtin_dispatch_call (obj_p=<optimized out>, this_arg_value=<optimized out>, arguments_list_p=<optimized out>, 
    arguments_list_len=<optimized out>) at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtins.c:1041
#15 0x081b6471 in ecma_op_function_call (func_obj_p=0xf5703ee0, this_arg_value=4117806739, arguments_list_p=0xffffc258, 
    arguments_list_len=4) at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:716
#16 0x08277fc9 in opfunc_call (frame_ctx_p=<optimized out>) at iotjs/deps/jerry/jerry-core/vm/vm.c:565
#17 vm_execute (frame_ctx_p=0xffffc2d0, arg_p=0xffffc303, arg_list_len=2) at iotjs/deps/jerry/jerry-core/vm/vm.c:3478
#18 0x082187ad in vm_run (bytecode_header_p=<optimized out>, this_binding_value=<optimized out>, lex_env_p=<optimized out>, 
    parse_opts=<optimized out>, arg_list_p=0x0, arg_list_len=<optimized out>)
    at iotjs/deps/jerry/jerry-core/vm/vm.c:3611
#19 0x081b6443 in ecma_op_function_call (func_obj_p=0xf570b320, this_arg_value=4119885107, arguments_list_p=0x0, arguments_list_len=2)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:792
#20 0x08277fc9 in opfunc_call (frame_ctx_p=<optimized out>) at iotjs/deps/jerry/jerry-core/vm/vm.c:565
#21 vm_execute (frame_ctx_p=0xffffc590, arg_p=0xffffc5c3, arg_list_len=2) at iotjs/deps/jerry/jerry-core/vm/vm.c:3478
#22 0x082187ad in vm_run (bytecode_header_p=<optimized out>, this_binding_value=<optimized out>, lex_env_p=<optimized out>, 
    parse_opts=<optimized out>, arg_list_p=0x0, arg_list_len=<optimized out>)
    at iotjs/deps/jerry/jerry-core/vm/vm.c:3611
#23 0x081b6443 in ecma_op_function_call (func_obj_p=0xf570b410, this_arg_value=4117776835, arguments_list_p=0x0, arguments_list_len=2)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:792
#24 0x08277fc9 in opfunc_call (frame_ctx_p=<optimized out>) at iotjs/deps/jerry/jerry-core/vm/vm.c:565
#25 vm_execute (frame_ctx_p=0xffffc810, arg_p=0xffffc843, arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:3478
#26 0x082187ad in vm_run (bytecode_header_p=<optimized out>, this_binding_value=<optimized out>, lex_env_p=<optimized out>, 
    parse_opts=<optimized out>, arg_list_p=0x0, arg_list_len=<optimized out>)
    at iotjs/deps/jerry/jerry-core/vm/vm.c:3611
#27 0x081b6443 in ecma_op_function_call (func_obj_p=0xf570b2f0, this_arg_value=4117776835, arguments_list_p=0x0, arguments_list_len=0)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:792
#28 0x08277fc9 in opfunc_call (frame_ctx_p=<optimized out>) at iotjs/deps/jerry/jerry-core/vm/vm.c:565
#29 vm_execute (frame_ctx_p=0xffffcab0, arg_p=0xffffcae3, arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:3478
#30 0x082187ad in vm_run (bytecode_header_p=<optimized out>, this_binding_value=<optimized out>, lex_env_p=<optimized out>, 
    parse_opts=<optimized out>, arg_list_p=0x0, arg_list_len=<optimized out>)
    at iotjs/deps/jerry/jerry-core/vm/vm.c:3611
#31 0x081b63f0 in ecma_op_function_call (func_obj_p=0xf57010c0, this_arg_value=72, arguments_list_p=0xffffccc4, arguments_list_len=0)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:792
#32 0x08277fc9 in opfunc_call (frame_ctx_p=<optimized out>) at iotjs/deps/jerry/jerry-core/vm/vm.c:565
#33 vm_execute (frame_ctx_p=0xffffcd30, arg_p=0xffffcd63, arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:3478
#34 0x082187ad in vm_run (bytecode_header_p=<optimized out>, this_binding_value=<optimized out>, lex_env_p=<optimized out>, 
    parse_opts=<optimized out>, arg_list_p=0x0, arg_list_len=<optimized out>)
    at iotjs/deps/jerry/jerry-core/vm/vm.c:3611
#35 0x08199d86 in vm_run_global (bytecode_p=<optimized out>) at iotjs/deps/jerry/jerry-core/vm/vm.c:266
#36 jerry_run (func_val=4117762291) at iotjs/deps/jerry/jerry-core/api/jerry.c:550
#37 0x081569e0 in iotjs_jhelper_eval (name=0x833c700 <str> "iotjs.js", name_len=8, 
    data=0x837a460 <iotjs_s> "/* Copyright 2015-present Samsung Electronics Co., Ltd. and other contributors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance w"..., size=4730, 
    strict_mode=<optimized out>) at iotjs/src/iotjs_binding.c:379
#38 0x08155156 in iotjs_run (env=0x88ccee0 <current_env>) at iotjs/src/iotjs.c:175
#39 0x081552ea in iotjs_start (env=<optimized out>) at iotjs/src/iotjs.c:224
#40 iotjs_entry (argc=2, argv=0xffffcfa4) at iotjs/src/iotjs.c:312
#41 0xf7c7b751 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
#42 0x08080872 in _start ()

Found by Fuzzinator with JsProFuzz.