jerryscript-project / iotjs

Platform for Internet of Things with JavaScript http://www.iotjs.net

Assertion `jerry_value_is_number(jval)' failed in iotjs_jval_as_number #1917

Closed renatahodovan closed 5 years ago

renatahodovan commented 5 years ago
IoT.js version:
Checked revision: bc9a5da

Build command (debug build with assertions kept active by mapping IOTJS_ASSERT to assert(), AddressSanitizer enabled, 32-bit i686 target):
CC=clang-7 \
tools/build.py --clean \
--buildtype=debug \
--compile-flag="-D'IOTJS_ASSERT(x)=assert(x)'" \
--compile-flag=-O2 --compile-flag=-fno-common --no-snapshot \
--compile-flag=-fsanitize=address --compile-flag=-fno-omit-frame-pointer \
--jerry-cmake-param=-DFEATURE_SYSTEM_ALLOCATOR=ON --target-arch=i686 \
--profile=test/profiles/host-linux.profile --jerry-profile=es2015-subset \
--jerry-cmake-param=-DEXTERNAL_COMPILE_FLAGS=-Wno-conversion
OS:
Linux-4.15.0-54-generic-x86_64-with-Ubuntu-18.04-bionic
Test case:
// Reproducer: take the native isFile method off a stats object and hand it to
// setInterval *unbound*. When the timer fires, the callback is invoked with a
// receiver chosen by the timer implementation, never the stats object it was
// taken from, so the native binding (fs_stats_is_file -> stats_is_typeof)
// reads what it assumes is a numeric field of a stats object from `this`,
// gets a non-number, and trips the IOTJS_ASSERT in iotjs_jval_as_number.
// NOTE(review): the same call path is taken in a build where IOTJS_ASSERT is
// compiled out; worth confirming the binding rejects a non-stats receiver
// there as well rather than converting an arbitrary value.
var fs = require('fs');
var stdoutStats = fs.fstatSync(1);
var unboundIsFile = stdoutStats.isFile;
setInterval(unboundIsFile, 1);
Backtrace:
iotjs: iotjs/src/iotjs_binding.c:81: double iotjs_jval_as_number(jerry_value_t): Assertion `jerry_value_is_number(jval)' failed.

Program received signal SIGABRT, Aborted.
0xf7fd3939 in __kernel_vsyscall ()
(gdb) bt
#0  0xf7fd3939 in __kernel_vsyscall ()
#1  0xf7c90182 in raise () from /lib/i386-linux-gnu/libc.so.6
#2  0xf7c7a2b6 in abort () from /lib/i386-linux-gnu/libc.so.6
#3  0xf7c7a1c1 in ?? () from /lib/i386-linux-gnu/libc.so.6
#4  0xf7c87fd9 in __assert_fail () from /lib/i386-linux-gnu/libc.so.6
#5  0x0815588c in iotjs_jval_as_number (jval=72) at iotjs/src/iotjs_binding.c:81
#6  0x0816be78 in stats_is_typeof (stats=<optimized out>, type=32768) at iotjs/src/modules/iotjs_module_fs.c:454
#7  fs_stats_is_file (jfunc=4117781683, jthis=4119890451, jargv=0xffffcb98, jargc=0)
    at iotjs/src/modules/iotjs_module_fs.c:470
#8  0x081b60dd in ecma_op_function_call (func_obj_p=0xf5705cb0, this_arg_value=4119890451, arguments_list_p=0xffffcb98, 
    arguments_list_len=0) at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:815
#9  0x08277fc9 in opfunc_call (frame_ctx_p=<optimized out>) at iotjs/deps/jerry/jerry-core/vm/vm.c:565
#10 vm_execute (frame_ctx_p=0xffffcbf0, arg_p=0xffffcc23, arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:3478
#11 0x082187ad in vm_run (bytecode_header_p=<optimized out>, this_binding_value=<optimized out>, lex_env_p=<optimized out>, 
    parse_opts=<optimized out>, arg_list_p=0x0, arg_list_len=<optimized out>)
    at iotjs/deps/jerry/jerry-core/vm/vm.c:3611
#12 0x081b63f0 in ecma_op_function_call (func_obj_p=0xf570cca0, this_arg_value=4119890419, arguments_list_p=0x0, arguments_list_len=0)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:792
#13 0x081b0439 in jerry_invoke_function (is_invoke_as_constructor=<optimized out>, func_obj_val=4117810339, this_val=4119890419, 
    args_p=0x0, args_count=0) at iotjs/deps/jerry/jerry-core/api/jerry.c:2405
#14 0x081b007e in jerry_call_function (func_obj_val=4117810339, this_val=4119890419, args_p=0x0, args_count=0)
    at iotjs/deps/jerry/jerry-core/api/jerry.c:2431
#15 0x08156fe4 in iotjs_invoke_callback_with_result (jfunc=4117810339, jthis=4119890419, jargv=0x0, jargc=0)
    at iotjs/src/iotjs_binding_helper.c:121
#16 0x08156f77 in iotjs_invoke_callback (jfunc=4117810339, jthis=4119890419, jargv=0x0, jargc=0)
    at iotjs/src/iotjs_binding_helper.c:106
#17 0x081870e0 in timeout_handler (handle=0xf4f00e90) at iotjs/src/modules/iotjs_module_timer.c:38
#18 0x082d2d3c in uv__run_timers (loop=0x88ce6e0 <default_loop_struct>) at iotjs/deps/libtuv/src/unix/timer.c:203
#19 0x082a4870 in uv_run (loop=0x88ce6e0 <default_loop_struct>, mode=UV_RUN_ONCE)
    at iotjs/deps/libtuv/src/unix/core.c:319
#20 0x08155328 in iotjs_start (env=<optimized out>) at iotjs/src/iotjs.c:233
#21 iotjs_entry (argc=2, argv=0xffffcf94) at iotjs/src/iotjs.c:312
#22 0xf7c7b751 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
#23 0x08080872 in _start ()

Found by Fuzzinator with JsProFuzz.