Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Assertion `0 && "Attempting to pause parser in error state"' failed in http_parser_pause #1910

Open
renatahodovan opened this issue Jul 5, 2019 · 0 comments

Comments

@renatahodovan
Copy link
Contributor

IoT.js version:
Checked revision: bc9a5da

Build command: CC=clang-7 \
tools/build.py --clean \
--buildtype=debug \
--compile-flag="-D'IOTJS_ASSERT(x)=assert(x)'" \
--compile-flag=-O2 --compile-flag=-fno-common --no-snapshot \
--compile-flag=-fsanitize=address --compile-flag=-fno-omit-frame-pointer \
--jerry-cmake-param=-DFEATURE_SYSTEM_ALLOCATOR=ON --target-arch=i686 \
--profile=test/profiles/host-linux.profile --jerry-profile=es2015-subset \
--jerry-cmake-param=-DEXTERNAL_COMPILE_FLAGS=-Wno-conversion
OS:
Linux-4.15.0-54-generic-x86_64-with-Ubuntu-18.04-bionic
Test case:
var http_common = require('http_common')
var v0 = http_common.createHTTPParser(1)
v0.execute(Buffer(6083374109688862375))
v0.resume()
Backtrace:
iotjs: iotjs/deps/http-parser/http_parser.c:2426: void http_parser_pause(http_parser *, int): Assertion `0 && "Attempting to pause parser in error state"' failed.

Program received signal SIGABRT, Aborted.
0xf7fd3939 in __kernel_vsyscall ()
(gdb) bt
#0  0xf7fd3939 in __kernel_vsyscall ()
#1  0xf7c90182 in raise () from /lib/i386-linux-gnu/libc.so.6
#2  0xf7c7a2b6 in abort () from /lib/i386-linux-gnu/libc.so.6
#3  0xf7c7a1c1 in ?? () from /lib/i386-linux-gnu/libc.so.6
#4  0xf7c87fd9 in __assert_fail () from /lib/i386-linux-gnu/libc.so.6
#5  0x082e9038 in http_parser_pause (parser=0xf4b02d44, paused=0) at iotjs/deps/http-parser/http_parser.c:2426
#6  0x081738d7 in iotjs_http_parser_pause (jthis=<optimized out>, paused=0)
    at iotjs/src/modules/iotjs_module_http_parser.c:424
#7  js_func_resume (jfunc=<optimized out>, jthis=<optimized out>, jargv=<optimized out>, jargc=<optimized out>)
    at iotjs/src/modules/iotjs_module_http_parser.c:435
#8  0x081b60dd in ecma_op_function_call (func_obj_p=0xf570dc30, this_arg_value=4119889171, arguments_list_p=0xffffbde4, 
    arguments_list_len=0) at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:815
#9  0x08277fc9 in opfunc_call (frame_ctx_p=<optimized out>) at iotjs/deps/jerry/jerry-core/vm/vm.c:565
#10 vm_execute (frame_ctx_p=0xffffbe50, arg_p=0xffffbe83, arg_list_len=3) at iotjs/deps/jerry/jerry-core/vm/vm.c:3478
#11 0x082187ad in vm_run (bytecode_header_p=<optimized out>, this_binding_value=<optimized out>, lex_env_p=<optimized out>, 
    parse_opts=<optimized out>, arg_list_p=0x0, arg_list_len=<optimized out>)
    at iotjs/deps/jerry/jerry-core/vm/vm.c:3611
#12 0x081b6443 in ecma_op_function_call (func_obj_p=0xf570be30, this_arg_value=4119885075, arguments_list_p=0x0, arguments_list_len=3)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:792
#13 0x081eaa81 in ecma_builtin_function_prototype_dispatch_routine (builtin_routine_id=<optimized out>, this_arg_value=<optimized out>, 
    arguments_list=<optimized out>, arguments_number=<optimized out>)
    at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:212
#14 0x0820b10b in ecma_builtin_dispatch_routine (builtin_object_id=<optimized out>, builtin_routine_id=<optimized out>, 
    this_arg_value=<optimized out>, arguments_list_p=<optimized out>, arguments_list_len=<optimized out>)
    at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtins.c:1016
#15 ecma_builtin_dispatch_call (obj_p=<optimized out>, this_arg_value=<optimized out>, arguments_list_p=<optimized out>, 
    arguments_list_len=<optimized out>) at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtins.c:1041
#16 0x081b6471 in ecma_op_function_call (func_obj_p=0xf5703ee0, this_arg_value=4117806643, arguments_list_p=0xffffc258, 
    arguments_list_len=4) at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:716
#17 0x08277fc9 in opfunc_call (frame_ctx_p=<optimized out>) at iotjs/deps/jerry/jerry-core/vm/vm.c:565
#18 vm_execute (frame_ctx_p=0xffffc2d0, arg_p=0xffffc303, arg_list_len=2) at iotjs/deps/jerry/jerry-core/vm/vm.c:3478
#19 0x082187ad in vm_run (bytecode_header_p=<optimized out>, this_binding_value=<optimized out>, lex_env_p=<optimized out>, 
    parse_opts=<optimized out>, arg_list_p=0x0, arg_list_len=<optimized out>)
    at iotjs/deps/jerry/jerry-core/vm/vm.c:3611
#20 0x081b6443 in ecma_op_function_call (func_obj_p=0xf570b320, this_arg_value=4119885107, arguments_list_p=0x0, arguments_list_len=2)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:792
#21 0x08277fc9 in opfunc_call (frame_ctx_p=<optimized out>) at iotjs/deps/jerry/jerry-core/vm/vm.c:565
#22 vm_execute (frame_ctx_p=0xffffc590, arg_p=0xffffc5c3, arg_list_len=2) at iotjs/deps/jerry/jerry-core/vm/vm.c:3478
#23 0x082187ad in vm_run (bytecode_header_p=<optimized out>, this_binding_value=<optimized out>, lex_env_p=<optimized out>, 
    parse_opts=<optimized out>, arg_list_p=0x0, arg_list_len=<optimized out>)
    at iotjs/deps/jerry/jerry-core/vm/vm.c:3611
#24 0x081b6443 in ecma_op_function_call (func_obj_p=0xf570b410, this_arg_value=4117776835, arguments_list_p=0x0, arguments_list_len=2)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:792
#25 0x08277fc9 in opfunc_call (frame_ctx_p=<optimized out>) at iotjs/deps/jerry/jerry-core/vm/vm.c:565
#26 vm_execute (frame_ctx_p=0xffffc810, arg_p=0xffffc843, arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:3478
#27 0x082187ad in vm_run (bytecode_header_p=<optimized out>, this_binding_value=<optimized out>, lex_env_p=<optimized out>, 
    parse_opts=<optimized out>, arg_list_p=0x0, arg_list_len=<optimized out>)
    at iotjs/deps/jerry/jerry-core/vm/vm.c:3611
#28 0x081b6443 in ecma_op_function_call (func_obj_p=0xf570b2f0, this_arg_value=4117776835, arguments_list_p=0x0, arguments_list_len=0)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:792
#29 0x08277fc9 in opfunc_call (frame_ctx_p=<optimized out>) at iotjs/deps/jerry/jerry-core/vm/vm.c:565
#30 vm_execute (frame_ctx_p=0xffffcab0, arg_p=0xffffcae3, arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:3478
#31 0x082187ad in vm_run (bytecode_header_p=<optimized out>, this_binding_value=<optimized out>, lex_env_p=<optimized out>, 
    parse_opts=<optimized out>, arg_list_p=0x0, arg_list_len=<optimized out>)
    at iotjs/deps/jerry/jerry-core/vm/vm.c:3611
#32 0x081b63f0 in ecma_op_function_call (func_obj_p=0xf57010c0, this_arg_value=72, arguments_list_p=0xffffccc4, arguments_list_len=0)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:792
#33 0x08277fc9 in opfunc_call (frame_ctx_p=<optimized out>) at iotjs/deps/jerry/jerry-core/vm/vm.c:565
#34 vm_execute (frame_ctx_p=0xffffcd30, arg_p=0xffffcd63, arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:3478
#35 0x082187ad in vm_run (bytecode_header_p=<optimized out>, this_binding_value=<optimized out>, lex_env_p=<optimized out>, 
    parse_opts=<optimized out>, arg_list_p=0x0, arg_list_len=<optimized out>)
    at iotjs/deps/jerry/jerry-core/vm/vm.c:3611
#36 0x08199d86 in vm_run_global (bytecode_p=<optimized out>) at iotjs/deps/jerry/jerry-core/vm/vm.c:266
#37 jerry_run (func_val=4117762291) at iotjs/deps/jerry/jerry-core/api/jerry.c:550
#38 0x081569e0 in iotjs_jhelper_eval (name=0x833c700 <str> "iotjs.js", name_len=8, 
    data=0x837a460 <iotjs_s> "/* Copyright 2015-present Samsung Electronics Co., Ltd. and other contributors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance w"..., size=4730, 
    strict_mode=<optimized out>) at iotjs/src/iotjs_binding.c:379
#39 0x08155156 in iotjs_run (env=0x88ccee0 <current_env>) at iotjs/src/iotjs.c:175
#40 0x081552ea in iotjs_start (env=<optimized out>) at iotjs/src/iotjs.c:224
#41 iotjs_entry (argc=2, argv=0xffffcfa4) at iotjs/src/iotjs.c:312
#42 0xf7c7b751 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
#43 0x08080872 in _start ()

Found by Fuzzinator with JsProFuzz.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant