jerryscript-project / iotjs

Platform for Internet of Things with JavaScript http://www.iotjs.net

Abort in uv__async_send

renatahodovan opened this issue

IoT.js version:
Checked revision: bc9a5da

Build command:
CC=clang-7 \
tools/build.py --clean \
--buildtype=debug \
--compile-flag="-D'IOTJS_ASSERT(x)=assert(x)'" \
--compile-flag=-O2 --compile-flag=-fno-common --no-snapshot \
--compile-flag=-fsanitize=address --compile-flag=-fno-omit-frame-pointer \
--jerry-cmake-param=-DFEATURE_SYSTEM_ALLOCATOR=ON --target-arch=i686 \
--profile=test/profiles/host-linux.profile --jerry-profile=es2015-subset \
--jerry-cmake-param=-DEXTERNAL_COMPILE_FLAGS=-Wno-conversion
OS:
Linux-4.15.0-54-generic-x86_64-with-Ubuntu-18.04-bionic
Test case:
var fs = require('fs')
fs.close.prototype.constructor(Uint32Array.BYTES_PER_ELEMENT, setTimeout.constructor)
Backtrace:
Thread 2 "iotjs" received signal SIGABRT, Aborted.
[Switching to Thread 0xf36ffb40 (LWP 19774)]
0xf7fd3939 in __kernel_vsyscall ()
(gdb) bt
#0  0xf7fd3939 in __kernel_vsyscall ()
#1  0xf7c90182 in raise () from /lib/i386-linux-gnu/libc.so.6
#2  0xf7c7a2b6 in abort () from /lib/i386-linux-gnu/libc.so.6
#3  0x082a3094 in uv__async_send (wa=0x88ce7c0 <default_loop_struct+224>) at iotjs/deps/libtuv/src/unix/async.c:201
#4  0x082a2e0c in uv_async_send (handle=0x88ce740 <default_loop_struct+96>) at iotjs/deps/libtuv/src/unix/async.c:90
#5  0x0829ba2f in worker (arg=0x0) at iotjs/deps/libtuv/src/threadpool.c:116
#6  0x0812f653 in __asan::AsanThread::ThreadStart(unsigned long long, __sanitizer::atomic_uintptr_t*) ()
#7  0x0810c248 in asan_thread_start(void*) ()
#8  0xf7e6d004 in start_thread () from /lib/i386-linux-gnu/libpthread.so.0
#9  0xf7d5ca16 in clone () from /lib/i386-linux-gnu/libc.so.6

Found by Fuzzinator with JsProFuzz.