Assertion `0 && "Attempting to pause parser in error state"' failed in http_parser_pause
renatahodovan opened this issue · comments
Renáta Hodován commented
IoT.js version:
Checked revision: bc9a5da
Build command: CC=clang-7 \
tools/build.py --clean \
--buildtype=debug \
--compile-flag="-D'IOTJS_ASSERT(x)=assert(x)'" \
--compile-flag=-O2 --compile-flag=-fno-common --no-snapshot \
--compile-flag=-fsanitize=address --compile-flag=-fno-omit-frame-pointer \
--jerry-cmake-param=-DFEATURE_SYSTEM_ALLOCATOR=ON --target-arch=i686 \
--profile=test/profiles/host-linux.profile --jerry-profile=es2015-subset \
--jerry-cmake-param=-DEXTERNAL_COMPILE_FLAGS=-Wno-conversion
OS:
Linux-4.15.0-54-generic-x86_64-with-Ubuntu-18.04-bionic
Test case:
var http_common = require('http_common')
var v0 = http_common.createHTTPParser(1)
v0.execute(Buffer(6083374109688862375))
v0.resume()
Backtrace:
iotjs: iotjs/deps/http-parser/http_parser.c:2426: void http_parser_pause(http_parser *, int): Assertion `0 && "Attempting to pause parser in error state"' failed.
Program received signal SIGABRT, Aborted.
0xf7fd3939 in __kernel_vsyscall ()
(gdb) bt
#0 0xf7fd3939 in __kernel_vsyscall ()
#1 0xf7c90182 in raise () from /lib/i386-linux-gnu/libc.so.6
#2 0xf7c7a2b6 in abort () from /lib/i386-linux-gnu/libc.so.6
#3 0xf7c7a1c1 in ?? () from /lib/i386-linux-gnu/libc.so.6
#4 0xf7c87fd9 in __assert_fail () from /lib/i386-linux-gnu/libc.so.6
#5 0x082e9038 in http_parser_pause (parser=0xf4b02d44, paused=0) at iotjs/deps/http-parser/http_parser.c:2426
#6 0x081738d7 in iotjs_http_parser_pause (jthis=<optimized out>, paused=0)
at iotjs/src/modules/iotjs_module_http_parser.c:424
#7 js_func_resume (jfunc=<optimized out>, jthis=<optimized out>, jargv=<optimized out>, jargc=<optimized out>)
at iotjs/src/modules/iotjs_module_http_parser.c:435
#8 0x081b60dd in ecma_op_function_call (func_obj_p=0xf570dc30, this_arg_value=4119889171, arguments_list_p=0xffffbde4,
arguments_list_len=0) at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:815
#9 0x08277fc9 in opfunc_call (frame_ctx_p=<optimized out>) at iotjs/deps/jerry/jerry-core/vm/vm.c:565
#10 vm_execute (frame_ctx_p=0xffffbe50, arg_p=0xffffbe83, arg_list_len=3) at iotjs/deps/jerry/jerry-core/vm/vm.c:3478
#11 0x082187ad in vm_run (bytecode_header_p=<optimized out>, this_binding_value=<optimized out>, lex_env_p=<optimized out>,
parse_opts=<optimized out>, arg_list_p=0x0, arg_list_len=<optimized out>)
at iotjs/deps/jerry/jerry-core/vm/vm.c:3611
#12 0x081b6443 in ecma_op_function_call (func_obj_p=0xf570be30, this_arg_value=4119885075, arguments_list_p=0x0, arguments_list_len=3)
at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:792
#13 0x081eaa81 in ecma_builtin_function_prototype_dispatch_routine (builtin_routine_id=<optimized out>, this_arg_value=<optimized out>,
arguments_list=<optimized out>, arguments_number=<optimized out>)
at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:212
#14 0x0820b10b in ecma_builtin_dispatch_routine (builtin_object_id=<optimized out>, builtin_routine_id=<optimized out>,
this_arg_value=<optimized out>, arguments_list_p=<optimized out>, arguments_list_len=<optimized out>)
at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtins.c:1016
#15 ecma_builtin_dispatch_call (obj_p=<optimized out>, this_arg_value=<optimized out>, arguments_list_p=<optimized out>,
arguments_list_len=<optimized out>) at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtins.c:1041
#16 0x081b6471 in ecma_op_function_call (func_obj_p=0xf5703ee0, this_arg_value=4117806643, arguments_list_p=0xffffc258,
arguments_list_len=4) at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:716
#17 0x08277fc9 in opfunc_call (frame_ctx_p=<optimized out>) at iotjs/deps/jerry/jerry-core/vm/vm.c:565
#18 vm_execute (frame_ctx_p=0xffffc2d0, arg_p=0xffffc303, arg_list_len=2) at iotjs/deps/jerry/jerry-core/vm/vm.c:3478
#19 0x082187ad in vm_run (bytecode_header_p=<optimized out>, this_binding_value=<optimized out>, lex_env_p=<optimized out>,
parse_opts=<optimized out>, arg_list_p=0x0, arg_list_len=<optimized out>)
at iotjs/deps/jerry/jerry-core/vm/vm.c:3611
#20 0x081b6443 in ecma_op_function_call (func_obj_p=0xf570b320, this_arg_value=4119885107, arguments_list_p=0x0, arguments_list_len=2)
at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:792
#21 0x08277fc9 in opfunc_call (frame_ctx_p=<optimized out>) at iotjs/deps/jerry/jerry-core/vm/vm.c:565
#22 vm_execute (frame_ctx_p=0xffffc590, arg_p=0xffffc5c3, arg_list_len=2) at iotjs/deps/jerry/jerry-core/vm/vm.c:3478
#23 0x082187ad in vm_run (bytecode_header_p=<optimized out>, this_binding_value=<optimized out>, lex_env_p=<optimized out>,
parse_opts=<optimized out>, arg_list_p=0x0, arg_list_len=<optimized out>)
at iotjs/deps/jerry/jerry-core/vm/vm.c:3611
#24 0x081b6443 in ecma_op_function_call (func_obj_p=0xf570b410, this_arg_value=4117776835, arguments_list_p=0x0, arguments_list_len=2)
at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:792
#25 0x08277fc9 in opfunc_call (frame_ctx_p=<optimized out>) at iotjs/deps/jerry/jerry-core/vm/vm.c:565
#26 vm_execute (frame_ctx_p=0xffffc810, arg_p=0xffffc843, arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:3478
#27 0x082187ad in vm_run (bytecode_header_p=<optimized out>, this_binding_value=<optimized out>, lex_env_p=<optimized out>,
parse_opts=<optimized out>, arg_list_p=0x0, arg_list_len=<optimized out>)
at iotjs/deps/jerry/jerry-core/vm/vm.c:3611
#28 0x081b6443 in ecma_op_function_call (func_obj_p=0xf570b2f0, this_arg_value=4117776835, arguments_list_p=0x0, arguments_list_len=0)
at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:792
#29 0x08277fc9 in opfunc_call (frame_ctx_p=<optimized out>) at iotjs/deps/jerry/jerry-core/vm/vm.c:565
#30 vm_execute (frame_ctx_p=0xffffcab0, arg_p=0xffffcae3, arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:3478
#31 0x082187ad in vm_run (bytecode_header_p=<optimized out>, this_binding_value=<optimized out>, lex_env_p=<optimized out>,
parse_opts=<optimized out>, arg_list_p=0x0, arg_list_len=<optimized out>)
at iotjs/deps/jerry/jerry-core/vm/vm.c:3611
#32 0x081b63f0 in ecma_op_function_call (func_obj_p=0xf57010c0, this_arg_value=72, arguments_list_p=0xffffccc4, arguments_list_len=0)
at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:792
#33 0x08277fc9 in opfunc_call (frame_ctx_p=<optimized out>) at iotjs/deps/jerry/jerry-core/vm/vm.c:565
#34 vm_execute (frame_ctx_p=0xffffcd30, arg_p=0xffffcd63, arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:3478
#35 0x082187ad in vm_run (bytecode_header_p=<optimized out>, this_binding_value=<optimized out>, lex_env_p=<optimized out>,
parse_opts=<optimized out>, arg_list_p=0x0, arg_list_len=<optimized out>)
at iotjs/deps/jerry/jerry-core/vm/vm.c:3611
#36 0x08199d86 in vm_run_global (bytecode_p=<optimized out>) at iotjs/deps/jerry/jerry-core/vm/vm.c:266
#37 jerry_run (func_val=4117762291) at iotjs/deps/jerry/jerry-core/api/jerry.c:550
#38 0x081569e0 in iotjs_jhelper_eval (name=0x833c700 <str> "iotjs.js", name_len=8,
data=0x837a460 <iotjs_s> "/* Copyright 2015-present Samsung Electronics Co., Ltd. and other contributors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance w"..., size=4730,
strict_mode=<optimized out>) at iotjs/src/iotjs_binding.c:379
#39 0x08155156 in iotjs_run (env=0x88ccee0 <current_env>) at iotjs/src/iotjs.c:175
#40 0x081552ea in iotjs_start (env=<optimized out>) at iotjs/src/iotjs.c:224
#41 iotjs_entry (argc=2, argv=0xffffcfa4) at iotjs/src/iotjs.c:312
#42 0xf7c7b751 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
#43 0x08080872 in _start ()
Found by Fuzzinator with JsProFuzz.