segmentation fault if setting opaque on constructor

[boot2linux]

Please check below code. I want to hide class ID, so plan to retrieve class from opaque. It works well if using context opaque, but it does not works well for multiple class directly.

#include "quickjs.h"
#include <stdio.h>
#include <stdlib.h>


// static JSClassID globalClassID;
static JSValue js_class_constructor(JSContext *ctx, JSValueConst new_target, int argc, JSValueConst *argv) {

    JSClassID id;
    id=(JSClassID)(intptr_t)JS_GetAnyOpaque(new_target, &id);
    printf("Class ID: %d fetched from opaque\n", id);

    // JSClassID id=globalClassID;
    // crash here
    JSValue obj = JS_NewObjectClass(ctx, id);
    if (JS_IsException(obj)) {
        return obj;
    }

    return obj;
}

int main(int argc, char **argv) {
    JSRuntime *rt;
    JSContext *ctx;
    JSClassID js_class_id =0;

    rt = JS_NewRuntime();
    ctx = JS_NewContext(rt);

    JS_NewClassID(rt, &js_class_id);
    printf("Class ID %d is created!\n", js_class_id);
    // globalClassID = js_class_id;

    JSClassDef js_class = {
        .class_name = "MyClass",
    };
    JS_NewClass(rt, js_class_id, &js_class);

    JSValue constructor = JS_NewCFunction2(ctx, js_class_constructor, "MyClass", 0, JS_CFUNC_constructor, 0);

    void *opaque = (void *)(intptr_t)js_class_id;
    JS_SetOpaque(constructor, opaque);

    JS_SetPropertyStr(ctx, JS_GetGlobalObject(ctx), "MyClass", constructor);

    const char *script =
        "const obj = new MyClass();\n";

    JSValue result = JS_Eval(ctx, script, strlen(script), "<input>", JS_EVAL_TYPE_GLOBAL);

    if (JS_IsException(result)) {
        JSValue exception = JS_GetException(ctx);
        JSValue message = JS_GetPropertyStr(ctx, exception, "message");
        const char *str = JS_ToCString(ctx, message);
        printf("Exception: %s\n", str);
        JS_FreeCString(ctx, str);
    }

    JS_FreeValue(ctx, result);
    JS_FreeContext(ctx);
    JS_FreeRuntime(rt);

    return 0;
}

clang cutils.c libbf.c libregexp.c quickjs-libc.c quickjs.c libunicode.c t.c -o t && ./t
Class ID 59 is created!
Class ID: 59 fetched from opaque
[1]    2046 segmentation fault  ./t

It's crashed on function JS_NewObjectClass, but I don't know.

[saghul]

Looks like memory corruption, look at ctx:

(lldb) r
There is a running process, kill it and restart?: [Y/n] y
Process 39659 exited with status = 9 (0x00000009) killed
Process 40984 launched: '/Users/saghul/src/quickjs/t' (arm64)
Class ID 59 is created!
Class ID: 59 fetched from opaque
Process 40984 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7b)
    frame #0: 0x000000010003fbdc t`JS_NewObjectClass(ctx=0x000000000000003b, class_id=59) at quickjs.c:5000:45
   4997
   4998	JSValue JS_NewObjectClass(JSContext *ctx, int class_id)
   4999	{
-> 5000	    return JS_NewObjectProtoClass(ctx, ctx->class_proto[class_id], class_id);
   5001	}
   5002
   5003	JSValue JS_NewObjectProto(JSContext *ctx, JSValue proto)
Target 0: (t) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7b)
  * frame #0: 0x000000010003fbdc t`JS_NewObjectClass(ctx=0x000000000000003b, class_id=59) at quickjs.c:5000:45
    frame #1: 0x00000001000f87cc t`js_class_constructor(ctx=0x000000000000003b, new_target=JSValue @ 0x000000016fdfc610, argc=0, argv=0x000000016fdfc9d0) at t.c:15:19
    frame #2: 0x00000001000360d4 t`js_call_c_function(ctx=0x000000000000003b, func_obj=JSValue @ 0x000000016fdfc870, this_obj=JSValue @ 0x000000016fdfc860, argc=0, argv=0x000000016fdfc9d0, flags=1) at quickjs.c:14650:19
    frame #3: 0x000000010005b36c t`JS_CallConstructorInternal(ctx=0x0000000123f04630, func_obj=JSValue @ 0x000000016fdfc970, new_target=JSValue @ 0x000000016fdfc960, argc=0, argv=0x000000016fdfc9d0, flags=1) at quickjs.c:17499:16
    frame #4: 0x00000001000500c8 t`JS_CallInternal(caller_ctx=0x0000000123f04630, func_obj=JSValue @ 0x000000016fdfe830, this_obj=JSValue @ 0x000000016fdfe820, new_target=JSValue @ 0x000000016fdfe810, argc=0, argv=0x0000000000000000, flags=2) at quickjs.c:15258:27
    frame #5: 0x0000000100042054 t`JS_CallFree(ctx=0x0000000123f04630, func_obj=JSValue @ 0x000000016fdfe980, this_obj=JSValue @ 0x000000016fdfe970, argc=0, argv=0x0000000000000000) at quickjs.c:17394:19
    frame #6: 0x000000010005d3ec t`JS_EvalFunctionInternal(ctx=0x0000000123f04630, fun_obj=JSValue @ 0x000000016fdfea40, this_obj=JSValue @ 0x000000016fdfea30, var_refs=0x0000000000000000, sf=0x0000000000000000) at quickjs.c:33193:19
    frame #7: 0x0000000100067288 t`__JS_EvalInternal(ctx=0x0000000123f04630, this_obj=JSValue @ 0x000000016fdfebe0, input="const obj = new MyClass();\n", input_len=27, filename="<input>", flags=0, scope_idx=-1) at quickjs.c:33326:19
    frame #8: 0x000000010005d690 t`JS_EvalInternal(ctx=0x0000000123f04630, this_obj=JSValue @ 0x000000016fdfec50, input="const obj = new MyClass();\n", input_len=27, filename="<input>", flags=0, scope_idx=-1) at quickjs.c:33344:12
    frame #9: 0x000000010005d5d4 t`JS_EvalThis(ctx=0x0000000123f04630, this_obj=JSValue @ 0x000000016fdfecc0, input="const obj = new MyClass();\n", input_len=27, filename="<input>", eval_flags=0) at quickjs.c:33374:11
    frame #10: 0x000000010005d6f4 t`JS_Eval(ctx=0x0000000123f04630, input="const obj = new MyClass();\n", input_len=27, filename="<input>", eval_flags=0) at quickjs.c:33382:12
    frame #11: 0x00000001000f86a8 t`main(argc=1, argv=0x000000016fdff0a8) at t.c:50:22
    frame #12: 0x00000001811f3154 dyld`start + 2476

[saghul]

Hum I think I see what's up.

JSObject has an opaque field, which is part of a union. The fields in that union for a C function, what you created, are as follows:

        struct { /* JS_CLASS_C_FUNCTION: 12/20 bytes */
            JSContext *realm;
            JSCFunctionType c_function;
            uint8_t length;
            uint8_t cproto;
            int16_t magic;
        } cfunc;

Note how the first field, realm, is the context.

So it looks like JS_SetOpaque can't work in this case.

@bnoordhuis Thoughts on this? Looks like calling set opaque in any class < JS_CLASS_INIT_COUNT is bound to be problematic.

I guess we could make the function return int, and fail in that case? Keep it void and throw an internal error?

[boot2linux]

@saghul thank you for explaining.

[boot2linux]

@saghul @bnoordhuis
Is it possible to move opaque from union u to top member of struct JSObject. I like this solution:

1. CFuntion is also object. It make sense to set opaque.
2. such as jscore engine, it supports to set opaque on constructor also.

If you think it's OK, I can send a pull request.

[saghul]

That means every object gets larger, which we don't want to do.

You can set the opaque in the object itself.