v23.1.0 has unpredictable segfaults when running invalid JS files

[TheBrokenRail]

Example JS File

a.b.c.d;

Example Output

$ ./tjs run test.js
ReferenceError: 'a' is not defined
    at <anonymous> (test.js:1)
    at evalFile (native)
    at <anonymous> (run-main.js:120)

$ ./tjs run test.js
Segmentation fault
$ ./tjs run test.js
ReferenceError: 'a' is not defined
    at <anonymous> (test.js:1)
    at evalFile (native)
    at <anonymous> (run-main.js:120)

$ ./tjs run test.js
Segmentation fault
$ ./tjs run test.js
ReferenceError: 'a' is not defined
    at <anonymous> (test.js:1)
    at evalFile (native)
    at <anonymous> (run-main.js:120)

GDB Backtrace

(gdb) bt
#0  0x00005624d3833c04 in list_del (el=0x5624d3c329b8) at txiki.js/deps/quickjs/src/list.h:75
#1  __JS_FreeValueRT (rt=0x5624d3a4e3a0, v=...) at txiki.js/deps/quickjs/src/quickjs.c:5510
#2  0x00005624d3847cff in __JS_FreeValue (v=..., ctx=0x5624d3a4ecf0) at txiki.js/build/txiki.js/deps/quickjs/src/quickjs.c:5552
#3  JS_FreeValue (v=..., ctx=0x5624d3a4ecf0) at txiki.js/deps/quickjs/include/quickjs.h:648
#4  JS_CallFree (ctx=0x5624d3a4ecf0, func_obj=..., this_obj=..., argc=<optimized out>, argv=0x0) at txiki.js/deps/quickjs/src/quickjs.c:18725
#5  0x00005624d3847ed1 in js_evaluate_module (ctx=ctx@entry=0x5624d3a4ecf0, m=m@entry=0x5624d3c2e300) at txiki.js/deps/quickjs/src/quickjs.c:28334
#6  0x00005624d38c7928 in JS_EvalFunctionInternal (sf=0x0, var_refs=0x0, this_obj=..., fun_obj=..., ctx=0x5624d3a4ecf0) at txiki.js/deps/quickjs/src/quickjs.c:33533
#7  JS_EvalFunction (ctx=ctx@entry=0x5624d3a4ecf0, fun_obj=...) at txiki.js/deps/quickjs/src/quickjs.c:33548
#8  0x00005624d3807e68 in tjs__eval_bytecode (ctx=0x5624d3a4ecf0, buf=<optimized out>, buf_len=<optimized out>) at txiki.js/src/eval.c:43
#9  0x00005624d381be06 in TJS_Run (qrt=qrt@entry=0x5624d3a4dd70) at txiki.js/src/vm.c:366
#10 0x00005624d38043c3 in main (argc=<optimized out>, argv=<optimized out>) at txiki.js/src/cli.c:36

Valgrind Output

==3938325== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==3938325==  Access not within mapped region at address 0x8
==3938325==    at 0x153C04: list_del (list.h:75)
==3938325==    by 0x153C04: __JS_FreeValueRT (quickjs.c:5510)
==3938325==    by 0x167CFE: __JS_FreeValue (quickjs.c:5552)
==3938325==    by 0x167CFE: JS_FreeValue (quickjs.h:648)
==3938325==    by 0x167CFE: JS_CallFree (quickjs.c:18725)
==3938325==    by 0x167ED0: js_evaluate_module (quickjs.c:28334)
==3938325==    by 0x1E7927: JS_EvalFunctionInternal (quickjs.c:33533)
==3938325==    by 0x1E7927: JS_EvalFunction (quickjs.c:33548)
==3938325==    by 0x127E67: tjs__eval_bytecode (eval.c:43)
==3938325==    by 0x13BE05: TJS_Run (vm.c:366)
==3938325==    by 0x1243C2: main (cli.c:36)

Build Information

I've tested and reproduced this on two different build configurations:

• Plain cmake .. on Ubuntu 22.04 (using GCC)
• On Android 13 using the Android NDK (which uses Clang)
• This does not seem to occur with v22.11.1.

[saghul]

Can you please try #360 ?

[TheBrokenRail]

Yeah, it seems to have fixed it! That bug definitely seems weird, I wonder if it's an issue with QuickJS itself?

[saghul]

I think it is yeah, but it feels quite obscure TBH.