🔎 Search Terms
Hi
This is another follow-up ticket from the fuzzing crashes discussion and the first debug failure report.
Search terms:
- transpileModule
- debug failure
- crash
🕗 Version & Regression Information
- This is a crash I found and reproduced in version 5.2.0
⏯ Playground Link
No response
💻 Code
const ts = require('typescript');
// Fuzzer-generated source text, hard-coded. Note the embedded NUL and other
// C0 control characters (\u0000, \u0001, \u000c, \u001c) around the `for` keyword.
const input = 'c(_L\u0000\u0000for[.znst___r__p,,,,5,,,,,,,\u001c\u001cimport\u000cde<entrt<,{nroto__\u0001\u0000\u0000\u0000@+fo';
const transpileOptions = {};
// Throws "Error: Debug Failure. False expression." from visitIterationBody (see stack trace below)
ts.transpileModule(input, transpileOptions);
As before, both input and transpileOptions are fuzzer-generated values I hard-coded for simplicity. The PoC is a minimized version of the original fuzzing harness.
🙁 Actual behavior
Stack trace
This is the stack trace the fuzzer found:
==6190== Uncaught Exception: Jazzer.js: Debug Failure. False expression.
Error: Debug Failure. False expression.
at visitIterationBody (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:86142:11)
at fn (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:86801:13)
at visitEachChild (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:86171:35)
at visitTypeScript (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:89047:18)
at visitorWorker (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:88828:16)
at f (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:88843:18)
at saveStateAndInvoke (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:88793:23)
at visitor (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:88833:14)
at visitArrayWorker (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:85983:51)
at nodesVisitor (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:85954:21)
at visitLexicalEnvironment (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:86010:18)
at f (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:89054:9)
at saveStateAndInvoke (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:88793:23)
at transformSourceFile (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:88783:23)
at transform2 (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:88768:14)
at transformation (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:109610:16)
at transformRoot (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:109633:73)
at transformNodes (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:109618:71)
at emitJsFileOrBundle (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:110205:26)
at action (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:110140:7)
at forEachEmittedFile (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:109894:26)
at emitFiles (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:110114:5)
at emitWorker (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:117550:26)
at func (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:117535:53)
at runWithCancellationToken (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:117624:16)
at Object.emit (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:117535:22)
at Object.transpileModule (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:132991:13)
at module.exports.fuzz (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/fuzz_transpile_module.js:28:8)
at /Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/@jazzer.js/core/core.ts:411:15
at /Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/@jazzer.js/core/core.ts:179:38
Affected code
// node_modules/typescript/lib/typescript.js:86142
function visitIterationBody(body, visitor, context, nodeVisitor = visitNode) {
context.startBlockScope();
const updated = nodeVisitor(body, visitor, isStatement, context.factory.liftToBlock);
Debug.assert(updated); // This crashes: nodeVisitor returned no node (a falsy value) for the loop body
🙂 Expected behavior
Not crash the Node.js runtime
Additional information about the issue
No response