boa-dev/boa

panic: environment must be declarative

langston-barrett opened this issue · 3 comments

Found with tree-crasher on 0e01a74. Let me know if you still want more bug reports, I'll stop posting for now to avoid spamming you!

with({ p1:1,  }) {k[oa>>2]=d;}
{
  let a12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = 1,
      b = "";
}

Uncaught: ReferenceError: k is not defined
thread 'main' panicked at 'environment must be declarative', boa_engine/src/environments/runtime.rs:248:14
stack backtrace:
   0: rust_begin_unwind
             at /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/std/src/panicking.rs:575:5
   1: core::panicking::panic_fmt
             at /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/core/src/panicking.rs:64:14
   2: core::panicking::panic_display
             at /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/core/src/panicking.rs:147:5
   3: core::panicking::panic_str
             at /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/core/src/panicking.rs:131:5
   4: core::option::expect_failed
             at /rustc/2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74/library/core/src/option.rs:1924:5
   5: boa_engine::environments::runtime::DeclarativeEnvironmentStack::put_value
   6: <boa_engine::vm::opcode::define::DefInitLet as boa_engine::vm::opcode::Operation>::execute
   7: boa_engine::vm::<impl boa_engine::context::Context>::run
   8: boa_engine::context::Context::execute
   9: boa_engine::context::Context::eval_script
  10: boa::main
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
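Added example, not code from the issue or from Boa: the reproducer nests a block with `let` declarations inside a `with` statement, so the interesting question for an engine is which environment record each binding must land in. The snippet below runs the same shape under Node (via the `Function` constructor, which always produces a sloppy-mode function, so `with` is permitted regardless of the caller's mode) and returns what a spec-conforming engine observes: `p1` resolves through the object environment, the block's `let` bindings live in a fresh declarative environment and never appear on the `with` object, `var` hoists to the function environment, and an unresolvable name throws a ReferenceError rather than crashing. The helper names (`withBlockScoping`, `unresolvedInWith`) are my own.

```javascript
// Added example, not part of the issue or of Boa's code base.
// new Function(...) yields a sloppy-mode function, so 'with' is legal here.

// Mirror the reproducer's shape: a 'with' object environment wrapping a block
// that declares 'let' bindings. Returns what a conforming engine observes.
function withBlockScoping() {
  const probe = new Function('obj', `
    var result = {};
    with (obj) {
      // 'p1' resolves through the object environment record backed by obj.
      result.p1 = p1;
      {
        // Block-scoped bindings get a fresh declarative environment for the
        // block; they are never stored as properties on obj.
        let a = 1, b = "";
        result.inner = typeof a + "/" + typeof b;
      }
      // 'var' hoists to the function's environment, also not onto obj.
      var hoisted = 42;
    }
    // Anything other than p1 on obj would mean a binding leaked onto it.
    result.leaked = Object.keys(obj).filter(function (k) { return k !== "p1"; });
    result.hoisted = hoisted;
    return result;
  `);
  return probe({ p1: 1 });
}

// An unresolvable identifier inside 'with' (the 'k is not defined' line in the
// report) must surface as a ReferenceError, not as an engine crash.
function unresolvedInWith() {
  const probe = new Function('obj', 'with (obj) { return k; }');
  try {
    probe({ p1: 1 });
    return 'no error';
  } catch (e) {
    return e.constructor.name;
  }
}

// Stand-alone usage: print the observations.
console.log(withBlockScoping(), unresolvedInWith());
```

A conformance check like this is a useful regression test alongside the crash reproducer: the reproducer only proves the engine no longer panics, while the assertions pin down that the bindings end up in the right environment records.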

Hey @langston-barrett this fuzzer is interesting, do you have a guide or steps on how you’re using this with Boa?

The reference error seems correct but the panic shouldn’t be there.

Thanks for the interest @jasonwilliams! Good news is, it's really easy! The simplest set-up would be:

tree-crasher-javascript corpus/ boa

where corpus/ is a big collection of JavaScript files. This will only find really fatal errors like segfaults, though.

The one I actually use is:

systemd-run --scope -p MemoryMax=16G -p MemorySwapMax=0B --user unshare -Umn tree-crasher-javascript --interesting-stderr "(?m)^thread 'main' panicked at" corpus/ boa

That limits the RAM and network access of the fuzzed processes and also finds panics in addition to segfaults. I usually use a corpus of files that boa was able to successfully parse/execute.

Documentation is available here: https://langston-barrett.github.io/tree-crasher/

This is fixed, just needs to be added to our tests to avoid regressions.