Invalid writes on ffi module
saghul opened this issue · 6 comments
saghul commented
❯ valgrind --leak-check=full --show-leak-kinds=all ./build/tjs -- run tests/test-ffi.js
==13145== Memcheck, a memory error detector
==13145== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==13145== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info
==13145== Command: ./build/tjs -- run tests/test-ffi.js
==13145==
==13145== Conditional jump or move depends on uninitialised value(s)
==13145== at 0x1794A1: find_line_num (quickjs.c:6346)
==13145== by 0x179B39: build_backtrace (quickjs.c:6469)
==13145== by 0x17A38E: JS_ThrowError2 (quickjs.c:6575)
==13145== by 0x17A474: JS_ThrowError (quickjs.c:6592)
==13145== by 0x17A61F: JS_ThrowTypeError (quickjs.c:6612)
==13145== by 0x18EA19: js_throw_type_error (quickjs.c:13024)
==13145== by 0x192846: js_call_c_function (quickjs.c:14212)
==13145== by 0x19315E: JS_CallInternal (quickjs.c:14416)
==13145== by 0x19F577: JS_CallFree (quickjs.c:16863)
==13145== by 0x17BFC3: JS_GetPropertyInternal2 (quickjs.c:7114)
==13145== by 0x19A0E4: JS_CallInternal (quickjs.c:15685)
==13145== by 0x1952BF: JS_CallInternal (quickjs.c:14788)
==13145==
==13145== Invalid write of size 8
==13145== at 0x1680BA: ffi_call_unix64 (in /home/saghul/src/txiki.js/build/tjs)
==13145== by 0x1669FE: ffi_call_int (in /home/saghul/src/txiki.js/build/tjs)
==13145== by 0x13ACD2: js_ffi_cif_call (ffi.c:708)
==13145== by 0x192846: js_call_c_function (quickjs.c:14212)
==13145== by 0x19315E: JS_CallInternal (quickjs.c:14416)
==13145== by 0x19F4F8: JS_Call (quickjs.c:16856)
==13145== by 0x1D3D7F: js_function_apply (quickjs.c:35870)
==13145== by 0x1959A6: JS_CallInternal (quickjs.c:14866)
==13145== by 0x19563B: JS_CallInternal (quickjs.c:14824)
==13145== by 0x1952BF: JS_CallInternal (quickjs.c:14788)
==13145== by 0x1952BF: JS_CallInternal (quickjs.c:14788)
==13145== by 0x1A0201: async_func_resume (quickjs.c:17113)
==13145== Address 0x5fc7c00 is 0 bytes inside a block of size 4 alloc'd
==13145== at 0x4843788: malloc (vg_replace_malloc.c:442)
==13145== by 0x16C179: js_def_malloc (quickjs.c:1671)
==13145== by 0x16B752: js_malloc_rt (quickjs.c:1353)
==13145== by 0x16B881: js_malloc (quickjs.c:1391)
==13145== by 0x13ACB6: js_ffi_cif_call (ffi.c:706)
==13145== by 0x192846: js_call_c_function (quickjs.c:14212)
==13145== by 0x19315E: JS_CallInternal (quickjs.c:14416)
==13145== by 0x19F4F8: JS_Call (quickjs.c:16856)
==13145== by 0x1D3D7F: js_function_apply (quickjs.c:35870)
==13145== by 0x1959A6: JS_CallInternal (quickjs.c:14866)
==13145== by 0x19563B: JS_CallInternal (quickjs.c:14824)
==13145== by 0x1952BF: JS_CallInternal (quickjs.c:14788)
==13145==
==13145== Invalid write of size 1
==13145== at 0x4AA12D7: __vsprintf_internal (iovsprintf.c:68)
==13145== by 0x4A823C4: sprintf (sprintf.c:30)
==13145== by 0x168051: ffi_call_unix64 (in /home/saghul/src/txiki.js/build/tjs)
==13145== by 0x1669FE: ffi_call_int (in /home/saghul/src/txiki.js/build/tjs)
==13145== by 0x13ACD2: js_ffi_cif_call (ffi.c:708)
==13145== by 0x192846: js_call_c_function (quickjs.c:14212)
==13145== by 0x19315E: JS_CallInternal (quickjs.c:14416)
==13145== by 0x19F4F8: JS_Call (quickjs.c:16856)
==13145== by 0x1D3D7F: js_function_apply (quickjs.c:35870)
==13145== by 0x1959A6: JS_CallInternal (quickjs.c:14866)
==13145== by 0x19563B: JS_CallInternal (quickjs.c:14824)
==13145== by 0x1952BF: JS_CallInternal (quickjs.c:14788)
==13145== Address 0x5fd8f8e is 0 bytes after a block of size 14 alloc'd
==13145== at 0x4843788: malloc (vg_replace_malloc.c:442)
==13145== by 0x16C179: js_def_malloc (quickjs.c:1671)
==13145== by 0x16B752: js_malloc_rt (quickjs.c:1353)
==13145== by 0x16B7FC: js_mallocz_rt (quickjs.c:1374)
==13145== by 0x16B8D5: js_mallocz (quickjs.c:1403)
==13145== by 0x201625: js_array_buffer_constructor3 (quickjs.c:48031)
==13145== by 0x2017D0: js_array_buffer_constructor2 (quickjs.c:48066)
==13145== by 0x201815: js_array_buffer_constructor1 (quickjs.c:48075)
==13145== by 0x208346: js_typed_array_constructor (quickjs.c:50173)
==13145== by 0x1928CC: js_call_c_function (quickjs.c:14225)
==13145== by 0x19FA34: JS_CallConstructorInternal (quickjs.c:16968)
==13145== by 0x19547C: JS_CallInternal (quickjs.c:14806)
==13145==
==13145==
==13145== HEAP SUMMARY:
==13145== in use at exit: 5,176 bytes in 2 blocks
==13145== total heap usage: 93,149 allocs, 93,147 frees, 7,691,211 bytes allocated
==13145==
==13145== 56 bytes in 1 blocks are still reachable in loss record 1 of 2
==13145== at 0x4843788: malloc (vg_replace_malloc.c:442)
==13145== by 0x165AB7: tramp_table_alloc (in /home/saghul/src/txiki.js/build/tjs)
==13145== by 0x165E10: ffi_tramp_get_libffi (in /home/saghul/src/txiki.js/build/tjs)
==13145== by 0x165F18: ffi_tramp_is_supported (in /home/saghul/src/txiki.js/build/tjs)
==13145== by 0x162FE4: dlmmap.constprop.0 (in /home/saghul/src/txiki.js/build/tjs)
==13145== by 0x164A49: ffi_closure_alloc (in /home/saghul/src/txiki.js/build/tjs)
==13145== by 0x13BBEB: js_ffi_closure_create (ffi.c:957)
==13145== by 0x192846: js_call_c_function (quickjs.c:14212)
==13145== by 0x19FA34: JS_CallConstructorInternal (quickjs.c:16968)
==13145== by 0x19547C: JS_CallInternal (quickjs.c:14806)
==13145== by 0x19FB25: JS_CallConstructorInternal (quickjs.c:16981)
==13145== by 0x19547C: JS_CallInternal (quickjs.c:14806)
==13145==
==13145== 5,120 bytes in 1 blocks are still reachable in loss record 2 of 2
==13145== at 0x4843788: malloc (vg_replace_malloc.c:442)
==13145== by 0x165AD7: tramp_table_alloc (in /home/saghul/src/txiki.js/build/tjs)
==13145== by 0x165E10: ffi_tramp_get_libffi (in /home/saghul/src/txiki.js/build/tjs)
==13145== by 0x165F18: ffi_tramp_is_supported (in /home/saghul/src/txiki.js/build/tjs)
==13145== by 0x162FE4: dlmmap.constprop.0 (in /home/saghul/src/txiki.js/build/tjs)
==13145== by 0x164A49: ffi_closure_alloc (in /home/saghul/src/txiki.js/build/tjs)
==13145== by 0x13BBEB: js_ffi_closure_create (ffi.c:957)
==13145== by 0x192846: js_call_c_function (quickjs.c:14212)
==13145== by 0x19FA34: JS_CallConstructorInternal (quickjs.c:16968)
==13145== by 0x19547C: JS_CallInternal (quickjs.c:14806)
==13145== by 0x19FB25: JS_CallConstructorInternal (quickjs.c:16981)
==13145== by 0x19547C: JS_CallInternal (quickjs.c:14806)
==13145==
==13145== LEAK SUMMARY:
==13145== definitely lost: 0 bytes in 0 blocks
==13145== indirectly lost: 0 bytes in 0 blocks
==13145== possibly lost: 0 bytes in 0 blocks
==13145== still reachable: 5,176 bytes in 2 blocks
==13145== suppressed: 0 bytes in 0 blocks
==13145==
==13145== Use --track-origins=yes to see where uninitialised values come from
==13145== For lists of detected and suppressed errors, rerun with: -s
==13145== ERROR SUMMARY: 9 errors from 3 contexts (suppressed: 0 from 0)
saghul commented
@lal12 I need some help here. This is blocking #456
Looks like the size calculation for some elements is wrong. When I make it return at least 8 here:
Line 126 in c911cd7
sprintf
return code is broken next...
lal12 commented
Will look into it this week
lal12 commented
Sorry, didn't get to it before the holidays, have it on the agenda for this week though
lal12 commented
There are still some reachable notices, but that seems to be libffi internals and not freeable from outside.
saghul commented
That's ok. The problem manifests in a bad way on Debug builds when using mimalloc, because it aborts. So if there is libffi global state that is freed at application close, that's ok.
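An added example, not code from txiki.js or libffi, illustrating the two buffer-sizing rules behind the valgrind reports above: libffi requires the `ffi_call()` return buffer to be at least register-sized even for a 4-byte return type (the "Invalid write of size 8" into a 4-byte block), and `sprintf` always writes a terminating NUL past the formatted text (the 1-byte write just after the 14-byte ArrayBuffer). `REGISTER_SIZE` is an assumed stand-in for `sizeof(ffi_arg)` on x86-64 so the block compiles without libffi headers.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: stand-in for sizeof(ffi_arg) on x86-64, where libffi writes
 * integer results as a full register regardless of the C return type. */
#define REGISTER_SIZE 8

/* Size to allocate for the rvalue buffer passed to ffi_call(): never smaller
 * than a register, otherwise larger than the declared return type. A 4-byte
 * int return therefore needs an 8-byte buffer, not the 4 bytes in the log. */
size_t ffi_rvalue_alloc_size(size_t return_type_size) {
    return return_type_size < REGISTER_SIZE ? REGISTER_SIZE : return_type_size;
}

/* Bytes a sprintf-style call will write for this format and arguments,
 * including the terminating NUL that sprintf adds unconditionally. */
size_t sprintf_bytes_needed(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);  /* formatted length without NUL */
    va_end(ap);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded formatting into a caller-owned buffer of `cap` bytes. Returns 1
 * when the full result plus NUL fit, 0 when sprintf would have overrun. */
int format_checked(char *buf, size_t cap, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, cap, fmt, ap);
    va_end(ap);
    return n >= 0 && (size_t)n < cap;
}
```

The 14-byte buffer in the report can hold 13 formatted characters plus the NUL; one character more and `sprintf` writes past the end exactly as valgrind showed.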