`transpileModule`: debug failure crash

[0xricksanchez]

🔎 Search Terms

Hi

This is another follow-up ticket from the fuzzing crashes discussion and
the first debug failure report

Search terms:

• transpileModule
• debug failure
• crash

🕗 Version & Regression Information

• This is a crash I found and reproduced in version 5.2.0

⏯ Playground Link

No response

💻 Code

const ts = require('typescript');
const input = 'c(_L\u0000\u0000for[.znst___r__p,,,,5,,,,,,,\u001c\u001cimport\u000cde<entrt<,{nroto__\u0001\u0000\u0000\u0000@+fo';
const transpileOptions = {};
ts.transpileModule(input, transpileOptions);

As before, both input and transpileOptions options are fuzzer generated values I hard-coded for simplicity. The PoC is a minimized version of the original fuzzing harness.

🙁 Actual behavior

Stack trace

This is the fuzzer found stack trace

==6190== Uncaught Exception: Jazzer.js: Debug Failure. False expression.
Error: Debug Failure. False expression.
    at visitIterationBody (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:86142:11)
    at fn (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:86801:13)
    at visitEachChild (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:86171:35)
    at visitTypeScript (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:89047:18)
    at visitorWorker (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:88828:16)
    at f (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:88843:18)
    at saveStateAndInvoke (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:88793:23)
    at visitor (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:88833:14)
    at visitArrayWorker (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:85983:51)
    at nodesVisitor (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:85954:21)
    at visitLexicalEnvironment (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:86010:18)
    at f (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:89054:9)
    at saveStateAndInvoke (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:88793:23)
    at transformSourceFile (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:88783:23)
    at transform2 (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:88768:14)
    at transformation (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:109610:16)
    at transformRoot (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:109633:73)
    at transformNodes (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:109618:71)
    at emitJsFileOrBundle (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:110205:26)
    at action (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:110140:7)
    at forEachEmittedFile (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:109894:26)
    at emitFiles (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:110114:5)
    at emitWorker (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:117550:26)
    at func (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:117535:53)
    at runWithCancellationToken (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:117624:16)
    at Object.emit (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:117535:22)
    at Object.transpileModule (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/typescript/lib/typescript.js:132991:13)
    at module.exports.fuzz (/Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/fuzz_transpile_module.js:28:8)
    at /Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/@jazzer.js/core/core.ts:411:15
    at /Users/0x434b/Git/work/oss-fuzz-onboarding-projects/TypeScript/node_modules/@jazzer.js/core/core.ts:179:38

Affected code

// node_modules/typescript/lib/typescript.js:86142
function visitIterationBody(body, visitor, context, nodeVisitor = visitNode) {
  context.startBlockScope();
  const updated = nodeVisitor(body, visitor, isStatement, context.factory.liftToBlock);
  Debug.assert(updated); // This crashes

🙂 Expected behavior

Not crash the Node.js runtime

Additional information about the issue

No response

[Krytan]

I would like to solve this problem, if it is still an issue and nobody is working on it.
Do you mind if I start? @andrewbranch

[andrewbranch]

Go for it 👉 https://github.com/microsoft/TypeScript/blob/main/CONTRIBUTING.md#issue-claiming