at first thanks for your code ;
I use your code , but when I have a request that how could I accomplish the function like setTimeout?
the setTimeout's first paramiter maybe a lambda, so , how could I run this lambda? wait for your apply!

many thanks!

Hello,

in current release the function above is broken. You'll get always NaN when trying to get time timestamp via (new Date()).getTime()

Can you confirm this?

ParseInt is specced to work with radix values 2 through 36, Line 53 of jsbuiltin.c allows only 2 through 32.

Yay or nay?

Poking around the codebase I noticed it is modeled after Lua (sans register VM) in many regards and it might be worth it to continue in this trend.

I do realize this is basically introducing bloat and non-standard extension, however the two $SUBJ features are the key selling points of Lua - and will be missed by anybody who ports Lua scripting to use mujs. Some might also consider these two making js suck (vastly) less.

Question is, would be code submissions of this sort considered or are they better kept in side fork as the goal of mujs is to be strictly minimal ecma implementation, with no compromises made which would introduce nonstandard features?

Regarding technicalities, superficially it seems that no big refactoring would be necessary and all the changes would be quite self contained, with the exception js_State->{stack,top,bot} which would have to go into new js_Thread (and original references to js_State should be made via js_Thread->J)

Tailcall optimization would be enabled by scope flag (as it is a nonstandard semantic).

Coroutines as a package call, very similiar to Lua, including unability to yield across C stack. As a side benefit, ES6 generators could be then done simply by adding syntactic sugar to this.

Are there any plans to create builds specifically targeted at running on embedded systems? Something like Espruino or micropython come to mind.

Just a small note on standards compliance... not sure if anyone even uses this function.

$ mujs
> var a = 'ab';
> var b = 'Ab';
> a.localeCompare(b, 'en', {'sensitivity': 'base'});
32
> b = 'ab';
ab
> a.localeCompare(b, 'en', {'sensitivity': 'base'});
0
> a = 'Ab';
Ab
> a.localeCompare(b, 'en', {'sensitivity': 'base'});
-32

Expected result:

All three should return 0, since they are meant to be equal when case-sensitivity is base.

E.g. JSON.stringify(x, null, 2) should format the value of x with new-lines and 2 spaces indentation. In practice, it doesn't use spaces or new-lines at all (i.e. no white spaces at all).

Failing example: '{"empty": []}'

diff --git a/json.c b/json.c
index 4864c42..a7c8e49 100644
--- a/json.c
+++ b/json.c
@@ -45,8 +45,8 @@ static void jsonvalue(js_State *J)
        case '{':
                js_newobject(J);
                jsonnext(J);
-               if (J->lookahead == '}')
-                       return;
+               if (jsonaccept(J, '}'))
+                 return;
                do {
                        if (J->lookahead != TK_STRING)
                                js_syntaxerror(J, "JSON: unexpected token: %s (expected string)", jsY_tokenstring(J->l
@@ -63,8 +63,8 @@ static void jsonvalue(js_State *J)
                js_newarray(J);
                jsonnext(J);
                i = 0;
-               if (J->lookahead == ']')
-                       return;
+               if (jsonaccept(J, ']'))
+                 return;
                do {
                        jsonvalue(J);
                        js_setindex(J, -2, i++);

interesting, and you can organize your work with precompiled script?
in other words, build it into an executable type and store it in memory, and when accessing read directly from memory?

I can include MuJS as follows:

extern "C" {
  #include <mujs.h>
}

But then I get the error:

ccxvii/mujs/1.11.0/mujs.h:150:106: error: expected ')'
void js_newuserdatax(js_State *J, const char *tag, void *data, js_HasProperty has, js_Put put, js_Delete delete, js_Finalize finalize);

Renaming delete to d solves the issue.

Perhaps this change should be integrated in the library for C++ users?

print(parseInt("0x1000")); // returns 0, should return 4096

If radix is undefined or 0, it is assumed to be 10 except when the number begins with the character pairs 0x or 0X, in which case a radix of 16 is assumed.

print("TEST" == "test".toUpperCase()); // returns false, should return true

possible solution for string 'Sp_toLowerCase' and 'Sp_toUpperCase' functions is to use calloc instead of malloc which will zero destination memory block.

so, when I change from:

char *dst = malloc(UTFmax * strlen(src) + 1);

to

char *dst = calloc(UTFmax * strlen(src) + 1, sizeof(char));

everything works as expected.

var re = /[\s]+/;
var re1 = /[\S]+/;
SyntaxError: regular expression: invalid character class range
[string]:1: in function ''
[C]: in function '?'

Fix is in regexp.c in function addrange_S, delete line 226, which declares an invalid range.

var start = new Date();
var p = 0;
for(var i = 0; i < 2000000; i++) {
   p = p + 1;
}
var end = new Date();
var diff = end - start;

print(diff);

the result (diff) is always rounded to thousand which is not precise enough

possible solution:

// jsdate.c
static double Now(void)
{
    struct timeval tp;
    gettimeofday(&tp, NULL);

    double tms = 
        (unsigned long long)(tp.tv_sec) * 1000 +
        (unsigned long long)(tp.tv_usec) / 1000;

    return tms;
}

'gettimeofday' function for windows:

static const unsigned __int64 epoch = 116444736000000000;

int gettimeofday(struct timeval * tp, struct timezone * tzp)
{
    FILETIME file_time;
    SYSTEMTIME system_time;
    ULARGE_INTEGER ularge;

    GetSystemTime(&system_time);
    SystemTimeToFileTime(&system_time, &file_time);
    ularge.LowPart = file_time.dwLowDateTime;
    ularge.HighPart = file_time.dwHighDateTime;

    tp->tv_sec = (long)((ularge.QuadPart - epoch) / 10000000L);
    tp->tv_usec = (long)(system_time.wMilliseconds * 1000);

    return 0;
}

E.g. JSON.parse("true") results in SyntaxError: JSON:1: unexpected character: 't'
And the same goes for any other cases where true or false are used as values.

Other JSON parsers do parse it correctly.

When ftell() is used on a file opened in text mode that contains only linefeeds (0x0A) with no carriage returns (0x0D), ftell() may return an incorrect value on the first call, causing all subsequent return values to be wrong as well. Opening the file in binary mode eliminates this problem. A text file, by definition, contains CR-LF pairs that are condensed to single LF (linefeed) characters on input. A file that contains LF characters with no CR (carriage return) characters is an ill-formed text file and should be processed in binary mode.

It works for me when I change from:

f = fopen(filename, "r");

to

f = fopen(filename, "rb");

Do you plan on pinning any commits to a version number?

   function F (a,b,c) { print (a,b,c) }; var Fa = F.bind (null, 123);

TypeError: 'prototype' is read-only
[C]: in function 'bind'
[string]:1: in function ''
[C]: in function '?'

Javascript source code should be in unicode characters. But when I tried to compile the source file in UTF16 format (either big endian or little endian) , it complaint about syntax error when it read the first byte of the source file (which contains the 0xFEFF Byte Order Mark).

Does mujs support unicode at all? In particular, how should I code text strings having unicode characters?

Hi @ccxvii, thanks again for the quick solving of the two bugs I reported yesterday. Incredible work.

Would you please mind tagging v1.0.2 so that distributions will pick it up and start building it? It has a fixed ton of bugs over v1.0.1. 👍

Thanks for your hard work.

Hello,

I would like to ask if there exists any compiling flag or setup that makes MuJS be optimised for speed. This possibility is mentioned on the main web page for MuJS https://mujs.com/

Thanks.

Kind regards,
Asier Rivera.

  1 if(true){
  2   function foo(){
  3     print('this is foo');
  4   }
  5 }
  6 foo();
  7 print('done.');

test2.js:2: warning: function statements are not standard

Timer resolution on Macs is always "000". Maybe this line is the culprit:

Result:

$ mujs
> Date.now()
1512947603000
> Date.now()
1512947607000
> Date.now()
1512947608000
> Date.now()
1512947608000
> Date.now()
1512947609000
> Date.now()
1512947610000
> Date.now()
1512947610000
> Date.now()
1512947610000
> Date.now()
1512947611000

I am interested in testing the engine against the standard ECMAScript conformance test suite mainly to verify my own modifications to the engine. How should I do it?

The functions numtostr, js_isiterator, js_rot4, jsR_dumpstack, jsR_dumpenvironment and js_trap are only used inside their respected files and don't have declarations elsewhere, but are not defined as static.

This could generate some warnings depending on warning level.

Setting them to static removes the warnings.

mujs:

> function myFunction (a,b,c) { return [a,b,c] };
> typeof myFunction
function
> typeof myFunction.name
undefined
> Object.getOwnPropertyNames (myFunction)
length,prototype

Chromium :

function myFunction (a, b, c) { return [a,b,c] }
myFunction(a, b, c) { return [a,b,c] }
Object.getOwnPropertyNames (myFunction)
["length", "name", "arguments", "caller", "prototype"]

So the function properties name, arguments and caller are are not implemented.

mujs has some weird array issue...

> var arr = [];
> for (var i = 0; i <= 1000; ++i) { arr.push('foo'+i); }
1001
> arr.sort();
stack overflow

The https://github.com/ccxvii/mujs/blob/master/jsarray.c sort function doesn't look recursive so I don't understand why the stack is overflowing. Perhaps some function adds stuff to the stack but forgets to remove it?

parseInt("x"); // returns: 0, should return: NaN
123.456.toExponential(6); // returns: 1.234560e+002, should return: 1.234560e+2
new Date(Date.UTC(0, 0, 0)).toDateString(); // returns: Feb 06 2036, should return: Dec 31 1899

other than that... any plans to export functions for use in other languages?

Hello,
I was using American Fuzzy Lop (afl-fuzz) to fuzz input the mujs program on Linux. Is fixing the crashes from these input files something you're interested in? The input files can be found here: https://github.com/rwhitworth/mujs-fuzz/tree/master/2017-05-12.

The files can be executed as ./mujs id_filename to cause seg faults.

Let me know if I can provide any more information to help narrow down this issue. I tried to use valgrind to narrow the problems down, but without any luck.

how to call a have variable argument lists c language function , i want call like 'printf(fmt,...)' function from javascript, how to implement

Hello,

I am trying to use MuJS within an SGX enclave to execute a simple JavaScript code but I get "stack underflow!" error when calling "js_call". I commented all the "printf" and "putchar" like functions because they are not allowed by SGX and removed the JSDATE functionalities.

The code is the following:

js_State *J = js_newstate(NULL, NULL, JS_STRICT);
 //Load scripts
js_loadstring(J, "", "function myFn(){return 40;}");
js_pushundefined(J);
js_call(J, 0); /* execute the script function that defines myFunction */
js_getglobal(J, "myFn"); /* get the  mainFunction object */
js_pushglobal(J);
js_call(J, 0); /* call with 0 arguments */
ret = js_tostring(J, -1); /* read return value */

I found that in the function "jsR_run" gets stuck in the "while(1)" after the first "stack underflow!" because the "opcode" keeps being the case "OP_POP" and it is all the time calling "js_pop" which shows the error.
Any idea why this is happening?

Thanks for your help.

It would be good if source files moved into src or lib (just example) and it would be useful if docs are there.

Some test results:

{}+[]
0
{}+""
0
""+{}
[object Object]

But in Firefox and Chrome result of {}+[] and {}+"" are both [object Object]
My understanding is that when any 1 of the operands of a + is an object, both operands are converted to string using .toString(). For an empty object {}, the default .toString() is called which returns the string "object Object". An empty array [] is converted to an empty string. The + is then considered as a string concatenation yielding "[object Object]".

As I continue to test my JS code with mujs, I found this problem:

Object.prototype.toString fails for values null and undefined :

    > Object.prototype.toString.call (null)
    TypeError: cannot convert null to object
            [C]: in function 'toString'
            [C]: in function 'call'
            [string]:1: in function ''
            [C]: in function '?'
    > Object.prototype.toString.call (undefined)
    TypeError: cannot convert undefined to object
            [C]: in function 'toString'
            [C]: in function 'call'
            [string]:1: in function ''
            [C]: in function '?'

The specification requires and the Chromium browser returns :
Object.prototype.toString.call(null)
"[object Null]"
Object.prototype.toString.call(undefined)
"[object Undefined]

My fix in file jsobject.c, function Op_toString

static void Op_toString(js_State *J)
{
    js_Object *self;

    if (js_isnull (J, 0)) { 
        js_pushliteral (J, "[object Null]"); 
        return; 
    }

    if (js_isundefined (J, 0)) {
        js_pushliteral (J, "[object Undefined]"); 
        return;
    }

    switch ((self = js_toobject (J, 0))->type) {
    case JS_COBJECT: js_pushliteral(J, "[object Object]"); break;
    case JS_CARRAY: js_pushliteral(J, "[object Array]"); break;

Resulting in :

> Object.prototype.toString.call (null)
[object Null]
> Object.prototype.toString.call (undefined)
[object Undefined]

gcc -v

Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/i686-pc-linux-gnu/4.6.4/lto-wrapper
Target: i686-pc-linux-gnu
Configured with: ./configure --prefix=/usr
Thread model: posix
gcc version 4.6.4 (GCC)

make | grep warning

jsarray.c: In function 'Ap_join':
jsarray.c:95:14: warning: variable 'sep' might be clobbered by 'longjmp' or 'vfork' [-Wclobbered]
jsarray.c:97:15: warning: variable 'seplen' might be clobbered by 'longjmp' or 'vfork' [-Wclobbered]
jsdump.c: In function 'js_dumpvalue':
jsdump.c:808:3: warning: format '%p' expects argument of type 'void *', but argument 2 has type 'struct js_Object *' [-Wformat]
jsdump.c:809:3: warning: format '%p' expects argument of type 'void *', but argument 2 has type 'struct js_Object *' [-Wformat]
jsdump.c:815:5: warning: format '%p' expects argument of type 'void *', but argument 2 has type 'struct js_Object *' [-Wformat]
jsdump.c:818:3: warning: format '%p' expects argument of type 'void *', but argument 2 has type 'js_CFunction' [-Wformat]
jsdump.c:823:3: warning: format '%p' expects argument of type 'void *', but argument 2 has type 'struct js_Object *' [-Wformat]
jsdump.c:827:3: warning: format '%p' expects argument of type 'void *', but argument 2 has type 'struct js_Object *' [-Wformat]
jsfunction.c: In function 'jsB_Function':
jsfunction.c:11:14: warning: variable 'body' might be clobbered by 'longjmp' or 'vfork' [-Wclobbered]
jsstring.c: In function 'Sp_concat':
jsstring.c:103:15: warning: variable 'n' might be clobbered by 'longjmp' or 'vfork' [-Wclobbered]
regex.c: In function 'compile':
regex.c:686:14: warning: 'inst' may be used uninitialized in this function [-Wuninitialized]
regex.c: In function 'lex':
regex.c:279:13: warning: 'save' may be used uninitialized in this function [-Wuninitialized]
regex.c:248:7: note: 'save' was declared here
In file included from one.c:7:0:
jsdump.c: In function 'js_dumpvalue':
jsdump.c:808:3: warning: format '%p' expects argument of type 'void *', but argument 2 has type 'struct js_Object *' [-Wformat]
jsdump.c:809:3: warning: format '%p' expects argument of type 'void *', but argument 2 has type 'struct js_Object *' [-Wformat]
jsdump.c:815:5: warning: format '%p' expects argument of type 'void *', but argument 2 has type 'struct js_Object *' [-Wformat]
jsdump.c:818:3: warning: format '%p' expects argument of type 'void *', but argument 2 has type 'js_CFunction' [-Wformat]
jsdump.c:823:3: warning: format '%p' expects argument of type 'void *', but argument 2 has type 'struct js_Object *' [-Wformat]
jsdump.c:827:3: warning: format '%p' expects argument of type 'void *', but argument 2 has type 'struct js_Object *' [-Wformat]
In file included from one.c:24:0:
regex.c: In function 'lex':
regex.c:279:13: warning: 'save' may be used uninitialized in this function [-Wuninitialized]
regex.c:248:7: note: 'save' was declared here
regex.c: In function 'compile':
regex.c:686:14: warning: 'inst' may be used uninitialized in this function [-Wuninitialized]
In file included from one.c:22:0:
jsstring.c: In function 'Sp_concat':
jsstring.c:103:15: warning: variable 'n' might be clobbered by 'longjmp' or 'vfork' [-Wclobbered]
In file included from one.c:23:0:
jsvalue.c: In function 'js_instanceof':
jsrun.c:155:14: warning: assuming signed overflow does not occur when assuming that (X - c) > X is always false [-Wstrict-overflow]
In file included from one.c:1:0:
jsarray.c: In function 'Ap_join':
jsarray.c:95:14: warning: variable 'sep' might be clobbered by 'longjmp' or 'vfork' [-Wclobbered]
jsarray.c:97:15: warning: variable 'seplen' might be clobbered by 'longjmp' or 'vfork' [-Wclobbered]
jsarray.c: In function 'Ap_sort':
jsrun.c:155:14: warning: assuming signed overflow does not occur when assuming that (X - c) > X is always false [-Wstrict-overflow]
In file included from one.c:9:0:
jsfunction.c: In function 'jsB_Function':
jsfunction.c:11:14: warning: variable 'body' might be clobbered by 'longjmp' or 'vfork' [-Wclobbered]

static void Np_toString(js_State *J)
{

	/* lame number to string conversion for any radix from 2 to 36 */
	{
		static const char digits[36] = "0123456789abcdefghijklmnopqrstuvwxyz";

In jsnumber.c, the above function defines digits as 36 chars, but the initializer has 37 char because of the null-terminator. When we compile the source as cpp code (but not c) in VC++, the compilation error appear.

It is useful to compile the code as C++ since I want to use STL and other C++ features in my own modifications.

Hello,
I'm trying to enable the support for the mpv player's js backend (which uses MuJS) on the brew package manager.
The issue is, the version variable in the MuJS makefile relies on the presence of the .git folder, which is absent on releases' tarballs (used by brew for softwares' stable releases), so it simply doesn't write any version string in the .pc file, making softwares such as mpv that checks specific versions of the library via pkg-config fail to pick it up.
Is there any way to make possible to have the version string written in the .pc in such cases?

Hi, I'm reading the following:

It seems to only set the length property. It doesn't actually delete the indexes. Is that correct? Many people use arr.length = 0 to erase everything in an array but the MuJS code doesn't seem to have that effect.

Unlike Array.splice(), from the same file, which calls "delindex" on every index.

Here's what the spec says:

http://www.ecma-international.org/ecma-262/5.1/#sec-15.4.5.2

The length property of this Array object is a data property whose value is always numerically greater than the name of every deletable property whose name is an array index.

The length property initially has the attributes { [[Writable]]: true, [[Enumerable]]: false, [[Configurable]]: false }.

NOTE Attempting to set the length property of an Array object to a value that is numerically less than or equal to the largest numeric property name of an existing array indexed non-deletable property of the array will result in the length being set to a numeric value that is one greater than that largest numeric property name. See 15.4.5.1.

In some random tests, I found that the character U+02aa is not recognized as a valid identifier character.

var \u02aa="s";
\u02aa + "3";

SyntaxError: mujs\testjs.js:2: unexpected character: \u02AA

But U+02aa is listed as Lowercase character here:

http://www.fileformat.info/info/unicode/category/Ll/list.htm

fyi, javascript identifiers can consist of characters from these categories: Uppercase letter, Lowercase letter, Titlecase letter, and some more. I am not able to comprehend the various tables used in utftype.c, but it looks like the lower case ranges in this source file are incomplete.

Note that it is possible for Javascript obfuscators to turn an ordinary long ASCII identifier to a single 16bit unicode character. So it is very possible that identifiers may contain odd characters like \u02aa.

When trying to convert an object which has no "toString()" nor "valueOf()" method to string, the ECMAScript 5.1 spec specifies the js system should throw a TypeError exception (point 5 below). Testing shows that mujs returns the string "[object]" instead. Is it an intended non-standard behaviour?

The relevant paragraphs of the ECMAScript 5.1 spec are here:

8.12.8 [[DefaultValue]] (hint)
When the [[DefaultValue]] internal method of O is called with hint String, the following steps are taken:
1. Let toString be the result of calling the [[Get]] internal method of object O with argument "toString".
2. If IsCallable(toString) is true then,
a. Let str be the result of calling the [[Call]] internal method of toString, with O as the this value and
an empty argument list.
b. If str is a primitive value, return str.
3. Let valueOf be the result of calling the [[Get]] internal method of object O with argument "valueOf".
4. If IsCallable(valueOf) is true then,
a. Let val be the result of calling the [[Call]] internal method of valueOf, with O as the this value and
an empty argument list.
b. If val is a primitive value, return val.
5. Throw a TypeError exception

gcc -v

Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/i686-pc-linux-gnu/4.6.4/lto-wrapper
Target: i686-pc-linux-gnu
Configured with: ./configure --prefix=/usr
Thread model: posix
gcc version 4.6.4 (GCC)

regex.c: In function 'compile':
regex.c:692:14: warning: 'inst' may be used uninitialized in this function [-Wuninitialized]
regex.c: In function 'lex':
regex.c:286:13: warning: 'save' may be used uninitialized in this function [-Wuninitialized]
regex.c:255:7: note: 'save' was declared here

and another platform:

gcc -v

Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/i686-pc-linux-gnu/4.9.0/lto-wrapper
Target: i686-pc-linux-gnu
Configured with: ./configure --prefix=/usr
Thread model: posix
gcc version 4.9.0 20131027 (experimental) (GCC)

jsrun.c: In function 'js_call':
jsrun.c:328:5: warning: assuming signed overflow does not occur when assuming that (X - c) > X is always false
[-Wstrict-overflow]
if (TOP < BOT) {
^
gcc -O2 -std=gnu99 -D_GNU_SOURCE -DLINUX -Wall -o ../../../.build/jsstate.o -c jsstate.c
gcc -O2 -std=gnu99 -D_GNU_SOURCE -DLINUX -Wall -o ../../../.build/jsstring.o -c jsstring.c
gcc -O2 -std=gnu99 -D_GNU_SOURCE -DLINUX -Wall -o ../../../.build/jsvalue.o -c jsvalue.c
gcc -O2 -std=gnu99 -D_GNU_SOURCE -DLINUX -Wall -o ../../../.build/utf.o -c utf.c
gcc -O2 -std=gnu99 -D_GNU_SOURCE -DLINUX -Wall -o ../../../.build/utftype.o -c utftype.c
gcc -O2 -std=gnu99 -D_GNU_SOURCE -DLINUX -Wall -o ../../../.build/regex.o -c regex.c
regex.c: In function 'lex':
regex.c:275:14: warning: 'save' may be used uninitialized in this function [-Wmaybe-uninitialized]
addrange(g, save, '-');
^
regex.c:255:7: note: 'save' was declared here
Rune save;
^

where is find samples of callback procedure?
Shematics analogue javascript xhr. Where is writen to C# callback called javascript function?

please, example.. sanks

print(NaN <= NaN); // returns true, should return false
print(NaN >= NaN); // returns true, should return false

possible solution:

case OP_LE: 
    b = js_compare(J);
    if (b == 0) {
        b = js_equal(J) ? 0 : 1;
    }
    js_pop(J, 2); 
    js_pushboolean(J, b <= 0); 
    break;
case OP_GE: 
    b = js_compare(J); 
    if (b == 0) {
        b = js_equal(J) ? 0 : -1;
    }
    js_pop(J, 2); 
    js_pushboolean(J, b >= 0); 
    break;

Hello,
I am trying to develop a simple code that runs a javascript function that gets two int values as input and returns the sum of those int values. Simple. I am trying to follow the documentation and I have the following code:

#include <stdio.h>
#include <mujs.h>

int main(int argc, char **argv)
{
        double ret = 0;
        js_State *J = js_newstate(NULL, NULL, JS_STRICT);
        //Push the function
        js_loadstring(J, "myfun", "function myFunction(p1, p2) { return p1+p2; }");
        //js_getglobal(J, "myfun");
        //Push the "this" value
        js_pushglobal(J);
        //Push the variables
        js_pushnumber(J,2);
        js_pushnumber(J,3);
        //Call the function
        js_call(J,2);
        ret = js_tonumber(J, -1);
        printf("The sum is: %lf", ret);
        js_freestate(J);
}

As you can imagine, this does not work, I followed the steps in the reference page:

To call a function, you must use the following protocol: 1) push the function to call onto the stack, 2) push the this value to be used by the function, 3) push the arguments to the function in order, 4) finally, call js_call with the number of arguments pushed in step 3.

However, I am confused about what is the "filename" value in the "js_loadstring" function? I understand it gets the JavaScript value from the "source" variable (the 3rd variable given as input).

In addition, I would like to get the value returned by the javascript code in the C program.

Thanks for your time. Any suggestion will be welcome :)

Hi,
Back again with another fuzz test result from afl-fuzz. Let me know what other details I can provide to help. I had tried to use valgrind against this input, but it isn't producing anything helpful.

Input file can be found at https://github.com/rwhitworth/mujs-fuzz/tree/master/2017-05-20

*** stack smashing detected ***: ./mujs terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x731af)[0x7f16d78d91af]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f16d795eaa7]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x0)[0x7f16d795ea70]
./mujs[0x41e604]
./mujs[0x417646]
./mujs[0x4098f1]
./mujs[0x408b8e]
./mujs[0x455510]
./mujs[0x407b8a]
./mujs[0x40781a]
./mujs[0x407fcd]
./mujs[0x4021a8]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7f16d7887b45]
./mujs[0x401f19]
======= Memory map: ========
00400000-0049d000 r-xp 00000000 08:01 179730                             /root/mujs/build/mujs
0069c000-0069e000 rw-p 0009c000 08:01 179730                             /root/mujs/build/mujs
0069e000-006ae000 rw-p 00000000 00:00 0
0205a000-0207f000 rw-p 00000000 00:00 0                                  [heap]
7f16d7650000-7f16d7666000 r-xp 00000000 08:01 15                         /lib/x86_64-linux-gnu/libgcc_s.so.1
7f16d7666000-7f16d7865000 ---p 00016000 08:01 15                         /lib/x86_64-linux-gnu/libgcc_s.so.1
7f16d7865000-7f16d7866000 rw-p 00015000 08:01 15                         /lib/x86_64-linux-gnu/libgcc_s.so.1
7f16d7866000-7f16d7a07000 r-xp 00000000 08:01 2803                       /lib/x86_64-linux-gnu/libc-2.19.so
7f16d7a07000-7f16d7c07000 ---p 001a1000 08:01 2803                       /lib/x86_64-linux-gnu/libc-2.19.so
7f16d7c07000-7f16d7c0b000 r--p 001a1000 08:01 2803                       /lib/x86_64-linux-gnu/libc-2.19.so
7f16d7c0b000-7f16d7c0d000 rw-p 001a5000 08:01 2803                       /lib/x86_64-linux-gnu/libc-2.19.so
7f16d7c0d000-7f16d7c11000 rw-p 00000000 00:00 0
7f16d7c11000-7f16d7d11000 r-xp 00000000 08:01 2807                       /lib/x86_64-linux-gnu/libm-2.19.so
7f16d7d11000-7f16d7f10000 ---p 00100000 08:01 2807                       /lib/x86_64-linux-gnu/libm-2.19.so
7f16d7f10000-7f16d7f11000 r--p 000ff000 08:01 2807                       /lib/x86_64-linux-gnu/libm-2.19.so
7f16d7f11000-7f16d7f12000 rw-p 00100000 08:01 2807                       /lib/x86_64-linux-gnu/libm-2.19.so
7f16d7f12000-7f16d7f32000 r-xp 00000000 08:01 2800                       /lib/x86_64-linux-gnu/ld-2.19.so
7f16d8124000-7f16d8127000 rw-p 00000000 00:00 0
7f16d812e000-7f16d8132000 rw-p 00000000 00:00 0
7f16d8132000-7f16d8133000 r--p 00020000 08:01 2800                       /lib/x86_64-linux-gnu/ld-2.19.so
7f16d8133000-7f16d8134000 rw-p 00021000 08:01 2800                       /lib/x86_64-linux-gnu/ld-2.19.so
7f16d8134000-7f16d8135000 rw-p 00000000 00:00 0
7ffd41721000-7ffd41742000 rw-p 00000000 00:00 0                          [stack]
7ffd417c9000-7ffd417cb000 r-xp 00000000 00:00 0                          [vdso]
7ffd417cb000-7ffd417cd000 r--p 00000000 00:00 0                          [vvar]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted