Samsung / escargot

Escargot is a lightweight JavaScript engine designed specifically for resource-constrained environments.

Assertion `slot.m_index != (18446744073709551615UL)' failed in Escargot::GlobalEnvironmentRecord::setMutableBindingByBindingSlot #1311

Open Ye0nny opened 7 months ago

Ye0nny commented 7 months ago

Escargot

Build Steps

cmake -DESCARGOT_MODE=debug -DESCARGOT_OUTPUT=shell -GNinja

Describe the bug: Assertion failure

Test case

testcase

```javascript
var func0 = this. p1 = " a ", myObj = { p1 :! 0, del :! 1 } ; if ( eval ( " with ( myObj ) { del = delete p1 ; p1 ='a'; p1 = delete this. p1 } " ),! 0 === myObj. p1 ) throw new Test262Error ( " 1 : myObj. p1!== true " ) ; if ( void 0!== myObj. p1 ) throw new Test262Error ( " 2 : myObj. p1 === undefined. Actual : myObj. p1 === " + myObj. p1 ) ; if (! 0!== myObj. del ) throw new Test262Error ( " 2 : myObj. del === true. Actual : myObj. del === " + myObj. del ) ; if ( " a " === myObj. p1 ) throw new Test262Error ( " 4 : myObj. p1!=='a'" ) ;
```

// poc.js
// Minimal reproducer for this report: inside `with (myObj)`, `delete p1`
// (resolving to myObj.p1 through the with-scope) is followed by the store
// `p1 = 'a'`. That store reaches InterpreterSlowPath::storeByNameWithAddress
// (frame #5 in the backtrace) and then
// GlobalEnvironmentRecord::setMutableBindingByBindingSlot, where the slot's
// m_index equals 18446744073709551615 (SIZE_MAX) and the assertion at
// src/runtime/EnvironmentRecord.cpp:127 fires.
// NOTE(review): presumably the store is still using a binding slot resolved
// before the delete -- confirm against the interpreter. In release builds the
// assertion is compiled out and the same input ends in a segmentation fault
// (see output below), so this looks like an unchecked invalid-index access on
// script-controlled input rather than a benign abort.
var myObj = { p1 : 0, del : 1 } ;
eval ( " with ( myObj ) { delete p1 ; p1 ='a'; p1 = delete this. p1 } " ) ;

Execution steps & Output

$ ./escargot poc.js
escargot: src/runtime/EnvironmentRecord.cpp:127: virtual void Escargot::GlobalEnvironmentRecord::setMutableBindingByBindingSlot(Escargot::ExecutionState&, const Escargot::EnvironmentRecord::BindingSlot&, const Escargot::AtomicString&, const Escargot::Value&): Assertion `slot.m_index != (18446744073709551615UL)' failed.
Aborted

Backtrace

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7a70859 in __GI_abort () at abort.c:79
#2  0x00007ffff7a70729 in __assert_fail_base (fmt=0x7ffff7c06588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x555555b3d4f0 "slot.m_index != (18446744073709551615UL)", file=0x555555b3d2a0 "src/runtime/EnvironmentRecord.cpp", line=127,
    function=<optimized out>) at assert.c:92
#3  0x00007ffff7a81fd6 in __GI___assert_fail (assertion=0x555555b3d4f0 "slot.m_index != (18446744073709551615UL)", file=0x555555b3d2a0 "src/runtime/EnvironmentRecord.cpp", line=127,
    function=0x555555b3d418 "virtual void Escargot::GlobalEnvironmentRecord::setMutableBindingByBindingSlot(Escargot::ExecutionState&, const Escargot::EnvironmentRecord::BindingSlot&, const Escargot::AtomicString&, const Escargot"...) at assert.c:101
#4  0x00005555558d5cf7 in Escargot::GlobalEnvironmentRecord::setMutableBindingByBindingSlot (this=0xbecf0, state=..., slot=..., name=..., V=...) at src/runtime/EnvironmentRecord.cpp:127
#5  0x000055555571f4dd in Escargot::InterpreterSlowPath::storeByNameWithAddress (state=..., code=0x555555d14938, registerFile=0x7fffffffcef0) at src/interpreter/ByteCodeInterpreter.cpp:1849
#6  0x000055555571e52e in Escargot::Interpreter::interpret (state=0x9cd70, byteCodeBlock=0xc1e40, programCounter=93825000360248, registerFile=0x7fffffffcef0) at src/interpreter/ByteCodeInterpreter.cpp:1540
#7  0x000055555572954c in Escargot::InterpreterSlowPath::openLexicalEnvironment (state=@0x7fffffffc8a8: 0x7fffffffd030, programCounter=@0x7fffffffc898: 93825000359792, byteCodeBlock=0xc1e40, registerFile=0x7fffffffcef0)
    at src/interpreter/ByteCodeInterpreter.cpp:3668
#8  0x000055555571d91b in Escargot::Interpreter::interpret (state=0x7fffffffd030, byteCodeBlock=0xc1e40, programCounter=93825000359792, registerFile=0x7fffffffcef0) at src/interpreter/ByteCodeInterpreter.cpp:1279
#9  0x00005555557db76d in Escargot::Script::executeLocal (this=0xbccd0, state=..., thisValue=..., parentCodeBlock=0xbde30, isStrictModeOutside=false, isEvalCodeOnFunction=false) at src/parser/Script.cpp:628
#10 0x00005555558f4b2a in Escargot::GlobalObject::evalLocal (this=0xa35b0, state=..., arg=..., thisValue=..., parentCodeBlock=0xbde30, inWithOperation=false) at src/runtime/GlobalObject.cpp:218
#11 0x000055555572b434 in Escargot::InterpreterSlowPath::callFunctionComplexCase (state=..., code=0x555555d154f8, registerFile=0x7fffffffd9c0, byteCodeBlock=0xc1f50) at src/interpreter/ByteCodeInterpreter.cpp:3991
#12 0x000055555571dfd1 in Escargot::Interpreter::interpret (state=0x7fffffffd9f0, byteCodeBlock=0xc1f50, programCounter=93825000363256, registerFile=0x7fffffffd9c0) at src/interpreter/ByteCodeInterpreter.cpp:1425
#13 0x00005555557da97b in Escargot::Script::execute (this=0xbcee0, state=..., isExecuteOnEvalFunction=false, inStrictMode=false) at src/parser/Script.cpp:499
#14 0x0000555555643544 in Escargot::ScriptRef::execute (this=0xbcee0, state=0x7fffffffde80) at src/api/EscargotPublic.cpp:4706
#15 0x00005555559a3bc5 in <lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>::operator()(Escargot::ExecutionStateRef *, Escargot::ScriptRef *) const (__closure=0x0, state=0x7fffffffde80, script=0xbcee0) at src/shell/Shell.cpp:781
#16 0x00005555559a3bf0 in <lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>::_FUN(Escargot::ExecutionStateRef *, Escargot::ScriptRef *) () at src/shell/Shell.cpp:782
#17 0x00005555559a8f66 in Escargot::EvaluatorUtil::ApplyTupleIntoArgumentsOfVariadicTemplateFunction<0ul>::apply<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&, Escargot::ExecutionStateRef*&, Escargot::ScriptRef*&> (f=@0x7fffffffdd88: 0x5555559a3bc7 <<lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>::_FUN(Escargot::ExecutionStateRef *, Escargot::ScriptRef *)>) at src/api/EscargotPublic.h:521
#18 0x00005555559a8a1e in Escargot::EvaluatorUtil::ApplyTupleIntoArgumentsOfVariadicTemplateFunction<1ul>::apply<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&, Escargot::ScriptRef*&> (f=@0x7fffffffdd88: 0x5555559a3bc7 <<lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>::_FUN(Escargot::ExecutionStateRef *, Escargot::ScriptRef *)>, t=std::tuple containing = {...}) at src/api/EscargotPublic.h:510
#19 0x00005555559a829a in Escargot::EvaluatorUtil::ApplyTupleIntoArgumentsOfVariadicTemplateFunction<2ul>::apply<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&> (
    f=@0x7fffffffdd88: 0x5555559a3bc7 <<lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>::_FUN(Escargot::ExecutionStateRef *, Escargot::ScriptRef *)>, t=std::tuple containing = {...}) at src/api/EscargotPublic.h:510
#20 0x00005555559a792d in Escargot::EvaluatorUtil::applyTupleIntoArgumentsOfVariadicTemplateFunction<Escargot::ValueRef* (*&)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), std::tuple<Escargot::ExecutionStateRef*, Escargot::ScriptRef*>&> (
    f=@0x7fffffffdd88: 0x5555559a3bc7 <<lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>::_FUN(Escargot::ExecutionStateRef *, Escargot::ScriptRef *)>, t=std::tuple containing = {...}) at src/api/EscargotPublic.h:531
#21 0x00005555559a6bff in Escargot::Evaluator::executeImpl<Escargot::ContextRef, Escargot::ScriptRef*>(Escargot::ContextRef*, Escargot::ValueRef* (*)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), Escargot::ScriptRef*)::{lambda(Escargot::ExecutionStateRef*, void*, void*)#1}::operator()(Escargot::ExecutionStateRef*, void*, void*) const (this=0x0, state=0x7fffffffde80, tuplePtr=0x7fffffffe000,
    fnPtr=0x5555559a3bc7 <<lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>::_FUN(Escargot::ExecutionStateRef *, Escargot::ScriptRef *)>) at src/api/EscargotPublic.h:612
#22 0x00005555559a6c46 in Escargot::Evaluator::executeImpl<Escargot::ContextRef, Escargot::ScriptRef*>(Escargot::ContextRef*, Escargot::ValueRef* (*)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), Escargot::ScriptRef*)::{lambda(Escargot::ExecutionStateRef*, void*, void*)#1}::_FUN(Escargot::ExecutionStateRef*, void*, void*) () at src/api/EscargotPublic.h:606
#23 0x0000555555641896 in Escargot::Evaluator::<lambda(Escargot::ExecutionState&, void*)>::operator()(Escargot::ExecutionState &, void *) const (__closure=0x0, state=..., data=0x7fffffffdf20) at src/api/EscargotPublic.cpp:1087
#24 0x00005555556418d0 in Escargot::Evaluator::<lambda(Escargot::ExecutionState&, void*)>::_FUN(Escargot::ExecutionState &, void *) () at src/api/EscargotPublic.cpp:1088
#25 0x0000555555958874 in Escargot::SandBox::run (this=0x7fffffffdf70, scriptRunner=0x5555556418a7 <Escargot::Evaluator::<lambda(Escargot::ExecutionState&, void*)>::_FUN(Escargot::ExecutionState &, void *)>, data=0x7fffffffdf20) at src/runtime/SandBox.cpp:111
#26 0x00005555556419a0 in Escargot::Evaluator::executeFunction (ctx=0xa3af0,
    runner=0x5555559a6c15 <Escargot::Evaluator::executeImpl<Escargot::ContextRef, Escargot::ScriptRef*>(Escargot::ContextRef*, Escargot::ValueRef* (*)(Escargot::ExecutionStateRef*, Escargot::ScriptRef*), Escargot::ScriptRef*)::{lambda(Escargot::ExecutionStateRef*, void*, void*)#1}::_FUN(Escargot::ExecutionStateRef*, void*, void*)>, data=0x7fffffffe000, data2=0x5555559a3bc7 <<lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>::_FUN(Escargot::ExecutionStateRef *, Escargot::ScriptRef *)>)
    at src/api/EscargotPublic.cpp:1089
#27 0x00005555559a6cd7 in Escargot::Evaluator::executeImpl<Escargot::ContextRef, Escargot::ScriptRef*> (p=0xa3af0, fn=0x5555559a3bc7 <<lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)>::_FUN(Escargot::ExecutionStateRef *, Escargot::ScriptRef *)>)
    at src/api/EscargotPublic.h:614
#28 0x00005555559a5e39 in Escargot::Evaluator::execute<Escargot::ScriptRef*, evalScript(Escargot::ContextRef*, Escargot::StringRef*, Escargot::StringRef*, bool, bool)::<lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)> >(Escargot::ContextRef *, <lambda(Escargot::ExecutionStateRef*, Escargot::ScriptRef*)> &&) (ctx=0xa3af0, closure=...) at src/api/EscargotPublic.h:585
#29 0x00005555559a3ecd in evalScript (context=0xa3af0, source=0xabf70, srcName=0x7a390, shouldPrintScriptResult=false, isModule=false) at src/shell/Shell.cpp:783
#30 0x00005555559a52bd in main (argc=2, argv=0x7fffffffe358) at src/shell/Shell.cpp:1130

When executed in release mode:

Output

Segmentation fault

Expected behavior

true

Credits: @Ye0nny, @EJueon