jerryscript-project / jerryscript

Ultra-lightweight JavaScript engine for the Internet of Things.
https://jerryscript.net
Apache License 2.0

Segmentation fault in ecma_promise_resolve_handler #1996

Closed renatahodovan closed 7 years ago

renatahodovan commented 7 years ago
Jerry version:
Checked revision: 7905422
Build command: ./tools/build.py --clean --debug --profile=es2015-subset
OS:
Ubuntu 16.04.3 LTS
Test case:
new Promise(function(f) {
    f.apply()
})
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00000000004357e6 in ecma_promise_resolve_handler (function=419, this=72, argv=0x0, argc=0)
    at jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:290
290   if (argv[0] == promise)
bt
#0  0x00000000004357e6 in ecma_promise_resolve_handler (function=435, this=72, argv=0x0, argc=0) at jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:290
#1  0x000000000043b049 in ecma_op_function_call (func_obj_p=0x96c100 <jerry_global_heap+432>, this_arg_value=72, arguments_list_p=0x0, arguments_list_len=0) at jerryscript/jerry-core/ecma/operations/ecma-function-object.c:501
#2  0x000000000040ffde in ecma_builtin_function_prototype_object_apply (this_arg=435, arg1=72, arg2=72) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:100
#3  0x000000000040fe9b in ecma_builtin_function_prototype_dispatch_routine (builtin_routine_id=59, this_arg_value=435, arguments_list=0x7fffffffc940, arguments_number=0) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.inc.h:41
#4  0x000000000045e882 in ecma_builtin_dispatch_routine (builtin_object_id=ECMA_BUILTIN_ID_FUNCTION_PROTOTYPE, builtin_routine_id=59, this_arg_value=435, arguments_list=0x7fffffffc940, arguments_number=0) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.inc.h:108
#5  0x000000000045eea9 in ecma_builtin_dispatch_call (obj_p=0x96c1d8 <jerry_global_heap+648>, this_arg_value=435, arguments_list_p=0x7fffffffc940, arguments_list_len=0) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:844
#6  0x000000000043ae21 in ecma_op_function_call (func_obj_p=0x96c1d8 <jerry_global_heap+648>, this_arg_value=435, arguments_list_p=0x7fffffffc940, arguments_list_len=0) at jerryscript/jerry-core/ecma/operations/ecma-function-object.c:419
#7  0x000000000041ef61 in opfunc_call.lto_priv.245 (frame_ctx_p=0x7fffffffc980) at jerryscript/jerry-core/vm/vm.c:408
#8  0x0000000000413328 in vm_execute (frame_ctx_p=0x7fffffffc980, arg_p=0x7fffffffcb00, arg_list_len=1) at jerryscript/jerry-core/vm/vm.c:2743
#9  0x00000000004135a9 in vm_run (bytecode_header_p=0x96c200 <jerry_global_heap+688>, this_binding_value=27, lex_env_p=0x96bf80 <jerry_global_heap+48>, is_eval_code=false, arg_list_p=0x7fffffffcb00, arg_list_len=2) at jerryscript/jerry-core/vm/vm.c:2823
#10 0x000000000043afd1 in ecma_op_function_call (func_obj_p=0x96c080 <jerry_global_heap+304>, this_arg_value=72, arguments_list_p=0x7fffffffcb00, arguments_list_len=2) at jerryscript/jerry-core/ecma/operations/ecma-function-object.c:482
#11 0x0000000000435e33 in ecma_op_create_promise_object (executor=307, type=ECMA_PROMISE_EXECUTOR_FUNCTION) at jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:519
#12 0x0000000000443e15 in ecma_builtin_promise_dispatch_construct (arguments_list_p=0x7fffffffcd34, arguments_list_len=1) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-promise.c:686
#13 0x000000000045f561 in ecma_builtin_dispatch_construct (obj_p=0x96c060 <jerry_global_heap+272>, arguments_list_p=0x7fffffffcd34, arguments_list_len=1) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.inc.h:474
#14 0x000000000043b5b9 in ecma_op_function_construct (func_obj_p=0x96c060 <jerry_global_heap+272>, arguments_list_p=0x7fffffffcd34, arguments_list_len=1) at jerryscript/jerry-core/ecma/operations/ecma-function-object.c:681
#15 0x0000000000415f8f in opfunc_construct.lto_priv.244 (frame_ctx_p=0x7fffffffcd70) at jerryscript/jerry-core/vm/vm.c:466
#16 0x0000000000413364 in vm_execute (frame_ctx_p=0x7fffffffcd70, arg_p=0x0, arg_list_len=0) at jerryscript/jerry-core/vm/vm.c:2748
#17 0x00000000004135a9 in vm_run (bytecode_header_p=0x96c188 <jerry_global_heap+568>, this_binding_value=27, lex_env_p=0x96bf80 <jerry_global_heap+48>, is_eval_code=false, arg_list_p=0x0, arg_list_len=0) at jerryscript/jerry-core/vm/vm.c:2823
#18 0x000000000041ebd1 in vm_run_global (bytecode_p=0x96c188 <jerry_global_heap+568>) at jerryscript/jerry-core/vm/vm.c:231
#19 0x0000000000475d40 in jerry_run (func_val=259) at jerryscript/jerry-core/api/jerry.c:444
#20 0x0000000000474c37 in main (argc=3, argv=0x7fffffffd188) at jerryscript/jerry-main/main-unix.c:707

Found by Fuzzinator
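As an added illustration, not code from the JerryScript issue or repository: the backtrace shows the resolve handler entered with argv=0x0 and argc=0, because f.apply() with no argument list forwards nothing, while line 290 indexes argv[0] unconditionally. The toy C below models the same native-handler calling convention (function, this, argv, argc) with a constructed value type and shows the argc check that turns a missing argument into undefined instead of a NULL read. All type and function names here are assumptions for the example, not JerryScript identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the engine's tagged value type. */
typedef uint32_t toy_value_t;

/* Constructed sentinel for the JavaScript `undefined` value. */
#define TOY_VALUE_UNDEFINED ((toy_value_t) 0)

/* Read argument `idx`, or return undefined when the caller passed fewer
 * arguments. With f.apply() the engine forwards argv == NULL, argc == 0,
 * so an unconditional argv[0] is a NULL dereference. */
static toy_value_t toy_arg_or_undefined (const toy_value_t *argv, size_t argc, size_t idx)
{
  if (argv == NULL || idx >= argc)
  {
    return TOY_VALUE_UNDEFINED;
  }
  return argv[idx];
}

/* Outcome of the resolve step, modelled after the branch at line 290 of the report. */
typedef enum
{
  TOY_RESOLVE_SELF_RESOLUTION,  /* resolve(promise): spec requires a TypeError rejection */
  TOY_RESOLVE_WITH_UNDEFINED,   /* resolve() with no argument */
  TOY_RESOLVE_WITH_VALUE        /* resolve(value) */
} toy_resolve_result_t;

/* Hardened counterpart of the crashing handler: same parameter shape as in the
 * backtrace (function, this, argv, argc), but the resolution value is fetched
 * through the bounds check above instead of argv[0]. */
static toy_resolve_result_t toy_promise_resolve_handler (toy_value_t promise,
                                                        toy_value_t this_val,
                                                        const toy_value_t *argv,
                                                        size_t argc)
{
  (void) this_val;  /* the resolve step does not use `this` */
  toy_value_t resolution = toy_arg_or_undefined (argv, argc, 0);

  if (resolution == promise)
  {
    return TOY_RESOLVE_SELF_RESOLUTION;
  }
  if (resolution == TOY_VALUE_UNDEFINED)
  {
    return TOY_RESOLVE_WITH_UNDEFINED;
  }
  return TOY_RESOLVE_WITH_VALUE;
}

/* Exercise the handler the way a fuzzer would: every argument count from 0 up,
 * including the argv == NULL case that crashed the engine. Returns true when
 * every call completes with the expected classification. */
static bool toy_resolve_handler_survives_arities (void)
{
  toy_value_t args[3] = { 1, 2, 3 };  /* constructed non-promise values */

  if (toy_promise_resolve_handler (419, 72, NULL, 0) != TOY_RESOLVE_WITH_UNDEFINED)
  {
    return false;
  }
  for (size_t argc = 1; argc <= 3; argc++)
  {
    if (toy_promise_resolve_handler (419, 72, args, argc) != TOY_RESOLVE_WITH_VALUE)
    {
      return false;
    }
  }
  return true;
}

int main (void)
{
  /* Values 419 and 72 mirror the function/this numbers in the report's backtrace. */
  printf ("argv=NULL, argc=0 handled: %s\n",
          toy_promise_resolve_handler (419, 72, NULL, 0) == TOY_RESOLVE_WITH_UNDEFINED ? "yes" : "no");
  printf ("all arities survive: %s\n", toy_resolve_handler_survives_arities () ? "yes" : "no");
  return 0;
}
```

The point of the helper is that every native routine reachable through Function.prototype.apply or call must treat argc as the only trustworthy bound on argv; a fuzzer finds the zero-argument path quickly, and the same check also covers argc values smaller than the number of arguments the routine reads.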

jiangzidong commented 7 years ago

I will check it