jerryscript-project / jerryscript

Ultra-lightweight JavaScript engine for the Internet of Things.
https://jerryscript.net
Apache License 2.0

Assertion 'ecma_is_lexical_environment (object_p)' failed at ecma-helpers.c (ecma_get_lex_env_type). #4900

Open hope-fly opened 2 years ago

hope-fly commented 2 years ago
JerryScript revision

Commit: 42523bd6

Version: v3.0.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps
python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-g --strip=off --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --linker-flag=-fuse-ld=gold --profile=es2015-subset --stack-limit=20

ASAN closed

Test case
var i = 0;
var a = [];
var JSEtest = [];

JSEtest.__defineGetter__(0, function NaN() {
  if (i++ > 2) {
    return;
  }

  JSEtest.shift();
  gc();
  a.push(0);
  a.concat(JSEtest);
});

JSEtest[0];

Execution steps & Output
$ ./jerryscript/build/bin/jerry poc.js

ICE: Assertion 'ecma_is_lexical_environment (object_p)' failed at /home/f1yh0p/jerryscript/jerry-core/ecma/base/ecma-helpers.c(ecma_get_lex_env_type):291.
Error: ERR_FAILED_INTERNAL_ASSERTION

Credits: Found by OWL337 team.

rerobika commented 2 years ago

Note about the issue: Due to the recursive first property access in Array.prototype.shift, after the property is deleted by the operation, the previous call frame's function object/lexical environment becomes an invalid memory reference.
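The re-entrancy the comment above describes can be observed on any conforming engine. The following trace is an added example, not code from the issue or from the JerryScript project; it runs under Node and only uses standard Array.prototype.shift and Object.defineProperty. It shows that shift() invokes the accessor for index 0 before it deletes that property, that the accessor may call shift() again and delete the property while the outer accessor is still executing, and therefore that an engine must keep the accessor's function object and lexical environment alive for as long as the outer frames still reference them, which is the invariant the assertion in the report indicates was broken.

```javascript
// Added example, not code from the JerryScript issue: traces the re-entrant
// Array.prototype.shift that the report relies on, on any conforming engine
// (run with: node this_file.js). shift() reads element 0 with [[Get]], which
// runs an accessor; that accessor may call shift() again and delete the very
// property whose getter is still executing. The engine has to keep the
// getter's function object and lexical environment alive for as long as the
// outer frames still reference them.
function traceShiftReentrancy() {
  const log = [];
  const arr = [];
  let depth = 0;

  // Defining index 0 on an empty array also sets arr.length to 1.
  Object.defineProperty(arr, 0, {
    configurable: true,
    enumerable: true,
    get() {
      const has0 = Object.prototype.hasOwnProperty.call(arr, 0);
      log.push(`getter depth=${depth} len=${arr.length} has0=${has0}`);
      if (depth++ < 2) {
        // Re-enter shift() while the outer shift() is still in progress.
        arr.shift();
        // The inner shift() has already deleted property 0, so the accessor
        // currently running is no longer reachable from the array; only the
        // active call frames keep it alive from here on.
        const stillHas0 = Object.prototype.hasOwnProperty.call(arr, 0);
        log.push(`after inner shift len=${arr.length} has0=${stillHas0}`);
      }
      return undefined;
    },
  });

  const result = arr.shift(); // outermost call
  return { log, result, finalLength: arr.length };
}

// Print the trace when run directly.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(traceShiftReentrancy().log.join('\n'));
}
```

The three "getter" lines are emitted before any deletion happens, and both "after inner shift" lines report the property as gone while the accessor that was reached through it is still on the stack. A GC that runs at that point (the gc() call in the reported test case) must treat those frames as roots; the ICE in the report is what happens when a reference held by such a frame is not kept valid.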