jerryscript-project / jerryscript

Ultra-lightweight JavaScript engine for the Internet of Things.
https://jerryscript.net
Apache License 2.0

Assertion index <= ECMA_DIRECT_STRING_MAX_IMM in ecma_fast_array_convert_to_normal #5000

Open renatahodovan opened 2 years ago

renatahodovan commented 2 years ago
JerryScript revision

0d496966

Build platform

Linux-5.4.0-104-generic-x86_64-with-glibc2.29

Build steps
# Clean debug build with the es.next profile, error messages and logging on.
# The failure reported below is an assertion (JERRY_FATAL_FAILED_ASSERTION) hit in this debug build.
# NOTE(review): this report does not show how a non-debug build handles the same input — confirm separately.
./tools/build.py --clean --debug --profile=es.next  --error-messages=ON --logging=ON
Test case
// Reproducer: an unbounded loop that doubles k on every iteration and stores k at x[k],
// so the array is written at power-of-two indices (2, 4, 8, ...) with growing gaps in between.
// In the gdb backtrace below, the assertion fires under ecma_fast_array_set_property with
// index=131072, on the path into ecma_fast_array_convert_to_normal.
// The ASan ABRT comes from abort() called via jerry_assert_fail -> jerry_fatal -> jerry_port_fatal;
// ASan itself reports no memory error ("can not provide additional info").
let x = [ ]; let k = 1 ; for ( ; ; ) { k = k * 2 ; x [ k ] = k } 
Output
ICE: Assertion 'index <= ECMA_DIRECT_STRING_MAX_IMM' failed at jerryscript/jerry-core/ecma/operations/ecma-array-object.c(ecma_fast_array_convert_to_normal):321.
Error: JERRY_FATAL_FAILED_ASSERTION
AddressSanitizer:DEADLYSIGNAL
=================================================================
==699588==ERROR: AddressSanitizer: ABRT on unknown address 0x03e9000aacc4 (pc 0x7f59ddac303b bp 0x7ffdc60e4d60 sp 0x7ffdc60e4af0 T0)
    #0 0x7f59ddac303b in raise /build/glibc-sMfBJT/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:51:1
    #1 0x7f59ddaa2858 in abort /build/glibc-sMfBJT/glibc-2.31/stdlib/abort.c:79:7
    #2 0x806f07 in jerry_port_fatal jerryscript/jerry-port/common/jerry-port-process.c:29:5
    #3 0x6281ca in jerry_fatal jerryscript/jerry-core/jrt/jrt-fatals.c:63:3
    #4 0x627f7a in jerry_assert_fail jerryscript/jerry-core/jrt/jrt-fatals.c:83:3
    #5 0x587ef3 in ecma_fast_array_convert_to_normal jerryscript/jerry-core/ecma/operations/ecma-array-object.c:321:5
    #6 0x588b40 in ecma_fast_array_set_property jerryscript/jerry-core/ecma/operations/ecma-array-object.c:385:5
    #7 0x5d8eb3 in ecma_op_object_put_with_receiver jerryscript/jerry-core/ecma/operations/ecma-objects.c:1378:18
    #8 0x6f4829 in vm_op_set_value jerryscript/jerry-core/vm/vm.c:224:16
    #9 0x6ed5e4 in vm_loop jerryscript/jerry-core/vm/vm.c:4741:43
    #10 0x6bb8f1 in vm_execute jerryscript/jerry-core/vm/vm.c:5211:37
    #11 0x6b975b in vm_run jerryscript/jerry-core/vm/vm.c:5312:10
    #12 0x6b91b7 in vm_run_global jerryscript/jerry-core/vm/vm.c:286:25
    #13 0x4ce357 in jerry_run jerryscript/jerry-core/api/jerryscript.c:548:24
    #14 0x8052c9 in jerryx_source_exec_script jerryscript/jerry-ext/util/sources.c:68:14
    #15 0x4c4cb6 in main jerryscript/jerry-main/main-desktop.c:156:20
    #16 0x7f59ddaa40b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    #17 0x41c53d in _start (jerryscript/build/bin/jerry+0x41c53d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT /build/glibc-sMfBJT/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:51:1 in raise
==699588==ABORTING
Backtrace
bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7c33859 in __GI_abort () at abort.c:79
#2  0x0000000000806f08 in jerry_port_fatal (code=JERRY_FATAL_FAILED_ASSERTION) at jerryscript/jerry-port/common/jerry-port-process.c:29
#3  0x00000000006281cb in jerry_fatal (code=JERRY_FATAL_FAILED_ASSERTION) at jerryscript/jerry-core/jrt/jrt-fatals.c:63
#4  0x0000000000627f7b in jerry_assert_fail (assertion=0x83e3e0 <str> "index <= ECMA_DIRECT_STRING_MAX_IMM", file=0x83e020 <str> "jerryscript/jerry-core/ecma/operations/ecma-array-object.c", function=0x83e380 <__func__.ecma_fast_array_convert_to_normal> "ecma_fast_array_convert_to_normal", line=321) at jerryscript/jerry-core/jrt/jrt-fatals.c:83
#5  0x0000000000587ef4 in ecma_fast_array_convert_to_normal (object_p=0x11dfa38 <jerry_global_heap+824>) at jerryscript/jerry-core/ecma/operations/ecma-array-object.c:321
#6  0x0000000000588b41 in ecma_fast_array_set_property (object_p=0x11dfa38 <jerry_global_heap+824>, index=131072, value=2097152) at jerryscript/jerry-core/ecma/operations/ecma-array-object.c:385
#7  0x00000000005d8eb4 in ecma_op_object_put_with_receiver (object_p=0x11dfa38 <jerry_global_heap+824>, property_name_p=0x11dfa48 <jerry_global_heap+840>, value=2097152, receiver=827, is_throw=false) at jerryscript/jerry-core/ecma/operations/ecma-objects.c:1378
#8  0x00000000006f482a in vm_op_set_value (base=827, property=2097152, value=2097152, is_strict=false) at jerryscript/jerry-core/vm/vm.c:224
#9  0x00000000006ed5e5 in vm_loop (frame_ctx_p=0x7fffffffd240) at jerryscript/jerry-core/vm/vm.c:4741
#10 0x00000000006bb8f2 in vm_execute (frame_ctx_p=0x7fffffffd240) at jerryscript/jerry-core/vm/vm.c:5211
#11 0x00000000006b975c in vm_run (shared_p=0x7fffffffd460, this_binding_value=11, lex_env_p=0x11df9f0 <jerry_global_heap+752>) at jerryscript/jerry-core/vm/vm.c:5312
#12 0x00000000006b91b8 in vm_run_global (bytecode_p=0x11dfc58 <jerry_global_heap+1368>, function_object_p=0x11df9e0 <jerry_global_heap+736>) at jerryscript/jerry-core/vm/vm.c:286
#13 0x00000000004ce358 in jerry_run (script=739) at jerryscript/jerry-core/api/jerryscript.c:548
#14 0x00000000008052ca in jerryx_source_exec_script (path_p=0x7fffffffde38 "/run/user/1001/fuzzinator/697673/699585-FileWriterDecorator-a1ff659e50ab42cb9b802f43f58d16fc/0.js") at jerryscript/jerry-ext/util/sources.c:68
#15 0x00000000004c4cb7 in main (argc=2, argv=0x7fffffffdb08) at jerryscript/jerry-main/main-desktop.c:156

Found by Fuzzinator with grammarinator.