jerryscript-project / jerryscript

Ultra-lightweight JavaScript engine for the Internet of Things.
https://jerryscript.net
Apache License 2.0

stack overflow at jerry-core/ecma/base/ecma-helpers-value.c #5013

Closed anbu1024 closed 1 year ago

anbu1024 commented 2 years ago

Commit

0d4969661810b9e618485c284c361e597144e9b9

(The newest Jerry release 2.4.0 is affected.)

Build platform

Ubuntu 20.04

Build steps

python tools/build.py --debug --logging=on --error-messages=on --line-info=on

POC

function foo() {
    var a;
    function* bar() {
        try {
            yield* b;
        } catch (e) {
            a = e;
        }
    }
    var b = bar();
    b.next();

    return a;
}

foo();

Error Log

A stack overflow.

Segmentation fault.

If I build jerry with a sanitizer, like

python  ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --system-allocator=on --logging=on --linker-flag=-fuse-ld=gold --error-messages=on --line-info=on --stack-limit=10

There is an ICE in ecma-builtin-generator-prototype.c

ICE: Assertion 'generator_object_p->frame_ctx.stack_top_p[-1] == ECMA_VALUE_UNDEFINED || ecma_is_value_object (generator_object_p->frame_ctx.stack_top_p[-1])' failed at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-generator-prototype.c(ecma_builtin_generator_prototype_object_do):123.
Error: JERRY_FATAL_FAILED_ASSERTION
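
The POC above re-enters a generator through its own `yield*` delegation: `b.next()` runs the body of `bar`, and `yield* b` then calls `b.next()` again while that generator is still executing. The following is an added example, not code from the issue or from the JerryScript project, showing what the ECMAScript specification requires here: resuming a generator whose state is "executing" throws a TypeError instead of recursing, so a conforming engine returns that TypeError from `foo()` rather than overflowing the native stack. It also generalises to a delegation cycle between two generators, which re-enters in the same way. The function names are my own; the expected values follow from the spec's GeneratorResume steps and can be confirmed against node as a reference engine.

```javascript
// Added example (not from the issue or from JerryScript): the re-entrant
// generator delegation from the POC, plus the two-generator cycle variant,
// checked against the behaviour the ECMAScript spec prescribes.

// Same shape as the POC: a generator that delegates to itself.
// Spec: the inner b.next() finds the generator in state "executing" and
// throws a TypeError, which the try/catch inside the body observes.
function selfDelegation() {
  let caught;
  function* bar() {
    try {
      yield* b;          // calls b.next() while b is already running
    } catch (e) {
      caught = e;        // expected: TypeError ("already running")
    }
  }
  const b = bar();
  const first = b.next();  // runs the body to completion after the catch
  return { caught, first, second: b.next() };
}

// Generalisation: a cycle of delegation between two generators re-enters
// the first one just the same. c's yield* b calls b.next() while b is
// executing; the TypeError surfaces in c, propagates out of c.next(), and
// is caught at the yield* c site inside b.
function mutualDelegation() {
  let caught;
  function* b() {
    try {
      yield* cGen;
    } catch (e) {
      caught = e;
    }
  }
  function* c() {
    yield* bGen;         // re-enters bGen, which is still executing
  }
  const bGen = b();
  const cGen = c();
  const first = bGen.next();
  return { caught, first, second: bGen.next() };
}

// A conformance check a maintainer can run against a fixed engine. Returns
// true only when both re-entrant patterns raise a TypeError, the outer
// generator completes normally, and later next() calls report done.
function checkReentrantGeneratorHandling() {
  const results = [selfDelegation(), mutualDelegation()];
  return results.every((r) =>
    r.caught instanceof TypeError
    && r.first.done === true && r.first.value === undefined
    && r.second.done === true && r.second.value === undefined);
}
```

Running `checkReentrantGeneratorHandling()` under the engine being tested turns this issue into a regression test: an engine that recurses instead of checking the generator's state will crash before the function can return, while a conforming one returns `true`.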

zherczeg commented 2 years ago

Hi! Thank you for submitting an issue for the project. We are also welcoming talented contributors to the project; fixing bugs is a good first step on this road. We can help you if you want to learn about the source code.