jerryscript-project / jerryscript

Ultra-lightweight JavaScript engine for the Internet of Things.
https://jerryscript.net
Apache License 2.0

Error: JERRY_FATAL_REF_COUNT_LIMIT at jerryscript/jerry-core/ecma/base/ecma-helpers.c:1465 (ecma_bytecode_ref) #5079

Open Ye0nny opened 1 year ago

Ye0nny commented 1 year ago
JerryScript revision

Commit: https://github.com/jerryscript-project/jerryscript/commit/05dbbd134c3b9e2482998f267857dd3722001cd7 Version: v3.0.0

Build platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build steps
python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20
Test case
testcase

```javascript
// Reporter's test case (fuzzer-generated, re-broken onto lines; tokens unchanged).
// The leading Array.isArray calls cover the plain, one-level-Proxy and two-level-Proxy
// inputs; the loop then wraps a Proxy 131072 times, passing a freshly created
// `function () {}` as the handler on every iteration, and finally queries the result.
Array.isArray([]);
Array.isArray({}), Array.isArray(null), Array.isArray(0), Array.isArray(0.1), Array.isArray(" "), Array.isArray(void 0), Array.isArray(new Proxy([], {})), Array.isArray(new Proxy({}, {})), Array.isArray(new Proxy(new Proxy([], {}), {})), Array.isArray(new Proxy(new Proxy({}, {}), {}));
// Each iteration instantiates another function object from the same literal. In the
// poc.js reduction below, the backtrace shows JERRY_FATAL_REF_COUNT_LIMIT being raised
// inside ecma_bytecode_ref while that literal is constructed (vm_construct_literal_object
// -> ecma_op_create_function_object), i.e. during the loop, before Array.isArray(r) runs.
for (var r = new Proxy([], {}), y = 0; y < 131072; y++) r = new Proxy(r, function () {});
// `RangeError` is a bare expression statement (a global lookup with no other effect).
Array.isArray(r), RangeError;
```

// poc.js
// Minimal reproducer: wrap a Proxy 131072 times, supplying a new `function () {}` handler
// on each iteration. Per the backtrace, the engine aborts with JERRY_FATAL_REF_COUNT_LIMIT
// inside ecma_bytecode_ref (frame #5) while constructing that function literal
// (frames #6-#8: ecma_op_create_function_object via vm_construct_literal_object), so the
// reference count on the function's shared bytecode appears to reach its limit.
// Impact as shown: a deliberate jerry_fatal -> abort (engine denial of service); the
// captured output contains no ASan report, so no memory-safety fault is demonstrated here.
for ( var r = new Proxy ( [ ] , { } ) , y = 0 ; y < 131072 ; y ++ )
    r = new Proxy ( r , function ( ) { } ) ;
Execution steps & Output
$ ./jerryscript/build/bin/jerry poc.js
Error: JERRY_FATAL_REF_COUNT_LIMIT
Aborted
Backtrace
(gdb) bt
#0  0xf7fcfd99 in __kernel_vsyscall ()
#1  0xf7ca4276 in raise () from /lib32/libc.so.6
#2  0xf7c8c3f7 in abort () from /lib32/libc.so.6
#3  0x083ecca3 in jerry_port_fatal (code=JERRY_FATAL_REF_COUNT_LIMIT)
    at ./jerryscript/jerry-port/common/jerry-port-process.c:29
#4  0x08260d02 in jerry_fatal (code=JERRY_FATAL_REF_COUNT_LIMIT) at ./jerryscript/jerry-core/jrt/jrt-fatals.c:63
#5  0x0818eb23 in ecma_bytecode_ref (bytecode_p=0xf5500910)
    at ./jerryscript/jerry-core/ecma/base/ecma-helpers.c:1465
#6  0x081f8cd8 in ecma_op_create_function_object (scope_p=0xf57007b0, bytecode_data_p=0xf5500910, proto_id=ECMA_BUILTIN_ID_FUNCTION_PROTOTYPE)
    at ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:412
#7  0x081f8ec4 in ecma_op_create_any_function_object (scope_p=0xf57007b0, bytecode_data_p=0xf5500910)
    at ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:587
#8  0x0830386c in vm_construct_literal_object (frame_ctx_p=<optimized out>, lit_value=0)
    at ./jerryscript/jerry-core/vm/vm.c:470
#9  0x082f366c in vm_loop (frame_ctx_p=0xffffd000) at ./jerryscript/jerry-core/vm/vm.c:1177
#10 0x082d6b83 in vm_execute (frame_ctx_p=0xffffd000) at ./jerryscript/jerry-core/vm/vm.c:5211
#11 0x082d4f62 in vm_run (shared_p=0xffffd110, this_binding_value=4119870595, lex_env_p=0xf57007b0)
    at ./jerryscript/jerry-core/vm/vm.c:5312
#12 0x082d4c39 in vm_run_global (bytecode_p=<optimized out>, function_object_p=<optimized out>)
    at ./jerryscript/jerry-core/vm/vm.c:286
#13 0x0812a4e5 in jerry_run (script=4115663027) at ./jerryscript/jerry-core/api/jerryscript.c:548
#14 0x083eac3f in jerryx_source_exec_script (path_p=0xffffd5d5 "poc.js")
    at ./jerryscript/jerry-ext/util/sources.c:68
#15 0x0812162d in main (argc=<optimized out>, argv=<optimized out>) at ./jerryscript/jerry-main/main-desktop.c:156

Credits: @Ye0nny, @EJueon of the seclab-yonsei.