
Assertion 'context_p->token.type != LEXER_RIGHT_PAREN' failed at ./jerryscript/jerry-core/parser/js/js-parser-statm.c(parser_parse_for_statement_start) #5083

Open Ye0nny opened 1 year ago

Ye0nny commented 1 year ago
JerryScript revision

Commit: https://github.com/jerryscript-project/jerryscript/commit/05dbbd134c3b9e2482998f267857dd3722001cd7 Version: v3.0.0

Build platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build steps
# Reporter's build: 32-bit (-m32) debug build with AddressSanitizer, frame pointers
# kept, and LTO/stripping off so the gdb backtrace below resolves to source lines.
# The assertion reported below presumably fires only because --debug keeps
# JERRY_ASSERT checks compiled in; a release build would not abort here (its
# behaviour on this input is not shown in the report).
python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20
Test case
Original test case (the reduced reproducer `poc.js` follows below)

```javascript
// Original (unreduced) test case as submitted. Only line breaks were added here;
// the token sequence is unchanged so it still reproduces the reported ICE.
// The reduced form (poc.js, below) keeps just the class expression containing a
// static block and the `for` statement that follows it, which suggests that
// pairing is what reaches the failing assertion -- to be confirmed in the parser.
// NOTE(review): `f . length` is evaluated while `f` is still undefined (its
// `var` is hoisted from the later loop body) and `extends c` sees `c` as
// undefined; in a conforming engine both would throw at runtime. The backtrace
// for poc.js shows the abort inside parser_parse_source, i.e. before any
// execution, so these runtime issues are irrelevant to the crash.
var r = { } ;
var t = [ r , r , r , r , r , r , r , r , r , r , r , r , r , r , r ] ;
var a = [ ] ;
const e = 8 ;
for ( var n = 0 ; n < 8 ; ++ n ) {
  for ( var o = 0 ; o < t . length ; ++ o ) {
    a . push ( String . prototype . indexOf . call ( t [ n ] , " object " ) ) ;
  }
}
a [ 8 ] = a = [ ] ;
8 * t , f . length ;
var c = class extends c { static { } ; } ;
for ( var n = 0 ; n < a . length ; ++ n ) {
  var f = { } , t = f ;
  r = 0 ;
  r += a [ n ] ;
  1 ;
}
```

// poc.js
// Reduced reproducer: a class expression with a static initialization block,
// followed by a `for` statement, is enough to hit the failing assertion
// (parser_parse_for_statement_start, js-parser-statm.c:1502 in the backtrace).
// `a` and `r` are never declared; that does not matter here because the abort
// happens while parsing and nothing in the file is executed.
// NOTE(review): this is a debug-build assertion (JERRY_FATAL_FAILED_ASSERTION).
// What a release build with assertions compiled out does on the same input is
// not shown in the report; that is what decides whether this is a parser DoS
// on untrusted scripts or something worse, and is worth testing separately.
var c = class extends c { static { } ; } ;
for ( var n = 0 ; n < a . length ; ++ n ) {
        r += a [ n ] ;
}
Execution steps & Output
$ ./jerryscript/build/bin/jerry poc.js
ICE: Assertion 'context_p->token.type != LEXER_RIGHT_PAREN' failed at ./jerryscript/jerry-core/parser/js/js-parser-statm.c(parser_parse_for_statement_start):1502.
Error: JERRY_FATAL_FAILED_ASSERTION
Aborted
Backtrace
(gdb) bt
#0  0xf7fcfd99 in __kernel_vsyscall ()
#1  0xf7ca4276 in raise () from /lib32/libc.so.6
#2  0xf7c8c3f7 in abort () from /lib32/libc.so.6
#3  0x083ecca3 in jerry_port_fatal (code=JERRY_FATAL_FAILED_ASSERTION)
    at ./jerryscript/jerry-port/common/jerry-port-process.c:29
#4  0x08260d02 in jerry_fatal (code=JERRY_FATAL_FAILED_ASSERTION)
    at ./jerryscript/jerry-core/jrt/jrt-fatals.c:63
#5  0x08260d64 in jerry_assert_fail (assertion=0x8479a60 <str> "context_p->token.type != LEXER_RIGHT_PAREN",
    file=0x84789e0 <str> "./jerryscript/jerry-core/parser/js/js-parser-statm.c",
    function=0x8479b20 <__func__.parser_parse_for_statement_start> "parser_parse_for_statement_start", line=1502)
    at ./jerryscript/jerry-core/jrt/jrt-fatals.c:83
#6  0x083d5567 in parser_parse_for_statement_start (context_p=<optimized out>)
    at ./jerryscript/jerry-core/parser/js/js-parser-statm.c:1502
#7  parser_parse_statements (context_p=<optimized out>)
    at ./jerryscript/jerry-core/parser/js/js-parser-statm.c:2851
#8  0x08284a26 in parser_parse_source (source_p=0xffffd030, parse_opts=<optimized out>, options_p=0xffffd100)
    at ./jerryscript/jerry-core/parser/js/js-parser.c:2280
#9  0x08282c70 in parser_parse_script (source_p=0xffffd030, parse_opts=0, options_p=0xffffd100)
    at ./jerryscript/jerry-core/parser/js/js-parser.c:3326
#10 0x08129a7d in jerry_parse_common (source_p=0xffffd030, options_p=<optimized out>, parse_opts=0)
    at ./jerryscript/jerry-core/api/jerryscript.c:412
#11 0x08129698 in jerry_parse (source_p=<optimized out>, source_size=<optimized out>, options_p=<optimized out>)
    at ./jerryscript/jerry-core/api/jerryscript.c:480
#12 0x083ea952 in jerryx_source_parse_script (path_p=<optimized out>)
    at ./jerryscript/jerry-ext/util/sources.c:52
#13 0x083eac12 in jerryx_source_exec_script (path_p=0xffffd5da "poc.js")
    at ./jerryscript/jerry-ext/util/sources.c:63
#14 0x0812162d in main (argc=<optimized out>, argv=<optimized out>)
    at ./jerryscript/jerry-main/main-desktop.c:156
(gdb)

Credits: @Ye0nny, @EJueon of the seclab-yonsei.