jerryscript-project / jerryscript

Ultra-lightweight JavaScript engine for the Internet of Things.
https://jerryscript.net
Apache License 2.0
6.87k stars 666 forks

Segmentation Fault in release. Assertion 'context_p->next_scanner_info_p->type == SCANNER_TYPE_FUNCTION' failed on debug. #5104

Open anbu1024 opened 8 months ago

anbu1024 commented 8 months ago

JerryScript version 3.0.0: commit 05dbbd134c3b9e2482998f267857dd3722001cd7

Build platform: Ubuntu 20.04

Build cmd:

python tools/build.py --debug --profile=es.next --lto=off --compile-flag=-D_POSIX_C_SOURCE=200809 --compile-flag=-Wno-strict-prototypes --stack-limit=15

Test case

class Foo {
    valueOf(m, n) {
        var a;

        try { a = this.valueOf(); } catch (e) {}

        var b = `
            class Bar extends m {
                constructor(a21, a22) {
                }
                static {
                    for (let i25 = 0; i25 < 5;) {
                    }
                }
                /*
                constructor(a31) {
                    /0()*/;
                    isNaN(a);
                }
                */
            }
        `;
        eval(b, eval, this, a);
    }
}

var c = new Foo();

c.valueOf();

Error message:

SEGV on ASAN version:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==505902==ERROR: AddressSanitizer: SEGV on unknown address 0x000000002cee (pc 0x55ca4212e04b bp 0x7ffc2cef5740 sp 0x7ffc2cef56a0 T0)
==505902==The signal is caused by a READ memory access.

Aborted with assertion error in debug version:

ICE: Assertion 'context_p->next_scanner_info_p->type == SCANNER_TYPE_FUNCTION' failed at jerry-core/parser/js/js-parser.c(parser_parse_function_arguments):1587.
Error: JERRY_FATAL_FAILED_ASSERTION
Aborted (core dumped)