
Assertion 'ECMA_PROPERTY_IS_PROPERTY_PAIR (prop_iter_p)' failed at ./jerryscript/jerry-core/ecma/base/ecma-property-hashmap.c(ecma_property_hashmap_create) #5084

@Ye0nny

Description

@Ye0nny
JerryScript revision

Commit: 05dbbd1
Version: v3.0.0

Build platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build steps
python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --system-allocator=on --logging=on --line-info=on --stack-limit=20
Test case
testcase

// Helper used later by the test case: copies every enumerable property
// reachable by for...in on `a` (own and inherited) onto the function
// object `r` itself, then returns `r`. `func0` is accepted but unused;
// when `a` is falsy the loop runs over an empty object literal instead.
var r = function ( func0 , a ) { 
	for ( var v in a || { } ) { 
		r [ v ] = a [ v ] ; 
	} return r ; 
} ; 
// Fuzzer-generated reproducer (odd spacing is as submitted). Each loop
// iteration appends a fresh null-prototype object and `a` itself to `a`,
// so `a` grows by two elements per iteration and contains itself; it then
// builds a WeakSet over `a` and writes properties on the new object.
// In the reported debug build the assertion fires inside this loop, from
// Array.prototype.push at length 448 (see the backtrace below), so the
// statements after the loop are not reached there.
var a = [ ] ; 
for ( var v = 0 ; v < 256 ; v ++ ) { 
	var n = Object . create ( null ) ; 
	a . push ( n , a ) ; 
	n . v = 1 ; 
	n . o = 1 ; 
	n = new WeakSet ( a ) ; 
	n . t = 1 ; 
	n . o = 1 ; 
} 
n . i = 1 ; 

// `Test262Error` is the test262 harness error class; `! a` is always
// false for an array, so this line never throws.
if ( ! a ) throw new Test262Error ( " out " ) ;

n . O = 1 ; 
n . m = 1 ; 
// `a` is passed as the replacer array; after this line `n` is a string.
n = JSON . stringify ( JSON . stringify ( n , a ) ) ; 

// `r.deref` is never assigned, so a conforming engine that reaches this
// line throws here (Test262Error, or a ReferenceError without the harness).
if ( r . deref != 1 ) throw new Test262Error ( " digit " ) ; 

// `n` is a primitive string at this point, so in sloppy mode these
// property writes are no-ops, and `Object . create ( n )` below would be
// a TypeError. Kept verbatim as part of the submitted test case.
n . h = 1 ; 
n . T = 1 ; 
n . U = 1 ; 
n . g = 1 ; 
n . j = 1 ; 
n . k = 1 ; 
n . m = 1 ; 
n . p = 1 ; 
n . q = 1 ; 
n . A = 1 ; 
n . B = 1 ; 
n . as = 1 ; 
n . C = 1 ; 
n . A = 1 ; 
n . q = 0.1 ; 
n . D = 1 ; 
n . F = 1 ; 
n . G = 1 ; 
n . ax = 1 ; 
n . ax = 1 ; 
n . H = 1 ; 
n . I = 1 ; 
n . J = 1 ; 
n . K = 1 ; 
n . L = 1 ; 
n . M = 1 ; 
n . N = 1 ; 
var o = Object . create ( n ) ; 
var f = r ( { } , o ) ; 
for ( var t in f ) { 
	if ( f [ t ] !== f [ " " ] ) { 
		if ( f [ t ] !== f [ " " + t ] ) { 
			throw new Error ( " OUT " ) ; 
		} 
	} 
}

// poc.js
// Minimized reproducer. Each iteration appends a fresh null-prototype
// object and `a` itself to `a` (so `a` contains itself and grows by two
// per iteration), then constructs a WeakSet over `a` and sets one
// property on it.
// Debug build: assertion in ecma_property_hashmap_create, reached from
// Array.prototype.push (backtrace below). Release build under ASan: SEGV
// on a near-null read in ecma_gc_mark_properties during a GC that runs
// while the WeakSet constructor iterates `a` (ASan trace below) -- a
// memory-safety fault inside the engine rather than a JS-level exception.
var a = [ ] ;
for ( var v = 0 ; v < 256 ; v ++ ) {
        var n = Object . create ( null ) ;
        a . push ( n , a ) ;
        n = new WeakSet ( a ) ;
        n . o = 1 ;
}
Execution steps & Output
$ ./jerryscript/build/bin/jerry poc.js
ICE: Assertion 'ECMA_PROPERTY_IS_PROPERTY_PAIR (prop_iter_p)' failed at ./jerryscript/jerry-core/ecma/base/ecma-property-hashmap.c(ecma_property_hashmap_create):146.
Error: JERRY_FATAL_FAILED_ASSERTION
Aborted
Backtrace
(gdb) bt
#0  0xf7fcfd99 in __kernel_vsyscall ()
#1  0xf7ca4276 in raise () from /lib32/libc.so.6
#2  0xf7c8c3f7 in abort () from /lib32/libc.so.6
#3  0x083ecca3 in jerry_port_fatal (code=JERRY_FATAL_FAILED_ASSERTION) at ./jerryscript/jerry-port/common/jerry-port-process.c:29
#4  0x08260d02 in jerry_fatal (code=JERRY_FATAL_FAILED_ASSERTION) at ./jerryscript/jerry-core/jrt/jrt-fatals.c:63
#5  0x08260d64 in jerry_assert_fail (assertion=0x8418d00 <str> "ECMA_PROPERTY_IS_PROPERTY_PAIR (prop_iter_p)",
    file=0x8418d60 <str> "./jerryscript/jerry-core/ecma/base/ecma-property-hashmap.c", function=0x8418de0 <__func__.ecma_property_hashmap_create> "ecma_property_hashmap_create",
    line=146) at ./jerryscript/jerry-core/jrt/jrt-fatals.c:83
#6  0x081a3e63 in ecma_property_hashmap_create (object_p=0xf5500880) at ./jerryscript/jerry-core/ecma/base/ecma-property-hashmap.c:146
#7  0x081a4342 in ecma_property_hashmap_insert (object_p=0xf5500880, name_p=0x3815, property_pair_p=0xf2d1a140, property_index=0)
    at ./jerryscript/jerry-core/ecma/base/ecma-property-hashmap.c:236
#8  0x08189d0a in ecma_create_property (object_p=<optimized out>, name_p=<optimized out>, type_and_flags=<optimized out>, value=..., out_prop_p=<optimized out>)
    at ./jerryscript/jerry-core/ecma/base/ecma-helpers.c:448
#9  0x0818836a in ecma_create_named_data_property (object_p=0xf5500880, name_p=0x3815, prop_attributes=7 '\a', out_prop_p=0x0)
    at ./jerryscript/jerry-core/ecma/base/ecma-helpers.c:536
#10 0x08217e4e in ecma_op_object_put_apply_receiver (receiver=<optimized out>, property_name_p=<optimized out>, value=<optimized out>, is_throw=<optimized out>)
    at ./jerryscript/jerry-core/ecma/operations/ecma-objects.c:1241
#11 0x08216a71 in ecma_op_object_put_with_receiver (object_p=<optimized out>, property_name_p=<optimized out>, value=<optimized out>, receiver=<optimized out>, is_throw=<optimized out>)
    at ./jerryscript/jerry-core/ecma/operations/ecma-objects.c:1595
#12 0x08214f3a in ecma_op_object_put (object_p=0xf5500880, property_name_p=0x3815, value=<optimized out>, is_throw=<optimized out>)
    at ./jerryscript/jerry-core/ecma/operations/ecma-objects.c:1143
#13 ecma_op_object_put_by_index (object_p=0xf5500880, index=448, value=4117759059, is_throw=<optimized out>) at ./jerryscript/jerry-core/ecma/operations/ecma-objects.c:1109
#14 0x0830d9b1 in ecma_builtin_array_prototype_object_push (argument_list_p=<optimized out>, arguments_number=2, obj_p=0xf5500880, length=448)
    at ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:465
#15 ecma_builtin_array_prototype_dispatch_routine (builtin_routine_id=<optimized out>, this_arg=<optimized out>, arguments_list_p=<optimized out>, arguments_number=<optimized out>)
    at ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:2839
#16 0x081b94a5 in ecma_builtin_dispatch_routine (func_obj_p=<optimized out>, this_arg_value=<optimized out>, arguments_list_p=0xffffce30, arguments_list_len=<optimized out>)
    at ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
#17 ecma_builtin_dispatch_call (obj_p=<optimized out>, this_arg_value=<optimized out>, arguments_list_p=<optimized out>, arguments_list_len=<optimized out>)
    at ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
#18 0x081fb6b8 in ecma_op_function_call_native_built_in (func_obj_p=0xf5500790, this_arg_value=4115662979, arguments_list_p=0xffffd054, arguments_list_len=2)
    at ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217
#19 0x081fa81d in ecma_op_function_call (func_obj_p=0xf5500790, this_arg_value=4115662979, arguments_list_p=0xffffd054, arguments_list_len=2)
    at ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
#20 0x081fa5cf in ecma_op_function_validated_call (callee=4115662739, this_arg_value=4115662979, arguments_list_p=0xffffd054, arguments_list_len=2)
    at ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1371
#21 0x082d7631 in opfunc_call (frame_ctx_p=<optimized out>) at ./jerryscript/jerry-core/vm/vm.c:758
#22 vm_execute (frame_ctx_p=0xffffd020) at ./jerryscript/jerry-core/vm/vm.c:5217
#23 0x082d4f62 in vm_run (shared_p=0xffffd110, this_binding_value=4119870595, lex_env_p=0xf57007b0) at ./jerryscript/jerry-core/vm/vm.c:5312
#24 0x082d4c39 in vm_run_global (bytecode_p=<optimized out>, function_object_p=<optimized out>) at ./jerryscript/jerry-core/vm/vm.c:286
#25 0x0812a4e5 in jerry_run (script=4115663075) at ./jerryscript/jerry-core/api/jerryscript.c:548
#26 0x083eac3f in jerryx_source_exec_script (path_p=0xffffd5df "poc.js") at ./jerryscript/jerry-ext/util/sources.c:68
#27 0x0812162d in main (argc=<optimized out>, argv=<optimized out>) at ./jerryscript/jerry-main/main-desktop.c:156
(gdb)

With a release-mode build:

Outputs
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1512811==ERROR: AddressSanitizer: SEGV on unknown address 0x0000023e (pc 0x5659bb0f bp 0xff8ef1d8 sp 0xff8ef190 T0)
==1512811==The signal is caused by a READ memory access.
==1512811==Hint: address points to the zero page.
    #0 0x5659bb0e in ecma_gc_mark_properties ./jerryscript/jerry-core/ecma/base/ecma-gc.c:287
    #1 0x5659e95d in ecma_gc_run ./jerryscript/jerry-core/ecma/base/ecma-gc.c:2158
    #2 0x565f3d83 in jmem_heap_gc_and_alloc_block ./jerryscript/jerry-core/jmem/jmem-heap.c:285
    #3 0x566365ad in ecma_alloc_property_pair ./jerryscript/jerry-core/ecma/base/ecma-alloc.c:253
    #4 0x565ac30d in ecma_create_property ./jerryscript/jerry-core/ecma/base/ecma-helpers.c:457
    #5 0x565d424d in ecma_create_iter_result_object ./jerryscript/jerry-core/ecma/operations/ecma-iterator-object.c:98
    #6 0x56636d82 in ecma_builtin_array_iterator_prototype_object_next ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-iterator-prototype.c:172
    #7 0x56636d82 in ecma_builtin_array_iterator_prototype_dispatch_routine ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-iterator-prototype.c:211
    #8 0x565bba28 in ecma_builtin_dispatch_routine ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
    #9 0x565bba28 in ecma_builtin_dispatch_call ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
    #10 0x565d0db7 in ecma_op_function_call_native_built_in ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1217
    #11 0x565d2c84 in ecma_op_function_call ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1411
    #12 0x565d449d in ecma_op_iterator_next ./jerryscript/jerry-core/ecma/operations/ecma-iterator-object.c:317
    #13 0x565d46d3 in ecma_op_iterator_step ./jerryscript/jerry-core/ecma/operations/ecma-iterator-object.c:559
    #14 0x565ca92e in ecma_op_container_create ./jerryscript/jerry-core/ecma/operations/ecma-container-object.c:435
    #15 0x56657dbd in ecma_builtin_weakset_dispatch_construct ./jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-weakset.c:62
    #16 0x565d3086 in ecma_op_function_construct_built_in ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1537
    #17 0x565d3086 in ecma_op_function_construct ./jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1717
    #18 0x56634c33 in opfunc_construct ./jerryscript/jerry-core/vm/vm.c:840
    #19 0x56634c33 in vm_execute ./jerryscript/jerry-core/vm/vm.c:5236
    #20 0x56635152 in vm_run ./jerryscript/jerry-core/vm/vm.c:5312
    #21 0x5663538f in vm_run_global ./jerryscript/jerry-core/vm/vm.c:286
    #22 0x5659382e in jerry_run ./jerryscript/jerry-core/api/jerryscript.c:548
    #23 0x5668871b in jerryx_source_exec_script ./jerryscript/jerry-ext/util/sources.c:68
    #24 0x5658bd04 in main ./jerryscript/jerry-main/main-desktop.c:156
    #25 0xf76ceed4 in __libc_start_main (/lib32/libc.so.6+0x1aed4)
    #26 0x5658efb4 in _start (/./jerryscript/build/bin/jerry+0x12fb4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ./jerryscript/jerry-core/ecma/base/ecma-gc.c:287 in ecma_gc_mark_properties
==1512811==ABORTING

Credits: @Ye0nny, @EJueon of the seclab-yonsei.
