Description
JerryScript revision
Build platform
Ubuntu 18.04.4 LTS (Linux 4.15.0-91-generic x86_64)
Build steps
- for the first output:
python tools/build.py --profile=es2015-subset --lto=off --compile-flag=-g \
--strip=off --logging=on \
--compile-flag=-fsanitize=address --stack-limit=15
- for the second output:
./tools/build.py --clean --debug --compile-flag=-fsanitize=address \
--compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer \
--compile-flag=-fno-common --compile-flag=-g \
--strip=off --system-allocator=on --logging=on \
--linker-flag=-fuse-ld=gold --error-messages=on --profile=es2015-subset \
--stack-limit=15
Test case
// Fuzzer-style crash reproducer. It builds nested Proxy objects whose handler
// traps are either undefined or self-recursive functions, then evaluates
// `proxy instanceof proxy` so the engine's has-instance path is entered with a
// Proxy (not a plain function) as the constructor object. Per the reported
// stack trace, that path reaches the proxy getPrototypeOf trap lookup and
// ends in a 2-byte out-of-bounds read in ecma_builtin_try_to_instantiate_property.
function main() {
var v4 = [1337,1337,1337];
var v5 = [1018825975,1018825975,Number];
// Ordinary object with an Array as its prototype; the own string keys
// "constructor"/"toString" shadow the inherited ones.
var v6 = {constructor:"symbol",toString:"symbol",__proto__:v4,b:v5,e:1018825975};
// Plain string key "toStringTag" (not Symbol.toStringTag). It is not defined on
// v6, on the array prototype chain, or on Object.prototype, so v8 is expected
// to be undefined; it is later used as the value of several traps.
var v8 = v6.toStringTag;
// Used as the function-valued traps of handler v36 below. It rebuilds the same
// shape one level deeper and then calls itself unconditionally at its end, so
// once it runs as a trap the recursion is presumably stopped only by the
// engine's stack limit (the builds above pass --stack-limit=15).
function v9(v10,v11) {
var v16 = [1337,1337,1337];
var v17 = [1018825975,1018825975,Number];
var v18 = {constructor:"symbol",toString:"symbol",__proto__:v16,b:v17,e:1018825975};
// Same plain-string lookup as v8: expected undefined.
var v20 = v18.toStringTag;
// Trap function for handler v31: returns a fresh Proxy over Function whose
// handler inherits from `this` (when invoked as a trap, `this` is the handler).
function v21(v22,v23) {
var v25 = [1337,1337];
// A negative index is not an element of the array, so v26 is undefined.
var v26 = v25[-1951730718];
// isExtensible trap is undefined here; everything else comes from the prototype.
var v28 = {isExtensible:v26,__proto__:this};
var v30 = new Proxy(Function,v28);
return v30;
}
// Function-valued traps are v21; the remaining traps are v20 (expected
// undefined, which makes those operations fall through to the target).
var v31 = {getPrototypeOf:v21,getOwnPropertyDescriptor:v21,isExtensible:v21,length:v20,set:v20,setPrototypeOf:v21,deleteProperty:v20,defineProperty:v21,get:v20,ownKeys:v21,construct:v20};
var v33 = new Proxy(Function,v31);
// Right-hand side of instanceof is a Proxy over Function, so (per spec) the
// @@hasInstance lookup and the subsequent prototype walk both go through traps.
var v34 = v33 instanceof v33;
// Unconditional self-call; see the note on v9 above.
var v35 = v9();
}
// Handler for the outer proxy: getPrototypeOf and friends are v9, the rest v8.
var v36 = {getPrototypeOf:v9,getOwnPropertyDescriptor:v9,isExtensible:v9,length:v8,set:v8,setPrototypeOf:v9,deleteProperty:v8,defineProperty:v9,get:v8,ownKeys:v9,construct:v8};
// `print` is not defined in this script; it is JerryScript's host function,
// which is why the second output's assertion talks about EXTERNAL_FUNCTION.
var v38 = new Proxy(print,v36);
// This is the expression that produces both reported outputs: the stack trace
// shows ecma_op_function_has_instance -> ecma_proxy_object_get_prototype_of ->
// ecma_op_get_method -> ecma_builtin_try_to_instantiate_property.
var v39 = v38 instanceof v38;
// Declared but never invoked; presumably left over from the fuzzer's generator.
function v40(v41,v42,v43,v44) {
}
}
// Entry point: running the script once is enough to trigger the reported crash.
main();
Execution steps
$ /tmp/jerryscript3/build/bin/jerry /tmp/crashes/03.js
=================================================================
==9137==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55b2dd9ed058 at pc 0x55b2dd9678ef bp 0x7fff96087f10 sp 0x7fff96087f00
READ of size 2 at 0x55b2dd9ed058 thread T0
#0 0x55b2dd9678ee in ecma_builtin_try_to_instantiate_property /tmp/jerryscript3/jerry-core/ecma/builtin-objects/ecma-builtins.c:800
#1 0x55b2dd9797dc in ecma_op_object_find_own /tmp/jerryscript3/jerry-core/ecma/operations/ecma-objects.c:608
#2 0x55b2dd979ae9 in ecma_op_object_get_with_receiver /tmp/jerryscript3/jerry-core/ecma/operations/ecma-objects.c:844
#3 0x55b2dd979b7b in ecma_op_object_get /tmp/jerryscript3/jerry-core/ecma/operations/ecma-objects.c:813
#4 0x55b2dd979b7b in ecma_op_get_method /tmp/jerryscript3/jerry-core/ecma/operations/ecma-objects.c:993
#5 0x55b2dd97e8df in ecma_proxy_object_get_prototype_of /tmp/jerryscript3/jerry-core/ecma/operations/ecma-proxy-object.c:303
#6 0x55b2dd973d28 in ecma_op_function_has_instance /tmp/jerryscript3/jerry-core/ecma/operations/ecma-function-object.c:677
...
SUMMARY: AddressSanitizer: global-buffer-overflow /tmp/jerryscript3/jerry-core/ecma/builtin-objects/ecma-builtins.c:800 in ecma_builtin_try_to_instantiate_property
$ build/bin/jerry /tmp/crashes/03.js
ICE: Assertion 'ecma_get_object_type (func_obj_p) == ECMA_OBJECT_TYPE_FUNCTION || ecma_get_object_type (func_obj_p) == ECMA_OBJECT_TYPE_EXTERNAL_FUNCTION' failed at /tmp/jerryscript2/jerry-core/ecma/operations/ecma-function-object.c(ecma_op_function_has_instance):643.
Error: ERR_FAILED_INTERNAL_ASSERTION
Aborted (core dumped)