Assertion 'ecma_is_value_object (capability) && ecma_is_value_object (array) && ecma_is_value_object (ctor)' failed in ecma_builtin_promise_do_race #2468

renatahodovan · 2018-08-12T23:05:30Z

Jerry version:

Checked revision: 29e7330b
Build command: ./tools/build.py --clean --debug --compile-flag=-fsanitize=address \
--compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer \
--compile-flag=-fno-common --compile-flag=-g --jerry-libc=off \
--strip=off --system-allocator=on \
--linker-flag=-fuse-ld=gold --error-messages=on --profile=es2015-subset --logging=on

OS:

Ubuntu 17.10, x86_64

Test case:

Object.prototype[1] = 0; 
Promise.race([]);

Backtrace:

ICE: Assertion 'ecma_is_value_object (capability) && ecma_is_value_object (array) && ecma_is_value_object (ctor)' failed at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-promise.c(ecma_builtin_promise_do_race):199.
Error: ERR_FAILED_INTERNAL_ASSERTION

Program received signal SIGABRT, Aborted.
0xf7fd5db9 in __kernel_vsyscall ()
(gdb) bt
#0  0xf7fd5db9 in __kernel_vsyscall ()
#1  0xf78057e2 in raise () from /lib/i386-linux-gnu/libc.so.6
#2  0xf7806f51 in abort () from /lib/i386-linux-gnu/libc.so.6
#3  0x56576c2c in jerry_port_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at jerryscript/jerry-port/default/default-fatal.c:71
#4  0x56611827 in jerry_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at jerryscript/jerry-core/jrt/jrt-fatals.c:58
#5  0x56611868 in jerry_assert_fail (assertion=0x5667c7a0 "ecma_is_value_object (capability) && ecma_is_value_object (array) && ecma_is_value_object (ctor)", 
    file=0x5667c720 "jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-promise.c", function=0x56666660 <__func__.4897.lto_priv.284> "ecma_builtin_promise_do_race", line=199)
    at jerryscript/jerry-core/jrt/jrt-fatals.c:82
#6  0x565c6564 in ecma_builtin_promise_do_race (array=4126148691, capability=24, ctor=4126148931) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-promise.c:197
#7  0x565c78b9 in ecma_builtin_promise_race_or_all (this_arg=4126148931, array=4126148691, is_race=true) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-promise.c:576
#8  0x565c7953 in ecma_builtin_promise_race (this_arg=4126148931, array=4126148691) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-promise.c:606
#9  0x565c6019 in ecma_builtin_promise_dispatch_routine (builtin_routine_id=60, this_arg_value=4126148931, arguments_list=0xffffcd5c, arguments_number=1)
    at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-promise.inc.h:42
#10 0x56630a10 in ecma_builtin_dispatch_routine (builtin_object_id=ECMA_BUILTIN_ID_PROMISE, builtin_routine_id=60, this_arg_value=4126148931, arguments_list_p=0xffffcd5c, arguments_list_len=1)
    at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:906
#11 0x56630c1e in ecma_builtin_dispatch_call (obj_p=0xf5f008e0, this_arg_value=4126148931, arguments_list_p=0xffffcd5c, arguments_list_len=1)
    at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:931
#12 0x565ff595 in ecma_op_function_call (func_obj_p=0xf5f008e0, this_arg_value=4126148931, arguments_list_p=0xffffcd5c, arguments_list_len=1)
    at jerryscript/jerry-core/ecma/operations/ecma-function-object.c:495
#13 0x565e4f12 in opfunc_call (frame_ctx_p=0xffffcdd0) at jerryscript/jerry-core/vm/vm.c:436
#14 0x565f193a in vm_execute (frame_ctx_p=0xffffcdd0, arg_p=0x0, arg_list_len=0) at jerryscript/jerry-core/vm/vm.c:3006
#15 0x565f218b in vm_run (bytecode_header_p=0xf5300f50, this_binding_value=4126149459, lex_env_p=0xf5d007b0, parse_opts=0, arg_list_p=0x0, arg_list_len=0)
    at jerryscript/jerry-core/vm/vm.c:3090
#16 0x565e4457 in vm_run_global (bytecode_p=0xf5300f50) at jerryscript/jerry-core/vm/vm.c:225
#17 0x5663cd1f in jerry_run (func_val=4126149123) at jerryscript/jerry-core/api/jerry.c:533
#18 0x566397fe in main (argc=3, argv=0xffffd1f4) at jerryscript/jerry-main/main-unix.c:676

^{Found by Fuzzinator with grammarinator.}

The text was updated successfully, but these errors were encountered:

If a new Capability was created no check was issued if it happened to be an error. Fixes jerryscript-project#2465 Fixes jerryscript-project#2468 JerryScript-DCO-1.0-Signed-off-by: Daniel Balla [email protected]

If a new Capability was created no check was issued if it happened to be an error. Fixes jerryscript-project#2465 Fixes jerryscript-project#2468 Also fixes the second variant of jerryscript-project#2490. JerryScript-DCO-1.0-Signed-off-by: Daniel Balla [email protected]

If a new Capability was created no check was issued if it happened to be an error. Fixes #2465 Fixes #2468 Also fixes the second variant of #2490. JerryScript-DCO-1.0-Signed-off-by: Daniel Balla [email protected]

LaszloLango added bug ES2015 labels Aug 21, 2018

renatahodovan mentioned this issue Aug 28, 2018

Assertion 'ecma_is_value_integer_number (index_val)' failed in ecma_builtin_promise_all_handler #2490

Closed

DanielBallaSZTE mentioned this issue Aug 28, 2018

Fix ecma_builtin_promise_race_or_all function #2491

Merged

akosthekiss closed this as completed in #2491 Aug 31, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Assertion 'ecma_is_value_object (capability) && ecma_is_value_object (array) && ecma_is_value_object (ctor)' failed in ecma_builtin_promise_do_race #2468

Assertion 'ecma_is_value_object (capability) && ecma_is_value_object (array) && ecma_is_value_object (ctor)' failed in ecma_builtin_promise_do_race #2468

renatahodovan commented Aug 12, 2018

Assertion 'ecma_is_value_object (capability) && ecma_is_value_object (array) && ecma_is_value_object (ctor)' failed in ecma_builtin_promise_do_race #2468

Assertion 'ecma_is_value_object (capability) && ecma_is_value_object (array) && ecma_is_value_object (ctor)' failed in ecma_builtin_promise_do_race #2468

Comments

renatahodovan commented Aug 12, 2018

Jerry version:

OS:

Test case:

Backtrace: