Assertion 'ECMA_PROPERTY_IS_PROPERTY_PAIR (prop_iter_p)' failed in ecma_find_named_property #2506

renatahodovan · 2018-09-03T09:20:33Z

Jerry version:

Checked revision: d270f82e
Build command: ./tools/build.py --clean --debug --error-messages=on --profile=es2015-subset --logging=on

OS:

Ubuntu 18.04, x86_64

Test case:

print(Promise.race([,,,,,,,,,,,,,,,this,,this,,,,,,{ },function(){}])
	.then(function(){$('The promise should be rejected')},function(){$.id_1(escape,URIError)})
	.then(-Math.PI/0)<+RangeError);Date.UTC("",0);
new Date( ).getHours(-{ });
$.$("arg1,arg2,arg3","arg1,arg2",$,$);
$.setYear

Backtrace:

false
Script Error: ReferenceError: $ is not defined
ICE: Assertion 'ECMA_PROPERTY_IS_PROPERTY_PAIR (prop_iter_p)' failed at jerryscript/jerry-core/ecma/base/ecma-helpers.c(ecma_find_named_property):627.
Error: ERR_FAILED_INTERNAL_ASSERTION

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff7a24801 in __GI_abort () at abort.c:79
#2  0x000055555555efae in jerry_port_fatal (code=ERR_FAILED_INTERNAL_ASSERTION)
    at jerryscript/jerry-port/default/default-fatal.c:71
#3  0x0000555555589c30 in jerry_fatal (code=ERR_FAILED_INTERNAL_ASSERTION)
    at jerryscript/jerry-core/jrt/jrt-fatals.c:63
#4  0x0000555555589c82 in jerry_assert_fail (assertion=0x5555555e02e8 "ECMA_PROPERTY_IS_PROPERTY_PAIR (prop_iter_p)", 
    file=0x5555555e1e18 "jerryscript/jerry-core/ecma/base/ecma-helpers.c", 
    function=0x5555555ceab0 <__func__.4374.lto_priv.126> "ecma_find_named_property", line=627)
    at jerryscript/jerry-core/jrt/jrt-fatals.c:87
#5  0x00005555555b0117 in ecma_find_named_property (obj_p=0x5555558f5178 <jerry_global_heap+3528>, name_p=0x75)
    at jerryscript/jerry-core/ecma/base/ecma-helpers.c:627
#6  0x00005555555a4abb in ecma_op_object_find_own (base_value=3531, object_p=0x5555558f5178 <jerry_global_heap+3528>, 
    property_name_p=0x75) at jerryscript/jerry-core/ecma/operations/ecma-objects.c:508
#7  0x00005555555a4e77 in ecma_op_object_get (object_p=0x5555558f5178 <jerry_global_heap+3528>, property_name_p=0x75)
    at jerryscript/jerry-core/ecma/operations/ecma-objects.c:683
#8  0x00005555555a19f1 in ecma_process_promise_reaction_job (obj_p=0x5555558f4478 <jerry_global_heap+200>)
    at jerryscript/jerry-core/ecma/operations/ecma-jobqueue.c:154
#9  0x00005555555a1eb9 in ecma_process_all_enqueued_jobs ()
    at jerryscript/jerry-core/ecma/operations/ecma-jobqueue.c:343
#10 0x00005555555bf989 in jerry_run_all_enqueued_jobs () at jerryscript/jerry-core/api/jerry.c:570
#11 0x00005555555be6a0 in main (argc=3, argv=0x7fffffffdbf8) at jerryscript/jerry-main/main-unix.c:863

^{Found by Fuzzinator with grammarinator.}

The text was updated successfully, but these errors were encountered:

DanielBallaSZTE · 2018-09-06T15:04:06Z

It causes a segfault with gcc-5.4.0, doesn't segfault with gcc-7.3 and gcc-4.8.
The segfault part got fixed.

Fixes jerryscript-project#2486 Fixes jerryscript-project#2506 Co-authored-by: Robert Fancsik [email protected] JerryScript-DCO-1.0-Signed-off-by: Daniel Balla [email protected]

Fixes jerryscript-project#2486 Fixes jerryscript-project#2506 Co-authored-by: Robert Fancsik <[email protected]> JerryScript-DCO-1.0-Signed-off-by: Daniel Balla [email protected]

The ecma_enqueue_promise_reaction_job() function allocates memory, which might trigger a GC run. During this GC the objects in the reactions collection are not marked. Fixes jerryscript-project#2486. Fixes jerryscript-project#2506. JerryScript-DCO-1.0-Signed-off-by: Zoltan Herczeg [email protected]

The ecma_enqueue_promise_reaction_job() function allocates memory, which might trigger a GC run. During this GC the objects in the reactions collection are not marked. Fixes jerryscript-project#2486. Fixes jerryscript-project#2506. Fixes jerryscript-project#2541. JerryScript-DCO-1.0-Signed-off-by: Zoltan Herczeg [email protected]

The ecma_enqueue_promise_reaction_job() function allocates memory, which might trigger a GC run. During this GC the objects in the reactions collection are not marked. Fixes #2486. Fixes #2506. Fixes #2541. JerryScript-DCO-1.0-Signed-off-by: Zoltan Herczeg [email protected]

LaszloLango added bug Undesired behaviour ES2015 Related to ES2015 features labels Sep 3, 2018

DanielBallaSZTE mentioned this issue Sep 11, 2018

Fix an issue with ecma collections in the Promise implementation #2518

Closed

zherczeg mentioned this issue Sep 18, 2018

Fix use after free during creation of Promise reactions. #2532

Merged

LaszloLango closed this as completed in #2532 Oct 5, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Assertion 'ECMA_PROPERTY_IS_PROPERTY_PAIR (prop_iter_p)' failed in ecma_find_named_property #2506

Assertion 'ECMA_PROPERTY_IS_PROPERTY_PAIR (prop_iter_p)' failed in ecma_find_named_property #2506

renatahodovan commented Sep 3, 2018

DanielBallaSZTE commented Sep 6, 2018

Assertion 'ECMA_PROPERTY_IS_PROPERTY_PAIR (prop_iter_p)' failed in ecma_find_named_property #2506

Assertion 'ECMA_PROPERTY_IS_PROPERTY_PAIR (prop_iter_p)' failed in ecma_find_named_property #2506

Comments

renatahodovan commented Sep 3, 2018

Jerry version:

OS:

Test case:

Backtrace:

DanielBallaSZTE commented Sep 6, 2018