
Assertion literal_index < register_end in vm_loop #3055

Closed · renatahodovan opened this issue Sep 4, 2019 · 0 comments · Fixed by #3056

Labels: bug (Undesired behaviour), parser (Related to the JavaScript parser)

renatahodovan (Contributor):

JerryScript revision

1088273

Build platform

Linux-4.15.0-54-generic-x86_64-with-Ubuntu-18.04-bionic

Build steps
./tools/build.py --clean --debug --compile-flag=-fsanitize=address \
--compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer \
--compile-flag=-fno-common --compile-flag=-g \
--strip=off --system-allocator=on --logging=on \
--linker-flag=-fuse-ld=gold --error-messages=on --profile=es2015-subset
Test case
var src = '(function () {'
for (var i = 0; i < 550; i++) { src += 'var a' + i + ' = 5; ' }
src += '})()'
eval(src)
Output
ICE: Assertion 'literal_index < register_end' failed at jerryscript/jerry-core/vm/vm.c(vm_loop):1950.
Error: ERR_FAILED_INTERNAL_ASSERTION
Backtrace
bt
#0  0xf7fd5059 in __kernel_vsyscall ()
#1  0xf77fc832 in raise () from /lib/i386-linux-gnu/libc.so.6
#2  0xf77fdcc1 in abort () from /lib/i386-linux-gnu/libc.so.6
#3  0x5657ae47 in jerry_port_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at jerryscript/jerry-port/default/default-fatal.c:71
#4  0x56617934 in jerry_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at jerryscript/jerry-core/jrt/jrt-fatals.c:58
#5  0x56617975 in jerry_assert_fail (assertion=0x566a6d00 "literal_index < register_end", file=0x566a5ee0 "jerryscript/jerry-core/vm/vm.c", function=0x566862c0 <__func__.5931.lto_priv.427> "vm_loop", line=1950) at jerryscript/jerry-core/jrt/jrt-fatals.c:82
#6  0x565efe6e in vm_loop (frame_ctx_p=0xffffbdb0) at jerryscript/jerry-core/vm/vm.c:1950
#7  0x565f9958 in vm_execute (frame_ctx_p=0xffffbdb0, arg_p=0xffffc004, arg_list_len=0) at jerryscript/jerry-core/vm/vm.c:3616
#8  0x565fa2bc in vm_run (bytecode_header_p=0xf5733080, this_binding_value=4126149459, lex_env_p=0xf5d07b70, parse_opts=0, arg_list_p=0xffffc004, arg_list_len=0) at jerryscript/jerry-core/vm/vm.c:3742
#9  0x56633d9d in ecma_op_function_call (func_obj_p=0xf5f13750, this_arg_value=72, arguments_list_p=0xffffc004, arguments_list_len=0) at jerryscript/jerry-core/ecma/operations/ecma-function-object.c:807
#10 0x565e8785 in opfunc_call (frame_ctx_p=0xffffc070) at jerryscript/jerry-core/vm/vm.c:581
#11 0x565f99b8 in vm_execute (frame_ctx_p=0xffffc070, arg_p=0x0, arg_list_len=0) at jerryscript/jerry-core/vm/vm.c:3622
#12 0x565fa2bc in vm_run (bytecode_header_p=0xf5f13780, this_binding_value=4126149459, lex_env_p=0xf5d007b0, parse_opts=66, arg_list_p=0x0, arg_list_len=0) at jerryscript/jerry-core/vm/vm.c:3742
#13 0x565e7c04 in vm_run_eval (bytecode_data_p=0xf5f13780, parse_opts=66) at jerryscript/jerry-core/vm/vm.c:346
#14 0x56631964 in ecma_op_eval_chars_buffer (code_p=0xf256410c "(function () {var a0 = 5; var a1 = 5; var a2 = 5; var a3 = 5; var a4 = 5; var a5 = 5; var a6 = 5; var a7 = 5; var a8 = 5; var a9 = 5; var a10 = 5; var a11 = 5; var a12 = 5; var a13 = 5; var a14 = 5; v"..., code_buffer_size=7608, parse_opts=66) at jerryscript/jerry-core/ecma/operations/ecma-eval.c:116
#15 0x56631637 in ecma_op_eval (code_p=0xf2564100, parse_opts=2) at jerryscript/jerry-core/ecma/operations/ecma-eval.c:58
#16 0x565bb1e8 in ecma_builtin_global_object_eval (x=4065739009) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-global.c:111
#17 0x565be9ab in ecma_builtin_global_dispatch_routine (builtin_routine_id=73, this_arg=72, arguments_list_p=0xffffc4d0, arguments_number=1) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-global.c:1164
#18 0x56621477 in ecma_builtin_dispatch_routine (builtin_object_id=ECMA_BUILTIN_ID_GLOBAL, builtin_routine_id=73, this_arg_value=72, arguments_list_p=0xffffc4d0, arguments_list_len=1) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1025
#19 0x566216d8 in ecma_builtin_dispatch_call (obj_p=0xf5f036d0, this_arg_value=72, arguments_list_p=0xffffc764, arguments_list_len=1) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1050
#20 0x56633a3c in ecma_op_function_call (func_obj_p=0xf5f036d0, this_arg_value=72, arguments_list_p=0xffffc764, arguments_list_len=1) at jerryscript/jerry-core/ecma/operations/ecma-function-object.c:729
#21 0x565e8785 in opfunc_call (frame_ctx_p=0xffffc7e0) at jerryscript/jerry-core/vm/vm.c:581
#22 0x565f99b8 in vm_execute (frame_ctx_p=0xffffc7e0, arg_p=0x0, arg_list_len=0) at jerryscript/jerry-core/vm/vm.c:3622
#23 0x565fa2bc in vm_run (bytecode_header_p=0xf5103ec0, this_binding_value=4126149459, lex_env_p=0xf5d007b0, parse_opts=0, arg_list_p=0x0, arg_list_len=0) at jerryscript/jerry-core/vm/vm.c:3742
#24 0x565e7a1c in vm_run_global (bytecode_p=0xf5103ec0) at jerryscript/jerry-core/vm/vm.c:282
#25 0x5664170c in jerry_run (func_val=4126148691) at jerryscript/jerry-core/api/jerry.c:570
#26 0x5663e070 in main (argc=3, argv=0xffffcc14) at jerryscript/jerry-main/main-unix.c:743

Found by Fuzzinator with grammarinator.
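The reproducer above fixes the local-variable count at 550, which is just one point that trips the assertion. When triaging a fuzzer-found internal assertion like this, the first thing a practitioner usually wants is the smallest count that still fails, since that number points at the encoding or register limit the engine mishandles. The following is an added example, not code from the issue or from the JerryScript project: it regenerates the reporter's test case for any count, confirms the snippet is ordinary ES5 that runs cleanly in the host engine, and bisects for the failure threshold through a caller-supplied callback. The `jerryCrashes` driver, its use of the exit status as the crash signal, the binary path and the assumption that failures are monotonic in the variable count are all assumptions of this example.

```javascript
// Added example (not from the issue or the JerryScript project): generate the
// reporter's test case for an arbitrary number of locals and bisect for the
// smallest count that makes an engine fail. The "crashes" callback is supplied
// by the caller (assumption: it returns true when the engine aborts on the
// given source), so the bisection can drive any engine binary.

// Same shape as the reproducer in the report: one IIFE whose body holds n
// `var aK = 5;` declarations.
function makeTestCase(n) {
  let src = '(function () {';
  for (let i = 0; i < n; i++) {
    src += 'var a' + i + ' = 5; ';
  }
  src += '})()';
  return src;
}

// True if evaluating the generated source in the *current* engine throws
// nothing. The snippet is plain ES5, so any conforming engine should return
// true here; an assertion failure in one engine is that engine's bug, not a
// property of the input.
function runsCleanInThisEngine(n) {
  try {
    eval(makeTestCase(n)); // direct eval, exactly as the report does it
    return true;
  } catch (e) {
    return false;
  }
}

// Bisect for the smallest n in [lo, hi] for which crashes(makeTestCase(n)) is
// true. Assumes monotonic behaviour (once a count fails, larger counts also
// fail), which is what a fixed-size limit produces. Returns -1 when hi itself
// does not fail, i.e. the range or the monotonicity assumption is wrong.
function findThreshold(crashes, lo, hi) {
  if (!crashes(makeTestCase(hi))) return -1;
  if (crashes(makeTestCase(lo))) return lo;
  // Invariant from here on: lo does not crash, hi crashes.
  while (hi - lo > 1) {
    const mid = lo + Math.floor((hi - lo) / 2);
    if (crashes(makeTestCase(mid))) {
      hi = mid;
    } else {
      lo = mid;
    }
  }
  return hi;
}

// Example driver (assumption: jerryPath names a jerry binary that takes a
// script file as its argument). The source is wrapped in eval() the same way
// the report does, and a non-zero exit status is treated as a crash; the
// report's failure path goes through jerry_port_fatal, which does not exit 0.
function jerryCrashes(src, jerryPath) {
  const { spawnSync } = require('child_process');
  const fs = require('fs');
  const os = require('os');
  const path = require('path');
  const file = path.join(os.tmpdir(), 'tc-' + process.pid + '.js');
  fs.writeFileSync(file, 'eval(' + JSON.stringify(src) + ')');
  const r = spawnSync(jerryPath, [file]);
  fs.unlinkSync(file);
  return r.status !== 0;
}

// Usage against a local build (path is an assumption):
//   findThreshold((s) => jerryCrashes(s, './build/bin/jerry'), 1, 550)
```

With a debug build as described in the report, `findThreshold` driven by `jerryCrashes` returns the first variable count that trips the `literal_index < register_end` assertion; comparing that number against the bytecode's register and literal encoding limits is the natural next step, and the same harness can be rerun on the build containing the fix from #3056 to confirm that it returns -1 across the whole range.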

rerobika added the bug (Undesired behaviour) and parser (Related to the JavaScript parser) labels Sep 4, 2019

rerobika added a commit to rerobika/jerryscript that referenced this issue Sep 4, 2019 (re-pushed four times on Sep 5, 2019 with the same message):

This patch fixes jerryscript-project#3055.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik [email protected]

dbatyai pushed a commit that referenced this issue Sep 7, 2019:

This patch fixes #3055.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik [email protected]