Assertion ext_obj_p->u.array.hole_count <= ECMA_FAST_ARRAY_MAX_HOLE_COUNT in ecma_fast_array_set_property #3075

Closed
renatahodovan opened this issue Sep 5, 2019 · 0 comments · Fixed by #3076
Labels: bug (Undesired behaviour), ecma core (Related to core ECMA functionality)

JerryScript revision

57f389d

Build platform

Linux-4.15.0-54-generic-x86_64-with-Ubuntu-18.04-bionic

Build steps
```sh
./tools/build.py --clean --debug --compile-flag=-fsanitize=address \
--compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer \
--compile-flag=-fno-common --compile-flag=-g \
--strip=off --system-allocator=on --logging=on \
--linker-flag=-fuse-ld=gold --error-messages=on --profile=es2015-subset
```
Test case
```js
var arr = [ , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ];
arr [ 4294967294 ] = 0
```
Output
```
ICE: Assertion 'ext_obj_p->u.array.hole_count <= ECMA_FAST_ARRAY_MAX_HOLE_COUNT' failed at jerryscript/jerry-core/ecma/operations/ecma-array-object.c(ecma_fast_array_set_property):277.
Error: ERR_FAILED_INTERNAL_ASSERTION
```
Backtrace
```
bt
#0  0xf7fd5059 in __kernel_vsyscall ()
#1  0xf77fc832 in raise () from /lib/i386-linux-gnu/libc.so.6
#2  0xf77fdcc1 in abort () from /lib/i386-linux-gnu/libc.so.6
#3  0x5657ac4c in jerry_port_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at jerryscript/jerry-port/default/default-fatal.c:71
#4  0x56618af4 in jerry_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at jerryscript/jerry-core/jrt/jrt-fatals.c:58
#5  0x56618b35 in jerry_assert_fail (assertion=0x566af220 "ext_obj_p->u.array.hole_count <= ECMA_FAST_ARRAY_MAX_HOLE_COUNT", file=0x566aef80 "jerryscript/jerry-core/ecma/operations/ecma-array-object.c", function=0x5667cea0 <__func__.4083.lto_priv.595> "ecma_fast_array_set_property", line=277) at jerryscript/jerry-core/jrt/jrt-fatals.c:82
#6  0x56629798 in ecma_fast_array_set_property (object_p=0xf5f00730, property_name_p=0xf5d00570, value=4124051185) at jerryscript/jerry-core/ecma/operations/ecma-array-object.c:277
#7  0x56606737 in ecma_op_object_put (object_p=0xf5f00730, property_name_p=0xf5d00570, value=4124051185, is_throw=false) at jerryscript/jerry-core/ecma/operations/ecma-objects.c:1007
#8  0x565e9060 in vm_op_set_value (object=4126148403, property=4124050770, value=4124051185, is_strict=false) at jerryscript/jerry-core/vm/vm.c:212
#9  0x565f96f8 in vm_loop (frame_ctx_p=0xffffc7e0) at jerryscript/jerry-core/vm/vm.c:3349
#10 0x565fb064 in vm_execute (frame_ctx_p=0xffffc7e0, arg_p=0x0, arg_list_len=0) at jerryscript/jerry-core/vm/vm.c:3616
#11 0x565fb9c8 in vm_run (bytecode_header_p=0xf5103c80, this_binding_value=4126149459, lex_env_p=0xf5d007b0, parse_opts=0, arg_list_p=0x0, arg_list_len=0) at jerryscript/jerry-core/vm/vm.c:3742
#12 0x565e9128 in vm_run_global (bytecode_p=0xf5103c80) at jerryscript/jerry-core/vm/vm.c:282
#13 0x56641db1 in jerry_run (func_val=4126148835) at jerryscript/jerry-core/api/jerry.c:570
#14 0x5663e715 in main (argc=3, argv=0xffffcc14) at jerryscript/jerry-main/main-unix.c:743
```

Found by Fuzzinator with grammarinator.

rerobika added the bug (Undesired behaviour) and ecma core (Related to core ECMA functionality) labels on Sep 6, 2019
rerobika added a commit to rerobika/jerryscript that referenced this issue Sep 6, 2019
Fast mode access arrays must be converted back to normal if the array hole count reaches the limit during the initialization.
This patch fixes jerryscript-project#3075.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik [email protected]
rerobika added a commit that referenced this issue Sep 9, 2019
Fast mode access arrays must be converted back to normal if the array hole count reaches the limit during the initialization.
This patch fixes #3075.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik [email protected]
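
The invariant behind the assertion and the fix described in the commit message, as an added example: this is a simplified model, not JerryScript's code. Every `model_*` name and the value of `MODEL_MAX_HOLE_COUNT` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed limit for this model only; not taken from the JerryScript sources. */
#define MODEL_MAX_HOLE_COUNT 32u

typedef struct {
  bool fast;           /* true: dense "fast mode" storage that tracks holes */
  uint32_t length;
  uint32_t hole_count; /* invariant while fast: hole_count <= MODEL_MAX_HOLE_COUNT */
} model_array_t;

/* The condition that the failing assertion on this page expresses. */
static bool model_invariant_holds(const model_array_t *a) {
  return !a->fast || a->hole_count <= MODEL_MAX_HOLE_COUNT;
}

static void model_to_normal(model_array_t *a) { a->fast = false; a->hole_count = 0; }

/* Initialise from a literal of n elisions such as [ , , , ].
 * check_limit=false models the missing check, true models the fix. */
static model_array_t model_init_holes(uint32_t n, bool check_limit) {
  model_array_t a = { true, 0, 0 };
  for (uint32_t i = 0; i < n; i++) {
    a.length++;
    if (!a.fast) continue;  /* normal mode keeps no hole counter */
    a.hole_count++;
    if (check_limit && a.hole_count > MODEL_MAX_HOLE_COUNT) model_to_normal(&a);
  }
  return a;
}

/* Store at index. Returns false when the invariant is already broken on entry,
 * which is the state the assertion on this page reports. */
static bool model_set(model_array_t *a, uint32_t index) {
  if (!model_invariant_holds(a)) return false;
  if (a->fast && index >= a->length) {
    uint32_t new_holes = index - a->length;
    if (new_holes > MODEL_MAX_HOLE_COUNT - a->hole_count) model_to_normal(a);
    else a->hole_count += new_holes;
  }
  if (index >= a->length) a->length = index + 1;
  return true;
}

/* Literal with one hole over the limit, then a store at a very large index. */
static bool model_repro(bool check_limit) {
  model_array_t a = model_init_holes(MODEL_MAX_HOLE_COUNT + 1u, check_limit);
  return model_set(&a, 4294967294u);
}

int main(void) { return (!model_repro(false) && model_repro(true)) ? 0 : 1; }
```

The point for review is that every path that can raise the hole count, initialization included, has to enforce the limit or leave fast mode; checking only in the store path leaves a window where the object already violates its own invariant.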