
Segmentation fault in ecma_string_get_chars #1557

@renatahodovan

@renatahodovan
IoT.js version:
Checked revision: 3c2212a
Build command: tools/build.py --buildtype=debug
OS:
Ubuntu 17.10, x86_64
Test case:
// Fuzzer-generated reproducer (see "Found by Fuzzinator" below); kept verbatim
// because the crash may depend on these exact constructs.
// The global object is obtained through an indirect Function() call rather
// than a bare `this`.
var fz_globalObject = Function("return this")( )
// Enumerate every own property name of the global object and print the list
// (the first line of the output below).
var prop_names = Object.getOwnPropertyNames(fz_globalObject)
console.log(prop_names)
// Deliberately unbounded: the loop has no exit condition, so `i` would run past
// prop_names.length and prop_name would become undefined. In the reported run
// that point is never reached — three names are printed (process, global,
// console) and the process segfaults while handling the fourth entry,
// presumably inside console.log("Buffer") — confirm against the backtrace,
// which ends in charAt with a this_arg/string_p of 0x53d.
for (var i = 0;; i++) {
    var prop_name = prop_names[i]
    console.log(prop_name)
}
Backtrace (program output, followed by the gdb session):
[process,global,console,Buffer,setTimeout,setInterval,clearTimeout,clearInterval,unescape,escape,parseInt,encodeURIComponent,encodeURI,decodeURIComponent,decodeURI,isFinite,isNaN,parseFloat,eval,JSON,Math,URIError,TypeError,SyntaxError,ReferenceError,RangeError,EvalError,Error,RegExp,Date,Number,Boolean,String,Array,Function,Object,Infinity,NaN,undefined]
process
global
console
Segmentation fault (core dumped)

Program received signal SIGSEGV, Segmentation fault.
0x000055555559687d in ecma_string_get_chars (string_p=0x53d, size_p=0x7fffffffb37c, flags_p=0x7fffffffb37b "\001\377\377")
    at iotjs/deps/jerry/jerry-core/ecma/base/ecma-helpers-string.c:1465
1465	          length = lit_utf8_string_length (lit_get_magic_string_ex_utf8 (string_p->u.magic_string_ex_id), size);
(gdb) bt
#0  0x000055555559687d in ecma_string_get_chars (string_p=0x53d, size_p=0x7fffffffb37c, flags_p=0x7fffffffb37b "\001\377\377")
    at iotjs/deps/jerry/jerry-core/ecma/base/ecma-helpers-string.c:1465
#1  0x0000555555598221 in ecma_string_get_char_at_pos (string_p=0x53d, index=0) at iotjs/deps/jerry/jerry-core/ecma/base/ecma-helpers-string.c:2188
#2  0x00005555555dc070 in ecma_builtin_string_prototype_object_char_at (this_arg=1341, arg=0) at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:147
#3  0x00005555555db959 in ecma_builtin_string_prototype_dispatch_routine (builtin_routine_id=40, this_arg_value=1341, arguments_list=0x7fffffffb88c, arguments_number=1)
    at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.inc.h:48
#4  0x00005555555e8f99 in ecma_builtin_dispatch_routine (builtin_object_id=ECMA_BUILTIN_ID_STRING_PROTOTYPE, builtin_routine_id=40, this_arg_value=1341, arguments_list_p=0x7fffffffb88c, 
    arguments_list_len=1) at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtins.c:880
#5  0x00005555555e90eb in ecma_builtin_dispatch_call (obj_p=0x555555881c10 <jerry_global_heap+20400>, this_arg_value=1341, arguments_list_p=0x7fffffffb88c, arguments_list_len=1)
    at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtins.c:905
#6  0x00005555555f336f in ecma_op_function_call (func_obj_p=0x555555881c10 <jerry_global_heap+20400>, this_arg_value=1341, arguments_list_p=0x7fffffffb88c, arguments_list_len=1)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:342
#7  0x0000555555626992 in opfunc_call (frame_ctx_p=0x7fffffffb8e0) at iotjs/deps/jerry/jerry-core/vm/vm.c:417
#8  0x0000555555630361 in vm_execute (frame_ctx_p=0x7fffffffb8e0, arg_p=0x555555882070 <jerry_global_heap+21520>, arg_list_len=1) at iotjs/deps/jerry/jerry-core/vm/vm.c:2844
#9  0x0000555555630617 in vm_run (bytecode_header_p=0x55555587dde8 <jerry_global_heap+4488>, this_binding_value=5603, lex_env_p=0x555555882078 <jerry_global_heap+21528>, is_eval_code=false, 
    arg_list_p=0x555555882070 <jerry_global_heap+21520>, arg_list_len=1) at iotjs/deps/jerry/jerry-core/vm/vm.c:2924
#10 0x00005555555f389f in ecma_op_function_call (func_obj_p=0x55555587e0e0 <jerry_global_heap+5248>, this_arg_value=5603, arguments_list_p=0x555555882070 <jerry_global_heap+21520>, 
    arguments_list_len=1) at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:405
#11 0x00005555555b9ade in ecma_builtin_function_prototype_object_apply (this_arg=5251, arg1=5603, arg2=21459)
    at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:160
#12 0x00005555555b9370 in ecma_builtin_function_prototype_dispatch_routine (builtin_routine_id=35, this_arg_value=5251, arguments_list=0x7fffffffc0c8, arguments_number=2)
    at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.inc.h:41
#13 0x00005555555e8f99 in ecma_builtin_dispatch_routine (builtin_object_id=ECMA_BUILTIN_ID_FUNCTION_PROTOTYPE, builtin_routine_id=35, this_arg_value=5251, arguments_list_p=0x7fffffffc0c8, 
    arguments_list_len=2) at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtins.c:880
#14 0x00005555555e90eb in ecma_builtin_dispatch_call (obj_p=0x555555881700 <jerry_global_heap+19104>, this_arg_value=5251, arguments_list_p=0x7fffffffc0c8, arguments_list_len=2)
    at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtins.c:905
#15 0x00005555555f336f in ecma_op_function_call (func_obj_p=0x555555881700 <jerry_global_heap+19104>, this_arg_value=5251, arguments_list_p=0x7fffffffc0c8, arguments_list_len=2)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:342
#16 0x0000555555626992 in opfunc_call (frame_ctx_p=0x7fffffffc110) at iotjs/deps/jerry/jerry-core/vm/vm.c:417
#17 0x0000555555630361 in vm_execute (frame_ctx_p=0x7fffffffc110, arg_p=0x7fffffffc51c, arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:2844
#18 0x0000555555630617 in vm_run (bytecode_header_p=0x55555587d958 <jerry_global_heap+3320>, this_binding_value=5603, lex_env_p=0x555555881ed8 <jerry_global_heap+21112>, is_eval_code=false, 
    arg_list_p=0x7fffffffc51c, arg_list_len=1) at iotjs/deps/jerry/jerry-core/vm/vm.c:2924
#19 0x00005555555f389f in ecma_op_function_call (func_obj_p=0x55555587e200 <jerry_global_heap+5536>, this_arg_value=5603, arguments_list_p=0x7fffffffc51c, arguments_list_len=1)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:405
#20 0x0000555555626992 in opfunc_call (frame_ctx_p=0x7fffffffc560) at iotjs/deps/jerry/jerry-core/vm/vm.c:417
#21 0x0000555555630361 in vm_execute (frame_ctx_p=0x7fffffffc560, arg_p=0x7fffffffcc4c, arg_list_len=3) at iotjs/deps/jerry/jerry-core/vm/vm.c:2844
#22 0x0000555555630617 in vm_run (bytecode_header_p=0x555555881840 <jerry_global_heap+19424>, this_binding_value=17155, lex_env_p=0x55555587cc88 <jerry_global_heap+40>, is_eval_code=false, 
    arg_list_p=0x7fffffffcc4c, arg_list_len=3) at iotjs/deps/jerry/jerry-core/vm/vm.c:2924
#23 0x00005555555f389f in ecma_op_function_call (func_obj_p=0x555555881650 <jerry_global_heap+18928>, this_arg_value=17155, arguments_list_p=0x7fffffffcc4c, arguments_list_len=3)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:405
#24 0x00005555555b9d35 in ecma_builtin_function_prototype_object_call (this_arg=18931, arguments_list_p=0x7fffffffcc48, arguments_number=4)
    at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:215
#25 0x00005555555b9386 in ecma_builtin_function_prototype_dispatch_routine (builtin_routine_id=36, this_arg_value=18931, arguments_list=0x7fffffffcc48, arguments_number=4)
    at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.inc.h:42
#26 0x00005555555e8f99 in ecma_builtin_dispatch_routine (builtin_object_id=ECMA_BUILTIN_ID_FUNCTION_PROTOTYPE, builtin_routine_id=36, this_arg_value=18931, arguments_list_p=0x7fffffffcc48, 
    arguments_list_len=4) at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtins.c:880
#27 0x00005555555e90eb in ecma_builtin_dispatch_call (obj_p=0x55555587ef70 <jerry_global_heap+8976>, this_arg_value=18931, arguments_list_p=0x7fffffffcc48, arguments_list_len=4)
    at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtins.c:905
#28 0x00005555555f336f in ecma_op_function_call (func_obj_p=0x55555587ef70 <jerry_global_heap+8976>, this_arg_value=18931, arguments_list_p=0x7fffffffcc48, arguments_list_len=4)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:342
#29 0x0000555555626992 in opfunc_call (frame_ctx_p=0x7fffffffcca0) at iotjs/deps/jerry/jerry-core/vm/vm.c:417
#30 0x0000555555630361 in vm_execute (frame_ctx_p=0x7fffffffcca0, arg_p=0x7fffffffd0a8, arg_list_len=2) at iotjs/deps/jerry/jerry-core/vm/vm.c:2844
#31 0x0000555555630617 in vm_run (bytecode_header_p=0x55555587f6e0 <jerry_global_heap+10880>, this_binding_value=17131, lex_env_p=0x55555587f0d8 <jerry_global_heap+9336>, is_eval_code=false, 
    arg_list_p=0x7fffffffd0a8, arg_list_len=2) at iotjs/deps/jerry/jerry-core/vm/vm.c:2924
#32 0x00005555555f389f in ecma_op_function_call (func_obj_p=0x5555558810f8 <jerry_global_heap+17560>, this_arg_value=17131, arguments_list_p=0x7fffffffd0a8, arguments_list_len=2)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:405
#33 0x0000555555626992 in opfunc_call (frame_ctx_p=0x7fffffffd100) at iotjs/deps/jerry/jerry-core/vm/vm.c:417
#34 0x0000555555630361 in vm_execute (frame_ctx_p=0x7fffffffd100, arg_p=0x7fffffffd4f4, arg_list_len=2) at iotjs/deps/jerry/jerry-core/vm/vm.c:2844
#35 0x0000555555630617 in vm_run (bytecode_header_p=0x55555587f5e0 <jerry_global_heap+10624>, this_binding_value=11099, lex_env_p=0x55555587f0d8 <jerry_global_heap+9336>, is_eval_code=false, 
    arg_list_p=0x7fffffffd4f4, arg_list_len=2) at iotjs/deps/jerry/jerry-core/vm/vm.c:2924
#36 0x00005555555f389f in ecma_op_function_call (func_obj_p=0x5555558810b0 <jerry_global_heap+17488>, this_arg_value=11099, arguments_list_p=0x7fffffffd4f4, arguments_list_len=2)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:405
#37 0x0000555555626992 in opfunc_call (frame_ctx_p=0x7fffffffd530) at iotjs/deps/jerry/jerry-core/vm/vm.c:417
#38 0x0000555555630361 in vm_execute (frame_ctx_p=0x7fffffffd530, arg_p=0x7fffffffd944, arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:2844
#39 0x0000555555630617 in vm_run (bytecode_header_p=0x55555587f710 <jerry_global_heap+10928>, this_binding_value=11099, lex_env_p=0x55555587f0d8 <jerry_global_heap+9336>, is_eval_code=false, 
    arg_list_p=0x7fffffffd944, arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:2924
#40 0x00005555555f389f in ecma_op_function_call (func_obj_p=0x555555881108 <jerry_global_heap+17576>, this_arg_value=11099, arguments_list_p=0x7fffffffd944, arguments_list_len=0)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:405
#41 0x0000555555626992 in opfunc_call (frame_ctx_p=0x7fffffffd990) at iotjs/deps/jerry/jerry-core/vm/vm.c:417
#42 0x0000555555630361 in vm_execute (frame_ctx_p=0x7fffffffd990, arg_p=0x7fffffffdd74, arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:2844
#43 0x0000555555630617 in vm_run (bytecode_header_p=0x55555587d210 <jerry_global_heap+1456>, this_binding_value=27, lex_env_p=0x55555587d750 <jerry_global_heap+2800>, is_eval_code=false, 
    arg_list_p=0x7fffffffdd74, arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:2924
#44 0x00005555555f389f in ecma_op_function_call (func_obj_p=0x55555587d740 <jerry_global_heap+2784>, this_arg_value=72, arguments_list_p=0x7fffffffdd74, arguments_list_len=0)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:405
#45 0x0000555555626992 in opfunc_call (frame_ctx_p=0x7fffffffddb0) at iotjs/deps/jerry/jerry-core/vm/vm.c:417
#46 0x0000555555630361 in vm_execute (frame_ctx_p=0x7fffffffddb0, arg_p=0x0, arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:2844
#47 0x0000555555630617 in vm_run (bytecode_header_p=0x55555587d1f0 <jerry_global_heap+1424>, this_binding_value=27, lex_env_p=0x55555587cc88 <jerry_global_heap+40>, is_eval_code=true, arg_list_p=0x0, 
    arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:2924
#48 0x0000555555626220 in vm_run_eval (bytecode_data_p=0x55555587d1f0 <jerry_global_heap+1424>, is_direct=false) at iotjs/deps/jerry/jerry-core/vm/vm.c:269
#49 0x000055555557a870 in jerry_snapshot_result_at (snapshot_p=0x555555646fc0 <iotjs_js_modules_s>, snapshot_size=36146, func_index=12, copy_bytecode=false, as_function=false)
    at iotjs/deps/jerry/jerry-core/api/jerry-snapshot.c:761
#50 0x000055555557a8e2 in jerry_exec_snapshot_at (snapshot_p=0x555555646fc0 <iotjs_js_modules_s>, snapshot_size=36146, func_index=12, copy_bytecode=false)
    at iotjs/deps/jerry/jerry-core/api/jerry-snapshot.c:800
#51 0x000055555556c565 in iotjs_run (env=0x55555587b420 <current_env>) at iotjs/src/iotjs.c:102
#52 0x000055555556c62b in iotjs_start (env=0x55555587b420 <current_env>) at iotjs/src/iotjs.c:132
#53 0x000055555556ca7d in iotjs_entry (argc=2, argv=0x7fffffffe168) at iotjs/src/iotjs.c:207
#54 0x000055555556c1ba in main (argc=2, argv=0x7fffffffe168) at iotjs/src/platform/linux/iotjs_linux.c:19

Found by Fuzzinator
