
ICE: Assertion 'ecma_get_object_type (func_obj_p) == ECMA_OBJECT_TYPE_FUNCTION || ecma_get_object_type (func_obj_p) == ECMA_OBJECT_TYPE_EXTERNAL_FUNCTION' failed at jerry-core/ecma/operations/ecma-function-object.c(ecma_op_function_has_instance):643. #3814

Closed
nszetei opened this issue May 29, 2020 · 1 comment · Fixed by #3827

Comments

nszetei commented May 29, 2020

JerryScript revision

3b4c259

Build platform

Ubuntu 18.04.4 LTS (Linux 4.15.0-91-generic x86_64)

Build steps
  • for the first output:
python tools/build.py --profile=es2015-subset --lto=off --compile-flag=-g \
--strip=off --logging=on \
--compile-flag=-fsanitize=address --stack-limit=15
  • for the second output:
./tools/build.py --clean --debug --compile-flag=-fsanitize=address \
--compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer \
--compile-flag=-fno-common --compile-flag=-g \
--strip=off --system-allocator=on --logging=on \
--linker-flag=-fuse-ld=gold --error-messages=on --profile=es2015-subset \
--stack-limit=15
Test case
function main() {
  var v4 = [1337,1337,1337];
  var v5 = [1018825975,1018825975,Number];
  var v6 = {constructor:"symbol",toString:"symbol",__proto__:v4,b:v5,e:1018825975};
  var v8 = v6.toStringTag; // undefined; reused below as the value of several proxy traps
  function v9(v10,v11) {
    var v16 = [1337,1337,1337];
    var v17 = [1018825975,1018825975,Number];
    var v18 = {constructor:"symbol",toString:"symbol",__proto__:v16,b:v17,e:1018825975};
    var v20 = v18.toStringTag; // undefined, as v8 above
    function v21(v22,v23) {
      var v25 = [1337,1337];
      var v26 = v25[-1951730718]; // undefined: out-of-range index
      var v28 = {isExtensible:v26,__proto__:this};
      var v30 = new Proxy(Function,v28);
      return v30;
    }
    var v31 = {getPrototypeOf:v21,getOwnPropertyDescriptor:v21,isExtensible:v21,length:v20,set:v20,setPrototypeOf:v21,deleteProperty:v20,defineProperty:v21,get:v20,ownKeys:v21,construct:v20};
    var v33 = new Proxy(Function,v31);
    var v34 = v33 instanceof v33; // instanceof with a Proxy over a function on both sides
    var v35 = v9();
  }
  var v36 = {getPrototypeOf:v9,getOwnPropertyDescriptor:v9,isExtensible:v9,length:v8,set:v8,setPrototypeOf:v9,deleteProperty:v8,defineProperty:v9,get:v8,ownKeys:v9,construct:v8};
  var v38 = new Proxy(print,v36); // print is the function provided by the jerry shell
  var v39 = v38 instanceof v38; // instanceof with a Proxy over a function on both sides
  function v40(v41,v42,v43,v44) {
  }
}
main();
Execution steps
$ /tmp/jerryscript3/build/bin/jerry /tmp/crashes/03.js
=================================================================
==9137==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55b2dd9ed058 at pc 0x55b2dd9678ef bp 0x7fff96087f10 sp 0x7fff96087f00
READ of size 2 at 0x55b2dd9ed058 thread T0
    #0 0x55b2dd9678ee in ecma_builtin_try_to_instantiate_property /tmp/jerryscript3/jerry-core/ecma/builtin-objects/ecma-builtins.c:800
    #1 0x55b2dd9797dc in ecma_op_object_find_own /tmp/jerryscript3/jerry-core/ecma/operations/ecma-objects.c:608
    #2 0x55b2dd979ae9 in ecma_op_object_get_with_receiver /tmp/jerryscript3/jerry-core/ecma/operations/ecma-objects.c:844
    #3 0x55b2dd979b7b in ecma_op_object_get /tmp/jerryscript3/jerry-core/ecma/operations/ecma-objects.c:813
    #4 0x55b2dd979b7b in ecma_op_get_method /tmp/jerryscript3/jerry-core/ecma/operations/ecma-objects.c:993
    #5 0x55b2dd97e8df in ecma_proxy_object_get_prototype_of /tmp/jerryscript3/jerry-core/ecma/operations/ecma-proxy-object.c:303
    #6 0x55b2dd973d28 in ecma_op_function_has_instance /tmp/jerryscript3/jerry-core/ecma/operations/ecma-function-object.c:677
...
SUMMARY: AddressSanitizer: global-buffer-overflow /tmp/jerryscript3/jerry-core/ecma/builtin-objects/ecma-builtins.c:800 in ecma_builtin_try_to_instantiate_property
$ build/bin/jerry /tmp/crashes/03.js
ICE: Assertion 'ecma_get_object_type (func_obj_p) == ECMA_OBJECT_TYPE_FUNCTION || ecma_get_object_type (func_obj_p) == ECMA_OBJECT_TYPE_EXTERNAL_FUNCTION' failed at /tmp/jerryscript2/jerry-core/ecma/operations/ecma-function-object.c(ecma_op_function_has_instance):643.
Error: ERR_FAILED_INTERNAL_ASSERTION
Aborted (core dumped)

rerobika commented Jun 2, 2020

Minimal testcase:

({} instanceof new Proxy(function(){}, {}))

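The minimal testcase is legal ES2015, and the assertion text shows why it matters: the right-hand side of instanceof is a Proxy, not an object of type FUNCTION or EXTERNAL_FUNCTION, yet it is callable because its target is a function, so the engine must run OrdinaryHasInstance against it. The block below is an added example, not code from this issue or from JerryScript: a JavaScript transcription of the ES2015 InstanceofOperator (12.9.4) and OrdinaryHasInstance (7.3.19) abstract operations, run beside the native operator. The tracing proxy records which traps a conforming engine is required to hit: a [[Get]] of "prototype" on the right-hand proxy and, when the left-hand side is also a proxy (the `v38 instanceof v38` shape from the report), [[GetPrototypeOf]] on it during the prototype-chain walk. All function names are the example's own, and step 2 of OrdinaryHasInstance (unwrapping a bound function) is omitted because a bound function cannot be detected from script.

```javascript
// Added example (not from the issue or the JerryScript sources): spec
// transcription of `O instanceof C`, with a tracing Proxy to show which
// proxy traps the operation goes through.

function isObject(v) {
  return v !== null && (typeof v === "object" || typeof v === "function");
}

// Wrap `target` in a Proxy whose get/getPrototypeOf traps append a line to
// `log` before forwarding to the target, so callers can see which internal
// methods an instanceof evaluation invoked on it.
function tracingProxy(target, label, log) {
  return new Proxy(target, {
    get(t, key, receiver) {
      log.push(`${label}.get(${String(key)})`);
      return Reflect.get(t, key, receiver);
    },
    getPrototypeOf(t) {
      log.push(`${label}.getPrototypeOf`);
      return Reflect.getPrototypeOf(t);
    },
  });
}

// ES2015 7.3.19 OrdinaryHasInstance(C, O). Step 2 (bound functions) is
// omitted: it cannot be detected from script and nothing here passes one.
function ordinaryHasInstance(C, O) {
  if (typeof C !== "function") return false;   // IsCallable(C): true for a Proxy over a function
  if (!isObject(O)) return false;
  const P = C.prototype;                        // Get(C, "prototype"): hits a proxy's get trap
  if (!isObject(P)) throw new TypeError("instanceof: prototype is not an object");
  let o = O;
  for (;;) {
    o = Object.getPrototypeOf(o);               // O.[[GetPrototypeOf]](): hits a proxy's getPrototypeOf trap
    if (o === null) return false;
    if (o === P) return true;
  }
}

// ES2015 12.9.4 InstanceofOperator(O, C): what `O instanceof C` evaluates to.
function instanceofOperator(O, C) {
  if (!isObject(C)) throw new TypeError("instanceof: right-hand side is not an object");
  const handler = C[Symbol.hasInstance];        // GetMethod(C, @@hasInstance)
  if (handler !== undefined && handler !== null) {
    if (typeof handler !== "function") throw new TypeError("instanceof: @@hasInstance is not callable");
    return Boolean(handler.call(C, O));
  }
  if (typeof C !== "function") throw new TypeError("instanceof: right-hand side is not callable");
  return ordinaryHasInstance(C, O);
}

// Run the transcription and the native operator on the same operands; a
// thrown TypeError is reported as the string "TypeError".
function evaluateBoth(O, C) {
  const run = (f) => {
    try { return f(); } catch (e) { if (e instanceof TypeError) return "TypeError"; throw e; }
  };
  return { spec: run(() => instanceofOperator(O, C)), native: run(() => O instanceof C) };
}

// The minimal testcase from this thread: ({} instanceof new Proxy(function(){}, {})).
function minimalTestcase() {
  const log = [];
  const rhs = tracingProxy(function () {}, "rhs", log);
  return { result: ordinaryHasInstance(rhs, {}), log };
}

// The shape from the original report: the same proxy on both sides.
function proxyOnBothSides() {
  const log = [];
  const p = tracingProxy(function () {}, "p", log);
  return { result: ordinaryHasInstance(p, p), log };
}

function main() {
  console.log(minimalTestcase());
  console.log(proxyOnBothSides());
  console.log(evaluateBoth({}, new Proxy(function () {}, {})));
  console.log(evaluateBoth({}, new Proxy({}, {})));   // non-callable proxy: TypeError on both paths
}
main();
```

The native operator and the transcription agree on every case, including the TypeError for a Proxy over a plain object; the only difference between the legal and the rejected right-hand side is IsCallable, which is why an engine cannot treat "callable" as synonymous with "a function object".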
@rerobika rerobika closed this as completed Jun 2, 2020
@rerobika rerobika reopened this Jun 2, 2020
rerobika added a commit to rerobika/jerryscript that referenced this issue Jun 2, 2020
This patch fixes jerryscript-project#3814.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu
@rerobika rerobika added the bug Undesired behaviour label Jun 2, 2020
@rerobika rerobika self-assigned this Jun 2, 2020
dbatyai pushed a commit that referenced this issue Jun 2, 2020
This patch fixes #3814.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu