Hello, I found a bug in JerryScript.
JerryScript revision
Build platform
Ubuntu 22.04.3
Build steps
# Reporter's build command for the jerry command-line tool (debug build).
# -fsanitize-coverage=trace-pc-guard is coverage instrumentation only; no
# AddressSanitizer/UBSan flag is passed, so the abort shown under "Output" is
# not a sanitizer report.
# --stack-limit=15 caps engine stack usage (kilobytes, going by the
# tools/build.py option help; confirm for the revision under test).
python3 tools/build.py --debug --compile-flag=-fsanitize-coverage=trace-pc-guard --lto=off --compile-flag=-D_POSIX_C_SOURCE=200809 --compile-flag=-Wno-strict-prototypes --stack-limit=15
Test case
// Reproducer body. Invoked first as mysort.call(array, aMinusB), then re-entered
// as a plain call mysort(mysort) from the filter() callback at the bottom.
//
// Triage note: the backtrace places the abort in jerryx_handler_assert
// (handlers.c, frame #6) -> jerry_port_fatal(JERRY_FATAL_FAILED_ASSERTION),
// i.e. the script-visible assert() helper registered by the command-line tool,
// reached through an ordinary function call from this function (frames #7-#13).
// "Script Error: assertion failed" therefore looks like the script calling
// assert() with a non-true argument rather than an engine-internal assertion
// or memory-safety fault. Confirm before treating this as an engine bug.
function mysort(comparator) {
// On the plain re-entrant calls `this` is not the array: frames #13/#19 show
// this_arg_value=72 arriving as this_binding=11 in ecma_op_function_call_simple,
// presumably undefined replaced by the global object (non-strict code).
var array = this;
var copy = [];
// Copies the value of every enumerable property of `this` into copy[]; when
// `this` is the global object that includes whatever functions the host
// registered there (assumed to include assert; see frame #6).
for (var p in array) {
copy[copy.length] = array[p];
}
// The only two-argument call in this function. Per frames #13-#16 the first
// re-entry calls mysort itself with two arguments; in that nested call
// `comparator` is a value taken from the previous copy[], and frames #6-#10
// show it resolving to the native assert handler (args_cnt=2).
comparator(copy[0], copy[1])
// Re-enters mysort with comparator = mysort and no explicit `this`.
array.filter(function () { mysort(mysort);});
};
// Comparator handed to the initial mysort.call(); returns a - b.
function aMinusB(a, b) {
return a - b;
}
// Entry point of the test case: runs mysort with `this` bound to a
// three-element array and aMinusB as the comparator argument.
var array = [1,2,3];
mysort.call(array, aMinusB)
Output
Script Error: assertion failed
Aborted (core dumped)
Backtrace
(lldb) bt
* thread #1, name = 'jerry', stop reason = signal SIGABRT
* frame #0: 0x00007ffff7c969fc libc.so.6`__GI___pthread_kill at pthread_kill.c:44:76
frame #1: 0x00007ffff7c969b0 libc.so.6`__GI___pthread_kill [inlined] __pthread_kill_internal(signo=6, threadid=140737352689472) at pthread_kill.c:78:10
frame #2: 0x00007ffff7c969b0 libc.so.6`__GI___pthread_kill(threadid=140737352689472, signo=6) at pthread_kill.c:89:10
frame #3: 0x00007ffff7c42476 libc.so.6`__GI_raise(sig=6) at raise.c:26:13
frame #4: 0x00007ffff7c287f3 libc.so.6`__GI_abort at abort.c:79:7
frame #5: 0x00005555556cb400 jerry`jerry_port_fatal(code=JERRY_FATAL_FAILED_ASSERTION) at jerry-port-process.c:41:5
frame #6: 0x00005555556c9090 jerry`jerryx_handler_assert(call_info_p=0x00007fffffffc8e8, args_p=0x00007fffffffcb04, args_cnt=2) at handlers.c:95:3
frame #7: 0x00005555555ed2c2 jerry`ecma_op_function_call_native(func_obj_p=0x00005555560798c8, this_arg_value=72, arguments_list_p=0x00007fffffffcb04, arguments_list_len=2) at ecma-function-object.c:1262:28
frame #8: 0x00005555555ec7f3 jerry`ecma_op_function_call(func_obj_p=0x00005555560798c8, this_arg_value=72, arguments_list_p=0x00007fffffffcb04, arguments_list_len=2) at ecma-function-object.c:1485:16
frame #9: 0x00005555555ec9b4 jerry`ecma_op_function_validated_call(callee=323, this_arg_value=72, arguments_list_p=0x00007fffffffcb04, arguments_list_len=2) at ecma-function-object.c:1428:10
frame #10: 0x000055555565d8a3 jerry`opfunc_call(frame_ctx_p=0x00007fffffffcab0) at vm.c:758:5
frame #11: 0x000055555564dd63 jerry`vm_execute(frame_ctx_p=0x00007fffffffcab0) at vm.c:5236:9
frame #12: 0x000055555564d22b jerry`vm_run(shared_p=0x00007fffffffcc10, this_binding_value=11, lex_env_p=0x0000555556079880) at vm.c:5331:10
frame #13: 0x00005555555ecec7 jerry`ecma_op_function_call_simple(func_obj_p=0x0000555556079a18, this_binding=11, arguments_list_p=0x00007fffffffce54, arguments_list_len=2) at ecma-function-object.c:1180:28
frame #14: 0x00005555555ec753 jerry`ecma_op_function_call(func_obj_p=0x0000555556079a18, this_arg_value=72, arguments_list_p=0x00007fffffffce54, arguments_list_len=2) at ecma-function-object.c:1463:16
frame #15: 0x00005555555ec9b4 jerry`ecma_op_function_validated_call(callee=659, this_arg_value=72, arguments_list_p=0x00007fffffffce54, arguments_list_len=2) at ecma-function-object.c:1428:10
frame #16: 0x000055555565d8a3 jerry`opfunc_call(frame_ctx_p=0x00007fffffffce00) at vm.c:758:5
frame #17: 0x000055555564dd63 jerry`vm_execute(frame_ctx_p=0x00007fffffffce00) at vm.c:5236:9
frame #18: 0x000055555564d22b jerry`vm_run(shared_p=0x00007fffffffcf60, this_binding_value=11, lex_env_p=0x0000555556079880) at vm.c:5331:10
frame #19: 0x00005555555ecec7 jerry`ecma_op_function_call_simple(func_obj_p=0x0000555556079a18, this_binding=11, arguments_list_p=0x00007fffffffd194, arguments_list_len=1) at ecma-function-object.c:1180:28
frame #20: 0x00005555555ec753 jerry`ecma_op_function_call(func_obj_p=0x0000555556079a18, this_arg_value=72, arguments_list_p=0x00007fffffffd194, arguments_list_len=1) at ecma-function-object.c:1463:16
frame #21: 0x00005555555ec9b4 jerry`ecma_op_function_validated_call(callee=659, this_arg_value=72, arguments_list_p=0x00007fffffffd194, arguments_list_len=1) at ecma-function-object.c:1428:10
frame #22: 0x000055555565d8a3 jerry`opfunc_call(frame_ctx_p=0x00007fffffffd150) at vm.c:758:5
frame #23: 0x000055555564dd63 jerry`vm_execute(frame_ctx_p=0x00007fffffffd150) at vm.c:5236:9
frame #24: 0x000055555564d22b jerry`vm_run(shared_p=0x00007fffffffd290, this_binding_value=11, lex_env_p=0x0000555556079880) at vm.c:5331:10
frame #25: 0x00005555555ecec7 jerry`ecma_op_function_call_simple(func_obj_p=0x0000555556079ac8, this_binding=11, arguments_list_p=0x00007fffffffd3a0, arguments_list_len=3) at ecma-function-object.c:1180:28
frame #26: 0x00005555555ec753 jerry`ecma_op_function_call(func_obj_p=0x0000555556079ac8, this_arg_value=72, arguments_list_p=0x00007fffffffd3a0, arguments_list_len=3) at ecma-function-object.c:1463:16
frame #27: 0x00005555556675dc jerry`ecma_builtin_array_prototype_object_filter(arg1=835, arg2=72, obj_p=0x0000555556079a68, len=3) at ecma-builtin-array-prototype.c:1980:33
frame #28: 0x0000555555661248 jerry`ecma_builtin_array_prototype_dispatch_routine(builtin_routine_id='\x13', this_arg=739, arguments_list_p=0x00007fffffffd4a8, arguments_number=1) at ecma-builtin-array-prototype.c:2952:19
frame #29: 0x00005555555cee25 jerry`ecma_builtin_dispatch_routine(func_obj_p=0x0000555556079ec8, this_arg_value=739, arguments_list_p=0x00007fffffffd4a8, arguments_list_len=1) at ecma-builtins.c:1460:10
frame #30: 0x00005555555ceb5e jerry`ecma_builtin_dispatch_call(obj_p=0x0000555556079ec8, this_arg_value=739, arguments_list_p=0x00007fffffffd7ac, arguments_list_len=1) at ecma-builtins.c:1489:12
frame #31: 0x00005555555ed0b8 jerry`ecma_op_function_call_native_built_in(func_obj_p=0x0000555556079ec8, this_arg_value=739, arguments_list_p=0x00007fffffffd7ac, arguments_list_len=1) at ecma-function-object.c:1223:5
frame #32: 0x00005555555ec77e jerry`ecma_op_function_call(func_obj_p=0x0000555556079ec8, this_arg_value=739, arguments_list_p=0x00007fffffffd7ac, arguments_list_len=1) at ecma-function-object.c:1468:16
frame #33: 0x00005555555ec9b4 jerry`ecma_op_function_validated_call(callee=1859, this_arg_value=739, arguments_list_p=0x00007fffffffd7ac, arguments_list_len=1) at ecma-function-object.c:1428:10
frame #34: 0x000055555565d8a3 jerry`opfunc_call(frame_ctx_p=0x00007fffffffd750) at vm.c:758:5
frame #35: 0x000055555564dd63 jerry`vm_execute(frame_ctx_p=0x00007fffffffd750) at vm.c:5236:9
frame #36: 0x000055555564d22b jerry`vm_run(shared_p=0x00007fffffffd8b0, this_binding_value=739, lex_env_p=0x0000555556079880) at vm.c:5331:10
frame #37: 0x00005555555ecec7 jerry`ecma_op_function_call_simple(func_obj_p=0x0000555556079a18, this_binding=739, arguments_list_p=0x00007fffffffda6c, arguments_list_len=1) at ecma-function-object.c:1180:28
frame #38: 0x00005555555ec753 jerry`ecma_op_function_call(func_obj_p=0x0000555556079a18, this_arg_value=739, arguments_list_p=0x00007fffffffda6c, arguments_list_len=1) at ecma-function-object.c:1463:16
frame #39: 0x0000555555672c48 jerry`ecma_builtin_function_prototype_object_call(func_obj_p=0x0000555556079a18, arguments_list_p=0x00007fffffffda68, arguments_number=2) at ecma-builtin-function-prototype.c:288:10
frame #40: 0x0000555555672a9d jerry`ecma_builtin_function_prototype_dispatch_routine(builtin_routine_id='\x02', this_arg=659, arguments_list_p=0x00007fffffffda68, arguments_number=2) at ecma-builtin-function-prototype.c:529:14
frame #41: 0x00005555555cee25 jerry`ecma_builtin_dispatch_routine(func_obj_p=0x0000555556079a98, this_arg_value=659, arguments_list_p=0x00007fffffffda68, arguments_list_len=2) at ecma-builtins.c:1460:10
frame #42: 0x00005555555ceb5e jerry`ecma_builtin_dispatch_call(obj_p=0x0000555556079a98, this_arg_value=659, arguments_list_p=0x00007fffffffdd60, arguments_list_len=2) at ecma-builtins.c:1489:12
frame #43: 0x00005555555ed0b8 jerry`ecma_op_function_call_native_built_in(func_obj_p=0x0000555556079a98, this_arg_value=659, arguments_list_p=0x00007fffffffdd60, arguments_list_len=2) at ecma-function-object.c:1223:5
frame #44: 0x00005555555ec77e jerry`ecma_op_function_call(func_obj_p=0x0000555556079a98, this_arg_value=659, arguments_list_p=0x00007fffffffdd60, arguments_list_len=2) at ecma-function-object.c:1468:16
frame #45: 0x00005555555ec9b4 jerry`ecma_op_function_validated_call(callee=787, this_arg_value=659, arguments_list_p=0x00007fffffffdd60, arguments_list_len=2) at ecma-function-object.c:1428:10
frame #46: 0x000055555565d8a3 jerry`opfunc_call(frame_ctx_p=0x00007fffffffdd10) at vm.c:758:5
frame #47: 0x000055555564dd63 jerry`vm_execute(frame_ctx_p=0x00007fffffffdd10) at vm.c:5236:9
frame #48: 0x000055555564d22b jerry`vm_run(shared_p=0x00007fffffffde18, this_binding_value=11, lex_env_p=0x0000555556079880) at vm.c:5331:10
frame #49: 0x000055555564d0e7 jerry`vm_run_global(bytecode_p=0x0000555556079bf8, function_object_p=0x0000555556079a08) at vm.c:286:25
frame #50: 0x000055555558ebe1 jerry`jerry_run(script=643) at jerryscript.c:549:24
frame #51: 0x00005555556ca604 jerry`jerryx_source_exec_script(path_p="poc4.js") at sources.c:68:14
frame #52: 0x000055555558a402 jerry`main(argc=2, argv=0x00007fffffffe0a8) at main-desktop.c:162:20
frame #53: 0x00007ffff7c29d90 libc.so.6`__libc_start_call_main(main=(jerry`main at main-desktop.c:113), argc=2, argv=0x00007fffffffe0a8) at libc_start_call_main.h:58:16
frame #54: 0x00007ffff7c29e40 libc.so.6`__libc_start_main_impl(main=(jerry`main at main-desktop.c:113), argc=2, argv=0x00007fffffffe0a8, init=<unavailable>, fini=<unavailable>, rtld_fini=<unavailable>, stack_end=0x00007fffffffe098) at libc-start.c:392:3
frame #55: 0x00005555555617f5 jerry`_start + 37