Description
There is a string validity check (`JERRY_ASSERT (lit_is_valid_cesu8_string (string_p, string_size))`), but it is compiled out in release builds, so the invalid string that `unescape()` produces here is only caught in debug builds. It struck me that this validity check should probably also happen in release builds — i.e. a runtime `if` check in addition to the assert.
On Ubuntu 16.04.2,
$ python tools/build.py --compile-flag=-m32 --clean --jerry-libc=OFF --system-allocator ON --compile-flag=-ggdb3 --debug --link-lib mcheck
$ xxd unescape.js
0000000: 756e 6573 6361 7065 2827 2025 7201 3d3d unescape(' %r.==
0000010: 0001 0822 0909 6e20 7b31 7d74 e59c ac38 ..."..n {1}t...8
0000020: 4000 004d 6100 2409 092e 716e 7065 2e76 @..Ma.$...qnpe.v
0000030: 6159 7565 4f46 2030 2020 2020 2020 2020 aYueOF 0
0000040: 2020 2063 5e5e 5e5e 5e5e 5e5e 5e5e 5e5e c^^^^^^^^^^^^
0000050: 5e5e 5e5e 5e5e 5e5e 525e 5e5e 5e5e 5e5e ^^^^^^^^R^^^^^^^
0000060: 5e5e 5e5e 5e5e 6552 7a65 0108 2216 096e ^^^^^^eRze.."..n
0000070: 74e5 9cac 3840 0000 4d61 6f6e 0b64 2729 t...8@..Maon.d')
0000080: 3b
$ gdb -q --args ./build/bin/jerry ../jerryscript-js/build/bin/crash-payloads/unescape.js
(gdb) step
154 JERRY_ASSERT (lit_is_valid_cesu8_string (string_p, string_size));
(gdb) list
149 ecma_string_t *
150 ecma_new_ecma_string_from_utf8 (const lit_utf8_byte_t *string_p, /< utf-8 string */
151 lit_utf8_size_t string_size) /< string size */
152 {
153 JERRY_ASSERT (string_p != NULL || string_size == 0);
154 JERRY_ASSERT (lit_is_valid_cesu8_string (string_p, string_size));
155
156 lit_magic_string_id_t magic_string_id = lit_is_utf8_string_magic (string_p, string_size);
157
158 if (magic_string_id != LIT_MAGIC_STRING__COUNT)
(gdb) where
#0 ecma_new_ecma_string_from_utf8 (string_p=0x837c048 " %r\001==", string_size=0x72) at /afl/jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:154
#1 0x08070952 in ecma_builtin_global_object_unescape.lto_priv.355 (this_arg=0x48, arg=0x837bfaa) at /afl/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-global.c:1336
#2 0x0807572e in ecma_builtin_global_dispatch_routine (builtin_routine_id=0x2c, this_arg_value=0x48, arguments_list=0xffffd374, arguments_number=0x1)
at /afl/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-global.inc.h:215
#3 0x08099927 in ecma_builtin_dispatch_routine (builtin_object_id=ECMA_BUILTIN_ID_GLOBAL, builtin_routine_id=0x2c, this_arg_value=0x48, arguments_list=0xffffd374, arguments_number=0x1)
at /afl/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.inc.h:484
#4 0x08099a87 in ecma_builtin_dispatch_call (obj_p=0x837be40, this_arg_value=0x48, arguments_list_p=0xffffd374, arguments_list_len=0x1)
at /afl/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:844
#5 0x08091f9e in ecma_op_function_call (func_obj_p=0x837be40, this_arg_value=0x48, arguments_list_p=0xffffd374, arguments_list_len=0x1)
at /afl/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:458
#6 0x08085ce4 in opfunc_call.lto_priv.408 (frame_ctx_p=0xffffd394) at /afl/jerryscript/jerry-core/vm/vm.c:411
#7 0x0807db36 in vm_execute (frame_ctx_p=0xffffd394, arg_p=0x0, arg_list_len=0x0) at /afl/jerryscript/jerry-core/vm/vm.c:2746
#8 0x0807dcfe in vm_run (bytecode_header_p=0x837bf68, this_binding_value=0x837bafb, lex_env_p=0x837bb30, is_eval_code=0x0, arg_list_p=0x0, arg_list_len=0x0)
at /afl/jerryscript/jerry-core/vm/vm.c:2826
#9 0x08085939 in vm_run_global (bytecode_p=0x837bf68) at /afl/jerryscript/jerry-core/vm/vm.c:231
#10 0x080ae327 in jerry_run (func_val=0x837be0b) at /afl/jerryscript/jerry-core/api/jerry.c:425
#11 0x080ad1ce in main (argc=0x2, argv=0xffffd634) at /afl/jerryscript/jerry-main/main-unix.c:691
(gdb)