Description
Only an assert stops this from being outside of the correct region. It seems that in most cases the result is pretty benign, but I wouldn't recommend relying on that.
On Ubuntu 16.04.2,
$ python tools/build.py --compile-flag=-m32 --clean --jerry-libc=OFF --system-allocator ON --compile-flag=-ggdb3 --debug --link-lib mcheck
$ cat x.js
39000000000000700 .toString(2);
(gdb) where
#0 jerry_assert_fail (assertion=0x8134df2 "buff_index <= buff_size", file=0x8134d60 "/afl/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-number-prototype.c",
function=0x812dc40 <func.3568.lto_priv.293> "ecma_builtin_number_prototype_object_to_string", line=0x19e) at /afl/jerryscript/jerry-core/jrt/jrt-fatals.c:76
#1 0x0806c7ef in ecma_builtin_number_prototype_object_to_string.lto_priv.341 (this_arg=0x837be41, arguments_list_p=0xffffd38c, arguments_list_len=0x1)
at /afl/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-number-prototype.c:414
#2 0x08072b84 in ecma_builtin_number_prototype_dispatch_routine (builtin_routine_id=0x22, this_arg_value=0x837be41, arguments_list=0xffffd38c, arguments_number=0x1)
at /afl/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-number-prototype.inc.h:34
#3 0x0809968d in ecma_builtin_dispatch_routine (builtin_object_id=ECMA_BUILTIN_ID_NUMBER_PROTOTYPE, builtin_routine_id=0x22, this_arg_value=0x837be41, arguments_list=0xffffd38c,
arguments_number=0x1) at /afl/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.inc.h:91
#4 0x08099a87 in ecma_builtin_dispatch_call (obj_p=0x837c000, this_arg_value=0x837be41, arguments_list_p=0xffffd38c, arguments_list_len=0x1)
at /afl/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:844
#5 0x08091f9e in ecma_op_function_call (func_obj_p=0x837c000, this_arg_value=0x837be41, arguments_list_p=0xffffd38c, arguments_list_len=0x1)
at /afl/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:458
#6 0x08085ce4 in opfunc_call.lto_priv.408 (frame_ctx_p=0xffffd3b4) at /afl/jerryscript/jerry-core/vm/vm.c:411
#7 0x0807db36 in vm_execute (frame_ctx_p=0xffffd3b4, arg_p=0x0, arg_list_len=0x0) at /afl/jerryscript/jerry-core/vm/vm.c:2746
#8 0x0807dcfe in vm_run (bytecode_header_p=0x837bfc0, this_binding_value=0x837bafb, lex_env_p=0x837bb30, is_eval_code=0x0, arg_list_p=0x0, arg_list_len=0x0)
at /afl/jerryscript/jerry-core/vm/vm.c:2826
#9 0x08085939 in vm_run_global (bytecode_p=0x837bfc0) at /afl/jerryscript/jerry-core/vm/vm.c:231
#10 0x080ae327 in jerry_run (func_val=0x837be0b) at /afl/jerryscript/jerry-core/api/jerry.c:425
#11 0x080ad1ce in main (argc=0x2, argv=0xffffd654) at /afl/jerryscript/jerry-main/main-unix.c:691
(gdb) print buff_index
$5 = 0x38
(gdb) print buff_size
$6 = 0x36