Description
Revision
Build
# Build used for the report: debug build (internal assertions enabled) with
# AddressSanitizer, 32-bit (-m32; matches the /lib32/libc.so.6 in the backtrace),
# frame pointers kept and -g for usable ASan/gdb traces, system allocator,
# logging and error messages on, es2015-subset profile.
# NOTE(review): the line breaks below are presumably wrapping of a single
# command line (no continuation backslashes) — run it as one command.
./tools/build.py --clean --debug --compile-flag=-fsanitize=address
--compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer
--compile-flag=-fno-common --compile-flag=-g
--strip=off --system-allocator=on --logging=on
--error-messages=on --profile=es2015-subset
OS
Linux 4.15.0-58-generic #64-Ubuntu x86_64 GNU/Linux
Test case
// PoC for an internal assertion failure in JerryScript's Array.prototype.splice.
// The statement order and the exact values are what trigger the failure;
// keep them as-is when reproducing.
var arr = [];
// Grow the empty array to length 10 without storing any element.
arr.length = 10;
// Delete count (17) is larger than the current length (10).
arr.splice(0, 17);
// 4294967294 is 2^32 - 2, one below the spec maximum array length (2^32 - 1);
// the backtrace shows splice receiving exactly this value as len.
arr.length = 4294967294;
// Crashing call: per the backtrace, splice (len=4294967294) looks up index 1 via
// ecma_op_object_find_by_uint32_index -> ecma_op_object_find -> ecma_op_object_find_own,
// which calls jmem_decompress_pointer with compressed_pointer=0 and trips the
// 'compressed_pointer != JMEM_CP_NULL' assertion.
// NOTE(review): this build is --debug, so the assertion fires. In a release build
// without internal assertions the null compressed pointer would presumably be
// decompressed and dereferenced — treat this as a potential memory-safety bug,
// not only an ICE. Confirm on a release build.
arr.splice(1, 1, 1);
Backtrace
Run with `jerry --abort-on-fail poc.js`, where `poc.js` contains the test case above.
ICE: Assertion 'compressed_pointer != JMEM_CP_NULL' failed at /jerryscript/jerry-core/jmem/jmem-allocator.c(jmem_decompress_pointer):215.
Error: ERR_FAILED_INTERNAL_ASSERTION
(gdb) bt
#0 0xf7fd5059 in __kernel_vsyscall ()
#1 0xf7841452 in raise () from /lib32/libc.so.6
#2 0xf7842871 in abort () from /lib32/libc.so.6
#3 0x5657ad77 in jerry_port_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at /jerryscript/jerry-port/default/default-fatal.c:71
#4 0x56617864 in jerry_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at /jerryscript/jerry-core/jrt/jrt-fatals.c:58
#5 0x566178a5 in jerry_assert_fail (assertion=0x566a9ce0 "compressed_pointer != JMEM_CP_NULL", file=0x566a9ba0 "/jerryscript/jerry-core/jmem/jmem-allocator.c",
function=0x5667f100 <__func__.4606.lto_priv.506> "jmem_decompress_pointer", line=215) at /jerryscript/jerry-core/jrt/jrt-fatals.c:82
#6 0x566169d2 in jmem_decompress_pointer (compressed_pointer=0) at /jerryscript/jerry-core/jmem/jmem-allocator.c:215
#7 0x5660472b in ecma_op_object_find_own (base_value=4126148883, object_p=0xf5f00910, property_name_p=0x35) at /jerryscript/jerry-core/ecma/operations/ecma-objects.c:492
#8 0x56605014 in ecma_op_object_find (object_p=0xf5f00910, property_name_p=0x35) at /jerryscript/jerry-core/ecma/operations/ecma-objects.c:717
#9 0x56604f4b in ecma_op_object_find_by_uint32_index (object_p=0xf5f00910, index=1) at /jerryscript/jerry-core/ecma/operations/ecma-objects.c:670
#10 0x5660194e in ecma_builtin_array_prototype_object_splice.lto_priv.397 (args=0xffffcf2c, args_number=3, obj_p=0xf5f00910, len=4294967294)
at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:1176
#11 0x565b454f in ecma_builtin_array_prototype_dispatch_routine (builtin_routine_id=81, this_arg=4126148883, arguments_list_p=0xffffcf2c, arguments_number=3)
at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:2195
#12 0x566213a7 in ecma_builtin_dispatch_routine (builtin_object_id=ECMA_BUILTIN_ID_ARRAY_PROTOTYPE, builtin_routine_id=81, this_arg_value=4126148883, arguments_list_p=0xffffcf2c,
arguments_list_len=3) at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1025
#13 0x56621608 in ecma_builtin_dispatch_call (obj_p=0xf5f008e0, this_arg_value=4126148883, arguments_list_p=0xffffcf2c, arguments_list_len=3)
at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1050
#14 0x5663396c in ecma_op_function_call (func_obj_p=0xf5f008e0, this_arg_value=4126148883, arguments_list_p=0xffffcf2c, arguments_list_len=3)
at /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:729
#15 0x565e86b5 in opfunc_call (frame_ctx_p=0xffffcfa0) at /jerryscript/jerry-core/vm/vm.c:581
#16 0x565f98e8 in vm_execute (frame_ctx_p=0xffffcfa0, arg_p=0x0, arg_list_len=0) at /jerryscript/jerry-core/vm/vm.c:3622
#17 0x565fa1ec in vm_run (bytecode_header_p=0xf63015e0, this_binding_value=4126149459, lex_env_p=0xf5d007b0, parse_opts=0, arg_list_p=0x0, arg_list_len=0)
at /jerryscript/jerry-core/vm/vm.c:3742
#18 0x565e794c in vm_run_global (bytecode_p=0xf63015e0) at /jerryscript/jerry-core/vm/vm.c:282
#19 0x5664163c in jerry_run (func_val=4126148979) at /jerryscript/jerry-core/api/jerry.c:570
#20 0x5663dfa0 in main (argc=3, argv=0xffffd3d4) at /jerryscript/jerry-main/main-unix.c:743