Closed
Description
Revision
Build
./tools/build.py --clean --debug --compile-flag=-fsanitize=address
--compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer
--compile-flag=-fno-common --compile-flag=-g
--strip=off --system-allocator=on --logging=on
--error-messages=on --profile=es2015-subset
OS
Linux 4.15.0-58-generic #64-Ubuntu x86_64 GNU/Linux
Test case
// Reproducer for the failed 'start <= end' assertion reported in the backtrace below.
// r carries the global ("g") flag, so String.prototype.replace iterates over
// every match of r in s rather than stopping after the first one.
var r = new RegExp("([X]{6}|.*)", "g");
var s = "a";
// The replacement callback calls r.compile() on the very regex object that the
// running replace() is iterating with: it installs a new pattern and swaps the
// flags from "g" to "m" while the replace loop is still in progress.
// NOTE(review): presumably the loop then continues with match positions that no
// longer agree with the recompiled regex (the backtrace shows start=1, end=0
// reaching the append-substring helper) -- confirm against the replace loop source.
// NOTE(review): the build line above uses --debug; what a build without
// assertions does when start > end is not shown on this page and should be
// checked when assessing impact.
s.replace(r, () => r.compile("[PqaCZlWQUT]{0}", "m"))
Backtrace
Run with `jerry --abort-on-fail poc.js`, where poc.js holds the test case above:
ICE: Assertion 'start <= end' failed at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c(ecma_builtin_string_prototype_object_replace_append_substr):542.
Error: ERR_FAILED_INTERNAL_ASSERTION
Program received signal SIGABRT, Aborted.
0xf7fd5059 in __kernel_vsyscall ()
(gdb) bt
#0 0xf7fd5059 in __kernel_vsyscall ()
#1 0xf7841452 in raise () from /lib32/libc.so.6
#2 0xf7842871 in abort () from /lib32/libc.so.6
#3 0x566bdfef in jerry_port_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at /jerryscript/jerry-port/default/default-fatal.c:71
#4 0x566513cf in jerry_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at /jerryscript/jerry-core/jrt/jrt-fatals.c:58
#5 0x56651410 in jerry_assert_fail (assertion=0x566da500 "start <= end", file=0x566da100 "/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c",
function=0x566f94c0 <__func__.13780> "ecma_builtin_string_prototype_object_replace_append_substr", line=542) at /jerryscript/jerry-core/jrt/jrt-fatals.c:82
#6 0x565f17cc in ecma_builtin_string_prototype_object_replace_append_substr (base_string_p=0xf5f00490, appended_string_p=0xf5d00670, start=1, end=0)
at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:542
#7 0x565f427a in ecma_builtin_string_prototype_object_replace_loop (context_p=0xffffca80) at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:960
#8 0x565f4c58 in ecma_builtin_string_prototype_object_replace_main (context_p=0xffffca80, replace_value=4126148163)
at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:1054
#9 0x565f580d in ecma_builtin_string_prototype_object_replace (to_string_value=4124051057, search_value=4126148691, replace_value=4126148163)
at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:1159
#10 0x565fa6cc in ecma_builtin_string_prototype_dispatch_routine (builtin_routine_id=79, this_arg=4124051057, arguments_list_p=0xffffcba0, arguments_number=2)
at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:2103
#11 0x565ffbe2 in ecma_builtin_dispatch_routine (builtin_object_id=ECMA_BUILTIN_ID_STRING_PROTOTYPE, builtin_routine_id=79, this_arg_value=4124051057, arguments_list_p=0xffffcba0,
arguments_list_len=2) at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1025
#12 0x565ffe43 in ecma_builtin_dispatch_call (obj_p=0xf5f006a0, this_arg_value=4124051057, arguments_list_p=0xffffcefc, arguments_list_len=2)
at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1050
#13 0x56621b54 in ecma_op_function_call (func_obj_p=0xf5f006a0, this_arg_value=4124051057, arguments_list_p=0xffffcefc, arguments_list_len=2)
at /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:729
#14 0x566a6be0 in opfunc_call (frame_ctx_p=0xffffcf90) at /jerryscript/jerry-core/vm/vm.c:581
#15 0x566bbd84 in vm_execute (frame_ctx_p=0xffffcf90, arg_p=0x0, arg_list_len=0) at /jerryscript/jerry-core/vm/vm.c:3622
#16 0x566bc633 in vm_run (bytecode_header_p=0xf5101ad0, this_binding_value=4126149459, lex_env_p=0xf5d007b0, parse_opts=0, arg_list_p=0x0, arg_list_len=0)
at /jerryscript/jerry-core/vm/vm.c:3742
#17 0x566a5a46 in vm_run_global (bytecode_p=0xf5101ad0) at /jerryscript/jerry-core/vm/vm.c:282
#18 0x56570a9c in jerry_run (func_val=4126148883) at /jerryscript/jerry-core/api/jerry.c:570
#19 0x5656d3ef in main (argc=3, argv=0xffffd3f4) at /jerryscript/jerry-main/main-unix.c:743