Closed
Description
Revision
Build
# Build configuration used for the report: debug build, 32-bit (-m32),
# AddressSanitizer, system allocator. The assertion in the backtrace below
# was hit in this configuration; other configurations are not covered here.
./tools/build.py --clean --debug --compile-flag=-fsanitize=address
--compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer
--compile-flag=-fno-common --compile-flag=-g
--strip=off --system-allocator=on --logging=on
--error-messages=on --profile=es2015-subset
OS
Linux 4.15.0-58-generic #64-Ubuntu x86_64 GNU/Linux
Test case
// Reproducer for the failed size check in ecma_string_copy_to_cesu8_buffer
// (frame #6 of the backtrace on this page).
//
// String.fromCharCode applies ToUint16 to each argument:
//   [-10] + "123"        -> the string "-10123" -> 65536 - 10123 = 0xD875 (high surrogate)
//   Date.UTC(15, 13, 15) -> 1916-02-15 UTC, a negative ms value -> works out to 0xDC00 (low surrogate)
// so `str` holds two code units that together form one surrogate pair.
var str = String.fromCharCode([-10] + "123", Date.UTC(15, 13, 15));
// NOTE(review): frame #6 reports buffer_size=4 for this string. A surrogate
// pair takes 4 bytes as UTF-8 but 3 + 3 = 6 bytes as CESU-8, so the buffer in
// repeat() was presumably sized from a UTF-8-style length while the copy uses
// the CESU-8 size. Confirm against ecma-builtin-string-prototype.c:1930.
// NOTE(review): count=176 in frame #7 is likely the engine's tagged encoding
// of 11 rather than a repetition count of 176; verify.
// NOTE(review): if this assertion is compiled out in release builds (TODO
// confirm), the same size mismatch would let the copy run past the
// destination buffer, so triage this as a memory-safety defect and fix the
// size computation rather than relaxing the assertion.
str.repeat(11);
Backtrace
Run with jerry --abort-on-fail poc.js
ICE: Assertion 'ecma_string_get_size (string_p) <= buffer_size' failed at /jerryscript/jerry-core/ecma/base/ecma-helpers-string.c(ecma_string_copy_to_cesu8_buffer):1008.
Error: ERR_FAILED_INTERNAL_ASSERTION
Program received signal SIGABRT, Aborted.
0xf7fd5059 in __kernel_vsyscall ()
(gdb) bt
#0 0xf7fd5059 in __kernel_vsyscall ()
#1 0xf7841452 in raise () from /lib32/libc.so.6
#2 0xf7842871 in abort () from /lib32/libc.so.6
#3 0x566c737e in jerry_port_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at /jerryscript/jerry-port/default/default-fatal.c:71
#4 0x56652060 in jerry_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at /jerryscript/jerry-core/jrt/jrt-fatals.c:58
#5 0x566520a1 in jerry_assert_fail (assertion=0x566d8560 "ecma_string_get_size (string_p) <= buffer_size", file=0x566d4f40 "/jerryscript/jerry-core/ecma/base/ecma-helpers-string.c", function=0x566fd940 <__func__.8013> "ecma_string_copy_to_cesu8_buffer",
line=1008) at /jerryscript/jerry-core/jrt/jrt-fatals.c:82
#6 0x56594bcb in ecma_string_copy_to_cesu8_buffer (string_p=0xf5f00610, buffer_p=0xf5100f50 '\276' <repeats 44 times>, buffer_size=4) at /jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:1008
#7 0x565fa089 in ecma_builtin_string_prototype_object_repeat (original_string_p=0xf5f00610, count=176) at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:1930
#8 0x565fae8c in ecma_builtin_string_prototype_dispatch_routine (builtin_routine_id=89, this_arg=4126148113, arguments_list_p=0xffffcb90, arguments_number=1) at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:2152
#9 0x566002d7 in ecma_builtin_dispatch_routine (builtin_object_id=ECMA_BUILTIN_ID_STRING_PROTOTYPE, builtin_routine_id=89, this_arg_value=4126148113, arguments_list_p=0xffffcb90, arguments_list_len=1)
at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1021
#10 0x56600538 in ecma_builtin_dispatch_call (obj_p=0xf5f00580, this_arg_value=4126148113, arguments_list_p=0xffffceec, arguments_list_len=1) at /jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1046
#11 0x56622467 in ecma_op_function_call (func_obj_p=0xf5f00580, this_arg_value=4126148113, arguments_list_p=0xffffceec, arguments_list_len=1) at /jerryscript/jerry-core/ecma/operations/ecma-function-object.c:729
#12 0x566afd80 in opfunc_call (frame_ctx_p=0xffffcf90) at /jerryscript/jerry-core/vm/vm.c:581
#13 0x566c5113 in vm_execute (frame_ctx_p=0xffffcf90, arg_p=0x0, arg_list_len=0) at /jerryscript/jerry-core/vm/vm.c:3629
#14 0x566c59c2 in vm_run (bytecode_header_p=0xf5301ad0, this_binding_value=4126149459, lex_env_p=0xf5d007b0, parse_opts=0, arg_list_p=0x0, arg_list_len=0) at /jerryscript/jerry-core/vm/vm.c:3749
#15 0x566aebe6 in vm_run_global (bytecode_p=0xf5301ad0) at /jerryscript/jerry-core/vm/vm.c:282
#16 0x56570c6c in jerry_run (func_val=4126148931) at /jerryscript/jerry-core/api/jerry.c:570
#17 0x5656d5bf in main (argc=3, argv=0xffffd3f4) at /jerryscript/jerry-main/main-unix.c:743