Description
JerryScript revision
Build platform
Ubuntu 20.04.3 LTS (Linux 5.11.0-34-generic x86_64)
Build steps
./tools/build.py --profile=es2015-subset --lto=off --compile-flag=-g \
--clean --debug --strip=off --logging=on --error-messages=on \
--compile-flag=-fsanitize=address --stack-limit=20
Test case
// Builds a typed array of one element type, then points its own `constructor`
// property at a second typed array constructor. filter() creates its result
// through the species lookup, so the result gets the second element type.
function test(constructor, constructor2, from = [1, 2, 3, 4, 5]) {
  var modifiedConstructor = new constructor(from);
  modifiedConstructor.constructor = constructor2;
  modifiedConstructor.filter(x => x % 2 == 0);
}
// 8-byte source elements, 4-byte result elements
test(Float64Array, Float32Array);
Output
ICE: Assertion 'object_p->type_flags_refs >= ECMA_OBJECT_REF_ONE' failed at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/base/ecma-gc.c(ecma_deref_object):158.
Error: ERR_FAILED_INTERNAL_ASSERTION
Aborted (core dumped)
Backtrace
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007f2898e32859 in __GI_abort () at abort.c:79
#2 0x0000558795034682 in jerry_port_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at /home/sy/Documents/jerry/jerryscript/jerry-port/default/default-fatal.c:30
#3 0x0000558794fccb4a in jerry_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at /home/sy/Documents/jerry/jerryscript/jerry-core/jrt/jrt-fatals.c:63
#4 0x0000558794fccba0 in jerry_assert_fail (assertion=0x558795036db0 "object_p->type_flags_refs >= ECMA_OBJECT_REF_ONE", file=0x558795036d68 "/home/sy/Documents/jerry/jerryscript/jerry-core/ecma/base/ecma-gc.c", function=0x558795052a90 <func.7709> "ecma_deref_object", line=158) at /home/sy/Documents/jerry/jerryscript/jerry-core/jrt/jrt-fatals.c:87
#5 0x0000558794f80b25 in ecma_deref_object (object_p=0x55879507b990 <jerry_global_heap+1872>) at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/base/ecma-gc.c:158
#6 0x0000558794f92037 in ecma_free_value (value=1875) at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:1145
#7 0x0000558794f92167 in ecma_fast_free_value (value=1875) at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:1184
#8 0x0000558794fea587 in opfunc_call (frame_ctx_p=0x7ffcb43d6230) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:834
#9 0x0000558794ff5e4b in vm_execute (frame_ctx_p=0x7ffcb43d6230) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:5271
#10 0x0000558794ff60ea in vm_run (shared_p=0x7ffcb43d63a0, this_binding_value=11, lex_env_p=0x55879507b330 <jerry_global_heap+240>) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:5372
#11 0x0000558794fb1369 in ecma_op_function_call_simple (func_obj_p=0x55879507b530 <jerry_global_heap+752>, this_arg_value=72, arguments_list_p=0x7ffcb43d651c, arguments_list_len=2) at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1145
#12 0x0000558794fb1a19 in ecma_op_function_call (func_obj_p=0x55879507b530 <jerry_global_heap+752>, this_arg_value=72, arguments_list_p=0x7ffcb43d651c, arguments_list_len=2) at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1395
#13 0x0000558794fea4a9 in opfunc_call (frame_ctx_p=0x7ffcb43d64d0) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:799
#14 0x0000558794ff5e4b in vm_execute (frame_ctx_p=0x7ffcb43d64d0) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:5271
#15 0x0000558794ff60ea in vm_run (shared_p=0x7ffcb43d65e0, this_binding_value=11, lex_env_p=0x55879507b330 <jerry_global_heap+240>) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:5372
#16 0x0000558794fe99c1 in vm_run_global (bytecode_p=0x55879507b6a8 <jerry_global_heap+1128>, function_object_p=0x55879507b520 <jerry_global_heap+736>) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:306
#17 0x0000558794f77256 in jerry_run (func_val=739) at /home/sy/Documents/jerry/jerryscript/jerry-core/api/jerry.c:588
#18 0x0000558794f73d63 in main (argc=2, argv=0x7ffcb43d69c8) at /home/sy/Documents/jerry/jerryscript/jerry-main/main-jerry.c:173
#19 0x00007f2898e340b3 in __libc_start_main (main=0x558794f73889
#20 0x0000558794f737ce in _start ()
Expected behavior
memcopy() in ecma-builtin-typedarray-prototype.c:467 should check the type of the array given back by filter. We have already made this crash into an arbitrary read/write; if you need that PoC, please contact us.
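The species redirection the test case relies on, and the element-wise copy that the expected behaviour above asks for, shown in JavaScript. This is an added example written for this page; it is not the reporter's PoC and not JerryScript code. It goes beyond the issue's single Float64Array/Float32Array pair: it also redirects through Symbol.species on a subclass and narrows to Int8Array, where the conversion of each element is visible. Run it under an engine with a conforming TypedArray implementation (for example Node.js) to see the result type and values a correct filter() has to produce. The sample values, the function names and the reference implementation are this example's own assumptions.

```javascript
'use strict';

// Constructed sample input (not from the issue): doubles chosen so that
// narrowing to a smaller element type is visible in the result.
const SAMPLE = [1, 2.5, 3, 4.5, 300];
const KEEP_ABOVE_TWO = (x) => x > 2;

// Same shape as the issue's test case: build a typed array of one element
// type, point its own `constructor` property at another constructor, and let
// filter() choose the result type through the species lookup.
function speciesFilter(ctor, ctor2, from = SAMPLE, keep = KEEP_ABOVE_TWO) {
  const src = new ctor(from);
  src.constructor = ctor2; // SpeciesConstructor reads `constructor` first
  const out = src.filter(keep);
  return {
    srcType: ctor.name,
    outType: out.constructor.name,
    srcBytes: src.BYTES_PER_ELEMENT,
    outBytes: out.BYTES_PER_ELEMENT,
    values: Array.from(out),
  };
}

// The second hook SpeciesConstructor consults: Symbol.species on the
// constructor it found. A subclass can redirect filter() the same way.
function speciesFilterViaSymbol(ctor, ctor2, from = SAMPLE, keep = KEEP_ABOVE_TWO) {
  class Redirected extends ctor {
    static get [Symbol.species]() { return ctor2; }
  }
  const out = new Redirected(from).filter(keep);
  return { outType: out.constructor.name, values: Array.from(out) };
}

// What a conforming filter() has to do once the species constructor produced
// an array of a different element type: allocate it for the kept count and
// store each kept element through the normal typed-array element setter, so
// every value is converted to the destination type. No memcpy of the source
// buffer is possible, because the element sizes may differ.
function referenceFilter(src, resultCtor, keep) {
  const kept = [];
  for (let i = 0; i < src.length; i++) {
    if (keep(src[i], i, src)) kept.push(src[i]);
  }
  const out = new resultCtor(kept.length);
  for (let i = 0; i < kept.length; i++) {
    out[i] = kept[i]; // ToNumber, then narrowing to resultCtor's element type
  }
  return out;
}

// Compare the engine's species-based filter() with the reference for one
// source/result constructor pair; true when type and contents agree.
function matchesReference(ctor, ctor2, from = SAMPLE, keep = KEEP_ABOVE_TWO) {
  const engine = speciesFilter(ctor, ctor2, from, keep);
  const ref = referenceFilter(new ctor(from), ctor2, keep);
  return engine.outType === ref.constructor.name &&
    JSON.stringify(engine.values) === JSON.stringify(Array.from(ref));
}

// Stand-alone run: the issue's own pair plus two further pairs.
for (const [a, b] of [[Float64Array, Float32Array], [Float64Array, Int8Array],
                      [Float32Array, Float64Array]]) {
  console.log(`${a.name} -> ${b.name}:`, speciesFilter(a, b),
              'matches reference:', matchesReference(a, b));
}
```

On a conforming engine every pair reports `matches reference: true`; the Int8Array pair shows 2.5 and 4.5 truncated to 2 and 4, and 300 wrapped to 44, which is exactly the per-element conversion a byte copy of the Float64 source buffer would skip.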