Assertion 'compressed_pointer != JMEM_CP_NULL' failed #5091

Open
@voidptr127

JerryScript revision

05dbbd134c3b9e2482998f267857dd3722001cd7

Build platform

Linux-6.2.15-200.fc37.x86_64-x86_64-with-glibc2.34
clang version 14.0.6 (Red Hat 14.0.6-4.el9_1)

Build steps

CC=/usr/bin/clang python3 tools/build.py --clean \
    --debug \
    --strip=off \
    --compile-flag=-fsanitize=address \
    --lto=off \
    --compile-flag=-g \
    --error-messages=on \
    --promise-callback=on \
    --logging=on \
    --line-info=on \
    --stack-limit=128

Test case

void new Uint8Array(new String());
void new Uint8Array(new Promise(Number.__proto__),new Proxy(new Proxy(new Proxy(new Proxy(new Proxy(new Proxy(Reflect,Reflect),Reflect),Proxy),Reflect),Proxy),Reflect));
void (new Function(`0324--help${new Proxy(Number.MAX_VALUE=new Date(new Proxy(Number.__proto__=new Proxy(new Proxy(new Proxy(new Proxy(new Proxy(new Proxy(new Proxy(Reflect,new Proxy(new Proxy(new Proxy(new Proxy(new Proxy(Reflect,Reflect),Reflect),Reflect),Reflect),Proxy)),Reflect),Proxy),Reflect),Reflect),Number.MAX_VALUE=new Date(new Proxy(Number.__proto__=new Proxy(new Proxy(new Proxy(new Proxy(new Proxy(new Proxy(new Proxy(new Proxy(Reflect,new Proxy(new Proxy(new Proxy(new Proxy(new Proxy(Reflect,Reflect),Proxy),Proxy),Reflect),Reflect)),Reflect),new Proxy(Reflect,Reflect)),Proxy),Reflect),Reflect),Reflect),new Proxy(Reflect,Reflect)),Proxy))),Reflect),Reflect)),Reflect)}`,new Proxy())%new Reflect());

Execution and Output

Depending on how JerryScript is used, a different error message is printed.

Case 1: Filename or via stdin

./build/bin/jerry poc.js

# or

cat poc.js | ./build/bin/jerry

Output:

ICE: Assertion 'compressed_pointer != JMEM_CP_NULL' failed at /home/rocky/jerryscript/jerry-core/jmem/jmem-allocator.c(jmem_decompress_pointer):216.
Error: JERRY_FATAL_FAILED_ASSERTION
Aborted (core dumped)

This is similar to the closed issue #3779

Case 2: Filename is an absolute path

./build/bin/jerry /home/rocky/poc.js

Output:

Unhandled exception: TypeError: Argument 'this' is not a Date object
 0: /home/rocky/poc.js:3:1
ICE: Assertion 'JERRY_CONTEXT (jmem_heap_allocated_size) == 0' failed at /home/rocky/jerryscript/jerry-core/jmem/jmem-heap.c(jmem_heap_finalize):108.
Error: JERRY_FATAL_FAILED_ASSERTION
Aborted (core dumped)

This is similar to the open issue #5062
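
For triage, the two outputs above reduce to two distinct assertion signatures. The following is an added example, not part of the original report or of JerryScript's tooling: it parses the `ICE:` line format quoted in this issue and buckets fuzzer runs by assertion, source file and function. The names `parse_ice` and `bucket` are hypothetical, and the `other_host` sample (its path prefix and line number) is constructed.

```python
import re
from collections import defaultdict

# Shape of the fatal-assertion line in the outputs quoted in this issue.
ICE_RE = re.compile(
    r"^ICE: Assertion '(?P<expr>.+)' failed at "
    r"(?P<path>\S+)\((?P<func>\w+)\):(?P<line>\d+)\.$"
)

def parse_ice(output):
    """Return (assertion, repo-relative file, function, line) or None."""
    for raw in output.splitlines():
        m = ICE_RE.match(raw.strip())
        if m:
            path = m["path"]
            # Drop the build-host prefix so the same crash found on
            # different machines lands in the same bucket.
            idx = path.find("jerry-core/")
            rel = path[idx:] if idx >= 0 else path.rsplit("/", 1)[-1]
            return (m["expr"], rel, m["func"], int(m["line"]))
    return None

def bucket(runs):
    """Group {label: captured output} by assertion signature."""
    buckets = defaultdict(list)
    for label, out in runs.items():
        sig = parse_ice(out)
        # The line number is left out of the key: it drifts between revisions.
        buckets[sig[:3] if sig else None].append(label)
    return dict(buckets)

ROOT = "/home/rocky/jerryscript/jerry-core/jmem/"
SAMPLES = {
    # case1 and case2 are the outputs quoted in this issue.
    "case1": "ICE: Assertion 'compressed_pointer != JMEM_CP_NULL' failed at "
             + ROOT + "jmem-allocator.c(jmem_decompress_pointer):216.\n"
             "Error: JERRY_FATAL_FAILED_ASSERTION\n",
    "case2": "Unhandled exception: TypeError: Argument 'this' is not a Date object\n"
             " 0: /home/rocky/poc.js:3:1\n"
             "ICE: Assertion 'JERRY_CONTEXT (jmem_heap_allocated_size) == 0' failed at "
             + ROOT + "jmem-heap.c(jmem_heap_finalize):108.\n"
             "Error: JERRY_FATAL_FAILED_ASSERTION\n",
    # Constructed: the case1 assertion as it might appear from another checkout.
    "other_host": "ICE: Assertion 'compressed_pointer != JMEM_CP_NULL' failed at "
                  "/tmp/ci/jerryscript/jerry-core/jmem/jmem-allocator.c"
                  "(jmem_decompress_pointer):220.\n",
}

if __name__ == "__main__":
    for sig, labels in bucket(SAMPLES).items():
        print(sig, labels)
```

Keying on the assertion text and function rather than the full path lets a new report be compared against earlier ones that hit the same check.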
