Assertion `isArrayObject()' failed in Escargot::Object::asArrayObject

[renatahodovan]

Escargot version:

Checked revision: 8bcf72a
Build command: cmake -DESCARGOT_HOST=linux -DESCARGOT_ARCH=x64 -DESCARGOT_MODE=debug -DESCARGOT_OUTPUT=bin -GNinja && ninja

OS:

Ubuntu 18.04, x86_64

Test case:

JSON.stringify(new Uint32Array());

Backtrace:

escargot: escargot/src/runtime/Object.h:546: Escargot::ArrayObject* Escargot::Object::asArrayObject(): Assertion `isArrayObject()' failed.

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff688d801 in __GI_abort () at abort.c:79
#2  0x00007ffff687d39a in __assert_fail_base (fmt=0x7ffff6a047d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x555555818a39 "isArrayObject()", 
    file=file@entry=0x555555818958 "escargot/src/runtime/Object.h", line=line@entry=546, 
    function=function@entry=0x555555819900 <Escargot::Object::asArrayObject()::__PRETTY_FUNCTION__> "Escargot::ArrayObject* Escargot::Object::asArrayObject()") at assert.c:92
#3  0x00007ffff687d412 in __GI___assert_fail (assertion=0x555555818a39 "isArrayObject()", file=0x555555818958 "escargot/src/runtime/Object.h", line=546, 
    function=0x555555819900 <Escargot::Object::asArrayObject()::__PRETTY_FUNCTION__> "Escargot::ArrayObject* Escargot::Object::asArrayObject()") at assert.c:101
#4  0x00005555555edbb2 in Escargot::Object::asArrayObject (this=0x7ffff4828430) at escargot/src/runtime/Object.h:546
#5  0x000055555572811c in Escargot::<lambda(Escargot::ObjectPropertyName, Escargot::Object*)>::operator()(Escargot::ObjectPropertyName, Escargot::Object *) const (__closure=0x555555bac550, key=..., 
    holder=0x7ffff4829430) at src/runtime/GlobalObjectBuiltinJSON.cpp:422
#6  0x000055555572faf2 in std::_Function_handler<Escargot::Value(Escargot::ObjectPropertyName, Escargot::Object*), Escargot::builtinJSONStringify(Escargot::ExecutionState&, Escargot::Value, size_t, Escargot::Value*, bool)::<lambda(Escargot::ObjectPropertyName, Escargot::Object*)> >::_M_invoke(const std::_Any_data &, Escargot::ObjectPropertyName &&, Escargot::Object *&&) (__functor=..., __args#0=..., 
    __args#1=@0x7fffffffce70: 0x7ffff4829430) at /usr/include/c++/7/bits/std_function.h:302
#7  0x000055555572b6bd in std::function<Escargot::Value (Escargot::ObjectPropertyName, Escargot::Object*)>::operator()(Escargot::ObjectPropertyName, Escargot::Object*) const (this=0x7fffffffd060, 
    __args#0=..., __args#1=0x7ffff4829430) at /usr/include/c++/7/bits/std_function.h:706
#8  0x000055555572a1d7 in Escargot::builtinJSONStringify (state=..., thisValue=..., argc=1, argv=0x7fffffffd120, isNewExpression=false) at src/runtime/GlobalObjectBuiltinJSON.cpp:631
#9  0x00005555556cba78 in Escargot::FunctionObject::processCall (this=0x7ffff48725f0, state=..., receiverSrc=..., argc=@0x7fffffffd940: 1, argv=0x7fffffffd120, isNewExpression=false)
    at src/runtime/FunctionObject.cpp:326
#10 0x00005555555ee742 in Escargot::FunctionObject::call (state=..., callee=..., receiver=..., argc=@0x7fffffffd940: 1, argv=0x7fffffffd9b8)
    at escargot/src/runtime/FunctionObject.h:100
#11 0x00005555555f15bf in Escargot::ByteCodeInterpreter::interpret (state=..., byteCodeBlock=0x7ffff7e68730, programCounter=93824998886616, registerFile=0x7fffffffd9a0, initAddressFiller=0x7fffffffda28)
    at src/interpreter/ByteCodeInterpreter.cpp:527
#12 0x0000555555611a21 in Escargot::Script::execute (this=0x7ffff48242b0, state=..., isEvalMode=false, needNewEnv=false, isOnGlobal=true) at src/parser/Script.cpp:80
#13 0x0000555555611b73 in Escargot::Script::<lambda()>::operator()(void) const (__closure=0x7fffffffdd30) at src/parser/Script.cpp:93
#14 0x0000555555612c16 in std::_Function_handler<Escargot::Value(), Escargot::Script::sandboxExecute(Escargot::ExecutionState&)::<lambda()> >::_M_invoke(const std::_Any_data &) (__functor=...)
    at /usr/include/c++/7/bits/std_function.h:302
#15 0x00005555557a4106 in std::function<Escargot::Value ()>::operator()() const (this=0x7fffffffdd30) at /usr/include/c++/7/bits/std_function.h:706
#16 0x00005555557a2c4b in Escargot::SandBox::run(std::function<Escargot::Value ()> const&) (this=0x7fffffffdca0, scriptRunner=...) at src/runtime/SandBox.cpp:36
#17 0x0000555555611c50 in Escargot::Script::sandboxExecute (this=0x7ffff48242b0, state=...) at src/parser/Script.cpp:94
#18 0x00005555557c102b in eval (context=0x7ffff7e59ed0, str=0x7ffff4829750, fileName=0x7ffff48296b0, shouldPrintScriptResult=false) at src/shell/Shell.cpp:46
#19 0x00005555557c197a in main (argc=2, argv=0x7fffffffe058) at src/shell/Shell.cpp:129

^{Found by Fuzzinator with grammarinator.}

[akosthekiss]

For the records: I've executed the problematic test case both in Safari and in Chrome. The result was "{}" in both cases.