Assertion ecma_is_value_object (value) in ecma_get_object_from_value #2951

Closed
renatahodovan opened this issue Jul 8, 2019 · 0 comments · Fixed by #2961
Labels: bug (Undesired behaviour), ES2015 (Related to ES2015 features)
JerryScript revision

2b8c428

Build platform

Linux-4.15.0-54-generic-x86_64-with-Ubuntu-18.04-bionic

Build steps
./tools/build.py --clean --debug --compile-flag=-fsanitize=address \
--compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer \
--compile-flag=-fno-common --compile-flag=-g \
--strip=off --system-allocator=on --logging=on \
--linker-flag=-fuse-ld=gold --error-messages=on --profile=es2015-subset
Test case
var x = 1 / 3
do {
  m = new Map([ ])
} while (x === 3 / 9) $
Output
ICE: Assertion 'ecma_is_value_object (value)' failed at jerryscript/jerry-core/ecma/base/ecma-helpers-value.c(ecma_get_object_from_value):774.
Error: ERR_FAILED_INTERNAL_ASSERTION
Backtrace
bt
#0  0xf7fd5059 in __kernel_vsyscall ()
#1  0xf7800832 in raise () from /lib/i386-linux-gnu/libc.so.6
#2  0xf7801cc1 in abort () from /lib/i386-linux-gnu/libc.so.6
#3  0x5657a242 in jerry_port_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at jerryscript/jerry-port/default/default-fatal.c:71
#4  0x56612f28 in jerry_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at jerryscript/jerry-core/jrt/jrt-fatals.c:58
#5  0x56612f69 in jerry_assert_fail (assertion=0x566b1c40 "ecma_is_value_object (value)", file=0x566b1660 "jerryscript/jerry-core/ecma/base/ecma-helpers-value.c", function=0x56674ae0 <__func__.3642.lto_priv.706> "ecma_get_object_from_value", line=774) at jerryscript/jerry-core/jrt/jrt-fatals.c:82
#6  0x5665fc28 in ecma_get_object_from_value (value=3200171710) at jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:774
#7  0x5664887f in ecma_gc_mark_container_object (object_p=0xf5f05aa0) at jerryscript/jerry-core/ecma/base/ecma-gc.c:255
#8  0x56648de7 in ecma_gc_mark (object_p=0xf5f05aa0) at jerryscript/jerry-core/ecma/base/ecma-gc.c:361
#9  0x5664ab9f in ecma_gc_run (severity=JMEM_FREE_UNUSED_MEMORY_SEVERITY_LOW) at jerryscript/jerry-core/ecma/base/ecma-gc.c:956
#10 0x5664b123 in ecma_free_unused_memory (severity=JMEM_FREE_UNUSED_MEMORY_SEVERITY_LOW) at jerryscript/jerry-core/ecma/base/ecma-gc.c:1094
#11 0x56612458 in jmem_run_free_unused_memory_callbacks (severity=JMEM_FREE_UNUSED_MEMORY_SEVERITY_LOW) at jerryscript/jerry-core/jmem/jmem-allocator.c:267
#12 0x566126e2 in jmem_heap_gc_and_alloc_block (size=16, ret_null_on_error=false) at jerryscript/jerry-core/jmem/jmem-heap.c:324
#13 0x566127c5 in jmem_heap_alloc_block (size=16) at jerryscript/jerry-core/jmem/jmem-heap.c:373
#14 0x56612ba6 in jmem_pools_alloc (size=16) at jerryscript/jerry-core/jmem/jmem-poolman.c:104
#15 0x565f606b in ecma_alloc_object () at jerryscript/jerry-core/ecma/base/ecma-alloc.c:84
#16 0x56629a61 in ecma_op_container_create_internal_object () at jerryscript/jerry-core/ecma/operations/ecma-container-object.c:46
#17 0x56629bf7 in ecma_op_container_create (arguments_list_p=0xffffc7e4, arguments_list_len=1, lit_id=LIT_MAGIC_STRING_MAP_UL, proto_id=ECMA_BUILTIN_ID_MAP_PROTOTYPE) at jerryscript/jerry-core/ecma/operations/ecma-container-object.c:73
#18 0x565c3388 in ecma_builtin_map_dispatch_construct (arguments_list_p=0xffffc7e4, arguments_list_len=1) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-map.c:62
#19 0x5662107a in ecma_builtin_dispatch_construct (obj_p=0xf5f009d0, arguments_list_p=0xffffc7e4, arguments_list_len=1) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1075
#20 0x56632ad5 in ecma_op_function_construct (func_obj_p=0xf5f009d0, this_arg_value=72, arguments_list_p=0xffffc7e4, arguments_list_len=1) at jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1094
#21 0x565e4eed in opfunc_construct (frame_ctx_p=0xffffc860) at jerryscript/jerry-core/vm/vm.c:656
#22 0x565f56a4 in vm_execute (frame_ctx_p=0xffffc860, arg_p=0x0, arg_list_len=0) at jerryscript/jerry-core/vm/vm.c:3586
#23 0x565f5f87 in vm_run (bytecode_header_p=0xf5302a30, this_binding_value=4126149459, lex_env_p=0xf5d007b0, parse_opts=0, arg_list_p=0x0, arg_list_len=0) at jerryscript/jerry-core/vm/vm.c:3694
#24 0x565e3c15 in vm_run_global (bytecode_p=0xf5302a30) at jerryscript/jerry-core/vm/vm.c:273
#25 0x5663f51b in jerry_run (func_val=4126149123) at jerryscript/jerry-core/api/jerry.c:550
#26 0x5663bf9d in main (argc=3, argv=0xffffcc94) at jerryscript/jerry-main/main-unix.c:742

Found by Fuzzinator with grammarinator.

@rerobika rerobika added bug Undesired behaviour ES2015 Related to ES2015 features labels Jul 10, 2019
rerobika added a commit to rerobika/jerryscript that referenced this issue Jul 11, 2019
This patch slightly reworks the container objects' internal object allocation.
This rework allows the same lifetime of the objects; also, the manual allocation/deallocation is not required anymore for the internal object.

This patch also fixes jerryscript-project#2951.

Co-authored-by: Dániel Bátyai <[email protected]>
JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik [email protected]
rerobika added a commit to rerobika/jerryscript that referenced this issue Jul 11, 2019
This patch slightly reworks the container objects' internal object allocation.
This rework allows the same lifetime of the objects without the manual allocation/deallocation of the internal object.

This patch also fixes jerryscript-project#2951.

Co-authored-by: Dániel Bátyai <[email protected]>
JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik [email protected]
dbatyai added a commit that referenced this issue Jul 11, 2019
This patch slightly reworks the container objects' internal object allocation.
This rework allows the same lifetime of the objects without the manual allocation/deallocation of the internal object.

This patch also fixes #2951.

Co-authored-by: Dániel Bátyai <[email protected]>
JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik [email protected]