ICE: Assertion 'ecma_object_class_is (object_p, LIT_MAGIC_STRING_ARRAY_BUFFER_UL)' failed at jerry-core/ecma/operations/ecma-arraybuffer-object.c(ecma_arraybuffer_get_buffer):190. Error: ERR_FAILED_INTERNAL_ASSERTION

Question

ICE: Assertion 'ecma_object_class_is (object_p, LIT_MAGIC_STRING_ARRAY_BUFFER_UL)' failed at jerry-core/ecma/operations/ecma-arraybuffer-object.c(ecma_arraybuffer_get_buffer):190. Error: ERR_FAILED_INTERNAL_ASSERTION

nszetei opened this issue 4 years ago · 1 comments

nszetei commented 4 years ago

JerryScript revision

a56e31f

Build platform

Ubuntu 18.04.4 LTS (Linux 4.15.0-91-generic x86_64)

Build steps

first output

python tools/build.py --profile=es2015-subset --lto=off --compile-flag=-g \
--error-messages=on --debug --strip=off --logging=on \
 --compile-flag=-fsanitize=address --stack-limit=15

second output

python tools/build.py --profile=es2015-subset --lto=off --compile-flag=-g  \
--strip=off --logging=on  --stack-limit=15

Test case

function main() {
var v3 = new Float64Array(6);
var v4 = v3.buffer;
v4.constructor = Uint8Array;
var v5 = new Float64Array(v3);
}
main();

Execution steps

ICE: Assertion 'ecma_object_class_is (object_p, LIT_MAGIC_STRING_ARRAY_BUFFER_UL)' failed at /home/jerryscript/jerry-core/ecma/operations/ecma-arraybuffer-object.c(ecma_arraybuffer_get_buffer):190.
Error: ERR_FAILED_INTERNAL_ASSERTION
Aborted (core dumped)

$ gdb -nx -q ~/jerryscript/build/bin/jerry -ex 'r 01.js'
Reading symbols from /home/jerryscript/build/bin/jerry...
Starting program: /home/jerryscript/build/bin/jerry 01.js

Program received signal SIGSEGV, Segmentation fault.
ecma_typedarray_create_object_with_typedarray (typedarray_id=ECMA_FLOAT64_ARRAY, element_size_shift=<optimized out>, proto_p=<optimized out>, typedarray_p=0x5555556bd408 <jerry_global_heap+480>)
    at /home/jerryscript/jerry-core/ecma/operations/ecma-typedarray-object.c:655
655	    memcpy (dst_buf_p, src_buf_p, array_length << element_size_shift);
(gdb) x/i $rip
=> 0x55555557654e <ecma_op_create_typedarray+346>:	rep movsb %ds:(%rsi),%es:(%rdi)
(gdb) i r rdi
rdi            0x3004100020008     844704103137288

Answer 1 · 2020-06-03T07:48:59.000Z

A similar PoC:

function main() {
var v2 = new Float64Array();
var v3 = v2.buffer;
v3.constructor = Set;
var v4 = new Float64Array(v2);
}
main();

Output:

~/jerryscript/build/bin/jerry 02.js
ICE: Assertion 'ecma_is_value_object (value)' failed at /home/jerryscript/jerry-core/ecma/base/ecma-helpers-value.c(ecma_get_object_from_value):793.
Error: ERR_FAILED_INTERNAL_ASSERTION