Assertion 'ECMA_STRING_IS_REF_EQUALS_TO_ONE (string_p)' failed at jerryscript/jerry-core/ecma/base/ecma-literal-storage.c(ecma_free_string_list):77.
SwtWld opened this issue · 0 comments
JerryScript revision
Commit: a6ab5e9
Version: v3.0.0
Build platform
Ubuntu 18.04.5 LTS (Linux 4.19.128-microsoft-standard x86_64)
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-g --strip=off --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20
Test case
poc.js
var a = new Array(286331153, 572662306, 858993459, 1145324612, 303174162, 589505315, 305419888, 30583);
var handler = {
  getPrototypeOf: function (target, name) {
    return a;
  }
};
var p = new Proxy([], handler);
var b = [
  {},
  [],
  'natalie'
];
__proto__.__proto__ = p;
eval("function test_configurable_accessor() { print('replacement'); }");
[].flat.call(b);
Execution steps & Output
$ ./jerryscript/build/bin/jerry poc.js
Unhandled exception:
0: <eval>:1:64
1: poc.js:14:1
ICE: Assertion 'ECMA_STRING_IS_REF_EQUALS_TO_ONE (string_p)' failed at jerryscript/jerry-core/ecma/base/ecma-literal-storage.c(ecma_free_string_list):77.
Error: ERR_FAILED_INTERNAL_ASSERTION
[1] 987 abort jerry poc.js
Credits: Found by OWL337 team.