
Segmentation fault in ecma_string_get_chars #1557

Closed
renatahodovan opened this issue Mar 27, 2018 · 1 comment

@renatahodovan
Contributor

IoT.js version:
Checked revision: 3c2212a
Build command: tools/build.py --buildtype=debug
OS:
Ubuntu 17.10, x86_64
Test case:
var fz_globalObject = Function("return this")( )
var prop_names = Object.getOwnPropertyNames(fz_globalObject)
console.log(prop_names)
for (var i = 0;; i++) {
    var prop_name = prop_names[i]
    console.log(prop_name)
}
Backtrace:
[process,global,console,Buffer,setTimeout,setInterval,clearTimeout,clearInterval,unescape,escape,parseInt,encodeURIComponent,encodeURI,decodeURIComponent,decodeURI,isFinite,isNaN,parseFloat,eval,JSON,Math,URIError,TypeError,SyntaxError,ReferenceError,RangeError,EvalError,Error,RegExp,Date,Number,Boolean,String,Array,Function,Object,Infinity,NaN,undefined]
process
global
console
Segmentation fault (core dumped)

Program received signal SIGSEGV, Segmentation fault.
0x000055555559687d in ecma_string_get_chars (string_p=0x53d, size_p=0x7fffffffb37c, flags_p=0x7fffffffb37b "\001\377\377")
    at iotjs/deps/jerry/jerry-core/ecma/base/ecma-helpers-string.c:1465
1465	          length = lit_utf8_string_length (lit_get_magic_string_ex_utf8 (string_p->u.magic_string_ex_id), size);
(gdb) bt
#0  0x000055555559687d in ecma_string_get_chars (string_p=0x53d, size_p=0x7fffffffb37c, flags_p=0x7fffffffb37b "\001\377\377")
    at iotjs/deps/jerry/jerry-core/ecma/base/ecma-helpers-string.c:1465
#1  0x0000555555598221 in ecma_string_get_char_at_pos (string_p=0x53d, index=0) at iotjs/deps/jerry/jerry-core/ecma/base/ecma-helpers-string.c:2188
#2  0x00005555555dc070 in ecma_builtin_string_prototype_object_char_at (this_arg=1341, arg=0) at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:147
#3  0x00005555555db959 in ecma_builtin_string_prototype_dispatch_routine (builtin_routine_id=40, this_arg_value=1341, arguments_list=0x7fffffffb88c, arguments_number=1)
    at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.inc.h:48
#4  0x00005555555e8f99 in ecma_builtin_dispatch_routine (builtin_object_id=ECMA_BUILTIN_ID_STRING_PROTOTYPE, builtin_routine_id=40, this_arg_value=1341, arguments_list_p=0x7fffffffb88c, 
    arguments_list_len=1) at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtins.c:880
#5  0x00005555555e90eb in ecma_builtin_dispatch_call (obj_p=0x555555881c10 <jerry_global_heap+20400>, this_arg_value=1341, arguments_list_p=0x7fffffffb88c, arguments_list_len=1)
    at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtins.c:905
#6  0x00005555555f336f in ecma_op_function_call (func_obj_p=0x555555881c10 <jerry_global_heap+20400>, this_arg_value=1341, arguments_list_p=0x7fffffffb88c, arguments_list_len=1)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:342
#7  0x0000555555626992 in opfunc_call (frame_ctx_p=0x7fffffffb8e0) at iotjs/deps/jerry/jerry-core/vm/vm.c:417
#8  0x0000555555630361 in vm_execute (frame_ctx_p=0x7fffffffb8e0, arg_p=0x555555882070 <jerry_global_heap+21520>, arg_list_len=1) at iotjs/deps/jerry/jerry-core/vm/vm.c:2844
#9  0x0000555555630617 in vm_run (bytecode_header_p=0x55555587dde8 <jerry_global_heap+4488>, this_binding_value=5603, lex_env_p=0x555555882078 <jerry_global_heap+21528>, is_eval_code=false, 
    arg_list_p=0x555555882070 <jerry_global_heap+21520>, arg_list_len=1) at iotjs/deps/jerry/jerry-core/vm/vm.c:2924
#10 0x00005555555f389f in ecma_op_function_call (func_obj_p=0x55555587e0e0 <jerry_global_heap+5248>, this_arg_value=5603, arguments_list_p=0x555555882070 <jerry_global_heap+21520>, 
    arguments_list_len=1) at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:405
#11 0x00005555555b9ade in ecma_builtin_function_prototype_object_apply (this_arg=5251, arg1=5603, arg2=21459)
    at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:160
#12 0x00005555555b9370 in ecma_builtin_function_prototype_dispatch_routine (builtin_routine_id=35, this_arg_value=5251, arguments_list=0x7fffffffc0c8, arguments_number=2)
    at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.inc.h:41
#13 0x00005555555e8f99 in ecma_builtin_dispatch_routine (builtin_object_id=ECMA_BUILTIN_ID_FUNCTION_PROTOTYPE, builtin_routine_id=35, this_arg_value=5251, arguments_list_p=0x7fffffffc0c8, 
    arguments_list_len=2) at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtins.c:880
#14 0x00005555555e90eb in ecma_builtin_dispatch_call (obj_p=0x555555881700 <jerry_global_heap+19104>, this_arg_value=5251, arguments_list_p=0x7fffffffc0c8, arguments_list_len=2)
    at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtins.c:905
#15 0x00005555555f336f in ecma_op_function_call (func_obj_p=0x555555881700 <jerry_global_heap+19104>, this_arg_value=5251, arguments_list_p=0x7fffffffc0c8, arguments_list_len=2)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:342
#16 0x0000555555626992 in opfunc_call (frame_ctx_p=0x7fffffffc110) at iotjs/deps/jerry/jerry-core/vm/vm.c:417
#17 0x0000555555630361 in vm_execute (frame_ctx_p=0x7fffffffc110, arg_p=0x7fffffffc51c, arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:2844
#18 0x0000555555630617 in vm_run (bytecode_header_p=0x55555587d958 <jerry_global_heap+3320>, this_binding_value=5603, lex_env_p=0x555555881ed8 <jerry_global_heap+21112>, is_eval_code=false, 
    arg_list_p=0x7fffffffc51c, arg_list_len=1) at iotjs/deps/jerry/jerry-core/vm/vm.c:2924
#19 0x00005555555f389f in ecma_op_function_call (func_obj_p=0x55555587e200 <jerry_global_heap+5536>, this_arg_value=5603, arguments_list_p=0x7fffffffc51c, arguments_list_len=1)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:405
#20 0x0000555555626992 in opfunc_call (frame_ctx_p=0x7fffffffc560) at iotjs/deps/jerry/jerry-core/vm/vm.c:417
#21 0x0000555555630361 in vm_execute (frame_ctx_p=0x7fffffffc560, arg_p=0x7fffffffcc4c, arg_list_len=3) at iotjs/deps/jerry/jerry-core/vm/vm.c:2844
#22 0x0000555555630617 in vm_run (bytecode_header_p=0x555555881840 <jerry_global_heap+19424>, this_binding_value=17155, lex_env_p=0x55555587cc88 <jerry_global_heap+40>, is_eval_code=false, 
    arg_list_p=0x7fffffffcc4c, arg_list_len=3) at iotjs/deps/jerry/jerry-core/vm/vm.c:2924
#23 0x00005555555f389f in ecma_op_function_call (func_obj_p=0x555555881650 <jerry_global_heap+18928>, this_arg_value=17155, arguments_list_p=0x7fffffffcc4c, arguments_list_len=3)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:405
#24 0x00005555555b9d35 in ecma_builtin_function_prototype_object_call (this_arg=18931, arguments_list_p=0x7fffffffcc48, arguments_number=4)
    at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.c:215
#25 0x00005555555b9386 in ecma_builtin_function_prototype_dispatch_routine (builtin_routine_id=36, this_arg_value=18931, arguments_list=0x7fffffffcc48, arguments_number=4)
    at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtin-function-prototype.inc.h:42
#26 0x00005555555e8f99 in ecma_builtin_dispatch_routine (builtin_object_id=ECMA_BUILTIN_ID_FUNCTION_PROTOTYPE, builtin_routine_id=36, this_arg_value=18931, arguments_list_p=0x7fffffffcc48, 
    arguments_list_len=4) at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtins.c:880
#27 0x00005555555e90eb in ecma_builtin_dispatch_call (obj_p=0x55555587ef70 <jerry_global_heap+8976>, this_arg_value=18931, arguments_list_p=0x7fffffffcc48, arguments_list_len=4)
    at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtins.c:905
#28 0x00005555555f336f in ecma_op_function_call (func_obj_p=0x55555587ef70 <jerry_global_heap+8976>, this_arg_value=18931, arguments_list_p=0x7fffffffcc48, arguments_list_len=4)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:342
#29 0x0000555555626992 in opfunc_call (frame_ctx_p=0x7fffffffcca0) at iotjs/deps/jerry/jerry-core/vm/vm.c:417
#30 0x0000555555630361 in vm_execute (frame_ctx_p=0x7fffffffcca0, arg_p=0x7fffffffd0a8, arg_list_len=2) at iotjs/deps/jerry/jerry-core/vm/vm.c:2844
#31 0x0000555555630617 in vm_run (bytecode_header_p=0x55555587f6e0 <jerry_global_heap+10880>, this_binding_value=17131, lex_env_p=0x55555587f0d8 <jerry_global_heap+9336>, is_eval_code=false, 
    arg_list_p=0x7fffffffd0a8, arg_list_len=2) at iotjs/deps/jerry/jerry-core/vm/vm.c:2924
#32 0x00005555555f389f in ecma_op_function_call (func_obj_p=0x5555558810f8 <jerry_global_heap+17560>, this_arg_value=17131, arguments_list_p=0x7fffffffd0a8, arguments_list_len=2)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:405
#33 0x0000555555626992 in opfunc_call (frame_ctx_p=0x7fffffffd100) at iotjs/deps/jerry/jerry-core/vm/vm.c:417
#34 0x0000555555630361 in vm_execute (frame_ctx_p=0x7fffffffd100, arg_p=0x7fffffffd4f4, arg_list_len=2) at iotjs/deps/jerry/jerry-core/vm/vm.c:2844
#35 0x0000555555630617 in vm_run (bytecode_header_p=0x55555587f5e0 <jerry_global_heap+10624>, this_binding_value=11099, lex_env_p=0x55555587f0d8 <jerry_global_heap+9336>, is_eval_code=false, 
    arg_list_p=0x7fffffffd4f4, arg_list_len=2) at iotjs/deps/jerry/jerry-core/vm/vm.c:2924
#36 0x00005555555f389f in ecma_op_function_call (func_obj_p=0x5555558810b0 <jerry_global_heap+17488>, this_arg_value=11099, arguments_list_p=0x7fffffffd4f4, arguments_list_len=2)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:405
#37 0x0000555555626992 in opfunc_call (frame_ctx_p=0x7fffffffd530) at iotjs/deps/jerry/jerry-core/vm/vm.c:417
#38 0x0000555555630361 in vm_execute (frame_ctx_p=0x7fffffffd530, arg_p=0x7fffffffd944, arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:2844
#39 0x0000555555630617 in vm_run (bytecode_header_p=0x55555587f710 <jerry_global_heap+10928>, this_binding_value=11099, lex_env_p=0x55555587f0d8 <jerry_global_heap+9336>, is_eval_code=false, 
    arg_list_p=0x7fffffffd944, arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:2924
#40 0x00005555555f389f in ecma_op_function_call (func_obj_p=0x555555881108 <jerry_global_heap+17576>, this_arg_value=11099, arguments_list_p=0x7fffffffd944, arguments_list_len=0)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:405
#41 0x0000555555626992 in opfunc_call (frame_ctx_p=0x7fffffffd990) at iotjs/deps/jerry/jerry-core/vm/vm.c:417
#42 0x0000555555630361 in vm_execute (frame_ctx_p=0x7fffffffd990, arg_p=0x7fffffffdd74, arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:2844
#43 0x0000555555630617 in vm_run (bytecode_header_p=0x55555587d210 <jerry_global_heap+1456>, this_binding_value=27, lex_env_p=0x55555587d750 <jerry_global_heap+2800>, is_eval_code=false, 
    arg_list_p=0x7fffffffdd74, arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:2924
#44 0x00005555555f389f in ecma_op_function_call (func_obj_p=0x55555587d740 <jerry_global_heap+2784>, this_arg_value=72, arguments_list_p=0x7fffffffdd74, arguments_list_len=0)
    at iotjs/deps/jerry/jerry-core/ecma/operations/ecma-function-object.c:405
#45 0x0000555555626992 in opfunc_call (frame_ctx_p=0x7fffffffddb0) at iotjs/deps/jerry/jerry-core/vm/vm.c:417
#46 0x0000555555630361 in vm_execute (frame_ctx_p=0x7fffffffddb0, arg_p=0x0, arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:2844
#47 0x0000555555630617 in vm_run (bytecode_header_p=0x55555587d1f0 <jerry_global_heap+1424>, this_binding_value=27, lex_env_p=0x55555587cc88 <jerry_global_heap+40>, is_eval_code=true, arg_list_p=0x0, 
    arg_list_len=0) at iotjs/deps/jerry/jerry-core/vm/vm.c:2924
#48 0x0000555555626220 in vm_run_eval (bytecode_data_p=0x55555587d1f0 <jerry_global_heap+1424>, is_direct=false) at iotjs/deps/jerry/jerry-core/vm/vm.c:269
#49 0x000055555557a870 in jerry_snapshot_result_at (snapshot_p=0x555555646fc0 <iotjs_js_modules_s>, snapshot_size=36146, func_index=12, copy_bytecode=false, as_function=false)
    at iotjs/deps/jerry/jerry-core/api/jerry-snapshot.c:761
#50 0x000055555557a8e2 in jerry_exec_snapshot_at (snapshot_p=0x555555646fc0 <iotjs_js_modules_s>, snapshot_size=36146, func_index=12, copy_bytecode=false)
    at iotjs/deps/jerry/jerry-core/api/jerry-snapshot.c:800
#51 0x000055555556c565 in iotjs_run (env=0x55555587b420 <current_env>) at iotjs/src/iotjs.c:102
#52 0x000055555556c62b in iotjs_start (env=0x55555587b420 <current_env>) at iotjs/src/iotjs.c:132
#53 0x000055555556ca7d in iotjs_entry (argc=2, argv=0x7fffffffe168) at iotjs/src/iotjs.c:207
#54 0x000055555556c1ba in main (argc=2, argv=0x7fffffffe168) at iotjs/src/platform/linux/iotjs_linux.c:19

Found by Fuzzinator
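A small triage helper, added here as an example and not part of the issue or of the IoT.js/JerryScript code base, that parses a gdb backtrace like the one above, flags pointer-named arguments whose values cannot be a mapped user-space address, and then follows that number outward through the frames. On the posted frames it shows that the `this_arg=1341` which `ecma_builtin_string_prototype_object_char_at` received is the same number (0x53d) that `ecma_string_get_chars` then dereferenced as `string_p`, which is what a reviewer wants to know before reading the source: a value the engine passed as an argument reached a string helper as a raw pointer. The `_p` naming convention for pointer arguments and the `mmap_min_addr` threshold are assumptions of the script; the sample input is a constructed subset (frames #0, #1, #2 and #5) of the backtrace in the report.

```python
import re
from dataclasses import dataclass

# Constructed sample input: four of the gdb frames posted in the issue,
# reproduced as printed, including gdb's wrapping of long frames.
SAMPLE_BACKTRACE = r"""#0  0x000055555559687d in ecma_string_get_chars (string_p=0x53d, size_p=0x7fffffffb37c, flags_p=0x7fffffffb37b "\001\377\377")
    at iotjs/deps/jerry/jerry-core/ecma/base/ecma-helpers-string.c:1465
#1  0x0000555555598221 in ecma_string_get_char_at_pos (string_p=0x53d, index=0) at iotjs/deps/jerry/jerry-core/ecma/base/ecma-helpers-string.c:2188
#2  0x00005555555dc070 in ecma_builtin_string_prototype_object_char_at (this_arg=1341, arg=0) at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:147
#5  0x00005555555e90eb in ecma_builtin_dispatch_call (obj_p=0x555555881c10 <jerry_global_heap+20400>, this_arg_value=1341, arguments_list_p=0x7fffffffb88c, arguments_list_len=1)
    at iotjs/deps/jerry/jerry-core/ecma/builtin-objects/ecma-builtins.c:905
"""

# "#N  0xPC in func (args) at file:line" once wrapped lines have been re-joined.
FRAME_RE = re.compile(r"^#(\d+)\s+0x([0-9a-fA-F]+) in (\w+) \((.*)\) at (\S+):(\d+)$")
# name=value pairs; symbol annotations such as <jerry_global_heap+20400> carry no '='
# and are skipped.
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-fA-F]+|-?\d+|[A-Za-z_]\w*)")

# Assumption: Linux refuses to map pages below vm.mmap_min_addr (65536 by default),
# so a non-null "pointer" below this bound cannot refer to valid memory.
MMAP_MIN_ADDR = 0x10000


@dataclass
class Frame:
    number: int
    pc: int
    func: str
    args: dict      # argument name -> value text exactly as gdb printed it
    file: str
    line: int


def _join_wrapped_lines(text):
    """gdb wraps long frames; a continuation line starts with whitespace."""
    joined = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.rstrip())
    return joined


def parse_backtrace(text):
    frames = []
    for line in _join_wrapped_lines(text):
        m = FRAME_RE.match(line)
        if not m:
            continue
        args = dict(ARG_RE.findall(m.group(4)))
        frames.append(Frame(int(m.group(1)), int(m.group(2), 16), m.group(3),
                            args, m.group(5), int(m.group(6))))
    return frames


def as_int(raw):
    """Numeric value of a gdb argument, or None for symbolic values such as enum names."""
    try:
        return int(raw, 16) if raw.lower().startswith("0x") else int(raw, 10)
    except ValueError:
        return None


def suspicious_pointers(frames, min_addr=MMAP_MIN_ADDR):
    """Pointer-named arguments (assumed *_p convention) holding a non-null value
    that is too small to be a mapped address. Null is excluded because a NULL
    argument can be legitimate (see arg_p=0x0 in the outer frames of the report)."""
    hits = []
    for f in frames:
        for name, raw in f.args.items():
            value = as_int(raw)
            if name.endswith("_p") and value is not None and 0 < value < min_addr:
                hits.append((f.number, f.func, name, value))
    return hits


def trace_value(frames, value):
    """Every frame/argument carrying the same number, deepest frame first. A number
    that is an integer argument in an outer frame and a *_p argument in an inner
    one was reinterpreted as a pointer somewhere in between."""
    return [(f.number, f.func, name)
            for f in frames for name, raw in f.args.items() if as_int(raw) == value]


def triage(text):
    """Map each suspicious pointer value to where it was first dereferenced and to
    every frame that carried it."""
    frames = parse_backtrace(text)
    report = {}
    for number, func, name, value in suspicious_pointers(frames):
        if value not in report:     # frames are deepest-first: keep the crash site
            report[value] = {"crash_site": (number, func, name),
                             "carriers": trace_value(frames, value)}
    return report


if __name__ == "__main__":
    for value, info in triage(SAMPLE_BACKTRACE).items():
        number, func, name = info["crash_site"]
        print(f"frame #{number} {func}: {name}=0x{value:x} ({value}) is below mmap_min_addr")
        for n, fn, arg in info["carriers"]:
            print(f"    same value in frame #{n} {fn} as {arg}")
```

Run against the full backtrace from the report, the script points at frames #0 and #1 (`string_p=0x53d`) and lists frames #2 and #5 (`this_arg` and `this_arg_value`, both 1341) as the outer carriers of the same number, so the place to read first is the hand-off between the builtin dispatcher and `ecma_string_get_char_at_pos`, not the crash line itself.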

@galpeter
Contributor

This Jerry fix should resolve the problem: jerryscript-project/jerryscript#2261

LaszloLango added a commit to LaszloLango/iotjs that referenced this issue Mar 29, 2018
Updated snapshot version and added a test for jerryscript-project#1557. Fixes jerryscript-project#1557

IoT.js-DCO-1.0-Signed-off-by: László Langó llango.u-szeged@partner.samsung.com
yichoi pushed a commit that referenced this issue Mar 30, 2018
Updated snapshot version and added a test for #1557. Fixes #1557

IoT.js-DCO-1.0-Signed-off-by: László Langó llango.u-szeged@partner.samsung.com