Assertion old_length < new_length in ecma_fast_array_extend

[renatahodovan]

JerryScript revision

518fcf2

Build platform

Linux-4.15.0-72-generic-x86_64-with-Ubuntu-18.04-bionic

Build steps

./tools/build.py --clean --debug --compile-flag=-fsanitize=address \
--compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer \
--compile-flag=-fno-common --compile-flag=-g \
--strip=off --system-allocator=on --logging=on \
--linker-flag=-fuse-ld=gold --error-messages=on --profile=es2015-subset

Test case

class MyObservedArray extends Array {
    constructor() {
        super('"use strict"; var x = "\\411";')
    } [Symbol]() {}
}

new MyObservedArray().slice()

Output

ICE: Assertion 'old_length < new_length' failed at jerryscript/jerry-core/ecma/operations/ecma-array-object.c(ecma_fast_array_extend):317.
Error: ERR_FAILED_INTERNAL_ASSERTION

Backtrace

bt
#0  0xf7fd5079 in __kernel_vsyscall ()
#1  0xf77fc832 in raise () from /lib/i386-linux-gnu/libc.so.6
#2  0xf77fdcc1 in abort () from /lib/i386-linux-gnu/libc.so.6
#3  0x5657bd39 in jerry_port_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at jerryscript/jerry-port/default/default-fatal.c:30
#4  0x5664e317 in jerry_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at jerryscript/jerry-core/jrt/jrt-fatals.c:58
#5  0x5664e358 in jerry_assert_fail (assertion=0x566f1a00 "old_length < new_length", file=0x566f16e0 "jerryscript/jerry-core/ecma/operations/ecma-array-object.c", function=0x566b8d20 <__func__.5035.lto_priv.702> "ecma_fast_array_extend", line=317) at jerryscript/jerry-core/jrt/jrt-fatals.c:82
#6  0x5665cc17 in ecma_fast_array_extend (object_p=0xf5f03370, new_length=1) at jerryscript/jerry-core/ecma/operations/ecma-array-object.c:317
#7  0x565f2ed4 in ecma_builtin_array_prototype_object_slice (arg1=72, arg2=72, obj_p=0xf5f03460, len=1) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:857
#8  0x565f8616 in ecma_builtin_array_prototype_dispatch_routine (builtin_routine_id=86, this_arg=4126159971, arguments_list_p=0xffffc420, arguments_number=0) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:2625
#9  0x56698da7 in ecma_builtin_dispatch_routine (builtin_object_id=ECMA_BUILTIN_ID_ARRAY_PROTOTYPE, builtin_routine_id=86, this_arg_value=4126159971, arguments_list_p=0xffffc420, arguments_list_len=0) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1020
#10 0x56699008 in ecma_builtin_dispatch_call (obj_p=0xf5f01120, this_arg_value=4126159971, arguments_list_p=0xffffc6ec, arguments_list_len=0) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1045
#11 0x5666b55d in ecma_op_function_call (func_obj_p=0xf5f01120, this_arg_value=4126159971, arguments_list_p=0xffffc6ec, arguments_list_len=0) at jerryscript/jerry-core/ecma/operations/ecma-function-object.c:762
#12 0x56631eba in opfunc_call.lto_priv.465 (frame_ctx_p=0xffffc690) at jerryscript/jerry-core/vm/vm.c:699
#13 0x565e5638 in vm_execute (frame_ctx_p=0xffffc690) at jerryscript/jerry-core/vm/vm.c:4117
#14 0x565e5c63 in vm_run (bytecode_header_p=0xf4d03780, this_binding_value=4126149459, lex_env_p=0xf5d007b0, arg_list_p=0x0, arg_list_len=0) at jerryscript/jerry-core/vm/vm.c:4240
#15 0x566307df in vm_run_global (bytecode_p=0xf4d03780) at jerryscript/jerry-core/vm/vm.c:286
#16 0x566a097b in jerry_run (func_val=4126152483) at jerryscript/jerry-core/api/jerry.c:595
#17 0x5669d0a8 in main (argc=2, argv=0xffffcb04) at jerryscript/jerry-main/main-unix.c:740

^{Found by Fuzzinator with grammarinator.}