Assertion (opcode >= CBC_PRE_INCR && opcode <= CBC_POST_DECR) || (opcode == CBC_ASSIGN && (context_p->token.type == LEXER_ASSIGN || LEXER_IS_BINARY_LVALUE_TOKEN (context_p->token.type))) in parser_check_invalid_new_target #3519

@renatahodovan

JerryScript revision

210b631

Build platform

Linux-4.15.0-72-generic-x86_64-with-Ubuntu-18.04-bionic

Build steps

```
./tools/build.py --clean --debug --compile-flag=-fsanitize=address \
--compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer \
--compile-flag=-fno-common --compile-flag=-g \
--strip=off --system-allocator=on --logging=on \
--linker-flag=-fuse-ld=gold --error-messages=on --profile=es2015-subset
```

Test case

```
(function() {
    [""] = $
})
```

Output

```
ICE: Assertion '(opcode >= CBC_PRE_INCR && opcode <= CBC_POST_DECR) || (opcode == CBC_ASSIGN && (context_p->token.type == LEXER_ASSIGN || LEXER_IS_BINARY_LVALUE_TOKEN (context_p->token.type)))' failed at jerryscript/jerry-core/parser/js/js-parser-expr.c(parser_check_invalid_new_target):127.
Error: ERR_FAILED_INTERNAL_ASSERTION
```

Backtrace

```
bt
#0  0xf7fd5079 in __kernel_vsyscall ()
#1  0xf77fc832 in raise () from /lib/i386-linux-gnu/libc.so.6
#2  0xf77fdcc1 in abort () from /lib/i386-linux-gnu/libc.so.6
#3  0x5657ce9d in jerry_port_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at jerryscript/jerry-port/default/default-fatal.c:30
#4  0x5665089b in jerry_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at jerryscript/jerry-core/jrt/jrt-fatals.c:58
#5  0x566508dc in jerry_assert_fail (assertion=0x566dc840 "(opcode >= CBC_PRE_INCR && opcode <= CBC_POST_DECR) || (opcode == CBC_ASSIGN && (context_p->token.type == LEXER_ASSIGN || LEXER_IS_BINARY_LVALUE_TOKEN (context_p->token.type)))", file=0x566dc680 "jerryscript/jerry-core/parser/js/js-parser-expr.c", function=0x566cbd20 <__func__.5589.lto_priv.38> "parser_check_invalid_new_target", line=127) at jerryscript/jerry-core/jrt/jrt-fatals.c:82
#6  0x5659af2e in parser_check_invalid_new_target (context_p=0xffffc4a0, opcode=CBC_ASSIGN) at jerryscript/jerry-core/parser/js/js-parser-expr.c:124
#7  0x565a3805 in parser_append_binary_single_assignment_token (context_p=0xffffc4a0, assign_ident_opcode=211 '\323') at jerryscript/jerry-core/parser/js/js-parser-expr.c:2211
#8  0x565a5367 in parser_pattern_form_assignment (context_p=0xffffc4a0, flags=PARSER_PATTERN_NO_OPTS, rhs_opcode=96, literal_index=65535, ident_line_counter=3) at jerryscript/jerry-core/parser/js/js-parser-expr.c:2527
#9  0x565a5eaf in parser_pattern_process_assignment (context_p=0xffffc4a0, flags=PARSER_PATTERN_NO_OPTS, rhs_opcode=96, literal_index=65535, end_type=LEXER_RIGHT_SQUARE) at jerryscript/jerry-core/parser/js/js-parser-expr.c:2701
#10 0x565a6121 in parser_parse_array_initializer (context_p=0xffffc4a0, flags=PARSER_PATTERN_NO_OPTS) at jerryscript/jerry-core/parser/js/js-parser-expr.c:2737
#11 0x565a0a6a in parser_parse_unary_expression (context_p=0xffffc4a0, grouping_level_p=0xffffb9f0) at jerryscript/jerry-core/parser/js/js-parser-expr.c:1581
#12 0x565a79e9 in parser_parse_expression (context_p=0xffffc4a0, options=2) at jerryscript/jerry-core/parser/js/js-parser-expr.c:3036
#13 0x565a7741 in parser_parse_expression_statement (context_p=0xffffc4a0, options=0) at jerryscript/jerry-core/parser/js/js-parser-expr.c:2996
#14 0x56571091 in parser_parse_statements (context_p=0xffffc4a0) at jerryscript/jerry-core/parser/js/js-parser-statm.c:3056
#15 0x5660e98d in parser_parse_function (context_p=0xffffc4a0, status_flags=14) at jerryscript/jerry-core/parser/js/js-parser.c:2402
#16 0x56595a6d in lexer_construct_function_object (context_p=0xffffc4a0, extra_status_flags=14) at jerryscript/jerry-core/parser/js/js-lexer.c:2492
#17 0x5659e329 in parser_parse_function_expression (context_p=0xffffc4a0, status_flags=14) at jerryscript/jerry-core/parser/js/js-parser-expr.c:1136
#18 0x565a07c2 in parser_parse_unary_expression (context_p=0xffffc4a0, grouping_level_p=0xffffbfc0) at jerryscript/jerry-core/parser/js/js-parser-expr.c:1558
#19 0x565a79e9 in parser_parse_expression (context_p=0xffffc4a0, options=2) at jerryscript/jerry-core/parser/js/js-parser-expr.c:3036
#20 0x565a73b7 in parser_parse_block_expression (context_p=0xffffc4a0, options=0) at jerryscript/jerry-core/parser/js/js-parser-expr.c:2975
#21 0x565710a7 in parser_parse_statements (context_p=0xffffc4a0) at jerryscript/jerry-core/parser/js/js-parser-statm.c:3060
#22 0x5660bfe0 in parser_parse_source (arg_list_p=0x0, arg_list_size=0, source_p=0x56733280 <buffer.lto_priv> "( function ( ) { new Promise ( isFinite .toString ) \n} ) ( ) ; \n( function ( ) { [ 'A' ] = [ ] \n} ) ( { } )  \n ", source_size=111, parse_opts=0, error_location_p=0xffffc6b0) at jerryscript/jerry-core/parser/js/js-parser.c:2103
#23 0x5660f623 in parser_parse_script (arg_list_p=0x0, arg_list_size=0, source_p=0x56733280 <buffer.lto_priv> "( function ( ) { new Promise ( isFinite .toString ) \n} ) ( ) ; \n( function ( ) { [ 'A' ] = [ ] \n} ) ( { } )  \n ", source_size=111, parse_opts=0, bytecode_data_p=0xffffc770) at jerryscript/jerry-core/parser/js/js-parser.c:2626
#24 0x566a1838 in jerry_parse (resource_name_p=0xffffcd7c "/home/reni/.fuzzinator_31942//jerryscript/picireny/299222989790379317439802882557105746447.js", resource_name_length=93, source_p=0x56733280 <buffer.lto_priv> "( function ( ) { new Promise ( isFinite .toString ) \n} ) ( ) ; \n( function ( ) { [ 'A' ] = [ ] \n} ) ( { } )  \n ", source_size=111, parse_opts=0) at jerryscript/jerry-core/api/jerry.c:445
#25 0x5669e575 in main (argc=2, argv=0xffffcb04) at jerryscript/jerry-main/main-unix.c:731
```

Found by Fuzzinator with grammarinator.

Labels

- ES2015: Related to ES2015 features
- bug: Undesired behaviour
- parser: Related to the JavaScript parser