Assertion 'ecma_object_is_typedarray (obj_p)' failed in ecma-typedarray-object(ecma_get_typedarray_id) #4875

Closed
hope-fly opened this issue Dec 9, 2021 · 0 comments · Fixed by #4879
hope-fly commented Dec 9, 2021

JerryScript revision

Commit: 51da1551 Version: v3.0.0

Commit: 8ba0d1b Version: v2.4.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

```sh
./tools/build.py --clean --debug --profile=es2015-subset --compile-flag=-fsanitize=address --compile-flag=-m32 --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20
```

Test case
```javascript
function isPoT(obj, name, type) {
  let desc;
  desc = Object.getOwnPropertyDescriptor(obj, name);
  return typeof type === 'undefined' || typeof desc.value === type;
}

function getPs(obj, type) {
  let properties = [];

  for (let name of Object.getOwnPropertyNames(obj)) {
    if (isPoT(obj, name, type)) {
      properties.push(name);
    }
  }

  return properties;
}

function* genObj(root = this, level = 0) {
  if (level > 4) {
    return;
  }

  let obj_names = getPs(root, 'object');

  for (let obj_name of obj_names) {
    if (obj_name.startsWith('$')) {
      continue;
    }

    let obj = root[obj_name];
    yield obj;
    yield* genObj(obj, level + 1);
  }
}

function JSEtestObj() {
  let objects = [];

  for (let obj of genObj()) {
    if (!objects.includes(obj)) {
      objects.push(obj);
    }
  }

  return objects;
}

function JSEtestFunc(obj) {
  return getPs(obj, 'function');
}

const thrower = new Proxy({}, {
  get() {
    throw 0xc0defefe;
  }

});

for (let o of JSEtestObj()) {
  for (let f of JSEtestFunc(o)) {
    const arityPlusOne = o[f].length + 1;
    try {
      o[f](Array(arityPlusOne).fill(thrower));
    } catch (e) {
      if (`${e}`.includes('1')) {
        try {
          new o[f](Array(arityPlusOne).fill(thrower));
        } catch (e) {}
      } else {
      }
    }
  }
}
```

Execution steps & Output

Version: v3.0.0

```
$ ./jerryscript/build/bin/jerry poc.js

ICE: Assertion 'ecma_object_is_typedarray (obj_p)' failed at /root/jerryscript/jerry-core/ecma/operations/ecma-typedarray-object.c(ecma_get_typedarray_id):764.
Error: ERR_FAILED_INTERNAL_ASSERTION
```

Version: v2.4.0

```
$ ~/jerryscript-2.4.0/build/bin/jerry poc.js
Script Error: assertion failed
Script backtrace (top 5):
 0: poc.js:72
```

Credits: Found by OWL337 team.

@rerobika rerobika added the bug Undesired behaviour label Dec 9, 2021
rerobika pushed a commit to rerobika/jerryscript that referenced this issue Dec 9, 2021
This patch fixes jerryscript-project#4875.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik robert.fancsik@h-lab.eu
@rerobika rerobika self-assigned this Dec 9, 2021
ossy-szeged pushed a commit that referenced this issue Dec 15, 2021
This patch fixes #4875.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik robert.fancsik@h-lab.eu
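
The test case above calls every reachable function without saying which one was running when the assertion fired. The sketch below is an added triage example, not part of the issue or of JerryScript: it walks the object graph the same way but logs a property path before each attempt. `walk`, `probe`, the `global` path prefix and the sample graph are hypothetical names; unlike the test case it also visits the root's own functions and always tries both call and construct.

```javascript
// Added triage sketch: not JerryScript code and not part of the reported test case.
// Collect every function-valued own data property reachable from `root`,
// remembering the property path that leads to it.
function walk(root, maxDepth) {
  const seen = [];
  const targets = [];
  (function visit(obj, path, depth) {
    if (depth > maxDepth || seen.includes(obj)) return; // depth limit, cycle guard
    seen.push(obj);
    for (const name of Object.getOwnPropertyNames(obj)) {
      const value = Object.getOwnPropertyDescriptor(obj, name).value; // undefined for accessors
      if (typeof value === 'function') {
        targets.push({ owner: obj, fn: value, path: `${path}.${name}` });
      } else if (typeof value === 'object' && value !== null && !name.startsWith('$')) {
        visit(value, `${path}.${name}`, depth + 1);
      }
    }
  })(root, 'global', 0);
  return targets;
}

// Call, then construct, each target with one array of throwing proxies, as the
// test case does. `log` runs BEFORE each attempt, so if the engine aborts, the
// last logged line names the function that was executing.
function probe(targets, log) {
  const thrower = new Proxy({}, { get() { throw 0xc0defefe; } });
  const results = [];
  for (const t of targets) {
    const args = Array(t.fn.length + 1).fill(thrower);
    for (const mode of ['call', 'construct']) {
      log(`${mode} ${t.path}`);
      let outcome = 'returned';
      try {
        if (mode === 'call') t.fn.call(t.owner, args); else new t.fn(args);
      } catch (e) { outcome = 'threw'; }
      results.push({ path: t.path, mode, outcome });
    }
  }
  return results;
}

// Constructed sample graph (not an engine global) so the sketch runs anywhere.
const sample = { util: { ok: function (a) { return a.length; },
                         touchy: function (a) { return a[0].x; } },
                 $skipped: { hidden: function () {} } };
sample.util.back = sample; // cycle, stopped by `seen`
const trace = [];
const report = probe(walk(sample, 4), (line) => trace.push(line));
// In the jerry shell (assuming its `print` builtin): probe(walk(this, 4), print);
```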