Skip to content

Assertion ext_obj_p->u.array.hole_count <= ECMA_FAST_ARRAY_MAX_HOLE_COUNT in ecma_fast_array_set_property #3075

New issue
New issue
Closed
#3076
Closed
Assertion ext_obj_p->u.array.hole_count <= ECMA_FAST_ARRAY_MAX_HOLE_COUNT in ecma_fast_array_set_property#3075
#3076
Labels
bugUndesired behaviourecma coreRelated to core ECMA functionality
@renatahodovan

Description

@renatahodovan
renatahodovan
opened on Sep 5, 2019
JerryScript revision

57f389d

Build platform

Linux-4.15.0-54-generic-x86_64-with-Ubuntu-18.04-bionic

Build steps
./tools/build.py --clean --debug --compile-flag=-fsanitize=address \
--compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer \
--compile-flag=-fno-common --compile-flag=-g \
--strip=off --system-allocator=on --logging=on \
--linker-flag=-fuse-ld=gold --error-messages=on --profile=es2015-subset
Test case
var arr = [ , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ]; 
arr [ 4294967294 ] = 0
Output
ICE: Assertion 'ext_obj_p->u.array.hole_count <= ECMA_FAST_ARRAY_MAX_HOLE_COUNT' failed at jerryscript/jerry-core/ecma/operations/ecma-array-object.c(ecma_fast_array_set_property):277.
Error: ERR_FAILED_INTERNAL_ASSERTION
Backtrace
bt
#0  0xf7fd5059 in __kernel_vsyscall ()
#1  0xf77fc832 in raise () from /lib/i386-linux-gnu/libc.so.6
#2  0xf77fdcc1 in abort () from /lib/i386-linux-gnu/libc.so.6
#3  0x5657ac4c in jerry_port_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at jerryscript/jerry-port/default/default-fatal.c:71
#4  0x56618af4 in jerry_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at jerryscript/jerry-core/jrt/jrt-fatals.c:58
#5  0x56618b35 in jerry_assert_fail (assertion=0x566af220 "ext_obj_p->u.array.hole_count <= ECMA_FAST_ARRAY_MAX_HOLE_COUNT", file=0x566aef80 "jerryscript/jerry-core/ecma/operations/ecma-array-object.c", function=0x5667cea0 <__func__.4083.lto_priv.595> "ecma_fast_array_set_property", line=277) at jerryscript/jerry-core/jrt/jrt-fatals.c:82
#6  0x56629798 in ecma_fast_array_set_property (object_p=0xf5f00730, property_name_p=0xf5d00570, value=4124051185) at jerryscript/jerry-core/ecma/operations/ecma-array-object.c:277
#7  0x56606737 in ecma_op_object_put (object_p=0xf5f00730, property_name_p=0xf5d00570, value=4124051185, is_throw=false) at jerryscript/jerry-core/ecma/operations/ecma-objects.c:1007
#8  0x565e9060 in vm_op_set_value (object=4126148403, property=4124050770, value=4124051185, is_strict=false) at jerryscript/jerry-core/vm/vm.c:212
#9  0x565f96f8 in vm_loop (frame_ctx_p=0xffffc7e0) at jerryscript/jerry-core/vm/vm.c:3349
#10 0x565fb064 in vm_execute (frame_ctx_p=0xffffc7e0, arg_p=0x0, arg_list_len=0) at jerryscript/jerry-core/vm/vm.c:3616
#11 0x565fb9c8 in vm_run (bytecode_header_p=0xf5103c80, this_binding_value=4126149459, lex_env_p=0xf5d007b0, parse_opts=0, arg_list_p=0x0, arg_list_len=0) at jerryscript/jerry-core/vm/vm.c:3742
#12 0x565e9128 in vm_run_global (bytecode_p=0xf5103c80) at jerryscript/jerry-core/vm/vm.c:282
#13 0x56641db1 in jerry_run (func_val=4126148835) at jerryscript/jerry-core/api/jerry.c:570
#14 0x5663e715 in main (argc=3, argv=0xffffcc14) at jerryscript/jerry-main/main-unix.c:743

Found by Fuzzinator with grammarinator.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugUndesired behaviourecma coreRelated to core ECMA functionality

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions