Assertion '(flags >> CBC_STACK_ADJUST_SHIFT) >= CBC_STACK_ADJUST_BASE || (CBC_STACK_ADJUST_BASE - (flags >> CBC_STACK_ADJUST_SHIFT)) <= context_p->stack_depth' in parser_emit_cbc_backward_branch

[owl337]

JerryScript revision

a56e31f

Build platform

Ubuntu 16.04.6 LTS (Linux 4.15.0-99-generic x86_64)

Build steps

./tools/build.py --clean --debug --compile-flag=-fsanitize=address \
 --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer \
 --compile-flag=-fno-common --compile-flag=-g \
 --strip=off --system-allocator=on --logging=on \
 --linker-flag=-fuse-ld=gold --error-messages=on \
 --profile=es2015-subset --lto=off --stack-limit=50

Test case

function dec(x) { return x - 1 };
for (var i = 11; ((123).toString(37)) = dec (i); i--) {}

Output

ICE: Assertion '(flags >> CBC_STACK_ADJUST_SHIFT) >= CBC_STACK_ADJUST_BASE || (CBC_STACK_ADJUST_BASE - (flags >> CBC_STACK_ADJUST_SHIFT)) <= context_p->stack_depth' failed at /home/JerryScript/jerry-core/parser/js/js-parser-util.c(parser_emit_cbc_backward_branch):669.
Error: ERR_FAILED_INTERNAL_ASSERTION
Aborted (core dumped)

Credits: This vulnerability is detected by chong from OWL337.