Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ICE: Assertion 'ecma_object_class_is (object_p, LIT_MAGIC_STRING_ARRAY_BUFFER_UL)' failed at jerry-core/ecma/operations/ecma-arraybuffer-object.c(ecma_arraybuffer_get_buffer):190. Error: ERR_FAILED_INTERNAL_ASSERTION #3836

Closed
nszetei opened this issue Jun 3, 2020 · 1 comment · Fixed by #3850
Closed

ICE: Assertion 'ecma_object_class_is (object_p, LIT_MAGIC_STRING_ARRAY_BUFFER_UL)' failed at jerry-core/ecma/operations/ecma-arraybuffer-object.c(ecma_arraybuffer_get_buffer):190. Error: ERR_FAILED_INTERNAL_ASSERTION #3836

nszetei opened this issue Jun 3, 2020 · 1 comment · Fixed by #3850
Assignees
@szilagyiadam
Labels
bug Undesired behaviour

Comments

@nszetei
Copy link

nszetei commented Jun 3, 2020

JerryScript revision

a56e31f

Build platform

Ubuntu 18.04.4 LTS (Linux 4.15.0-91-generic x86_64)

Build steps
  • first output
python tools/build.py --profile=es2015-subset --lto=off --compile-flag=-g \
--error-messages=on --debug --strip=off --logging=on \
 --compile-flag=-fsanitize=address --stack-limit=15
  • second output
python tools/build.py --profile=es2015-subset --lto=off --compile-flag=-g  \
--strip=off --logging=on  --stack-limit=15
Test case
function main() {
var v3 = new Float64Array(6);
var v4 = v3.buffer;
v4.constructor = Uint8Array;
var v5 = new Float64Array(v3);
}
main();
Execution steps
ICE: Assertion 'ecma_object_class_is (object_p, LIT_MAGIC_STRING_ARRAY_BUFFER_UL)' failed at /home/jerryscript/jerry-core/ecma/operations/ecma-arraybuffer-object.c(ecma_arraybuffer_get_buffer):190.
Error: ERR_FAILED_INTERNAL_ASSERTION
Aborted (core dumped)
$ gdb -nx -q ~/jerryscript/build/bin/jerry -ex 'r 01.js'
Reading symbols from /home/jerryscript/build/bin/jerry...
Starting program: /home/jerryscript/build/bin/jerry 01.js

Program received signal SIGSEGV, Segmentation fault.
ecma_typedarray_create_object_with_typedarray (typedarray_id=ECMA_FLOAT64_ARRAY, element_size_shift=<optimized out>, proto_p=<optimized out>, typedarray_p=0x5555556bd408 <jerry_global_heap+480>)
    at /home/jerryscript/jerry-core/ecma/operations/ecma-typedarray-object.c:655
655	    memcpy (dst_buf_p, src_buf_p, array_length << element_size_shift);
(gdb) x/i $rip
=> 0x55555557654e <ecma_op_create_typedarray+346>:	rep movsb %ds:(%rsi),%es:(%rdi)
(gdb) i r rdi
rdi            0x3004100020008     844704103137288
@nszetei nszetei changed the title ICE: Assertion 'ecma_object_class_is (object_p, LIT_MAGIC_STRING_ARRAY_BUFFER_UL)' failed at jerry-core/ecma/operations/ecma-arraybuffer-object.c(ecma_arraybuffer_get_buffer):190. Error: ERR_FAILED_INTERNAL_ASSERTION Aborted (core dumped) ICE: Assertion 'ecma_object_class_is (object_p, LIT_MAGIC_STRING_ARRAY_BUFFER_UL)' failed at jerry-core/ecma/operations/ecma-arraybuffer-object.c(ecma_arraybuffer_get_buffer):190. Error: ERR_FAILED_INTERNAL_ASSERTION Jun 3, 2020
@nszetei
Copy link
Author

nszetei commented Jun 3, 2020

  • A similar PoC:
function main() {
var v2 = new Float64Array();
var v3 = v2.buffer;
v3.constructor = Set;
var v4 = new Float64Array(v2);
}
main();
  • Output:
~/jerryscript/build/bin/jerry 02.js
ICE: Assertion 'ecma_is_value_object (value)' failed at /home/jerryscript/jerry-core/ecma/base/ecma-helpers-value.c(ecma_get_object_from_value):793.
Error: ERR_FAILED_INTERNAL_ASSERTION

@szilagyiadam szilagyiadam self-assigned this Jun 3, 2020
@rerobika rerobika added the bug Undesired behaviour label Jun 3, 2020
szilagyiadam added a commit to szilagyiadam/jerryscript that referenced this issue Jun 4, 2020
@szilagyiadam
Fix the TypedArray initialization where the internal buffer is anothe…
a6208a7 
…r TypedArray

Fixes jerryscript-project#3836

JerryScript-DCO-1.0-Signed-off-by: Adam Szilagyi [email protected]
@szilagyiadam szilagyiadam mentioned this issue Jun 4, 2020
Merged
szilagyiadam added a commit to szilagyiadam/jerryscript that referenced this issue Jun 4, 2020
@szilagyiadam
Fix TypedArray initialization with another TypedArray
12fa5c9 
Fixes jerryscript-project#3836

JerryScript-DCO-1.0-Signed-off-by: Adam Szilagyi [email protected]
szilagyiadam added a commit to szilagyiadam/jerryscript that referenced this issue Jun 4, 2020
@szilagyiadam
Fix TypedArray initialization with another TypedArray
00ce4e4 
Fixes jerryscript-project#3836

JerryScript-DCO-1.0-Signed-off-by: Adam Szilagyi [email protected]
szilagyiadam added a commit to szilagyiadam/jerryscript that referenced this issue Jun 4, 2020
@szilagyiadam
Fix TypedArray initialization with another TypedArray
7b095c9 
Fixes jerryscript-project#3836

JerryScript-DCO-1.0-Signed-off-by: Adam Szilagyi [email protected]
szilagyiadam added a commit to szilagyiadam/jerryscript that referenced this issue Jun 5, 2020
@szilagyiadam
Fix TypedArray initialization with another TypedArray
32aa8ac 
Fixes jerryscript-project#3836

JerryScript-DCO-1.0-Signed-off-by: Adam Szilagyi [email protected]
szilagyiadam added a commit to szilagyiadam/jerryscript that referenced this issue Jun 8, 2020
@szilagyiadam
Fix TypedArray initialization with another TypedArray
3e31897 
Fixes jerryscript-project#3836

JerryScript-DCO-1.0-Signed-off-by: Adam Szilagyi [email protected]
rerobika pushed a commit that referenced this issue Jun 8, 2020
@szilagyiadam
Fix TypedArray initialization with another TypedArray (#3850)
90fd881 
Fixes #3836

JerryScript-DCO-1.0-Signed-off-by: Adam Szilagyi [email protected]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@szilagyiadam szilagyiadam

Labels
bug Undesired behaviour
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix TypedArray initialization with another TypedArray szilagyiadam/jerryscript
3 participants
@rerobika @szilagyiadam @nszetei