
Segmentation fault in ecma_find_named_property #5268

@shi-bohao

Description

JerryScript revision

v3.0.0

Build platform

Ubuntu 22.04.5 LTS

Build steps
python3 tools/build.py --clean --debug --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --logging=on --line-info=on
Test case
// Returns undefined. Only used as the default-parameter initializer of x and
// foo below, so `n` is undefined in both and `n + n` evaluates to NaN.
var y = function() {
};

// Entry point of the reproducer. `bar().then(x)` further down schedules x as a
// microtask, so by the time this body runs the whole script has finished and
// `foo` and `bar` have been rebound by the `var` assignments at the bottom of
// the file. The executor's foo() call then goes foo -> bar -> x -> new Promise
// -> foo ... with no base case.
// NOTE(review): the frame_ctx_p values in the backtrace (0x7fffff7ff...) and the
// truncated "(...)" tail look like native stack exhaustion from this unbounded
// recursion rather than memory corruption; worth confirming with a build that
// has JERRY_STACK_LIMIT configured, which should turn the SIGSEGV into a
// RangeError.
async function x(n = y()) {
    return new Promise(function(resolve, reject) {
        // Arguments are evaluated before each .then is entered, so foo() runs
        // first and starts the recursion; bar().then and f() are only reached
        // if foo() ever returns.
        return Promise.resolve(n + n).then(foo()).then(bar().then).then(f());
    });
}

// Hoisted declaration that is never the `foo` actually invoked: both call
// sites (in x's executor and in f) run in the microtask started by
// bar().then(x), after `var foo = ...` at the bottom of the file has replaced
// this binding.
async function foo(n = y()) {
}

// Runs synchronously during the script, so `bar` is still the hoisted async
// declaration below (the `var bar = ...` assignment has not executed yet). Its
// resolved promise queues x(undefined) as a microtask.
bar().then(x);

// Hoisted declaration that the top-level bar().then(x) calls; resolves with
// undefined. Rebound to the async function expression later in the script.
async function bar() {
}

// Called as a plain f() from x's then chain, so `this` is the global object
// in this sloppy-mode script (presumably; no 'use strict' is visible) and
// this.y / this.x resolve to the top-level bindings above. Only reached if the
// earlier foo() call in x's executor returns.
function f() {
    return Promise.resolve(this.y() + this.x()).then(x()).then(foo()).then(bar().then);
}

// Rebinds `bar` after bar().then(x) above has already used the declaration.
// Calls x synchronously and discards its promise; this is the link that
// closes the foo -> bar -> x -> foo cycle.
var bar = async function() {
    x();
};

// Rebinds `foo`; the `bar` called here is the rebound async function
// expression above, which in turn calls x synchronously.
var foo = async function() {
    return bar();
};
Execution steps
gdb ./build/bin/jerry
run poc.js
Backtrace
Program received signal SIGSEGV, Segmentation fault.
0x00005555555f4c0e in ecma_find_named_property (obj_p=0x5555558b4558 <jerry_global_heap+471640>, name_p=0xa0d) at /home/shibohao/jerry/jerryscript/jerry-core/ecma/base/ecma-helpers.c:613
613	  JERRY_ASSERT (ecma_is_lexical_environment (obj_p) || !ecma_op_object_is_fast_array (obj_p));
(gdb) bt
#0  0x00005555555f4c0e in ecma_find_named_property (
    obj_p=0x5555558b4558 <jerry_global_heap+471640>, name_p=0xa0d)
    at /home/shibohao/jerry/jerryscript/jerry-core/ecma/base/ecma-helpers.c:613
#1  0x0000555555643eb4 in ecma_op_object_find_own (base_value=471643, 
    object_p=0x5555558b4558 <jerry_global_heap+471640>, property_name_p=0xa0d)
    at /home/shibohao/jerry/jerryscript/jerry-core/ecma/operations/ecma-objects.c:633
#2  0x0000555555644450 in ecma_op_object_get_with_receiver (
    object_p=0x5555558b4558 <jerry_global_heap+471640>, property_name_p=0xa0d, 
    receiver=471643)
    at /home/shibohao/jerry/jerryscript/jerry-core/ecma/operations/ecma-objects.c:819
#3  0x00005555556443ed in ecma_op_object_get (
    object_p=0x5555558b4558 <jerry_global_heap+471640>, property_name_p=0xa0d)
    at /home/shibohao/jerry/jerryscript/jerry-core/ecma/operations/ecma-objects.c:788
#4  0x00005555556babce in vm_op_get_value (object=471643, property=2573)
    at /home/shibohao/jerry/jerryscript/jerry-core/vm/vm.c:116
#5  0x00005555556cbbd7 in vm_loop (frame_ctx_p=0x7fffff7ffb60)
    at /home/shibohao/jerry/jerryscript/jerry-core/vm/vm.c:2959
#6  0x00005555556dadaa in vm_execute (frame_ctx_p=0x7fffff7ffb60)
    at /home/shibohao/jerry/jerryscript/jerry-core/vm/vm.c:5230
#7  0x00005555556db45d in vm_run (shared_p=0x7fffff7ffd30, 
    this_binding_value=11, lex_env_p=0x5555558b2ab0 <jerry_global_heap+464816>)
    at /home/shibohao/jerry/jerryscript/jerry-core/vm/vm.c:5331
#8  0x0000555555635bc4 in ecma_op_function_call_simple (
    func_obj_p=0x5555558b4490 <jerry_global_heap+471440>, this_binding=11, 
    arguments_list_p=0x7fffff7ffe60, arguments_list_len=2)
    at /home/shibohao/jerry/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1180
#9  0x0000555555636c20 in ecma_op_function_call (
    func_obj_p=0x5555558b4490 <jerry_global_heap+471440>, this_arg_value=72, 
    arguments_list_p=0x7fffff7ffe60, arguments_list_len=2)
    at /home/shibohao/jerry/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1463
#10 0x000055555564d2c3 in ecma_promise_run_executor (
    promise_p=0x5555558b44c0 <jerry_global_heap+471488>, executor=471443, 
    this_value=72)
    at /home/shibohao/jerry/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:447
#11 0x000055555564d53d in ecma_op_create_promise_object (executor=471443, 
    parent=72, new_target_p=0x555555841610 <jerry_global_heap+784>)
    at /home/shibohao/jerry/jerryscript/jerry-core/ecma/operations/ecma-promise-object.c:514
#12 0x0000555555708563 in ecma_builtin_promise_dispatch_construct (
    arguments_list_p=0x7fffff80010c, arguments_list_len=1)
    at /home/shibohao/jerry/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-promise.c:476
#13 0x000055555560fc21 in ecma_builtin_dispatch_construct (
    obj_p=0x555555841610 <jerry_global_heap+784>, 
    arguments_list_p=0x7fffff80010c, arguments_list_len=1)
    at /home/shibohao/jerry/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1518
#14 0x000055555563702f in ecma_op_function_construct_built_in (
    func_obj_p=0x555555841610 <jerry_global_heap+784>, 
    new_target_p=0x555555841610 <jerry_global_heap+784>, 
    arguments_list_p=0x7fffff80010c, arguments_list_len=1)
    at /home/shibohao/jerry/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1594
#15 0x0000555555637633 in ecma_op_function_construct (
    func_obj_p=0x555555841610 <jerry_global_heap+784>, 
    new_target_p=0x555555841610 <jerry_global_heap+784>, 
    arguments_list_p=0x7fffff80010c, arguments_list_len=1)
    at /home/shibohao/jerry/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1774
#16 0x00005555556bd3bf in opfunc_construct (frame_ctx_p=0x7fffff8000c0)
    at /home/shibohao/jerry/jerryscript/jerry-core/vm/vm.c:840
#17 0x00005555556dae5f in vm_execute (frame_ctx_p=0x7fffff8000c0)
    at /home/shibohao/jerry/jerryscript/jerry-core/vm/vm.c:5255
#18 0x00005555556db45d in vm_run (shared_p=0x7fffff8002a0, 
    this_binding_value=11, lex_env_p=0x5555558b2ab0 <jerry_global_heap+464816>)
    at /home/shibohao/jerry/jerryscript/jerry-core/vm/vm.c:5331
#19 0x0000555555635bc4 in ecma_op_function_call_simple (
    func_obj_p=0x5555558415a0 <jerry_global_heap+672>, this_binding=11, 
    arguments_list_p=0x7fffff8004a8, arguments_list_len=0)
    at /home/shibohao/jerry/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1180
#20 0x0000555555636c20 in ecma_op_function_call (
    func_obj_p=0x5555558415a0 <jerry_global_heap+672>, this_arg_value=72, 
    arguments_list_p=0x7fffff8004a8, arguments_list_len=0)
    at /home/shibohao/jerry/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1463
#21 0x0000555555636ad8 in ecma_op_function_validated_call (callee=675, 
    this_arg_value=72, arguments_list_p=0x7fffff8004a8, arguments_list_len=0)
    at /home/shibohao/jerry/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1428
#22 0x00005555556bce69 in opfunc_call (frame_ctx_p=0x7fffff800460)
    at /home/shibohao/jerry/jerryscript/jerry-core/vm/vm.c:758
#23 0x00005555556dae24 in vm_execute (frame_ctx_p=0x7fffff800460)
    at /home/shibohao/jerry/jerryscript/jerry-core/vm/vm.c:5236
#24 0x00005555556db45d in vm_run (shared_p=0x7fffff800640, 
    this_binding_value=11, lex_env_p=0x5555558413f8 <jerry_global_heap+248>)
    at /home/shibohao/jerry/jerryscript/jerry-core/vm/vm.c:5331
#25 0x0000555555635bc4 in ecma_op_function_call_simple (
    func_obj_p=0x555555841918 <jerry_global_heap+1560>, this_binding=11, 
    arguments_list_p=0x7fffff800848, arguments_list_len=0)
    at /home/shibohao/jerry/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1180
#26 0x0000555555636c20 in ecma_op_function_call (
    func_obj_p=0x555555841918 <jerry_global_heap+1560>, this_arg_value=72, 
    arguments_list_p=0x7fffff800848, arguments_list_len=0)
    at /home/shibohao/jerry/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1463
#27 0x0000555555636ad8 in ecma_op_function_validated_call (callee=1563, 
    this_arg_value=72, arguments_list_p=0x7fffff800848, arguments_list_len=0)
    at /home/shibohao/jerry/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1428
#28 0x00005555556bce69 in opfunc_call (frame_ctx_p=0x7fffff800800)
    at /home/shibohao/jerry/jerryscript/jerry-core/vm/vm.c:758
#29 0x00005555556dae24 in vm_execute (frame_ctx_p=0x7fffff800800)
    at /home/shibohao/jerry/jerryscript/jerry-core/vm/vm.c:5236
#30 0x00005555556db45d in vm_run (shared_p=0x7fffff8009e0, 
    this_binding_value=11, lex_env_p=0x5555558413f8 <jerry_global_heap+248>)
    at /home/shibohao/jerry/jerryscript/jerry-core/vm/vm.c:5331
(...)
