Open
Description
Hello,
I found an assertion failure when running the valid JavaScript below. The issue seems to stem from the access to the non-existent property `toStringlength`, which should return `undefined`.
JerryScript revision
Build platform
Ubuntu 24.04.2
Build steps
# Clean debug build (--clean --debug) with AddressSanitizer and debug symbols
# (-fsanitize=address, -g), frame pointers kept, binary unstripped, LTO off, and
# error messages, logging and line info switched on.
# NOTE(review): the failure reported below is an engine assertion
# (JERRY_FATAL_FAILED_ASSERTION). Whether a non-debug build still performs this
# check is not shown on this page - confirm, and triage that configuration
# separately under the sanitizer.
python3 tools/build.py --clean --debug --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --logging=on --line-info=on
Test case
// Regression input: a user-defined valueOf() changes the length of an array
// while Array.prototype.fill is still converting its arguments.
// NOTE(review): the backtrace in this report shows ecma_builtin_array_prototype_fill
// running with len=1500 and then freeing value=4294967295, so fill presumably keeps
// using a length (and possibly element storage) captured before the callback ran.
// Confirm against ecma-builtin-array-prototype.c:2191; the usual hardening is to
// re-validate length and storage after any conversion that can call back into script.

// Object passed as the `start` argument of fill() below. The engine calls its
// valueOf() while converting `start` to a number, i.e. in the middle of fill().
var __v_25059 = {
valueOf: function () {
// `toStringlength` is not defined on the array, so this read yields undefined.
let __v_25062 = __v_25055.toStringlength;
// Truncates the array that fill() is currently operating on to a single element.
__v_25055.length = 1;
// Returns undefined; as a start index that converts to NaN and then to 0.
return __v_25062;
},
};
// Source array of 1500 elements, each the string "0.1".
let __v_25060 = [];
for (let __v_25063 = 0; __v_25063 < 1500; __v_25063++) {
__v_25060.push("" + 0.1);
}
// Three rounds: copy the 1500-element array, then fill the copy with 3 using the
// object above as `start`. __v_25055 and __v_25056 are never declared, so these
// assignments create implicit globals; valueOf() reaches the copy through __v_25055.
for (let __v_25064 = 0; __v_25064 < 3; __v_25064++) {
__v_25055 = __v_25060.slice();
__v_25056 = __v_25055.fill(3, __v_25059);
}
Output
ICE: Assertion 'ecma_get_value_type_field (value) == ECMA_TYPE_DIRECT || ecma_get_value_type_field (value) == ECMA_TYPE_DIRECT_STRING' failed at jerryscript/jerry-core/ecma/base/ecma-helpers-value.c(ecma_free_value):1122.
Error: JERRY_FATAL_FAILED_ASSERTION
Aborted
Backtrace:
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x00007ffff744527e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x00007ffff74288ff in __GI_abort () at ./stdlib/abort.c:79
#5 0x000055555576aad8 in jerry_port_fatal (code=JERRY_FATAL_FAILED_ASSERTION) at jerryscript/jerry-port/common/jerry-port-process.c:41
#6 0x000055555566d79f in jerry_fatal (code=JERRY_FATAL_FAILED_ASSERTION) at jerryscript/jerry-core/jrt/jrt-fatals.c:63
#7 0x000055555566d7fd in jerry_assert_fail (assertion=0x55555577c520 "ecma_get_value_type_field (value) == ECMA_TYPE_DIRECT || ecma_get_value_type_field (value) == ECMA_TYPE_DIRECT_STRING",
file=0x55555577bd60 "jerryscript/jerry-core/ecma/base/ecma-helpers-value.c", function=0x55555577cc00 <__func__.2> "ecma_free_value", line=1122)
at jerryscript/jerry-core/jrt/jrt-fatals.c:83
#8 0x00005555555f1e1f in ecma_free_value (value=4294967295) at jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:1122
#9 0x00005555555f1e7c in ecma_free_value_if_not_object (value=4294967295) at jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:1157
#10 0x00005555556e3067 in ecma_builtin_array_prototype_fill (value=48, start_val=683, end_val=72, obj_p=0x555555849538 <jerry_global_heap+25208>, len=1500)
at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:2191
#11 0x00005555556e5c36 in ecma_builtin_array_prototype_dispatch_routine (builtin_routine_id=27 '\033', this_arg=25211, arguments_list_p=0x7ffff53656e0, arguments_number=2)
at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:2925
#12 0x000055555560f41d in ecma_builtin_dispatch_routine (func_obj_p=0x555555849558 <jerry_global_heap+25240>, this_arg_value=25211, arguments_list_p=0x7ffff53656e0, arguments_list_len=2)
at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
#13 0x000055555560f651 in ecma_builtin_dispatch_call (obj_p=0x555555849558 <jerry_global_heap+25240>, this_arg_value=25211, arguments_list_p=0x7fffffffdab4, arguments_list_len=2)
at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
#14 0x0000555555635991 in ecma_op_function_call_native_built_in (func_obj_p=0x555555849558 <jerry_global_heap+25240>, this_arg_value=25211, arguments_list_p=0x7fffffffdab4, arguments_list_len=2)
at jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1223
#15 0x0000555555636789 in ecma_op_function_call (func_obj_p=0x555555849558 <jerry_global_heap+25240>, this_arg_value=25211, arguments_list_p=0x7fffffffdab4, arguments_list_len=2)
at jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1468
#16 0x0000555555636623 in ecma_op_function_validated_call (callee=25243, this_arg_value=25211, arguments_list_p=0x7fffffffdab4, arguments_list_len=2)
at jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1428
#17 0x00005555556bc288 in opfunc_call (frame_ctx_p=0x7fffffffda60) at jerryscript/jerry-core/vm/vm.c:758
#18 0x00005555556da223 in vm_execute (frame_ctx_p=0x7fffffffda60) at jerryscript/jerry-core/vm/vm.c:5236
#19 0x00005555556da84b in vm_run (shared_p=0x7ffff5409520, this_binding_value=11, lex_env_p=0x555555843550 <jerry_global_heap+656>)
at jerryscript/jerry-core/vm/vm.c:5331
#20 0x00005555556ba55b in vm_run_global (bytecode_p=0x555555843940 <jerry_global_heap+1664>, function_object_p=0x555555843540 <jerry_global_heap+640>)
at jerryscript/jerry-core/vm/vm.c:286
#21 0x00005555555be092 in jerry_run (script=643) at jerryscript/jerry-core/api/jerryscript.c:549
#22 0x000055555576997b in jerryx_source_exec_script (path_p=0x7fffffffe31d "temp.js") at jerryscript/jerry-ext/util/sources.c:68
#23 0x00005555555b9609 in main (argc=2, argv=0x7fffffffdfd8) at jerryscript/jerry-main/main-desktop.c:156