Open
Description
JerryScript revision
git master: 355ab24
tested also on release version: 3.0.0
Build platform
Ubuntu 24.04.2
Build steps
# Debug build with AddressSanitizer (-fsanitize=address), frame pointers kept, and
# stripping/LTO disabled, so the crash is reported with a symbolized stack trace.
python3 tools/build.py --clean --debug --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --logging=on --line-info=on
Test case
// Crash reproducer: Array.prototype.slice performs its species-constructor lookup
// on an array whose `constructor` is a revoked Proxy.

// Revocable proxy with the Int32Array constructor as target (Float64Array is the handler).
var v3 = Proxy.revocable(Int32Array, Float64Array);
// Revoke it. revoke() takes no parameters; the extra arguments are presumably
// fuzzer-generated noise and are ignored.
v3.revoke(v3, v3, Float64Array, Int32Array, Int32Array);
// v5 now refers to the revoked proxy.
var v5 = v3.proxy;
// The element values look incidental to the crash; what matters is that v6 is an array.
var v6 = [536870912,-2,268435440,268435439];
// Make the revoked proxy the value that the species lookup reads as `constructor`.
v6.constructor = v5;
// slice() reaches ecma_op_array_species_create (ecma-array-object.c:702 in the backtrace),
// which calls ecma_builtin_get_from_realm with global_object_p == 0x0 and faults on the read.
// ECMAScript's GetFunctionRealm throws a TypeError for a revoked proxy, so a TypeError
// is the expected result here instead of a crash.
v6.slice();
Backtrace
####### Release 3.0.0
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1484048==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000022 (pc 0x61b349bbe191 bp 0x0f853b9e0590 sp 0x7ffe98452360 T0)
==1484048==The signal is caused by a READ memory access.
==1484048==Hint: address points to the zero page.
#0 0x61b349bbe191 in ecma_builtin_get_from_realm /htp/jerryscript-3.0.0/jerry-core/ecma/builtin-objects/ecma-builtins.c:579
#1 0x61b349bc9e61 in ecma_op_array_species_create /htp/jerryscript-3.0.0/jerry-core/ecma/operations/ecma-array-object.c:702
#2 0x61b349c4695c in ecma_builtin_array_prototype_object_slice /htp/jerryscript-3.0.0/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:789
#3 0x61b349c4695c in ecma_builtin_array_prototype_dispatch_routine /htp/jerryscript-3.0.0/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:2854
#4 0x61b349bc06e5 in ecma_builtin_dispatch_routine /htp/jerryscript-3.0.0/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
#5 0x61b349bc06e5 in ecma_builtin_dispatch_call /htp/jerryscript-3.0.0/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
#6 0x61b349bd81fb in ecma_op_function_call_native_built_in /htp/jerryscript-3.0.0/jerry-core/ecma/operations/ecma-function-object.c:1223
#7 0x61b349bda5a9 in ecma_op_function_call /htp/jerryscript-3.0.0/jerry-core/ecma/operations/ecma-function-object.c:1468
#8 0x61b349bda46c in ecma_op_function_validated_call /htp/jerryscript-3.0.0/jerry-core/ecma/operations/ecma-function-object.c:1428
#9 0x61b349c4163c in opfunc_call /htp/jerryscript-3.0.0/jerry-core/vm/vm.c:758
#10 0x61b349c4163c in vm_execute /htp/jerryscript-3.0.0/jerry-core/vm/vm.c:5236
#11 0x61b349c42ad7 in vm_run /htp/jerryscript-3.0.0/jerry-core/vm/vm.c:5331
#12 0x61b349c42cc6 in vm_run_global /htp/jerryscript-3.0.0/jerry-core/vm/vm.c:286
#13 0x61b349b93728 in jerry_run /htp/jerryscript-3.0.0/jerry-core/api/jerryscript.c:549
#14 0x61b349ca0b6b in jerryx_source_exec_script /htp/jerryscript-3.0.0/jerry-ext/util/sources.c:68
#15 0x61b349b8b154 in main /htp/jerryscript-3.0.0/jerry-main/main-desktop.c:156
#16 0x7c29df02a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#17 0x7c29df02a28a in __libc_start_main_impl ../csu/libc-start.c:360
#18 0x61b349b8ab24 in _start (/htp/jerryscript-3.0.0/build/bin/jerry+0x56b24) (BuildId: c9112824341065ceb9938b37acf63a2ba1404c07)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /htp/jerryscript-3.0.0/jerry-core/ecma/builtin-objects/ecma-builtins.c:579 in ecma_builtin_get_from_realm
==1484048==ABORTING
####### GIT master (commit: 355ab24):
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1819408==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000022 (pc 0x5b1e7dbd0c15 bp 0x0e7cf9760590 sp 0x7ffec6fe31c0 T0)
==1819408==The signal is caused by a READ memory access.
==1819408==Hint: address points to the zero page.
#0 0x5b1e7dbd0c15 in ecma_builtin_get_from_realm /htp/jerryscript-dbg/jerry-core/ecma/builtin-objects/ecma-builtins.c:579
#1 0x5b1e7dbdc8e5 in ecma_op_array_species_create /htp/jerryscript-dbg/jerry-core/ecma/operations/ecma-array-object.c:702
#2 0x5b1e7dc593e0 in ecma_builtin_array_prototype_object_slice /htp/jerryscript-dbg/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:789
#3 0x5b1e7dc593e0 in ecma_builtin_array_prototype_dispatch_routine /htp/jerryscript-dbg/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:2854
#4 0x5b1e7dbd3169 in ecma_builtin_dispatch_routine /htp/jerryscript-dbg/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
#5 0x5b1e7dbd3169 in ecma_builtin_dispatch_call /htp/jerryscript-dbg/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
#6 0x5b1e7dbeac7f in ecma_op_function_call_native_built_in /htp/jerryscript-dbg/jerry-core/ecma/operations/ecma-function-object.c:1223
#7 0x5b1e7dbed02d in ecma_op_function_call /htp/jerryscript-dbg/jerry-core/ecma/operations/ecma-function-object.c:1468
#8 0x5b1e7dbecef0 in ecma_op_function_validated_call /htp/jerryscript-dbg/jerry-core/ecma/operations/ecma-function-object.c:1428
#9 0x5b1e7dc540c0 in opfunc_call /htp/jerryscript-dbg/jerry-core/vm/vm.c:758
#10 0x5b1e7dc540c0 in vm_execute /htp/jerryscript-dbg/jerry-core/vm/vm.c:5236
#11 0x5b1e7dc5555b in vm_run /htp/jerryscript-dbg/jerry-core/vm/vm.c:5331
#12 0x5b1e7dc5574a in vm_run_global /htp/jerryscript-dbg/jerry-core/vm/vm.c:286
#13 0x5b1e7dba57a8 in jerry_run /htp/jerryscript-dbg/jerry-core/api/jerryscript.c:549
#14 0x5b1e7dcb35ef in jerryx_source_exec_script /htp/jerryscript-dbg/jerry-ext/util/sources.c:68
#15 0x5b1e7db9d1d4 in main /htp/jerryscript-dbg/jerry-main/main-desktop.c:156
#16 0x73e7cdc2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#17 0x73e7cdc2a28a in __libc_start_main_impl ../csu/libc-start.c:360
#18 0x5b1e7db9cba4 in _start (/htp/jerryscript-dbg/build/bin/jerry+0x57ba4) (BuildId: f22bf86baf569fd11a0816f75e22241b106dbbfb)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /htp/jerryscript-dbg/jerry-core/ecma/builtin-objects/ecma-builtins.c:579 in ecma_builtin_get_from_realm
==1819408==ABORTING
Program received signal SIGSEGV, Segmentation fault.
0x000000000043a09a in ecma_builtin_get_from_realm (global_object_p=global_object_p@entry=0x0, builtin_id=builtin_id@entry=ECMA_BUILTIN_ID_ARRAY) at /htp/jerryscript-rep/jerry-core/ecma/builtin-objects/ecma-builtins.c:579
579 if (JERRY_UNLIKELY (*builtin_p == JMEM_CP_NULL))
#0 0x000000000043a09a in ecma_builtin_get_from_realm (global_object_p=global_object_p@entry=0x0, builtin_id=builtin_id@entry=ECMA_BUILTIN_ID_ARRAY) at /htp/jerryscript-rep/jerry-core/ecma/builtin-objects/ecma-builtins.c:579
#1 0x0000000000445ee7 in ecma_op_array_species_create (original_array_p=original_array_p@entry=0x5d9ab0 <jerry_global_heap+1072>, length=length@entry=0x4) at /htp/jerryscript-rep/jerry-core/ecma/operations/ecma-array-object.c:702
#2 0x00000000004c55ae in ecma_builtin_array_prototype_object_slice (len=<optimized out>, obj_p=0x5d9ab0 <jerry_global_heap+1072>, arg2=<optimized out>, arg1=<optimized out>) at /htp/jerryscript-rep/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:789
#3 ecma_builtin_array_prototype_dispatch_routine (builtin_routine_id=<optimized out>, this_arg=<optimized out>, arguments_list_p=<optimized out>, arguments_number=<optimized out>) at /htp/jerryscript-rep/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:2854
#4 0x000000000043c5ed in ecma_builtin_dispatch_routine (arguments_list_len=0x0, arguments_list_p=0x7ffff5302c20, this_arg_value=0x433, func_obj_p=0x5d9b18 <jerry_global_heap+1176>) at /htp/jerryscript-rep/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
#5 ecma_builtin_dispatch_call (obj_p=obj_p@entry=0x5d9b18 <jerry_global_heap+1176>, this_arg_value=this_arg_value@entry=0x433, arguments_list_p=arguments_list_p@entry=0x7fffffffd3b0, arguments_list_len=arguments_list_len@entry=0x0) at /htp/jerryscript-rep/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
#6 0x0000000000454777 in ecma_op_function_call_native_built_in (func_obj_p=func_obj_p@entry=0x5d9b18 <jerry_global_heap+1176>, this_arg_value=this_arg_value@entry=0x433, arguments_list_p=arguments_list_p@entry=0x7fffffffd3b0, arguments_list_len=arguments_list_len@entry=0x0) at /htp/jerryscript-rep/jerry-core/ecma/operations/ecma-function-object.c:1222
#7 0x0000000000456bd0 in ecma_op_function_call (func_obj_p=0x5d9b18 <jerry_global_heap+1176>, this_arg_value=this_arg_value@entry=0x433, arguments_list_p=arguments_list_p@entry=0x7fffffffd3b0, arguments_list_len=arguments_list_len@entry=0x0) at /htp/jerryscript-rep/jerry-core/ecma/operations/ecma-function-object.c:1468
#8 0x0000000000456aa2 in ecma_op_function_validated_call (callee=0x49b, this_arg_value=0x433, arguments_list_p=arguments_list_p@entry=0x7fffffffd3b0, arguments_list_len=arguments_list_len@entry=0x0) at /htp/jerryscript-rep/jerry-core/ecma/operations/ecma-function-object.c:1428
#9 0x00000000004c0071 in opfunc_call (frame_ctx_p=0x7fffffffd360) at /htp/jerryscript-rep/jerry-core/vm/vm.c:757
#10 vm_execute (frame_ctx_p=frame_ctx_p@entry=0x7fffffffd360) at /htp/jerryscript-rep/jerry-core/vm/vm.c:5236
#11 0x00000000004c148a in vm_run (shared_p=shared_p@entry=0x7ffff54068a0, this_binding_value=<optimized out>, lex_env_p=0x5d9778 <jerry_global_heap+248>) at /htp/jerryscript-rep/jerry-core/vm/vm.c:5331
#12 0x00000000004c166f in vm_run_global (bytecode_p=<optimized out>, function_object_p=function_object_p@entry=0x5d9960 <jerry_global_heap+736>) at /htp/jerryscript-rep/jerry-core/vm/vm.c:286
#13 0x000000000040e1c8 in jerry_run (script=script@entry=0x2e3) at /htp/jerryscript-rep/jerry-core/api/jerryscript.c:549
#14 0x00000000005214b0 in jerryx_source_exec_script (path_p=<optimized out>) at /htp/jerryscript-rep/jerry-ext/util/sources.c:68
#15 0x00000000004044c5 in main (argc=<optimized out>, argv=0x7fffffffd878) at /htp/jerryscript-rep/jerry-main/main-desktop.c:162
Expected behavior
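The engine should not crash. With a revoked proxy as the array's `constructor`, `slice()` would be expected to raise a TypeError rather than read through a null realm pointer (frame #0 of the gdb trace shows `global_object_p=0x0`).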