Skip to content

Assertion in ecma-helpers-value.c(ecma_free_value) failed #5256

New issue
New issue
Open
Open
Assertion in ecma-helpers-value.c(ecma_free_value) failed#5256
@ericliuu

Description

@ericliuu
ericliuu
opened on Oct 6, 2025

Hello,

I found an assertion failure when running the below valid JavaScript. The issue seems to stem from the access to the non-existent property toStringlength which should return undefined.

JerryScript revision

355ab24

Build platform

Ubuntu 24.04.2

Build steps
python3 tools/build.py --clean --debug --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --logging=on --line-info=on
Test case
var __v_25059 = { valueOf: function () { let __v_25062 = __v_25055.toStringlength; __v_25055.length = 1; return __v_25062; }, }; let __v_25060 = []; for (let __v_25063 = 0; __v_25063 < 1500; __v_25063++) { __v_25060.push("" + 0.1); } for (let __v_25064 = 0; __v_25064 < 3; __v_25064++) { __v_25055 = __v_25060.slice(); __v_25056 = __v_25055.fill(3, __v_25059); }
Output
ICE: Assertion 'ecma_get_value_type_field (value) == ECMA_TYPE_DIRECT || ecma_get_value_type_field (value) == ECMA_TYPE_DIRECT_STRING' failed at jerryscript/jerry-core/ecma/base/ecma-helpers-value.c(ecma_free_value):1122. Error: JERRY_FATAL_FAILED_ASSERTION Aborted

Backtrace:

(gdb) bt #0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44 #1 __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78 #2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ./nptl/pthread_kill.c:89 #3 0x00007ffff744527e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #4 0x00007ffff74288ff in __GI_abort () at ./stdlib/abort.c:79 #5 0x000055555576aad8 in jerry_port_fatal (code=JERRY_FATAL_FAILED_ASSERTION) at jerryscript/jerry-port/common/jerry-port-process.c:41 #6 0x000055555566d79f in jerry_fatal (code=JERRY_FATAL_FAILED_ASSERTION) at jerryscript/jerry-core/jrt/jrt-fatals.c:63 #7 0x000055555566d7fd in jerry_assert_fail (assertion=0x55555577c520 "ecma_get_value_type_field (value) == ECMA_TYPE_DIRECT || ecma_get_value_type_field (value) == ECMA_TYPE_DIRECT_STRING", file=0x55555577bd60 "jerryscript/jerry-core/ecma/base/ecma-helpers-value.c", function=0x55555577cc00 <__func__.2> "ecma_free_value", line=1122) at jerryscript/jerry-core/jrt/jrt-fatals.c:83 #8 0x00005555555f1e1f in ecma_free_value (value=4294967295) at jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:1122 #9 0x00005555555f1e7c in ecma_free_value_if_not_object (value=4294967295) at jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:1157 #10 0x00005555556e3067 in ecma_builtin_array_prototype_fill (value=48, start_val=683, end_val=72, obj_p=0x555555849538 <jerry_global_heap+25208>, len=1500) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:2191 #11 0x00005555556e5c36 in ecma_builtin_array_prototype_dispatch_routine (builtin_routine_id=27 '\033', this_arg=25211, arguments_list_p=0x7ffff53656e0, arguments_number=2) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c:2925 #12 0x000055555560f41d in ecma_builtin_dispatch_routine (func_obj_p=0x555555849558 <jerry_global_heap+25240>, this_arg_value=25211, arguments_list_p=0x7ffff53656e0, arguments_list_len=2) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460 #13 0x000055555560f651 in ecma_builtin_dispatch_call (obj_p=0x555555849558 <jerry_global_heap+25240>, this_arg_value=25211, arguments_list_p=0x7fffffffdab4, arguments_list_len=2) at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489 #14 0x0000555555635991 in ecma_op_function_call_native_built_in (func_obj_p=0x555555849558 <jerry_global_heap+25240>, this_arg_value=25211, arguments_list_p=0x7fffffffdab4, arguments_list_len=2) at jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1223 #15 0x0000555555636789 in ecma_op_function_call (func_obj_p=0x555555849558 <jerry_global_heap+25240>, this_arg_value=25211, arguments_list_p=0x7fffffffdab4, arguments_list_len=2) at jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1468 #16 0x0000555555636623 in ecma_op_function_validated_call (callee=25243, this_arg_value=25211, arguments_list_p=0x7fffffffdab4, arguments_list_len=2) at jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1428 #17 0x00005555556bc288 in opfunc_call (frame_ctx_p=0x7fffffffda60) at jerryscript/jerry-core/vm/vm.c:758 #18 0x00005555556da223 in vm_execute (frame_ctx_p=0x7fffffffda60) at jerryscript/jerry-core/vm/vm.c:5236 #19 0x00005555556da84b in vm_run (shared_p=0x7ffff5409520, this_binding_value=11, lex_env_p=0x555555843550 <jerry_global_heap+656>) at jerryscript/jerry-core/vm/vm.c:5331 #20 0x00005555556ba55b in vm_run_global (bytecode_p=0x555555843940 <jerry_global_heap+1664>, function_object_p=0x555555843540 <jerry_global_heap+640>) at jerryscript/jerry-core/vm/vm.c:286 #21 0x00005555555be092 in jerry_run (script=643) at jerryscript/jerry-core/api/jerryscript.c:549 #22 0x000055555576997b in jerryx_source_exec_script (path_p=0x7fffffffe31d "temp.js") at jerryscript/jerry-ext/util/sources.c:68 #23 0x00005555555b9609 in main (argc=2, argv=0x7fffffffdfd8) at jerryscript/jerry-main/main-desktop.c:156

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions