Skip to content

Assertion 'object_p->type_flags_refs >= ECMA_OBJECT_REF_ONE' failed at jerry-core/ecma/base/ecma-gc.c:160 #5255

New issue
New issue
Open
Open
Assertion 'object_p->type_flags_refs >= ECMA_OBJECT_REF_ONE' failed at jerry-core/ecma/base/ecma-gc.c:160#5255
@ericliuu

Description

@ericliuu
ericliuu
opened on Oct 3, 2025

Hello,

I found an assertion failure when running some malformed JavaScript.

JerryScript revision

355ab24

Build platform

Ubuntu 24.04.2

Build steps
python3 tools/build.py --clean --debug --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --logging=on --line-info=on
Test case
var regexp = /./;
regexp.constructor = {
  [Symbol.species]: function() {
    return Object.freeze(/./);
  }
};
regexp[Symbol.matchAll]('');
Output
ICE: Assertion 'object_p->type_flags_refs >= ECMA_OBJECT_REF_ONE' failed at jerryscript/jerry-core/ecma/base/ecma-gc.c(ecma_deref_object):160.
Error: JERRY_FATAL_FAILED_ASSERTION
Aborted
==1722506==ABORTING

Backtrace:

(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff744527e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff74288ff in __GI_abort () at ./stdlib/abort.c:79
#5  0x000055555576aad8 in jerry_port_fatal (code=JERRY_FATAL_FAILED_ASSERTION)
    at jerryscript/jerry-port/common/jerry-port-process.c:41
#6  0x000055555566d79f in jerry_fatal (code=JERRY_FATAL_FAILED_ASSERTION) at jerryscript/jerry-core/jrt/jrt-fatals.c:63
#7  0x000055555566d7fd in jerry_assert_fail (assertion=0x55555576f700 "object_p->type_flags_refs >= ECMA_OBJECT_REF_ONE",
    file=0x55555576f680 "jerryscript/jerry-core/ecma/base/ecma-gc.c", function=0x5555557709a0 <__func__.21> "ecma_deref_object",
    line=160) at jerryscript/jerry-core/jrt/jrt-fatals.c:83
#8  0x00005555555d0968 in ecma_deref_object (object_p=0x555555843888 <jerry_global_heap+1480>)
    at jerryscript/jerry-core/ecma/base/ecma-gc.c:160
#9  0x000055555570a4e3 in ecma_builtin_regexp_prototype_match_all (regexp_obj_p=0x5555558435a8 <jerry_global_heap+744>, string_arg=13)
    at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.c:529
#10 0x000055555570a81d in ecma_builtin_regexp_prototype_dispatch_routine (builtin_routine_id=17 '\021', this_arg=747, arguments_list_p=0x7ffff5303820, arguments_number=1)
    at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.c:598
#11 0x000055555560f41d in ecma_builtin_dispatch_routine (func_obj_p=0x555555843710 <jerry_global_heap+1104>, this_arg_value=747, arguments_list_p=0x7ffff5303820, arguments_list_len=1)
    at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
#12 0x000055555560f651 in ecma_builtin_dispatch_call (obj_p=0x555555843710 <jerry_global_heap+1104>, this_arg_value=747, arguments_list_p=0x7fffffffdab0, arguments_list_len=1)
    at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
#13 0x0000555555635991 in ecma_op_function_call_native_built_in (func_obj_p=0x555555843710 <jerry_global_heap+1104>, this_arg_value=747, arguments_list_p=0x7fffffffdab0,
    arguments_list_len=1) at jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1223
#14 0x0000555555636789 in ecma_op_function_call (func_obj_p=0x555555843710 <jerry_global_heap+1104>, this_arg_value=747, arguments_list_p=0x7fffffffdab0, arguments_list_len=1)
    at jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1468
#15 0x0000555555636623 in ecma_op_function_validated_call (callee=1107, this_arg_value=747, arguments_list_p=0x7fffffffdab0, arguments_list_len=1)
    at jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1428
#16 0x00005555556bc288 in opfunc_call (frame_ctx_p=0x7fffffffda60) at jerryscript/jerry-core/vm/vm.c:758
#17 0x00005555556da223 in vm_execute (frame_ctx_p=0x7fffffffda60) at jerryscript/jerry-core/vm/vm.c:5236
#18 0x00005555556da84b in vm_run (shared_p=0x7ffff54048a0, this_binding_value=11, lex_env_p=0x5555558433b8 <jerry_global_heap+248>)
    at jerryscript/jerry-core/vm/vm.c:5331
#19 0x00005555556ba55b in vm_run_global (bytecode_p=0x5555558437f8 <jerry_global_heap+1336>, function_object_p=0x555555843560 <jerry_global_heap+672>)
    at jerryscript/jerry-core/vm/vm.c:286
#20 0x00005555555be092 in jerry_run (script=675) at jerryscript/jerry-core/api/jerryscript.c:549
#21 0x000055555576997b in jerryx_source_exec_script (path_p=0x7fffffffe30c "bugs/10-03-2025-assertion-fail.js")
    at jerryscript/jerry-ext/util/sources.c:68
#22 0x00005555555b9609 in main (argc=2, argv=0x7fffffffdfc8) at jerryscript/jerry-main/main-desktop.c:156
Expected behavior

Since the species constructor returns a frozen regexp, I believe the output should be a TypeError since we are assigning to a readonly property.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions