ChakraCore
[FatalInternalError] ReportFatalException14
environment
ubuntu 18
poc
// Fuzzer-generated reproducer. Called repeatedly below; on the affected build the
// report shows it ending in Js::Throw::FatalInternalError raised from
// Lowerer::MapStFldHelper during background code generation (see the callstack
// further down). FatalInternalError goes through ReportFatalException/DebugBreak,
// i.e. a hard process abort; nothing on this page establishes more than a crash,
// and the maintainer left severity open. Most statements here are fuzzing noise —
// the minimal form is in the reduction posted later in the thread.
function opt(index) {
  var flag = 0;
  // String wrapper object given an own data property `x`; the for-in loop below
  // deletes and re-adds `x` (and adds `y`) while enumerating `tmp` itself.
  var tmp = new String('aa');
  tmp.x = 2;
  var i = 0;
  // Not called anywhere in this listing; testDate/getHiddenValue are not defined on this page.
  function test() {
    testDate('0001-10-13T05:16:33Z');
    testDate('0011-10-13T05:16:33Z');
    var hiddenValue = getHiddenValue();
    var result;
    testDate('0111-10-13T05:16:33Z');
    testDate('1111-10-13T05:16:33Z');
    testDate('-000001-11-13T19:40:33Z');
    testDate('-000011-11-13T19:40:33Z');
    testDate('-000111-11-13T19:40:33Z');
    testDate('-001111-11-13T19:40:33Z');
  }
  var ary_3 = [
    1.1,
    2.2,
    3.3
  ];
  var error = null;
  var DjjB = tmp.trimLeft();
  var test12 = new Int32Array(0);
  // Sloppy-mode implicit global; reset to a truthy value on every call, so the
  // `if (once)` block below runs on the first loop iteration of each call.
  once = 1;
  var i = 0;
  // Redeclared inside the loop with the same name; neither version is invoked in this listing.
  var go = function (a, b, c) {
    a[0] = 1.1;
    a[1] = 2.2;
    [...c];
    var fun = eval(str);
    b[0] = a[0];
    a[2] = 2.3023e-320;
  };
  // Per the reporter's reduction, the `let`-bound for-in variable is part of the trigger.
  for (let useless in tmp) {
    if (once) {
      var go = function (a, b, c) {
        a[0] = 1.1;
        a[1] = 2.2;
        [...c];
        b[0] = a[0];
        a[2] = 2.3023e-320;
      };
      delete tmp.x;
      // `str` is a script-level var assigned only after all calls to opt (see the
      // bottom of the PoC), so it is still undefined here and eval(str) returns
      // undefined. The reduction suggests the presence of the eval call itself is
      // what matters, not what it evaluates — not confirmed on this page.
      var fun = eval(str);
      var object = {};
      var i = 0.26279099966609487;
      var f64_1 = new Float64Array(16);
      once = 0.2969306068681026;
    }
    // `cache` is the script-level array declared right after this function.
    var z = cache.push(i, String() * 42);
    tmp.y = index;
    for (var ijjkkk = 0; ijjkkk < 594; ++ijjkkk) {
      var KaRd = Symbol;
    }
    // Re-adds the property deleted above, on every iteration.
    tmp.x = 1;
  }
  return [
    1,
    tmp.x - 524286
  ];
}
// Shared array pushed to from inside opt's loop.
var cache = [];
// Repeated calls, presumably so that opt gets picked up by the JIT — the reported
// crash is inside NativeCodeGenerator::CodeGen (background compile), per the callstack.
for (let i = 0; i < 561; i++) {
  opt(1);
}
// Sloppy-mode implicit global holding opt's return value, [1, tmp.x - 524286].
evil = opt(0);
// Leftover assertion helper from the fuzzing harness: intentionally empty and
// never called in this PoC. Kept so the script shape matches the original report.
function shouldBe(actual, expected) {}
// Assigned only now, after every call to opt above has already run; during those
// calls `str` was undefined (var hoisting), so opt's eval(str) evaluated nothing.
var str = 'class x extends Array{}';
var f64_1 = new Float64Array(16);
// Writes a double into the array returned by opt(0).
evil[0] = 1.1;
callstack
[#0] 0x555555d59fac → DebugBreak()
[#1] 0x555555d59fac → ReportFatalException(context=<optimized out>, exceptionCode=<optimized out>, reasonCode=<optimized out>, scenario=<optimized out>)
[#2] 0x555555d5a709 → Js::Throw::FatalInternalError(hr=0x7d7f7de0)
[#3] 0x555558643c89 → Lowerer::MapStFldHelper(this=<optimized out>, propertySymOpnd=<optimized out>, helperMethod=@0x7ff7ebffc6c0, polymorphicHelperMethod=@0x7ff7ebffc6d0)
[#4] 0x5555585bb33a → Lowerer::LowerStFld(this=<optimized out>, stFldInstr=<optimized out>, helperMethod=<optimized out>, polymorphicHelperMethod=<optimized out>, withInlineCache=0x0, labelBailOut=0x0, isHelper=<optimized out>, withPutFlags=<optimized out>, flags=<optimized out>)
[#5] 0x5555585a6efc → Lowerer::LowerRange(this=0x7ff7ebffd490, instrStart=<optimized out>, instrEnd=<optimized out>, defaultDoFastPath=<optimized out>, defaultDoLoopFastPath=0x0)
[#6] 0x55555859d345 → Lowerer::Lower(this=0x7ff7ebffd490)
[#7] 0x55555814f951 → Func::TryCodegen(this=<optimized out>)
[#8] 0x55555814d944 → Func::Codegen(alloc=0x7ff7ebffe6c0, workItem=0x7ffff1fc1030, threadContextInfo=0x622000000140, scriptContextInfo=0x61a000000680, outputData=0x7ff7ebffe8e0, epInfo=0x7ffff23c58c0, runtimeInfo=<optimized out>, polymorphicInlineCacheInfo=<optimized out>, codeGenAllocators=<optimized out>, codeGenProfiler=<optimized out>, isBackgroundJIT=<optimized out>)
[#9] 0x555557e4d330 → NativeCodeGenerator::CodeGen(this=<optimized out>, pageAllocator=<optimized out>, workItemData=0xc2200000061, jitWriteData=@0x7ff7ebffe8e0, foreground=0x0, epInfo=0x7ffff23c58c0)
I'll look at this one.
Here's a reduction:
// Reduced reproducer for the Lowerer::MapStFldHelper FatalInternalError. Per the
// reporter's note below: the crash is tied to the `let`-bound for-in variable in
// the loop header and only occurs when the delete, the eval and both property
// stores are all present; `var useless` runs to completion, `const useless`
// hits the same assertion.
function opt() {
  // String wrapper object with one own data property; the loop enumerates `tmp`
  // while mutating its own properties.
  var tmp = new String('aa');
  tmp.x = 2;
  for (let useless in tmp) {
    delete tmp.x;
    // The reduction shows the eval call must be present; whether the evaluated
    // text matters is not established on this page.
    eval('class x extends Array{}');
    tmp.y = 1;
    // Re-adds the property deleted above.
    tmp.x = 1;
  }
}
// Repeated calls, presumably enough for opt to be JIT-compiled (the count is the
// same 561 as in the original PoC; the reported crash is raised during codegen).
for (var i = 0; i < 561; i++) {
  opt();
}
The crash has something to do with JITing the `let useless` declaration in the loop header, BUT it only occurs with all of the other components present (the deletion, the assignments AND the eval).
The same assertion is hit if you switch to `const useless`, BUT the code runs to completion if it's `var useless`.
Neat - thanks for reducing! I don't know what the severity should be on this, left out for now.