Assertion Error in `FromPhysicalFrame`
PoC:
// Reproducer for the FromPhysicalFrame assertion shown in the backtrace below.
// Run under a debug build of ch (see "How to reproduce").
function main() {
// BigInt is disabled in this build, so BigInt() throws; the empty catch swallows it.
try {
const v1 = BigInt();
} catch(v2) {
}
// Async arrow with nested for-in loops over a string literal; the inner loop
// awaits on every iteration. `typeof BigInt` throws here because BigInt is disabled.
const v3 = async (v4,v5,v6) => {
for (const v8 in "pS1LFZI9uc") {
const v10 = typeof BigInt;
for (const v12 in "pS1LFZI9uc") {
const v13 = await v12;
}
}
};
// Two invocations are started back to back; the returned promises are never
// awaited or given a rejection handler.
const v14 = v3();
const v15 = v3();
}
// Kick off the reproducer at top level.
main();
backtrace:
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)
frame #0: 0x0000000102ec3a5c libChakraCore.dylib`Js::InlinedFrameWalker::FromPhysicalFrame(self=0x00007ffeefbfc350, physicalFrame=0x00007ffeefbfc3a8, parent=0x00000001007e6af0, fromBailout=true, loopNum=-1, stackWalker=0x00007ffeefbfc320, useInternalFrameInfo=false, noAlloc=false) at JavascriptStackWalker.cpp:1289:9
1286 entryPointInfo = (Js::EntryPointInfo*)parentFunctionBody->GetEntryPointFromNativeAddress((DWORD_PTR)nativeCodeAddress);
1287 }
1288
-> 1289 AssertMsg(entryPointInfo != nullptr, "Inlined frame should resolve to the right parent address");
1290 if (entryPointInfo->HasInlinees())
1291 {
1292 void *entry = reinterpret_cast<void*>(entryPointInfo->GetNativeAddress());
Target 0: (ch) stopped.
(lldb) bt 20
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)
* frame #0: 0x0000000102ec3a5c libChakraCore.dylib`Js::InlinedFrameWalker::FromPhysicalFrame(self=0x00007ffeefbfc350, physicalFrame=0x00007ffeefbfc3a8, parent=0x00000001007e6af0, fromBailout=true, loopNum=-1, stackWalker=0x00007ffeefbfc320, useInternalFrameInfo=false, noAlloc=false) at JavascriptStackWalker.cpp:1289:9
frame #1: 0x0000000102ec41c0 libChakraCore.dylib`Js::JavascriptStackWalker::UpdateFrame(this=0x00007ffeefbfc320, includeInlineFrames=true) at JavascriptStackWalker.cpp:561:56
frame #2: 0x0000000102ec1f13 libChakraCore.dylib`Js::JavascriptStackWalker::Walk(this=0x00007ffeefbfc320, includeInlineFrames=true) at JavascriptStackWalker.cpp:783:15
frame #3: 0x0000000102ec56bf libChakraCore.dylib`Js::JavascriptStackWalker::GetCaller(this=0x00007ffeefbfc320, ppFunc=0x00007ffeefbfc400, includeInlineFrames=true) at JavascriptStackWalker.cpp:794:22
frame #4: 0x0000000102ec6082 libChakraCore.dylib`Js::JavascriptStackWalker::GetCaller(ppFunc=0x00007ffeefbfc400, scriptContext=0x0000000100819858) at JavascriptStackWalker.cpp:1181:23
frame #5: 0x0000000102e6324b libChakraCore.dylib`Js::JavascriptOperators::OP_GetRootProperty(instance=0x00000001007e4000, propertyId=266, info=0x00007ffeefbfc450, scriptContext=0x0000000100819858) at JavascriptOperators.cpp:2187:13
frame #6: 0x0000000102e85244 libChakraCore.dylib`Js::JavascriptOperators::PatchGetRootValueNoFastPath(functionBody=0x000000090834c3e0, inlineCache=0x000000010078af10, inlineCacheIndex=3, object=0x00000001007e4000, propertyId=266) at JavascriptOperators.cpp:8194:16
frame #7: 0x0000000102e85164 libChakraCore.dylib`Js::JavascriptOperators::PatchGetRootValueNoFastPath_Var(functionBody=0x000000090834c3e0, inlineCache=0x000000010078af10, inlineCacheIndex=3, instance=0x00000001007e4000, propertyId=266) at JavascriptOperators.cpp:8178:13
frame #8: 0x0000000102edc1f3 libChakraCore.dylib`void* Js::ProfilingHelpers::ProfiledLdFld<true, false, false>(instance=0x00000001007e4000, propertyId=266, inlineCache=0x000000010078af10, inlineCacheIndex=3, functionBody=0x000000090834c3e0, thisInstance=0x00000001007e4000) at ProfilingHelpers.cpp:996:21
frame #9: 0x0000000102edc3c0 libChakraCore.dylib`void* Js::ProfilingHelpers::ProfiledLdFldForTypeOf<true, false, false>(instance=0x00000001007e4000, propertyId=266, inlineCache=0x000000010078af10, inlineCacheIndex=3, functionBody=0x000000090834c3e0) at ProfilingHelpers.cpp:1068:15
frame #10: 0x0000000102cc51a4 libChakraCore.dylib`void Js::InterpreterStackFrame::OP_ProfiledGetRootPropertyForTypeOf<Js::OpLayoutT_ElementRootCP<Js::LayoutSizePolicy<(Js::LayoutSize)0> > const __unaligned>(this=0x00000009083502f0, playout=0x000000090836a01e)0> > const __unaligned __unaligned*) at InterpreterStackFrame.cpp:4207:21
frame #11: 0x0000000102cbec43 libChakraCore.dylib`Js::InterpreterStackFrame::ProcessProfiledExtendedOpcodePrefix(this=0x00000009083502f0, ip="*\x12\x13E\b\x12�\x01") at InterpreterHandler.inl:181:1
frame #12: 0x0000000102d03b2f libChakraCore.dylib`Js::InterpreterStackFrame::ProcessProfiled(this=0x00000009083502f0) at InterpreterLoop.inl:357:13
frame #13: 0x0000000102c938f4 libChakraCore.dylib`Js::InterpreterStackFrame::Process(this=0x00000009083502f0) at InterpreterStackFrame.cpp:3472:20
frame #14: 0x0000000102c923fc libChakraCore.dylib`Js::InterpreterStackFrame::InterpreterHelper(function=0x00000001007e6af0, args=ArgumentReader @ 0x00007ffeefbfe1f0, returnAddress=0x0000000908380f92, addressOfReturnAddress=0x00007ffeefbfe238, asmJsReturn=0x0000000000000000) at InterpreterStackFrame.cpp:2153:40
frame #15: 0x0000000102c91480 libChakraCore.dylib`Js::InterpreterStackFrame::InterpreterThunk(layout=0x00007ffeefbfe250) at InterpreterStackFrame.cpp:1833:16
frame #16: 0x0000000908380f92
frame #17: 0x000000010340d15e libChakraCore.dylib`amd64_CallFunction at JavascriptFunctionA.S:100
frame #18: 0x00000001030c62db libChakraCore.dylib`void* Js::JavascriptFunction::CallFunction<true>(function=0x00000001007e6af0, entryPoint=(libChakraCore.dylib`NativeCodeGenerator::CheckCodeGenThunk(Js::RecyclableObject*, Js::CallInfo, ...)), args=Arguments @ 0x00007ffeefbfe348, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
frame #19: 0x00000001030d2a47 libChakraCore.dylib`Js::JavascriptGenerator::CallGenerator(this=0x00000009083490c0, data=0x000000090835b300, resumeKind=Normal) at JavascriptGenerator.cpp:185:26
How to reproduce:
- ./build.sh -d -j
- ./ch ./poc.js
The BigInt implementation is incomplete and therefore disabled, hence `typeof BigInt` throws.
The backtrace shows the assertion firing during the stack walk triggered by the `typeof BigInt` root-property lookup (frames #5–#10), with `fromBailout=true` in frame #0, so it looks like error handling during a JIT-compiled async function has a problem.