
Assertion Error in `Js::VarIs<Js::RecyclableObject>`

Open bin2415 opened this issue 4 years ago • 0 comments

PoC:

// Fuzzer-generated PoC. Keep the statement shape exactly as-is: the assertion is
// only known to reproduce with this code, and reshaping loops may change the JIT
// path. Per the backtrace below, the crash site is the element store
// `(1337)[v29] = ...` inside the async function v16, reached when v16 is resumed
// from a promise reaction job after its awaits.
function main() {
// Async arrow that returns a Promise. Only used as the `valueOf` of v11 (L14),
// so ToPrimitive on v11 cannot take the valueOf result (it is an object) and
// falls back to toString.
const v3 = async (v4,v5,v6,v7) => {
};
// Array holding a single double; serves as the prototype of v11.
const v10 = [13.37];
// Object whose [[Prototype]] is the array v10 and whose valueOf is the async fn v3.
const v11 = {__proto__:v10,e:"e",valueOf:v3};
// `<`, `^` and postfix `++` on v11 force repeated ToPrimitive conversions.
// Presumably JIT warm-up from the fuzzer; not shown to be required — verify.
for (let v14 = v11; v14 < 1337; v14 = v14 ^ 2) {
    const v15 = v14++;
}
async function v16(v17,v18,v19,v20,v21) {
    // 1337 awaits: each suspends v16 and resumes it from a promise job
    // (backtrace frames #7-#11: CallGenerator <- AsyncSpawnStep <- promise
    // reaction task).
    for (let v24 = 0; v24 < 1337; v24++) {
        const v25 = await v24;
    }
    // Indexed store on a number primitive. This is the statement that trips the
    // assertion: frame #3 OP_SetElementI_UInt32(instance=0x0, index=0,
    // value=0x0001000037663465 == tagged int 929444965), i.e. the very first
    // iteration (v29 == 0), executed from JIT'd code (frame #4 is an anonymous
    // address), reaches the element store with a null Var as the base and
    // VarIs<RecyclableObject> asserts on the nullptr.
    for (let v29 = 0; v29 < 1337; v29 = v29 + 128) {
        (1337)[v29] = 929444965;
    }
}
// Start v16. Its body runs synchronously only up to the first await; the rest is
// driven by the host's message queue after main() returns (frame #25
// MessageQueue::ProcessAll -> JsCallFunction -> EntryReactionTaskFunction).
const v30 = v16();
// Two for-in loops over the string "undefined" (index keys "0".."8"), each with
// an inner loop that mixes a number and a string in its condition/update.
// Presumably additional fuzzer filler / JIT warm-up; not verified to be needed.
for (const v34 in "undefined") {
    for (let v35 = 1; v35 < v34; v35 = v35 + v34) {
        const v36 = v35++;
    }
}
for (const v39 in "undefined") {
    for (let v40 = 1; v40 < v39; v40 = v40 + "O6WVmPSpHT") {
        const v41 = v40++;
    }
}
}
// Run the PoC. The assertion does not fire inside this call: it fires later,
// from the promise job that resumes v16 (backtrace frame #26 RunScript ->
// frame #25 MessageQueue::ProcessAll), so the script must be run by a host
// that drains its promise/message queue, as ch does.
main();

Backtrace (lldb on macOS, debug build — the stop is the debug-only `AssertMsg` in `VarIs`, not a memory fault; note that in a build without that check the visible `INT32VAR` test on line 495 would classify a null `aValue` as a `RecyclableObject`, so a release build presumably carries the null `Var` further, which is not examined here):

 Failure: (aValue != nullptr)
Process 24504 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)
    frame #0: 0x00000001030dcdef libChakraCore.dylib`bool Js::VarIs<Js::RecyclableObject>(aValue=0x0000000000000000) at RecyclableObject.h:492:9
   489 	    // Return whether the given Var is of the template parameter's type.
   490 	    template <typename T> bool VarIs(Var aValue)
   491 	    {
-> 492 	        AssertMsg(aValue != nullptr, "VarIs: aValue is null");
   493
   494 	#if INT32VAR
   495 	        bool isRecyclableObject = (((uintptr_t)aValue) >> VarTag_Shift) == 0;
Target 0: (ch) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)
  * frame #0: 0x00000001030dcdef libChakraCore.dylib`bool Js::VarIs<Js::RecyclableObject>(aValue=0x0000000000000000) at RecyclableObject.h:492:9
    frame #1: 0x00000001030dc6b5 libChakraCore.dylib`Js::TaggedNumber::Is(aValue=0x0000000000000000) at TaggedInt.inl:312:27
    frame #2: 0x0000000103e6c4e5 libChakraCore.dylib`Js::JavascriptOperators::OP_SetElementI_JIT(instance=0x0000000000000000, index=0x0001000000000000, value=0x0001000037663465, scriptContext=0x0000000909008258, flags=PropertyOperation_None) at JavascriptOperators.cpp:4540:13
    frame #3: 0x0000000103e6c4b9 libChakraCore.dylib`Js::JavascriptOperators::OP_SetElementI_UInt32(instance=0x0000000000000000, index=0, value=0x0001000037663465, scriptContext=0x0000000909008258, flags=PropertyOperation_None) at JavascriptOperators.cpp:4514:16
    frame #4: 0x000000010264160e
    frame #5: 0x000000010440d14e libChakraCore.dylib`amd64_CallFunction at JavascriptFunctionA.S:100
    frame #6: 0x00000001040c625b libChakraCore.dylib`void* Js::JavascriptFunction::CallFunction<true>(function=0x00000001020e67d0, entryPoint=(0x0000000102641400), args=Arguments @ 0x00007ffeefbfe358, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
    frame #7: 0x00000001040d29c7 libChakraCore.dylib`Js::JavascriptGenerator::CallGenerator(this=0x0000000102549120, data=0x0001000000000538, resumeKind=Normal) at JavascriptGenerator.cpp:185:26
    frame #8: 0x0000000104083814 libChakraCore.dylib`Js::JavascriptAsyncFunction::EntryAsyncSpawnStepNextFunction(function=0x00000001025c7000, callInfo=(Count = 1, Flags = CallFlags_Value, unused = 0)) at JavascriptAsyncFunction.cpp:93:31
    frame #9: 0x00000001040839f8 libChakraCore.dylib`Js::JavascriptAsyncFunction::AsyncSpawnStep(stepFunction=0x00000001025c7000, generator=0x0000000102549120, resolve=0x0000000102540840, reject=0x00000001025408a0) at JavascriptAsyncFunction.cpp:151:25
    frame #10: 0x0000000104084487 libChakraCore.dylib`Js::JavascriptAsyncFunction::EntryAsyncSpawnCallStepFunction(function=0x000000010277aee0, callInfo=(Count = 2, Flags = CallFlags_Value, unused = 0)) at JavascriptAsyncFunction.cpp:130:5
    frame #11: 0x00000001042873d6 libChakraCore.dylib`Js::JavascriptPromise::EntryReactionTaskFunction(function=0x000000010277f190, callInfo=(Count = 1, Flags = CallFlags_None, unused = 0)) at JavascriptPromise.cpp:1074:37
    frame #12: 0x000000010440d14e libChakraCore.dylib`amd64_CallFunction at JavascriptFunctionA.S:100
    frame #13: 0x00000001040c625b libChakraCore.dylib`void* Js::JavascriptFunction::CallFunction<true>(function=0x000000010277f190, entryPoint=(libChakraCore.dylib`Js::JavascriptPromise::EntryReactionTaskFunction(Js::RecyclableObject*, Js::CallInfo, ...) at JavascriptPromise.cpp:1037), args=Arguments @ 0x00007ffeefbfeb10, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
    frame #14: 0x00000001040c657f libChakraCore.dylib`Js::JavascriptFunction::CallRootFunctionInternal(obj=0x000000010277f190, args=Arguments @ 0x00007ffeefbfeb80, scriptContext=0x0000000909008258, inScript=true) at JavascriptFunction.cpp:772:24
    frame #15: 0x00000001040c63bc libChakraCore.dylib`Js::JavascriptFunction::CallRootFunction(obj=0x000000010277f190, args=<unavailable>, scriptContext=0x0000000909008258, inScript=true) at JavascriptFunction.cpp:717:15
    frame #16: 0x00000001040c6361 libChakraCore.dylib`Js::JavascriptFunction::CallRootFunction(this=0x000000010277f190, args=<unavailable>, scriptContext=0x0000000909008258, inScript=true) at JavascriptFunction.cpp:832:16
    frame #17: 0x0000000103128435 libChakraCore.dylib`JsCallFunction::$_67::operator(this=0x00007ffeefbfeff0, scriptContext=0x0000000909008258, _actionEntryPopper=0x00007ffeefbfefd0)(Js::ScriptContext*, TTD::TTDJsRTActionResultAutoRecorder&) const at Jsrt.cpp:2842:41
    frame #18: 0x0000000103127dc4 libChakraCore.dylib`_JsErrorCode ContextAPIWrapper<false, JsCallFunction::$_67>(this=0x00007ffeefbfef88, scriptContext=0x0000000909008258)::'lambda'(Js::ScriptContext*)::operator()(Js::ScriptContext*) const at JsrtInternal.h:237:16
    frame #19: 0x0000000103127794 libChakraCore.dylib`_JsErrorCode ContextAPIWrapper_Core<false, _JsErrorCode ContextAPIWrapper<false, JsCallFunction::$_67>(JsCallFunction::$_67)::'lambda'(Js::ScriptContext*)>(fn=(anonymous class) @ 0x00007ffeefbfef88) at JsrtInternal.h:192:23
    frame #20: 0x00000001030e3c56 libChakraCore.dylib`_JsErrorCode ContextAPIWrapper<false, JsCallFunction::$_67>(fn=(anonymous class) @ 0x00007ffeefbfeff0) at JsrtInternal.h:235:27
    frame #21: 0x00000001030e3c19 libChakraCore.dylib`::JsCallFunction(function=0x000000010277f190, args=0x00007ffeefbff0c0, cargs=1, result=0x00007ffeefbff0b8) at Jsrt.cpp:2804:12
    frame #22: 0x000000010000bdeb ch`ChakraRTInterface::JsCallFunction(function=0x000000010277f190, arguments=0x00007ffeefbff0c0, argumentCount=1, result=0x00007ffeefbff0b8) at ChakraRtInterface.h:416:149
    frame #23: 0x000000010001b35a ch`WScriptJsrt::CallbackMessage::CallFunction(this=0x000000010030c110, fileName="./test.js") at WScriptJsrt.cpp:1988:21
    frame #24: 0x000000010001b23d ch`WScriptJsrt::CallbackMessage::Call(this=0x000000010030c110, fileName="./test.js") at WScriptJsrt.cpp:1959:12
    frame #25: 0x000000010000543e ch`MessageQueue::ProcessAll(this=0x0000000100607440, fileName="./test.js") at MessageQueue.h:256:18
    frame #26: 0x0000000100004ba0 ch`RunScript(fileName="./test.js", fileContents="function main() {\nconst v3 = async (v4,v5,v6,v7) => {\n};\nconst v10 = [13.37];\nconst v11 = {__proto__:v10,e:\"e\",valueOf:v3};\nfor (let v14 = v11; v14 < 1337; v14 = v14 ^ 2) {\n    const v15 = v14++;\n}\nasync function v16(v17,v18,v19,v20,v21) {\n    for (let v24 = 0; v24 < 1337; v24++) {\n        const v25 = await v24;\n    }\n    for (let v29 = 0; v29 < 1337; v29 = v29 + 128) {\n        (1337)[v29] = 929444965;\n    }\n}\nconst v30 = v16();\nfor (const v34 in \"undefined\") {\n    for (let v35 = 1; v35 < v34; v35 = v35 + v34) {\n        const v36 = v35++;\n    }\n}\nfor (const v39 in \"undefined\") {\n    for (let v40 = 1; v40 < v39; v40 = v40 + \"O6WVmPSpHT\") {\n        const v41 = v40++;\n    }\n}\n}\nmain();\n", fileLength=692, fileContentsFinalizeCallback=(ch`WScriptJsrt::FinalizeFree(void*) at WScriptJsrt.cpp:208), bufferValue=0x0000000000000000, fullPath="/Users/cpang/Desktop/graduate/javascript/ChakraCore/test.js", parserStateCache=0x0000000000000000)(void*), void*, char*, void*) at ch.cpp:480:17
    frame #27: 0x0000000100006f9e ch`ExecuteTest(fileName="./test.js") at ch.cpp:917:13
    frame #28: 0x000000010000734c ch`ExecuteTestWithMemoryCheck(fileName="./test.js") at ch.cpp:967:10
    frame #29: 0x0000000100007c89 ch`main(argc=2, c_argv=0x00007ffeefbff7d0) at ch.cpp:1274:20
    frame #30: 0x00007fff2034b621 libdyld.dylib`start + 1

How to reproduce:

- ./build.sh -j -d
- ch poc.js   (the backtrace above was captured with the same PoC saved as ./test.js)
