Aborted (core dumped) in `ReportFatalException`
Version:
ch version 1.12.0.0-beta
PoC:
// Build the parameter list "a0, a1, ..., a65535": exactly 0x10000 formals.
let args = new Array(0x10000);
args.fill();
args = args.map((_, i) => 'a' + i).join(', ');
// Declare a derived-class constructor that takes all 0x10000 formals and
// references them again from an arrow function that also calls super().
let gun = eval(`(function () {
    class A {
    }
    class B extends A {
        constructor(${args}) {
            () => {
                ${args};
                super();
            };
            class C {
                constructor() {
                }
                trigger() {
                    (() => {
                        super.x;
                    })();
                }
            }
            return new C();
        }
    }
    return new B();
})()`);
// Call the inner method repeatedly; see the comments below for the loop count.
for (let i = 0; i < 0x10000; i++)
    gun.trigger();
Command 1:
./build.sh
~/ChakraCore/out/Release/ch PoC.js
Output 1:
Aborted (core dumped)
Backtrace (using gdb debugging) 1:
gdb -q -args ~/ChakraCore/out/Release/ch PoC.js
(gdb) r
Starting program: ~/ChakraCore/out/Release/ch PoC.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ff7f380f700 (LWP 5027)]
[New Thread 0x7ff7f2fdf700 (LWP 5028)]
[New Thread 0x7ff7f27de700 (LWP 5029)]
Thread 1 "ch" received signal SIGILL, Illegal instruction.
0x00007ffff4140eb1 in ReportFatalException ()
(gdb) bt
#0 0x00007ffff4140eb1 in ReportFatalException ()
#1 0x00007ffff4140fb9 in OutOfMemory_unrecoverable_error() ()
#2 0x00007ffff4193fac in Js::Exception::RaiseIfScriptActive(Js::ScriptContext*, unsigned int, void*) ()
#3 0x00007ffff4141159 in Js::Throw::OutOfMemory() ()
#4 0x00007ffff41341e9 in Math::DefaultOverflowPolicy() ()
#5 0x00007ffff4206090 in PreVisitFunction(ParseNodeFnc*, ByteCodeGenerator*, Js::ParseableFunctionInfo*) ()
#6 0x00007ffff420be94 in void VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)>(ParseNode*, ParseNode*, ByteCodeGenerator*, void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*), unsigned int*, bool) ()
#7 0x00007ffff420bc7c in void VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)>(ParseNode*, ParseNode*, ByteCodeGenerator*, void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*), unsigned int*, bool) ()
#8 0x00007ffff420bc7c in void VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)>(ParseNode*, ParseNode*, ByteCodeGenerator*, void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*), unsigned int*, bool) ()
#9 0x00007ffff420bc7c in void VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)>(ParseNode*, ParseNode*, ByteCodeGenerator*, void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*), unsigned int*, bool) ()
#10 0x00007ffff420bff5 in void VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)>(ParseNode*, ParseNode*, ByteCodeGenerator*, void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*), unsigned int*, bool) ()
#11 0x00007ffff420bc7c in void VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)>(ParseNode*, ParseNode*, ByteCodeGenerator*, void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*), unsigned int*, bool) ()
#12 0x00007ffff420a00d in void Visit<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)>(ParseNode*, ByteCodeGenerator*, void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*), ParseNode*) ()
#13 0x00007ffff4203a70 in ByteCodeGenerator::Generate(ParseNodeProg*, unsigned int, ByteCodeGenerator*, Js::ParseableFunctionInfo**, unsigned int, bool, Parser*, Js::ScriptFunction**) ()
#14 0x00007ffff42054af in GenerateByteCode(ParseNodeProg*, unsigned int, Js::ScriptContext*, Js::ParseableFunctionInfo**, unsigned int, bool, Parser*, CompileScriptException*, Js::ScopeInfo*, Js::ScriptFunction**) ()
#15 0x00007ffff43c9d94 in Js::GlobalObject::DefaultEvalHelper(Js::ScriptContext*, char16_t const*, int, unsigned int, unsigned int, char16_t const*, int, int, int) ()
#16 0x00007ffff43ca9c2 in Js::GlobalObject::VEval(Js::JavascriptLibrary*, Js::FrameDisplay*, unsigned int, bool, bool, Js::Arguments&, bool, bool, unsigned int, Js::ScriptContext*) ()
#17 0x00007ffff43cade2 in Js::GlobalObject::EntryEval(Js::RecyclableObject*, Js::CallInfo, ...) ()
#18 0x00007ffff45a6c0e in amd64_CallFunction ()
#19 0x00007ffff4350347 in void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) ()
#20 0x00007ffff4350120 in void Js::InterpreterStackFrame::OP_ProfileCallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, unsigned short, unsigned int, Js::AuxArray<unsigned int> const*) ()
#21 0x00007ffff42fc537 in Js::InterpreterStackFrame::ProcessProfiled() ()
#22 0x00007ffff42d9d23 in Js::InterpreterStackFrame::Process() ()
#23 0x00007ffff42d94fb in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) ()
#24 0x00007ffff42d8fb5 in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) ()
#25 0x00007ff7f1f30fa2 in ?? ()
#26 0x00007fffffffcce0 in ?? ()
#27 0x00007ffff45a6c0e in amd64_CallFunction ()
Command 2:
./build.sh -b -j
~/ChakraCore/out/Debug/ch PoC.js
Output 2:
Aborted (core dumped)
Backtrace (using gdb debugging) 2:
gdb -q -args ~/ChakraCore/out/Debug/ch PoC.js
(gdb) r
Starting program: ~/ChakraCore/out/Debug/ch PoC.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ff7f229f700 (LWP 14422)]
[New Thread 0x7ff7f1a6f700 (LWP 14423)]
[New Thread 0x7ff7f126e700 (LWP 14424)]
Thread 1 "ch" received signal SIGTRAP, Trace/breakpoint trap.
DBG_DebugBreak ()
(gdb) bt
#0 DBG_DebugBreak () at ~/ChakraCore/pal/src/arch/i386/debugbreak.S:18
#1 0x00007ffff2a59001 in DebugBreak () at ~/ChakraCore/pal/src/debug/debug.cpp:408
#2 0x00007ffff30c8949 in ReportFatalException (context=0, exceptionCode=-2147024882, reasonCode=Fatal_OutOfMemory, scenario=9) at ~/ChakraCore/lib/Common/Exceptions/ReportError.cpp:20
#3 0x00007ffff30c8c96 in OutOfMemory_unrecoverable_error () at ~/ChakraCore/lib/Common/Exceptions/ReportError.cpp:145
#4 0x00007ffff323e800 in Js::Exception::RaiseIfScriptActive (scriptContext=0x0, kind=0, returnAddress=0x0) at ~/ChakraCore/lib/Runtime/Base/Exception.cpp:20
#5 0x00007ffff39d1b15 in JsUtil::ExternalApi::RaiseOutOfMemoryIfScriptActive () at ~/ChakraCore/lib/Runtime/Library/CommonExternalApiImpl.cpp:21
#6 0x00007ffff30c9378 in Js::Throw::OutOfMemory () at ~/ChakraCore/lib/Common/Exceptions/Throw.cpp:122
#7 0x00007ffff30a3f49 in Math::DefaultOverflowPolicy () at ~/ChakraCore/lib/Common/Common/MathUtil.cpp:37
#8 0x00007ffff33f5ddf in UInt16Math::Inc<void ()>(unsigned short&, void (&)()) (lhs=@0x7fffffff605e: 0, overflowFn=@0x7ffff30a3f40: {void (void)} 0x7ffff30a3f40 <Math::DefaultOverflowPolicy()>)
at ~/ChakraCore/lib/Common/Common/UInt16Math.h:32
#9 0x00007ffff33f5d9c in UInt16Math::Inc (lhs=@0x7fffffff605e: 0) at ~/ChakraCore/lib/Common/Common/UInt16Math.h:53
#10 0x00007ffff33ee26c in PreVisitFunction(ParseNodeFnc*, ByteCodeGenerator*, Js::ParseableFunctionInfo*)::$_1::operator()(ParseNode*) const (this=0x7fffffff5f58, pnode=0x7ff7e2b4a150)
at ~/ChakraCore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:2534
#11 0x00007ffff33ee234 in _Z14MapFormalsImplIZ16PreVisitFunctionP12ParseNodeFncP17ByteCodeGeneratorPN2Js21ParseableFunctionInfoEE3$_1Lb0EEvS1_T_ (pnodeFunc=0x7ff7e3f59340, fn=...)
at ~/ChakraCore/lib/Runtime/../Parser/FormalsUtil.h:11
#12 0x00007ffff33e64b5 in MapFormalsWithoutRest<PreVisitFunction(ParseNodeFnc*, ByteCodeGenerator*, Js::ParseableFunctionInfo*)::$_1>(ParseNodeFnc*, PreVisitFunction(ParseNodeFnc*, ByteCodeGenerator*, Js::ParseableFunctionInfo*)::$_1) (pnodeFunc=0x7ff7e3f59340, fn=...)
at ~/ChakraCore/lib/Runtime/../Parser/FormalsUtil.h:22
#13 0x00007ffff33e60b9 in PreVisitFunction (pnodeFnc=0x7ff7e3f59340, byteCodeGenerator=0x7fffffff7618, reuseNestedFunc=0x0) at ~/ChakraCore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:2534
#14 0x00007ffff33fbf02 in VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)> (pnodeScopeList=0x7ff7e3f59340, pnodeParent=0x7ff7e3f58300, byteCodeGenerator=0x7fffffff7618,
prefix=0x7ffff33e1950 <Bind(ParseNode*, ByteCodeGenerator*)>, postfix=0x7ffff33e2410 <AssignRegisters(ParseNode*, ByteCodeGenerator*)>, pIndex=0x7fffffff6f5c, breakOnBodyScope=false)
at ~/ChakraCore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:3379
#15 0x00007ffff33fc7bf in VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)> (pnodeScopeList=0x7ff7e3f58a30, pnodeParent=0x7ff7e3f58300, byteCodeGenerator=0x7fffffff7618,
prefix=0x7ffff33e1950 <Bind(ParseNode*, ByteCodeGenerator*)>, postfix=0x7ffff33e2410 <AssignRegisters(ParseNode*, ByteCodeGenerator*)>, pIndex=0x7fffffff6f5c, breakOnBodyScope=false)
at ~/ChakraCore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:3499
#16 0x00007ffff33fc7bf in VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)> (pnodeScopeList=0x7ff7e3f58870, pnodeParent=0x7ff7e3f58300, byteCodeGenerator=0x7fffffff7618,
prefix=0x7ffff33e1950 <Bind(ParseNode*, ByteCodeGenerator*)>, postfix=0x7ffff33e2410 <AssignRegisters(ParseNode*, ByteCodeGenerator*)>, pIndex=0x7fffffff6f5c, breakOnBodyScope=false)
at ~/ChakraCore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:3499
#17 0x00007ffff33fc7bf in VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)> (pnodeScopeList=0x7ff7e3f586d0, pnodeParent=0x7ff7e3f58300, byteCodeGenerator=0x7fffffff7618,
prefix=0x7ffff33e1950 <Bind(ParseNode*, ByteCodeGenerator*)>, postfix=0x7ffff33e2410 <AssignRegisters(ParseNode*, ByteCodeGenerator*)>, pIndex=0x7fffffff6f5c, breakOnBodyScope=false)
at ~/ChakraCore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:3499
#18 0x00007ffff33fc293 in VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)> (pnodeScopeList=0x7ff7e3f58300, pnodeParent=0x7ff7e3f58030, byteCodeGenerator=0x7fffffff7618,
prefix=0x7ffff33e1950 <Bind(ParseNode*, ByteCodeGenerator*)>, postfix=0x7ffff33e2410 <AssignRegisters(ParseNode*, ByteCodeGenerator*)>, pIndex=0x7fffffff73a0, breakOnBodyScope=false)
at ~/ChakraCore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:3426
#19 0x00007ffff33fc7bf in VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)> (pnodeScopeList=0x7ff7e3f58260, pnodeParent=0x7ff7e3f58030, byteCodeGenerator=0x7fffffff7618,
prefix=0x7ffff33e1950 <Bind(ParseNode*, ByteCodeGenerator*)>, postfix=0x7ffff33e2410 <AssignRegisters(ParseNode*, ByteCodeGenerator*)>, pIndex=0x7fffffff73a0, breakOnBodyScope=false)
at ~/ChakraCore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:3499
#20 0x00007ffff33f1946 in Visit<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)> (pnode=0x7ff7e3f58030, byteCodeGenerator=0x7fffffff7618, prefix=0x7ffff33e1950 <Bind(ParseNode*, ByteCodeGenerator*)>,
postfix=0x7ffff33e2410 <AssignRegisters(ParseNode*, ByteCodeGenerator*)>, pnodeParent=0x0) at ~/ChakraCore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:341
#21 0x00007ffff33e0dde in ByteCodeGenerator::Generate (pnodeProg=0x7ff7e3f58030, grfscr=7226, byteCodeGenerator=0x7fffffff7618, ppRootFunc=0x7fffffff8698, sourceIndex=2, forceNoNative=false, parser=0x7fffffff7ac0, functionRef=0x0)
at ~/ChakraCore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:2042
#22 0x00007ffff33e4b5d in GenerateByteCode (pnode=0x7ff7e3f58030, grfscr=7226, scriptContext=0x5555561b4028, ppRootFunc=0x7fffffff8698, sourceIndex=2, forceNoNative=false, parser=0x7fffffff7ac0, pse=0x7fffffff86a0, parentScopeInfo=0x0, functionRef=0x0)
at ~/ChakraCore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:2220
#23 0x00007ffff3a155b3 in Js::GlobalObject::DefaultEvalHelper (scriptContext=0x5555561b4028,
source=0x7ff7e3b8b020 u"(function () {\n class A {\n }\n class B extends A {\n constructor(a0, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20, a21, a22, a23, a24, a25, a"..., sourceLength=1026801,
moduleID=0, grfscr=7226, pszTitle=0x7ffff4342b00 <Js::Constants::EvalCode> u"eval code", registerDocument=1, isIndirect=0, strictMode=0) at ~/ChakraCore/lib/Runtime/Library/GlobalObject.cpp:895
#24 0x00007ffff3a16c3e in Js::GlobalObject::VEval (library=0x7ff7f1a88000, environment=0x7ffff4bed8b0 <Js::NullFrameDisplay>, moduleID=0, strictMode=false, isIndirect=false, args=..., isLibraryCode=false, registerDocument=true, additionalGrfscr=0,
debugEvalScriptContext=0x0) at ~/ChakraCore/lib/Runtime/Library/GlobalObject.cpp:609
#25 0x00007ffff3a167af in Js::GlobalObject::EntryEvalHelper (scriptContext=0x5555561b4028, function=0x7ff7f0a465c0, args=...) at ~/ChakraCore/lib/Runtime/Library/GlobalObject.cpp:519
#26 0x00007ffff3a174e8 in Js::GlobalObject::EntryEval (function=0x7ff7f0a465c0, callInfo=...) at ~/ChakraCore/lib/Runtime/Library/GlobalObject.cpp:549
#27 0x00007ffff3e1150e in amd64_CallFunction () at ~/ChakraCore/lib/Runtime/Library/amd64/JavascriptFunctionA.S:100
#28 0x00007ffff3b0290e in Js::JavascriptFunction::CallFunction<true> (function=0x7ff7f0a465c0, entryPoint=0x7ffff3a172b0 <Js::GlobalObject::EntryEval(Js::RecyclableObject*, Js::CallInfo, ...)>, args=..., useLargeArgCount=false)
at ~/ChakraCore/lib/Runtime/Library/JavascriptFunction.cpp:1364
#29 0x00007ffff38b1c4f in Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) (this=0x7fffffffbda0, playout=0x7ff7f09e80c4, function=0x7ff7f0a465c0, flags=10, spreadIndices=0x0)
at ~/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:3988
#30 0x00007ffff38b14d4 in Js::InterpreterStackFrame::OP_ProfileCallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, unsigned short, unsigned int, Js::AuxArray<unsigned int> const*) (this=0x7fffffffbda0, playout=0x7ff7f09e80c4, function=0x7ff7f0a465c0, flags=8, profileId=4,
inlineCacheIndex=4294967295, spreadIndices=0x0) at ~/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:4016
#31 0x00007ffff387a4b1 in Js::InterpreterStackFrame::OP_ProfiledCallIExtendedFlags<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<(Js::LayoutSize)0> > >(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > const __unaligned*) (this=0x7fffffffbda0, playout=0x7ff7f09e80c4) at ~/ChakraCore/lib/Runtime/./Language/InterpreterStackFrame.h:518
#32 0x00007ffff37204fe in Js::InterpreterStackFrame::ProcessProfiled (this=0x7fffffffbda0) at ~/ChakraCore/lib/Runtime/Language/InterpreterHandler.inl:90
#33 0x00007ffff36af49d in Js::InterpreterStackFrame::Process (this=0x7fffffffbda0) at ~/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:3472
#34 0x00007ffff36adfdb in Js::InterpreterStackFrame::InterpreterHelper (function=0x7ff7f1a76730, args=..., returnAddress=0x7ff7f09c0fa2, addressOfReturnAddress=0x7fffffffc368, asmJsReturn=0x0)
at ~/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:2153
#35 0x00007ffff36ad0a8 in Js::InterpreterStackFrame::InterpreterThunk (layout=0x7fffffffc380) at ~/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:1833
#36 0x00007ff7f09c0fa2 in ?? ()
#37 0x00007fffffffc390 in ?? ()
#38 0x00007ffff3e1150e in amd64_CallFunction ()
Thank you for the demo. Could you please state what you are reporting; is that the shell running out of memory?
@ppenzin Chakra (both the release and debug versions of V1.12.0.0-beta) crashes when running the above PoC, which had triggered a CVE in Safari. Maybe Chakra has the same issue as Safari, which allows remote attackers to execute arbitrary code or cause a denial of service.
In addition, if the for statement is replaced as follows:
for (let i = 0; i < 100; i++)
    gun.trigger();
Chakra can run it without any exception.
Thanks for your reply. As @yeguixin said, this PoC comes from CVE-2017-2531. When I execute this PoC using the newer versions of other engines, V8 and SpiderMonkey throw a syntax error (SyntaxError: too many function arguments), JavaScriptCore passes normally, and only Chakra outputs "Aborted (core dumped)", which causes the program to exit abnormally with no additional information.
@yeguixin @YiWen-y thank you for the explanation. I believe we catch the attempt to go out of bounds; the integer overflow is detected:
#7 0x00007ffff30a3f49 in Math::DefaultOverflowPolicy () at ~/ChakraCore/lib/Common/Common/MathUtil.cpp:37
#8 0x00007ffff33f5ddf in UInt16Math::Inc<void ()>(unsigned short&, void (&)()) (lhs=@0x7fffffff605e: 0, overflowFn=@0x7ffff30a3f40: {void (void)} 0x7ffff30a3f40 <Math::DefaultOverflowPolicy()>)
at ~/ChakraCore/lib/Common/Common/UInt16Math.h:32
https://github.com/chakra-core/ChakraCore/blob/master/lib/Common/Common/UInt16Math.h#L32
We probably do need a better error message instead of a silent core dump.
@rhuanjl I feel like we had a discussion about overflow handling before. From a purely practical point of view, I feel it is OK for these kinds of situations to get overly vague errors as long as nothing dangerous can happen. What do you think?
Hmm - this is detecting that running this (technically valid) code would result in going out of memory, leading to arbitrary results - so it's calling abort to stop it.
It may be possible to throw a nicer error if we can ensure we're catching it long before the out of memory.
But the current behaviour is basically by design.
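The 16-bit formal counter the two comments above describe, modelled as an added example (not ChakraCore's code): Uint16Inc mirrors the shape of the UInt16Math::Inc frame in the backtrace, the loop stands in for the per-formal increment in PreVisitFunction, and the two overflow policies contrast the fatal abort with the recoverable syntax error the reporter saw in other engines. The names CompileFormals, Outcome, FatalOverflow and TooManyFormals are assumptions of this model.

```cpp
#include <cstdint>
#include <cstdio>

// Thrown by the abort-style policy: stands in for Math::DefaultOverflowPolicy,
// whose real counterpart raises an unrecoverable out-of-memory error (the abort).
struct FatalOverflow {};
// Thrown by the alternative policy: a recoverable script error, the behaviour
// the reporter saw in V8 and SpiderMonkey ("too many function arguments").
struct TooManyFormals {};

// Model of UInt16Math::Inc (frame #8 of the debug backtrace): bump a 16-bit
// counter and run the overflow policy if it wraps to zero.
template <typename OverflowFn>
static void Uint16Inc(std::uint16_t& lhs, OverflowFn overflowFn) {
    if (++lhs == 0) {
        overflowFn();
    }
}

enum class Outcome { Ok, FatalAbort, SyntaxError };

// Visit the formals of a function with `formalCount` parameters, incrementing
// the 16-bit count once per formal as MapFormals does inside PreVisitFunction.
// `recoverable` selects which overflow policy is installed (hypothetical knob).
static Outcome CompileFormals(std::uint32_t formalCount, bool recoverable) {
    std::uint16_t count = 0;
    try {
        for (std::uint32_t i = 0; i < formalCount; ++i) {
            if (recoverable) {
                Uint16Inc(count, [] { throw TooManyFormals{}; });
            } else {
                Uint16Inc(count, [] { throw FatalOverflow{}; });
            }
        }
    } catch (const FatalOverflow&) {
        return Outcome::FatalAbort;   // the real engine tears the process down here
    } catch (const TooManyFormals&) {
        return Outcome::SyntaxError;  // script-level error, engine keeps running
    }
    return Outcome::Ok;
}

int main() {
    const std::uint32_t pocFormals = 0x10000;  // exactly what the PoC's `args` declares
    std::printf("0xFFFF formals, default policy:  %s\n",
                CompileFormals(0xFFFF, false) == Outcome::Ok ? "ok" : "abort");
    std::printf("0x10000 formals, default policy: %s\n",
                CompileFormals(pocFormals, false) == Outcome::FatalAbort ? "abort" : "ok");
    std::printf("0x10000 formals, recoverable:    %s\n",
                CompileFormals(pocFormals, true) == Outcome::SyntaxError ? "SyntaxError" : "ok");
    return 0;
}
```

The boundary is the point of the model: 0xFFFF formals fit the counter, the 0x10000th increment wraps it to zero, and only the installed policy decides whether that becomes a core dump or a catchable error.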