ChakraCore
# Assertion Failure in Js::JavascriptArray::CopyWithinHelper

## Version
commit id: c3ead3f8a6e0bb8e32e043adc091c68cba5935e9

## Platform
Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

## Build
- Debug Mode

```
./build.sh --debug --static
```
## PoC
```js
const arr = [2];
arr.length = 4294967295;
arr.copyWithin();
```
## Execution steps & Output
```
./ch --maxinterpretcount:10 --maxsimplejitruncount:100 -bgjit- poc.js
ASSERTION 422348: (/home/wjm/ChakraCore/lib/Runtime/Library/JavascriptArray.cpp, line 9407) direction == -1 || (fromVal + count < MaxArrayLength && toVal + count < MaxArrayLength)
Failure: (direction == -1 || (fromVal + count < MaxArrayLength && toVal + count < MaxArrayLength))
Signal: SIGILL (Illegal instruction)
```
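To make the asserted condition concrete, here is an added example (not code from the report or from ChakraCore) that implements the index arithmetic ECMA-262 specifies for `Array.prototype.copyWithin` before any element is copied, and evaluates the assertion's predicate on the PoC's inputs. `MAX_ARRAY_LENGTH` is assumed to equal ChakraCore's `MaxArrayLength` (2^32 - 1); `copyWithinIndices` and `assertionHolds` are names chosen for this example, not engine functions.

```javascript
// Added example: ECMA-262 index arithmetic for Array.prototype.copyWithin,
// evaluated against the predicate asserted in the report. Not ChakraCore code.

// Assumed to match ChakraCore's MaxArrayLength (2^32 - 1).
const MAX_ARRAY_LENGTH = 4294967295;

// ToIntegerOrInfinity: NaN -> 0, +/-Infinity preserved, otherwise truncate.
function toIntegerOrInfinity(v) {
  const n = Number(v);
  if (Number.isNaN(n)) return 0;
  if (!Number.isFinite(n)) return n;
  return Math.trunc(n);
}

// Resolve a relative index (target, start or end) against len the way the
// spec does: negative values count from the end, results are clamped to [0, len].
function relativeIndex(arg, len, defaultValue) {
  if (arg === undefined) return defaultValue;
  const rel = toIntegerOrInfinity(arg);
  if (rel < 0) return Math.max(len + rel, 0); // -Infinity also clamps to 0
  return Math.min(rel, len);
}

// Compute from/to/count/direction following the spec steps for copyWithin.
function copyWithinIndices(len, target, start, end) {
  const to = relativeIndex(target, len, 0);
  const from = relativeIndex(start, len, 0);
  const final = relativeIndex(end, len, len);
  const count = Math.min(final - from, len - to);
  // Copy backwards only when the destination starts inside the source range.
  const direction = (from < to && to < from + count) ? -1 : 1;
  return { from, to, count, direction };
}

// The predicate asserted at JavascriptArray.cpp:9407 in the report.
function assertionHolds({ from, to, count, direction }) {
  return direction === -1 ||
    (from + count < MAX_ARRAY_LENGTH && to + count < MAX_ARRAY_LENGTH);
}

// PoC inputs: length 4294967295, copyWithin() called with no arguments.
const pocIndices = copyWithinIndices(4294967295, undefined, undefined, undefined);
console.log("PoC:", pocIndices, "assertion holds:", assertionHolds(pocIndices));

// An ordinary overlapping copy for contrast (constructed input).
const overlap = copyWithinIndices(5, 2, 0, 3);
console.log("copyWithin(2, 0, 3) on length 5:", overlap,
            "assertion holds:", assertionHolds(overlap));
```

With `length = 4294967295` and no arguments, `from` and `to` are both 0 and `count` equals `length`, so `from + count` is exactly `MaxArrayLength` and the strict `<` in the assertion evaluates to false while the forward direction is selected. An overlapping call such as `copyWithin(2, 0, 3)` resolves to `direction = -1`, which satisfies the first disjunct regardless of the bounds.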
## Backtrace
````
(lldb) bt
* thread #1, name = 'ch', stop reason = signal SIGILL: illegal instruction operand
  * frame #0: 0x000055555615e01c ch`Js::JavascriptArray::CopyWithinHelper(pArr=0x00007ff7e7c622a0, typedArrayBase=0x0000000000000000, obj=0x00007ff7e7c622a0, length=4294967295, args=0x00007fffffffae28, scriptContext=0x0000555557ee8f88) at JavascriptArray.cpp:9407:13
    frame #1: 0x000055555615cfca ch`Js::JavascriptArray::EntryCopyWithin(function=0x00007ff7e7bbbb00, callInfo=(Count = 1, Flags = CallFlags_NotUsed, unused = 0)) at JavascriptArray.cpp:9274:16
    frame #2: 0x00005555564a37de ch`amd64_CallFunction at JavascriptFunctionA.S:100
    frame #3: 0x00005555561d7a4b ch`void* Js::JavascriptFunction::CallFunction<true>(function=0x00007ff7e7bbbb00, entryPoint=(ch`Js::JavascriptArray::EntryCopyWithin(Js::RecyclableObject*, Js::CallInfo, ...) at JavascriptArray.cpp:9260), args=Arguments @ 0x00007fffffffafa0, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
    frame #4: 0x0000555555ffc5fe ch`void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(this=0x00007fffffffc040, playout=0x00007ff7e84cd498, function=0x00007ff7e7bbbb00, flags=16, spreadIndices=0x0000000000000000)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) at InterpreterStackFrame.cpp:3973:21
    frame #5: 0x0000555555fcdb05 ch`void Js::InterpreterStackFrame::OP_CallI<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(this=0x00007fffffffc040, playout=0x00007ff7e84cd498)0> > > __unaligned const __unaligned*) at InterpreterStackFrame.h:510:72
    frame #6: 0x0000555555e71df3 ch`Js::InterpreterStackFrame::ProcessUnprofiled(this=0x00007fffffffc040) at InterpreterHandler.inl:91:3
    frame #7: 0x0000555555e522be ch`Js::InterpreterStackFrame::Process(this=0x00007fffffffc040) at InterpreterStackFrame.cpp:3495:22
    frame #8: 0x0000555555e50dd3 ch`Js::InterpreterStackFrame::InterpreterHelper(function=0x00007ff7e7c766e0, args=ArgumentReader @ 0x00007fffffffc530, returnAddress=0x00007ff7e7bd0fa2, addressOfReturnAddress=0x00007fffffffc578, asmJsReturn=0x0000000000000000) at InterpreterStackFrame.cpp:2153:40
    frame #9: 0x0000555555e4feb0 ch`Js::InterpreterStackFrame::InterpreterThunk(layout=0x00007fffffffc590) at InterpreterStackFrame.cpp:1833:16
    frame #10: 0x00007ff7e7bd0fa2
    frame #11: 0x00005555564a37de ch`amd64_CallFunction at JavascriptFunctionA.S:100
    frame #12: 0x00005555561d7a4b ch`void* Js::JavascriptFunction::CallFunction<true>(function=0x00007ff7e7c766e0, entryPoint=(ch`NativeCodeGenerator::CheckCodeGenThunk(Js::RecyclableObject*, Js::CallInfo, ...)), args=Arguments @ 0x00007fffffffc798, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
    frame #13: 0x00005555561cf2f4 ch`Js::JavascriptFunction::CallRootFunctionInternal(obj=0x00007ff7e7c766e0, args=Arguments @ 0x00007fffffffc810, scriptContext=0x0000555557ee8f88, inScript=true) at JavascriptFunction.cpp:772:24
    frame #14: 0x00005555561cf10c ch`Js::JavascriptFunction::CallRootFunction(obj=0x00007ff7e7c766e0, args=<unavailable>, scriptContext=0x0000555557ee8f88, inScript=true) at JavascriptFunction.cpp:717:15
    frame #15: 0x00005555561cf0b1 ch`Js::JavascriptFunction::CallRootFunction(this=0x00007ff7e7c766e0, args=<unavailable>, scriptContext=0x0000555557ee8f88, inScript=true) at JavascriptFunction.cpp:832:16
    frame #16: 0x0000555555894a8e ch`RunScriptCore(this=0x00007fffffffcbe0, scriptContext=0x0000555557ee8f88, _actionEntryPopper=0x00007fffffffcbc0)::$_85::operator()(Js::ScriptContext*, TTD::TTDJsRTActionResultAutoRecorder&) const at Jsrt.cpp:3705:49
    frame #17: 0x0000555555894624 ch`_JsErrorCode ContextAPIWrapper<false, RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_85>(this=0x00007fffffffcb78, scriptContext=0x0000555557ee8f88)::$_85)::'lambda'(Js::ScriptContext*)::operator()(Js::ScriptContext*) const at JsrtInternal.h:237:16
    frame #18: 0x0000555555893fc4 ch`_JsErrorCode ContextAPIWrapper_Core<false, _JsErrorCode ContextAPIWrapper<false, RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_85>(RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_85)::'lambda'(Js::ScriptContext*)>(fn=(anonymous class) @ 0x00007fffffffcb78)::$_85) at JsrtInternal.h:192:23
    frame #19: 0x00005555558608f6 ch`_JsErrorCode ContextAPIWrapper<false, RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_85>(fn=(anonymous class) @ 0x00007fffffffcbe0)::$_85) at JsrtInternal.h:235:27
    frame #20: 0x00005555558607fb ch`RunScriptCore(scriptSource=0x00007ff7e7c44000, script="const arr = [2];\narr.length = 4294967295;\narr.copyWithin();\n\n// CRASH INFO\n// ==========\n// TERMSIG: 4\n// STDERR:\n// ASSERTION 1666667: (/home/wjm/ChakraCore/lib/Runtime/Library/JavascriptArray.cpp, line 9407) direction == -1 || (fromVal + count < MaxArrayLength && toVal + count < MaxArrayLength)\n// Failure: (direction == -1 || (fromVal + count < MaxArrayLength && toVal + count < MaxArrayLength))\n// STDOUT:\n// ARGS: /home/wjm/ChakraCore/out/Debug/ch --maxinterpretcount:10 --maxsimplejitruncount:100 -bgjit- -reprl fuzzcode.js\n// EXECUTION TIME: 11 ms\n\n/*\n\nTitle: Assertion Failure in Js::JavascriptArray::CopyWithinHelper\n\n## Version\ncommit id: c3ead3f8a6e0bb8e32e043adc091c68cba5935e9\n\n## Platform\nUbuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)\n\n## Build\n- Debug Mode\n\n```\n./build.sh --debug --static\n```\n\n## PoC\n```\n\n```\n\n## Execution steps & Output\n```\n./ch --maxinterpretcount:10 --maxsimplejitruncount:100 -bgjit- poc.js\n\n```\n## Backtrace\n```\n\n\n```\n\n*\/\n", cb=969, loadScriptFlag=LoadScriptFlag_Utf8Source | LoadScriptFlag_ExternalArrayBuffer, sourceContext=0, sourceUrl=u"/home/wjm/DiTing-pocs/chakra/bug36_maxLength.js", parseOnly=false, parseAttributes=JsParseScriptAttributeNone, isSourceModule=false, result=0x0000000000000000) at Jsrt.cpp:3656:12
    frame #21: 0x0000555555862f6e ch`::JsRun(JsValueRef, JsSourceContext, JsValueRef, JsParseScriptAttributes, JsValueRef *) [inlined] CompileRun(scriptVal=0x00007ff7e7c44000, sourceContext=0, sourceUrl=0x00007ff7e7c71cf0, parseAttributes=JsParseScriptAttributeNone, result=0x0000000000000000, parseOnly=false) at Jsrt.cpp:5019:12
    frame #22: 0x0000555555862db9 ch`::JsRun(scriptVal=0x00007ff7e7c44000, sourceContext=0, sourceUrl=0x00007ff7e7c71cf0, parseAttributes=JsParseScriptAttributeNone, result=0x0000000000000000) at Jsrt.cpp:5041
    frame #23: 0x0000555555787293 ch`ChakraRTInterface::JsRun(script=0x00007ff7e7c44000, sourceContext=0, sourceUrl=0x00007ff7e7c71cf0, parseAttributes=JsParseScriptAttributeNone, result=0x0000000000000000) at ChakraRtInterface.h:487:179
    frame #24: 0x0000555555784924 ch`RunScript(fileName="bug36_maxLength.js", fileContents="const arr = [2];\narr.length = 4294967295;\narr.copyWithin();\n\n// CRASH INFO\n// ==========\n// TERMSIG: 4\n// STDERR:\n// ASSERTION 1666667: (/home/wjm/ChakraCore/lib/Runtime/Library/JavascriptArray.cpp, line 9407) direction == -1 || (fromVal + count < MaxArrayLength && toVal + count < MaxArrayLength)\n// Failure: (direction == -1 || (fromVal + count < MaxArrayLength && toVal + count < MaxArrayLength))\n// STDOUT:\n// ARGS: /home/wjm/ChakraCore/out/Debug/ch --maxinterpretcount:10 --maxsimplejitruncount:100 -bgjit- -reprl fuzzcode.js\n// EXECUTION TIME: 11 ms\n\n/*\n\nTitle: Assertion Failure in Js::JavascriptArray::CopyWithinHelper\n\n## Version\ncommit id: c3ead3f8a6e0bb8e32e043adc091c68cba5935e9\n\n## Platform\nUbuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)\n\n## Build\n- Debug Mode\n\n```\n./build.sh --debug --static\n```\n\n## PoC\n```\n\n```\n\n## Execution steps & Output\n```\n./ch --maxinterpretcount:10 --maxsimplejitruncount:100 -bgjit- poc.js\n\n```\n## Backtrace\n```\n\n\n```\n\n*\/\n", fileLength=969, fileContentsFinalizeCallback=(ch`WScriptJsrt::FinalizeFree(void*) at WScriptJsrt.cpp:217), bufferValue=0x0000000000000000, fullPath="/home/wjm/DiTing-pocs/chakra/bug36_maxLength.js", parserStateCache=0x0000000000000000)(void*), void*, char*, void*) at ch.cpp:451:25
    frame #25: 0x00005555557863f0 ch`ExecuteTest(fileName="bug36_maxLength.js") at ch.cpp:917:13
    frame #26: 0x00005555557864ac ch`ExecuteTestWithMemoryCheck(fileName="bug36_maxLength.js") at ch.cpp:967:10
    frame #27: 0x0000555555786d7a ch`main(argc=5, c_argv=0x00007fffffffd648) at ch.cpp:1274:20
    frame #28: 0x00007ffff778d1e2 libc.so.6`__libc_start_main + 242
    frame #29: 0x0000555555783b7e ch`_start + 46
````