
Assertion Error in `BeginDumpObject`

Open bin2415 opened this issue 4 years ago • 1 comments

PoC:

// Reproducer for the `Assert(dumpObject == nullptr)` failure in
// Memory::RecyclerObjectGraphDumper::BeginDumpObject (RecyclerObjectGraphDumper.cpp:45)
// shown in the backtrace below. The script is fuzzer-generated: most bindings
// are never read, and the reporter notes the assertion only fires while the
// setup preceding the JSON.parse call is left intact, so do not trim or
// reorder statements. Run with a debug build of ch and the -collectGarbage
// flag (see "How to reproduce").
function main() {
const v0 = parseInt;
const v2 = [13.37,13.37,13.37,13.37];
const v4 = [1337,1337,1337];
const v5 = [1337];
const v6 = {__proto__:1337,c:v4,constructor:v5,d:v4,e:v2};
const v10 = [13.37,13.37,13.37,13.37,13.37];
const v12 = [1337,1337,1337,1337,1337];
const v13 = [v12];
const v14 = {__proto__:1337,a:1337,b:v13,c:129,e:v10,length:13.37,toString:"undefined",valueOf:v12};
const v15 = {c:129,constructor:13.37,e:v12,valueOf:v10};
const v18 = [13.37,13.37,13.37,13.37,13.37];
const v20 = [-536870912];
// v21 is the only array here that is reached by the JSON.parse input (via v454.toString).
const v21 = [13.37,Int16Array,13.37];
const v22 = {__proto__:v18,a:v21,b:-536870912};
const v24 = "kexCRFZqsO";
const v26 = [13.37];
const v28 = [1337,1337,1337,1337];
const v29 = [1337];
const v30 = {a:v29,e:v26,valueOf:2147483649};
let v34 = -1000.0;
const v35 = [v34,"65537",v30,v34];
function v37(v38,v39) {
}
const v40 = (v41,v42) => {
};
const v43 = [257];
const v44 = [Map,257,8,v35,257];
const v45 = {__proto__:v35,a:v35,c:v43,constructor:v43,d:v44,e:"65537",toString:v35,valueOf:"65537"};
const v46 = {b:257,d:v34,length:v43,valueOf:v45};
const v48 = [257];
const v49 = 3381155459;
const v50 = "65537";
const v52 = [1337];
const v53 = Object;
const v54 = String;
const v59 = [1337];
const v60 = [String,3381155459,3381155459,v34,1337];
const v61 = RegExp;
const v62 = Object;
const v63 = String;
const v64 = [-2.2250738585072014e-308,-2.2250738585072014e-308,-2.2250738585072014e-308,-2.2250738585072014e-308];
const v65 = 4294967297;
v34 = 3381155459;
const v66 = Object;
const v71 = [13.37,13.37,13.37,13.37];
const v73 = [1337];
const v74 = [Map,1337,8,13.37,1337];
const v75 = {__proto__:v71,a:v71,c:v73,constructor:v73,d:v74,e:"65537",toString:v71,valueOf:"65537"};
const v76 = {b:13.37,d:13.37,length:v73,valueOf:v75};
let v78 = "65537";
let v79 = Map;
let v80 = 13.37;
const v81 = [v80,v78,v80,v80];
v79 = v79;
const v88 = [1337];
const v89 = [String,1337,3381155459,-2.2250738585072014e-308,1337];
const v90 = Object;
const v92 = 1;
const v93 = (v94,v95) => {
};
const v96 = [1337];
const v97 = [v79,1337,8,v81,1337];
const v98 = {__proto__:v81,a:v81,c:v96,constructor:v96,d:v97,e:v78,toString:v81,valueOf:v78};
const v99 = {b:1337,d:v80,length:v96,valueOf:v98};
const v103 = [1337];
const v104 = [String,1337,8,v80,1337];
const v106 = Object();
const v109 = 2 && Object;
const v110 = 3381155459;
const v112 = [1337];
const v115 = Object;
const v116 = Object;
const v117 = [0,2,1337];
v78 = 1337;
const v120 = -2.2250738585072014e-308;
const v122 = [1337];
const v123 = [String,3381155459,3381155459,v80,1337];
const v124 = [-2.2250738585072014e-308,-2.2250738585072014e-308,-2.2250738585072014e-308,-2.2250738585072014e-308];
v80 = 3381155459;
const v126 = Object;
const v127 = Object;
const v128 = 3381155459;
const v129 = "65537";
const v130 = 1337;
const v131 = Object;
const v132 = [1337];
const v133 = [String,1337,3381155459,-2.2250738585072014e-308,1337];
// Duplicate `toString` key: the later value (v124) wins.
const v134 = {__proto__:v124,a:v124,c:v132,toString:v132,d:v133,e:"65537",toString:v124,valueOf:"65537"};
const v135 = {b:-2.2250738585072014e-308,d:-2.2250738585072014e-308,length:String,valueOf:v134};
const v137 = Object;
const v138 = Object();
const v139 = Object();
const v140 = Object;
const v141 = String;
const v142 = RegExp;
const v143 = 3381155459;
const v144 = "65537";
const v145 = 0;
const v146 = 5;
const v147 = 1;
const v148 = String;
const v150 = "65537";
const v154 = [1337];
const v155 = [String,1337,3381155459,-2.2250738585072014e-308,1337];
const v156 = Object;
const v157 = Object;
const v158 = 1337;
const v159 = 1;
const v160 = "toString";
const v161 = Number;
const v162 = 13.37;
const v164 = [-9007199254740993,-9007199254740993,-9007199254740993,-9007199254740993];
const v169 = [13.37,13.37,13.37,13.37];
const v171 = [1337];
const v172 = [Map,1337,8,13.37,1337];
const v173 = {__proto__:v169,a:v169,c:v171,constructor:v171,d:v172,e:"65537",toString:v169,valueOf:"65537"};
const v174 = {b:13.37,d:13.37,length:v171,valueOf:v173};
let v176 = "65537";
const v179 = [13.37,v176,13.37,13.37];
const v186 = [-1024];
const v187 = [String,-1024,3381155459,-2.2250738585072014e-308,-1024];
const v188 = Object;
const v190 = 1;
const v191 = [1337];
const v192 = [Map,1337,8,v179,1337];
const v193 = {__proto__:v179,a:v179,c:v191,constructor:v191,d:v192,e:v176,toString:v179,valueOf:v176};
const v194 = {b:1337,d:13.37,length:v191,valueOf:v193};
const v195 = 3381155459;
const v196 = String;
const v197 = 1337;
const v198 = [1337];
const v199 = Object;
const v202 = 3381155459;
const v203 = "65537";
const v205 = [1337];
const v208 = Object;
const v209 = Object;
const v210 = [1073741824,2,1337];
v176 = 1337;
const v211 = 3381155459;
const v212 = String;
const v213 = -2.2250738585072014e-308;
const v214 = 1337;
const v215 = Object;
const v216 = [-2.2250738585072014e-308,-2.2250738585072014e-308,-2.2250738585072014e-308,-2.2250738585072014e-308];
const v218 = Object;
const v219 = Object;
const v220 = 3381155459;
const v221 = "65537";
const v222 = 1337;
const v223 = Object;
const v224 = [1337];
const v225 = [String,1337,3381155459,-2.2250738585072014e-308,1337];
const v226 = {__proto__:v216,a:v216,c:v224,constructor:v224,d:v225,e:"65537",toString:v216,valueOf:"65537"};
const v227 = {b:-2.2250738585072014e-308,d:-2.2250738585072014e-308,length:String,valueOf:v226};
const v228 = -2;
const v229 = "4096";
const v230 = Float64Array;
const v232 = [1337];
const v233 = {};
const v234 = -2;
const v235 = "object";
const v236 = Object;
const v238 = [13.37];
const v243 = [13.37,13.37,13.37,13.37];
const v245 = [1337];
const v246 = [Map,v238,8,13.37,1337];
const v247 = {__proto__:v243,a:v243,c:v245,constructor:v245,d:v246,e:"65537",toString:v243,valueOf:"65537"};
const v248 = {b:1337,d:13.37,length:v245,valueOf:v247};
const v249 = String;
const v250 = Int16Array;
const v252 = [13.37];
const v254 = [2854028078,2854028078,2854028078];
const v255 = [13.37,2854028078,v254];
const v259 = [13.37,13.37,13.37,13.37];
const v261 = [Map,"matchAll",13.37,Map];
const v262 = {__proto__:13.37,a:v261,c:"matchAll",d:1337,b:Map,valueOf:Map};
const v267 = [13.37,13.37,13.37];
const v269 = [1337,1337,1337];
const v270 = [v267,v269,JSON,v269,JSON,1024,1337,JSON];
const v271 = {b:1337,c:v270,constructor:"object",d:v270,e:JSON,toString:v267,valueOf:v270};
const v272 = {a:v271,constructor:v267,toString:"object"};
const v273 = JSON;
const v275 = "1073741824";
let v276 = 0;
const v277 = 4;
const v278 = v276++;
const v281 = [13.37,13.37,13.37,13.37,13.37];
const v283 = [1337];
const v284 = [13.37,Int16Array,13.37];
const v285 = 1;
const v286 = "arguments";
const v287 = Function;
const v288 = 13.37;
const v290 = {};
const v291 = 1;
const v292 = "toString";
const v294 = [13.37,13.37,13.37,13.37,13.37];
const v296 = [1337,1337,1337,1337];
const v297 = {};
const v302 = [13.37,13.37,13.37,13.37,13.37];
const v304 = [1337,1337,1337,1337];
const v305 = [Function,13.37,v304,1,1,Function,v304,1,1337];
const v306 = {a:Function,b:1337,constructor:13.37,e:v305,length:13.37,toString:"toString",valueOf:13.37};
const v307 = {};
const v308 = 1;
const v312 = [13.37,13.37,13.37,13.37,13.37];
const v317 = [13.37,13.37,13.37,13.37,13.37];
const v319 = "object";
const v321 = 8;
const v322 = 0;
const v323 = 1;
// Class with empty methods; it is declared but never instantiated or referenced.
const v324 = class V324 {
    constructor(v326,v327) {
    }
    getUint32(v329,v330,v331) {
    }
    entries(v333,...v334) {
    }
};
const v335 = 1337;
const v336 = Object.__proto__;
const v337 = [1337,1337,1337,1337];
const v338 = [Function,13.37,v337,1,1,Function,v337,1,1337];
const v339 = Map;
const v341 = [1337,1337,1337,1337];
const v344 = [-2.2250738585072014e-308,13.37,13.37,-2.2250738585072014e-308];
const v345 = [1337];
const v346 = {__proto__:v79,a:v294,c:v304,constructor:v345,d:v296,e:"toString",toString:v344,valueOf:"65537"};
const v347 = Object();
const v348 = {a:Function,b:1337,constructor:13.37,e:v338,length:13.37,toString:"toString",valueOf:13.37};
const v349 = {};
const v350 = Object;
const v351 = Function();
const v352 = Object;
const v355 = [1337,1337,13.37,1337];
const v356 = {a:Function,b:1337,constructor:13.37,e:Object,length:13.37,toString:"toString",valueOf:13.37};
const v357 = {};
async function v358(v359,v360,v361,v362) {
}
const v364 = Object();
const v365 = Object();
const v366 = {};
const v371 = [13.37,13.37,13.37,13.37,13.37];
const v374 = [1337,1337,13.37,1337];
const v375 = [Function,13.37,v374,1,1,Function,v374,1,v371];
const v376 = {a:Function,b:1337,constructor:13.37,e:Object,length:13.37,toString:"toString",valueOf:13.37};
const v377 = {};
const v379 = Object();
const v384 = [13.37,13.37,13.37,13.37,13.37];
const v387 = [1337,1337,1337,1337];
const v388 = [Function,13.37,v387,1,1,Function,v387,1,1337];
const v389 = {a:Function,b:1337,constructor:13.37,e:v388,length:13.37,toString:"toString",valueOf:13.37};
const v390 = {};
const v392 = Object();
const v393 = Object();
const v394 = Symbol;
const v400 = [0];
const v402 = {apply:Object,defineProperty:Object,get:Object,getPrototypeOf:NaN,ownKeys:Array,setPrototypeOf:Object};
const v407 = [13.37,13.37,13.37,13.37,13.37];
const v410 = [1337,1337,1337,1337];
const v411 = [Function,13.37,v410,1,1,Function,v410,1,1337];
const v412 = {a:Function,b:1337,constructor:13.37,e:v411,length:13.37,toString:"toString",valueOf:13.37};
const v413 = {};
const v415 = Object();
const v416 = Object();
const v417 = {d:-536870912};
const v418 = {__proto__:v281,a:v284,b:1337};
const v423 = [13.37,13.37,13.37,13.37,13.37];
const v425 = [1337,1337,1337,1337];
const v427 = [1337,1337,1337];
const v428 = [v427,13.37,v427,3656152034,3656152034,"global",Uint8ClampedArray,v427,Uint8ClampedArray,v427];
const v429 = {__proto__:v423,c:v423,length:"global",valueOf:v428};
const v430 = [];
const v431 = v430.some;
// `in` coerces the array v425 to a property key; the result is unused.
const v432 = v425 in v417;
const v433 = Uint8ClampedArray;
const v435 = [13.37,13.37,13.37,13.37,13.37];
const v436 = "IJ8FcfXm6Z";
// eval is only captured in a binding here; it is never invoked.
const v437 = eval;
const v440 = Promise;
const v443 = [13.37,13.37,13.37,13.37];
const v445 = [1337];
const v446 = [Map,1337,8,13.37,1337];
const v447 = {__proto__:v443,a:v443,c:v445,constructor:v445,d:v446,e:"65537",toString:v443,valueOf:"65537"};
const v451 = [13.37,13.37];
const v453 = [v451];
const v454 = {__proto__:1337,a:v453,c:4096,e:NaN,toString:v21};
const v456 = JSON.stringify(v454);
// CollectGarbage is a host function that ch exposes only under -collectGarbage
// (see the follow-up comment). Used as the JSON.parse reviver it is invoked
// once per parsed value, so a collection is presumably requested from inside
// the parse; the reporter states the repro depends on exactly this pairing.
const v458 = JSON.parse(v456,CollectGarbage);
for (let v462 = 0; v462 < 4; v462++) {
}
// Declared but never instantiated or referenced.
const v464 = class V464 extends Object {
    constructor(v466,v467,v468) {
    }
    join(v470) {
    }
};
// Explicit collection after the parse. The backtrace puts the assertion on the
// recycler's background mark thread (Recycler::ThreadProc -> ProcessParallelMark
// -> MarkContext::ScanObject -> BeginDumpObject), not at a particular JS call
// site, so which of the two CollectGarbage paths trips it is not visible here.
CollectGarbage();
}
main();

backtrace:

* thread #4, stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)
    frame #0: 0x0000000102797d04 libChakraCore.dylib`Memory::RecyclerObjectGraphDumper::BeginDumpObject(this=0x00007ffeefbf8a98, objectAddress=0x0000000908229000) at RecyclerObjectGraphDumper.cpp:45:5
   42  	void RecyclerObjectGraphDumper::BeginDumpObject(void * objectAddress)
   43  	{
   44  	    Assert(dumpObjectName == nullptr);
-> 45  	    Assert(dumpObject == nullptr);
   46  	    this->dumpObject = objectAddress;
   47  	#ifdef PROFILE_RECYCLER_ALLOC
   48  	    if (recycler->trackerDictionary)
Target 0: (ch) stopped.
(lldb) bt
* thread #4, stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)
  * frame #0: 0x0000000102797d04 libChakraCore.dylib`Memory::RecyclerObjectGraphDumper::BeginDumpObject(this=0x00007ffeefbf8a98, objectAddress=0x0000000908229000) at RecyclerObjectGraphDumper.cpp:45:5
    frame #1: 0x0000000102789007 libChakraCore.dylib`void Memory::MarkContext::ScanObject<true, false>(this=0x0000700002b94d78, obj=0x0000000908229000, byteCount=96) at MarkContext.inl:149:5
    frame #2: 0x0000000102788f00 libChakraCore.dylib`void Memory::MarkContext::ProcessMark<true, false>(this=0x0000700002b94d78) at MarkContext.inl:257:21
    frame #3: 0x0000000102767966 libChakraCore.dylib`void Memory::Recycler::ProcessMarkContext<true, false>(this=0x00000001007a0058, markContext=0x00000001007a0158) at Recycler.cpp:2168:26
    frame #4: 0x0000000102767774 libChakraCore.dylib`Memory::Recycler::ProcessParallelMark(this=0x00000001007a0058, background=false, markContext=0x00000001007a0158) at Recycler.cpp:2248:15
    frame #5: 0x000000010276c9d7 libChakraCore.dylib`Memory::Recycler::DoBackgroundWork(this=0x00000001007a0058, forceForeground=false) at Recycler.cpp:6157:15
    frame #6: 0x00000001027742eb libChakraCore.dylib`Memory::Recycler::ThreadProc(this=0x00000001007a0058) at Recycler.cpp:6470:9
    frame #7: 0x00000001027722bf libChakraCore.dylib`Memory::Recycler::StaticThreadProc(lpParameter=0x00000001007a0058) at Recycler.cpp:6120:25
    frame #8: 0x000000010209da83 libChakraCore.dylib`CorUnix::CPalThread::ThreadEntry(pvParam=0x000000090780e200) at pal_thread.cpp:1605:16
    frame #9: 0x00007fff20330950 libsystem_pthread.dylib`_pthread_start + 224
    frame #10: 0x00007fff2032c47b libsystem_pthread.dylib`thread_start + 15

How to reproduce:

./build.sh -d -j
./ch -collectGarbage  poc.js

bin2415, Apr 08 '21 17:04

This can only be reproduced if CollectGarbage (a ChakraCore-specific API call available only with the -collectGarbage flag) is used as the reviver in JSON.parse. It is also triggered only if the code above it is left intact.

ppenzin, Apr 18 '21 15:04