
Assertion failure (`Assert(canSetField)`) in `Js::InlineCache::TrySetProperty`

Open bin2415 opened this issue 4 years ago • 0 comments

PoC:

function main() {
// A plain object whose `constructor` property is a string rather than a function.
// It becomes the prototype of every function object created in the loop below.
const v2 = {constructor:"ffsJvcB1uX"};
// v5 goes 1, -1, -3, ... so `v5 < 6` never becomes false: the body repeats until the
// engine traps. The backtrace shows the trap on the profiled property-store path
// (ProfiledStFld -> CacheOperators::TrySetProperty -> InlineCache::TrySetProperty),
// so the repetition is presumably what populates the inline cache before the
// failing store — confirm by reducing the loop count.
for (let v5 = 1; v5 < 6; v5 = v5 + -2) {
    // Fresh function object from the Function constructor (no source text).
    const v8 = Function();
    // Swap the function's prototype chain for the plain object above.
    v8.__proto__ = v2;
    // 4294967297 is 2^32 + 1, above the maximum array index (2^32 - 2), so this is a
    // named-property store under the key "4294967297", not an indexed store.
    v8[4294967297] = parseFloat;
    const v9 = {};
    // Store to the function's own `length`, which is non-writable per the language
    // spec; in sloppy mode the assignment is silently dropped. The trace asserts on
    // `canSetField` inside InlineCache::TrySetProperty — presumably this store, but
    // the trace only shows propertyId=206, not the property name; verify by bisection.
    v8.length = v9;
}
}
// Run the PoC; on a debug build the backtrace below shows the trap in
// Js::InlineCache::TrySetProperty (InlineCache.inl:240).
main();

Backtrace:

* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)
    frame #0: 0x0000000104eb7ce0 libChakraCore.dylib`bool Js::InlineCache::TrySetProperty<true, true, true, true>(this=0x000000010318aef0, object=0x00000001031e69b0, propertyId=206, propertyValue=0x0000000103544740, requestContext=0x0000000100811658, operationInfo=0x00007ffeefbfb8d0, propertyOperationFlags=PropertyOperation_None) at InlineCache.inl:240:13
   237 	                operationInfo->cacheType = CacheType_Local;
   238 	                operationInfo->slotType = SlotType_Aux;
   239 	            }
-> 240 	            Assert(canSetField);
   241 	            return true;
   242 	        }
   243
Target 0: (ch) stopped.
(lldb) bt 20
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)
  * frame #0: 0x0000000104eb7ce0 libChakraCore.dylib`bool Js::InlineCache::TrySetProperty<true, true, true, true>(this=0x000000010318aef0, object=0x00000001031e69b0, propertyId=206, propertyValue=0x0000000103544740, requestContext=0x0000000100811658, operationInfo=0x00007ffeefbfb8d0, propertyOperationFlags=PropertyOperation_None) at InlineCache.inl:240:13
    frame #1: 0x0000000104ede3f5 libChakraCore.dylib`bool Js::CacheOperators::TrySetProperty<true, true, true, true, true, true, false, true>(object=0x00000001031e69b0, isRoot=false, propertyId=206, propertyValue=0x0000000103544740, requestContext=0x0000000100811658, propertyOperationFlags=PropertyOperation_None, operationInfo=0x00007ffeefbfb8d0, propertyValueInfo=0x00007ffeefbfb890) at CacheOperators.inl:157:34
    frame #2: 0x0000000104edcee8 libChakraCore.dylib`void Js::ProfilingHelpers::ProfiledStFld<false>(instance=0x00000001031e69b0, propertyId=206, inlineCache=0x000000010318aef0, inlineCacheIndex=2, value=0x0000000103544740, flags=PropertyOperation_None, scriptFunction=0x00000001031e6780, thisInstance=0x00000001031e69b0) at ProfilingHelpers.cpp:1249:17
    frame #3: 0x0000000104e2efcb libChakraCore.dylib`void Js::InterpreterStackFrame::ProfiledSetProperty<Js::OpLayoutT_ElementCP<Js::LayoutSizePolicy<(Js::LayoutSize)0> > const __unaligned, false>(this=0x00007ffeefbfc9d0, playout=0x000000010356805a, instance=0x00000001031e69b0, flags=PropertyOperation_None)0> > const __unaligned __unaligned*, void*, Js::PropertyOperationFlags) at InterpreterStackFrame.cpp:4697:9
    frame #4: 0x0000000104d05df4 libChakraCore.dylib`void Js::InterpreterStackFrame::OP_ProfiledSetProperty<Js::OpLayoutT_ElementCP<Js::LayoutSizePolicy<(Js::LayoutSize)0> > const __unaligned>(this=0x00007ffeefbfc9d0, playout=0x000000010356805a)0> > const __unaligned __unaligned*) at InterpreterStackFrame.cpp:4752:9
    frame #5: 0x0000000104cfdd4c libChakraCore.dylib`Js::InterpreterStackFrame::ProcessProfiled(this=0x00007ffeefbfc9d0) at InterpreterHandler.inl:202:3
    frame #6: 0x0000000104c93804 libChakraCore.dylib`Js::InterpreterStackFrame::Process(this=0x00007ffeefbfc9d0) at InterpreterStackFrame.cpp:3472:20
    frame #7: 0x0000000104c9230c libChakraCore.dylib`Js::InterpreterStackFrame::InterpreterHelper(function=0x00000001031e6780, args=ArgumentReader @ 0x00007ffeefbfcf30, returnAddress=0x0000000103580f9a, addressOfReturnAddress=0x00007ffeefbfcf78, asmJsReturn=0x0000000000000000) at InterpreterStackFrame.cpp:2153:40
    frame #8: 0x0000000104c91390 libChakraCore.dylib`Js::InterpreterStackFrame::InterpreterThunk(layout=0x00007ffeefbfcf90) at InterpreterStackFrame.cpp:1833:16
    frame #9: 0x0000000103580f9a
    frame #10: 0x000000010540d14e libChakraCore.dylib`amd64_CallFunction at JavascriptFunctionA.S:100
    frame #11: 0x00000001050c625b libChakraCore.dylib`void* Js::JavascriptFunction::CallFunction<true>(function=0x00000001031e6780, entryPoint=(libChakraCore.dylib`NativeCodeGenerator::CheckCodeGenThunk(Js::RecyclableObject*, Js::CallInfo, ...)), args=Arguments @ 0x00007ffeefbfd0c0, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
    frame #12: 0x0000000104e2bd8f libChakraCore.dylib`void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(this=0x00007ffeefbfe290, playout=0x000000010318cdd0, function=0x00000001031e6780, flags=16, spreadIndices=0x0000000000000000)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) at InterpreterStackFrame.cpp:3973:21
    frame #13: 0x0000000104e2b881 libChakraCore.dylib`void Js::InterpreterStackFrame::OP_ProfileCallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(this=0x00007ffeefbfe290, playout=0x000000010318cdd0, function=0x00000001031e6780, flags=0, profileId=0, inlineCacheIndex=0, spreadIndices=0x0000000000000000)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, unsigned short, unsigned int, Js::AuxArray<unsigned int> const*) at InterpreterStackFrame.cpp:4016:9
    frame #14: 0x0000000104d04ce8 libChakraCore.dylib`void Js::InterpreterStackFrame::OP_ProfiledCallIWithICIndex<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > >(this=0x00007ffeefbfe290, playout=0x000000010318cdd0)0> > > const __unaligned*) at InterpreterStackFrame.h:520:115
    frame #15: 0x0000000104cf9806 libChakraCore.dylib`Js::InterpreterStackFrame::ProcessProfiled(this=0x00007ffeefbfe290) at InterpreterHandler.inl:91:3
    frame #16: 0x0000000104c93804 libChakraCore.dylib`Js::InterpreterStackFrame::Process(this=0x00007ffeefbfe290) at InterpreterStackFrame.cpp:3472:20
    frame #17: 0x0000000104c9230c libChakraCore.dylib`Js::InterpreterStackFrame::InterpreterHelper(function=0x00000001031e6730, args=ArgumentReader @ 0x00007ffeefbfe780, returnAddress=0x0000000103580fa2, addressOfReturnAddress=0x00007ffeefbfe7c8, asmJsReturn=0x0000000000000000) at InterpreterStackFrame.cpp:2153:40
    frame #18: 0x0000000104c91390 libChakraCore.dylib`Js::InterpreterStackFrame::InterpreterThunk(layout=0x00007ffeefbfe7e0) at InterpreterStackFrame.cpp:1833:16
    frame #19: 0x0000000103580fa2

How to reproduce:

- ./build.sh -d -j   (debug build: the trace ends at an `Assert`, so whether a release build is affected is not established by this report)
- ch poc.js          (poc.js holds the PoC above; treat it as an untrusted crash input and run it in an isolated environment)
