Assertion Failure in `FuncInfo::FindOrAddRootObjectInlineCacheId`
PoC:
// Reproducer from the report: run it as `./ch -collectGarbage poc.js` (see the
// steps below). On a debug build the byte-code generator trips
// `Assert(propertyId != Js::Constants::NoProperty)` in
// FuncInfo::FindOrAddRootObjectInlineCacheId; the backtrace shows that path
// being reached from DeferredParse -> GenerateByteCode -> EmitCall ->
// EmitMethodFld with propertyId=-1 and isRoot=true. Which call site ends up
// with the -1 property id is not visible from the trace alone — TODO confirm.
function main() {
    // Empty try: nothing can throw, so the catch body never runs and the
    // undeclared `isConcatSpreadable` is never looked up at runtime.
    // Presumably the construct survived reduction because it matters at
    // parse/emit time rather than at execution — verify by removing it.
    try {
    } catch(v1) {
        if (isConcatSpreadable) {
        } else {
        }
    }
    // Source text for the eval below. Everything between the backticks is a
    // string literal and part of the reproducer; keep it verbatim.
    const v2 = `
let v3 = 0;
while (v3 < 10) {
const v8 = [1337,1337,1337,1337];
const v9 = v8.reduceRight(CollectGarbage);
const v10 = v3++;
}
function v11(v12) {
}
const v13 = v11;
const v16 = [13.37];
function v17(v18,v19) {
const v22 = v17(v16,"EPSILON",1337,13.37);
}
const v23 = v17();
v13;
`;
    // `v24` merely aliases eval, so `v24(v2)` is an indirect eval: the text is
    // evaluated in global scope, not inside main's scope.
    let v24 = eval;
    const v25 = v24(v2);
    // Never instantiated anywhere in the PoC; the constructor would only
    // rebind `v24` to the class itself, and `fround` is an empty method.
    const v26 = class V26 {
        constructor(v28,v29,v30) {
            v24 = v26;
        }
        fround(v32,v33,v34) {
        }
    };
    // Host function exposed by `ch` (also used inside the eval'd text as the
    // callback of `v8.reduceRight`).
    CollectGarbage();
}
main(); // entry point of the reproducer; the assertion fires while this runs
Backtrace:
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)
frame #0: 0x0000000102a90395 libChakraCore.dylib`FuncInfo::FindOrAddRootObjectInlineCacheId(this=0x00000009083503f0, propertyId=-1, isLoadMethod=true, isStore=false) at FuncInfo.cpp:217:5
214
215 uint FuncInfo::FindOrAddRootObjectInlineCacheId(Js::PropertyId propertyId, bool isLoadMethod, bool isStore)
216 {
-> 217 Assert(propertyId != Js::Constants::NoProperty);
218 Assert(!isLoadMethod || !isStore);
219 uint cacheId;
220 RootObjectInlineCacheIdMap * idMap = isStore ? rootObjectStoreInlineCacheMap : isLoadMethod ? rootObjectLoadMethodInlineCacheMap : rootObjectLoadInlineCacheMap;
Target 0: (ch) stopped.
(lldb) bt 20
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)
* frame #0: 0x0000000102a90395 libChakraCore.dylib`FuncInfo::FindOrAddRootObjectInlineCacheId(this=0x00000009083503f0, propertyId=-1, isLoadMethod=true, isStore=false) at FuncInfo.cpp:217:5
frame #1: 0x0000000102986b4a libChakraCore.dylib`EmitMethodFld(isRoot=true, isScoped=false, location=4, callObjLocation=4294967293, propertyId=-1, byteCodeGenerator=0x00007ffeefbf8a10, funcInfo=0x00000009083503f0, registerCacheIdForCall=true) at ByteCodeEmitter.cpp:7895:34
frame #2: 0x0000000102986c9e libChakraCore.dylib`EmitMethodFld(pnode=0x000000090834eb20, callObjLocation=4294967293, propertyId=-1, byteCodeGenerator=0x00007ffeefbf8a10, funcInfo=0x00000009083503f0, registerCacheIdForCall=true) at ByteCodeEmitter.cpp:7908:5
frame #3: 0x0000000102987892 libChakraCore.dylib`EmitCallTarget(pnodeTarget=0x000000090834eb20, fSideEffectArgs=NO, thisLocation=0x00007ffeefbf6f50, releaseThisLocation=0x00007ffeefbf6f21, callObjLocation=0x00007ffeefbf6f4c, byteCodeGenerator=0x00007ffeefbf8a10, funcInfo=0x00000009083503f0, callApplyCallSiteId=0x00007ffeefbf6f1e) at ByteCodeEmitter.cpp:8170:17
frame #4: 0x00000001029720ed libChakraCore.dylib`EmitCall(pnodeCall=0x000000090834ec60, byteCodeGenerator=0x00007ffeefbf8a10, funcInfo=0x00000009083503f0, fReturnValue=NO, fEvaluateComponents=YES, overrideThisLocation=4294967295, newTargetLocation=4294967295) at ByteCodeEmitter.cpp:8575:13
frame #5: 0x000000010296672c libChakraCore.dylib`Emit(pnode=0x000000090834ec60, byteCodeGenerator=0x00007ffeefbf8a10, funcInfo=0x00000009083503f0, fReturnValue=NO, isConstructorCall=false, isTopLevel=false) at ByteCodeEmitter.cpp:11573:17
frame #6: 0x0000000102967c70 libChakraCore.dylib`Emit(pnode=0x000000090834ea50, byteCodeGenerator=0x00007ffeefbf8a10, funcInfo=0x00000009083503f0, fReturnValue=NO, isConstructorCall=false, isTopLevel=true) at ByteCodeEmitter.cpp:11913:17
frame #7: 0x0000000102964adf libChakraCore.dylib`ByteCodeGenerator::EmitTopLevelStatement(this=0x00007ffeefbf8a10, stmt=0x000000090834ea50, funcInfo=0x00000009083503f0, fReturnValue=NO) at ByteCodeEmitter.cpp:984:5
frame #8: 0x000000010297467c libChakraCore.dylib`ByteCodeGenerator::EmitFunctionBody(this=0x00007ffeefbf8a10, funcInfo=0x00000009083503f0) at ByteCodeEmitter.cpp:2557:9
frame #9: 0x00000001029771c3 libChakraCore.dylib`ByteCodeGenerator::EmitOneFunction(this=0x00007ffeefbf8a10, pnodeFnc=0x000000090834e450) at ByteCodeEmitter.cpp:3123:13
frame #10: 0x0000000102974cd0 libChakraCore.dylib`ByteCodeGenerator::EmitScopeList(this=0x00007ffeefbf8a10, pnode=0x000000090834e450, breakOnBodyScopeNode=0x0000000000000000) at ByteCodeEmitter.cpp:3436:23
frame #11: 0x0000000102974de5 libChakraCore.dylib`ByteCodeGenerator::EmitScopeList(this=0x00007ffeefbf8a10, pnode=0x000000090834e170, breakOnBodyScopeNode=0x0000000000000000) at ByteCodeEmitter.cpp:3449:19
frame #12: 0x0000000102974a86 libChakraCore.dylib`ByteCodeGenerator::EmitProgram(this=0x00007ffeefbf8a10, pnodeProg=0x000000090834e030) at ByteCodeEmitter.cpp:2587:15
frame #13: 0x00000001029af34b libChakraCore.dylib`ByteCodeGenerator::Generate(pnodeProg=0x000000090834e030, grfscr=8390706, byteCodeGenerator=0x00007ffeefbf8a10, ppRootFunc=0x00007ffeefbf8f10, sourceIndex=1, forceNoNative=false, parser=0x00007ffeefbf9080, functionRef=0x00007ffeefbf9c10) at ByteCodeGenerator.cpp:2045:24
frame #14: 0x00000001029b414a libChakraCore.dylib`GenerateByteCode(pnode=0x000000090834e030, grfscr=8390706, scriptContext=0x000000010180f458, ppRootFunc=0x00007ffeefbf8f10, sourceIndex=1, forceNoNative=false, parser=0x00007ffeefbf9080, pse=0x00007ffeefbf8f38, parentScopeInfo=0x00000009076e1bd0, functionRef=0x00007ffeefbf9c10) at ByteCodeGenerator.cpp:2220:9
frame #15: 0x00000001027f95a0 libChakraCore.dylib`Js::ParseableFunctionInfo::Parse(this=0x000000090832bd80, functionRef=0x00007ffeefbf9c10, isByteCodeDeserialization=false) at FunctionBody.cpp:2529:46
frame #16: 0x00000001030c86b8 libChakraCore.dylib`Js::JavascriptFunction::DeferredParseCore(functionRef=0x00007ffeefbf9c10, fParsed=254) at JavascriptFunction.cpp:1667:38
frame #17: 0x00000001030c85f9 libChakraCore.dylib`Js::JavascriptFunction::DeferredParse(functionRef=0x00007ffeefbf9c10) at JavascriptFunction.cpp:1653:16
frame #18: 0x000000010340d1d0 libChakraCore.dylib`Js::JavascriptFunction::DeferredParsingThunk(Js::RecyclableObject*, Js::CallInfo, ...) at JavascriptFunctionA.S:197
frame #19: 0x000000010340d14e libChakraCore.dylib`amd64_CallFunction at JavascriptFunctionA.S:100
How to reproduce it:
- ./build.sh -d -j
- ./ch -collectGarbage poc.js
Note: severity 2, because:
- weird/unlikely code pattern
- long-standing bug; it has not been introduced by any recent change
- non-fatal error in release build