[FatalInternalError] ReportFatalException14 #6637

Open
bird8693 opened this issue Mar 16, 2021 · 3 comments

@bird8693

environment

ubuntu 18

poc

function opt(index) {
    var flag = 0;
    var tmp = new String('aa');
    tmp.x = 2;
    var i = 0;
    function test() {
        testDate('0001-10-13T05:16:33Z');
        testDate('0011-10-13T05:16:33Z');
        var hiddenValue = getHiddenValue();
        var result;
        testDate('0111-10-13T05:16:33Z');
        testDate('1111-10-13T05:16:33Z');
        testDate('-000001-11-13T19:40:33Z');
        testDate('-000011-11-13T19:40:33Z');
        testDate('-000111-11-13T19:40:33Z');
        testDate('-001111-11-13T19:40:33Z');
    }
    var ary_3 = [
        1.1,
        2.2,
        3.3
    ];
    var error = null;
    var DjjB = tmp.trimLeft();
    var test12 = new Int32Array(0);
    once = 1;
    var i = 0;
    var go = function (a, b, c) {
        a[0] = 1.1;
        a[1] = 2.2;
        [...c];
        var fun = eval(str);
        b[0] = a[0];
        a[2] = 2.3023e-320;
    };
    for (let useless in tmp) {
        if (once) {
            var go = function (a, b, c) {
                a[0] = 1.1;
                a[1] = 2.2;
                [...c];
                b[0] = a[0];
                a[2] = 2.3023e-320;
            };
            delete tmp.x;
            var fun = eval(str);
            var object = {};
            var i = 0.26279099966609487;
            var f64_1 = new Float64Array(16);
            once = 0.2969306068681026;
        }
        var z = cache.push(i, String() * 42);
        tmp.y = index;
        for (var ijjkkk = 0; ijjkkk < 594; ++ijjkkk) {
            var KaRd = Symbol;
        }
        tmp.x = 1;
    }
    return [
        1,
        tmp.x - 524286
    ];
}
var cache = [];
for (let i = 0; i < 561; i++) {
    opt(1);
}
evil = opt(0);
function shouldBe(actual, expected) {
    ;
}
var str = 'class x extends Array{}';
var f64_1 = new Float64Array(16);
evil[0] = 1.1;

callstack

[#0] 0x555555d59fac → DebugBreak()
[#1] 0x555555d59fac → ReportFatalException(context=<optimized out>, exceptionCode=<optimized out>, reasonCode=<optimized out>, scenario=<optimized out>)
[#2] 0x555555d5a709 → Js::Throw::FatalInternalError(hr=0x7d7f7de0)
[#3] 0x555558643c89 → Lowerer::MapStFldHelper(this=<optimized out>, propertySymOpnd=<optimized out>, helperMethod=@0x7ff7ebffc6c0, polymorphicHelperMethod=@0x7ff7ebffc6d0)
[#4] 0x5555585bb33a → Lowerer::LowerStFld(this=<optimized out>, stFldInstr=<optimized out>, helperMethod=<optimized out>, polymorphicHelperMethod=<optimized out>, withInlineCache=0x0, labelBailOut=0x0, isHelper=<optimized out>, withPutFlags=<optimized out>, flags=<optimized out>)
[#5] 0x5555585a6efc → Lowerer::LowerRange(this=0x7ff7ebffd490, instrStart=<optimized out>, instrEnd=<optimized out>, defaultDoFastPath=<optimized out>, defaultDoLoopFastPath=0x0)
[#6] 0x55555859d345 → Lowerer::Lower(this=0x7ff7ebffd490)
[#7] 0x55555814f951 → Func::TryCodegen(this=<optimized out>)
[#8] 0x55555814d944 → Func::Codegen(alloc=0x7ff7ebffe6c0, workItem=0x7ffff1fc1030, threadContextInfo=0x622000000140, scriptContextInfo=0x61a000000680, outputData=0x7ff7ebffe8e0, epInfo=0x7ffff23c58c0, runtimeInfo=<optimized out>, polymorphicInlineCacheInfo=<optimized out>, codeGenAllocators=<optimized out>, codeGenProfiler=<optimized out>, isBackgroundJIT=<optimized out>)
[#9] 0x555557e4d330 → NativeCodeGenerator::CodeGen(this=<optimized out>, pageAllocator=<optimized out>, workItemData=0xc2200000061, jitWriteData=@0x7ff7ebffe8e0, foreground=0x0, epInfo=0x7ffff23c58c0)

@ppenzin ppenzin changed the title ReportFatalException14 [FatalInternalError] ReportFatalException14 Mar 17, 2021
@rhuanjl
Collaborator

rhuanjl commented Mar 25, 2021

I'll look at this one.

@rhuanjl rhuanjl self-assigned this Mar 25, 2021
@rhuanjl
Collaborator

rhuanjl commented Mar 28, 2021

Here's a reduction:

function opt() {
  var tmp = new String('aa');
  tmp.x = 2;

  for (let useless in tmp) {
      delete tmp.x;
      eval('class x extends Array{}');
      tmp.y = 1;
      tmp.x = 1;
  }
}

for (var i = 0; i < 561; i++) {
  opt();
}

The crash is something to do with jitting the let useless statement inside the loop control block BUT only occurs with all of the other components present (the deletion, the assignments AND the eval).

The same assertion is hit if you switch to const useless BUT the code can run to completion if it's var useless.
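
Added example, not part of the thread or of ChakraCore's test suite: an ablation harness that rebuilds the reduction above with each loop binding (let, const, var) and every subset of the four body statements, runs each variant 561 times, and checks that the three bindings leave tmp in the same state. PARTS, buildVariant and runMatrix are names made up here; it assumes the host shell provides console.log, and that functions built with new Function reach the same JIT path as the hand-written reduction.

```javascript
// Added example: ablation matrix over the reduced test case (illustrative names throughout).
const PARTS = {
  del: 'delete tmp.x;',
  evalClass: "eval('class x extends Array{}');",
  setY: 'tmp.y = 1;',
  setX: 'tmp.x = 1;',
};
const BINDINGS = ['let', 'const', 'var'];
const WARMUP = 561; // same call count the report uses before the JIT kicks in

// Build opt() with the chosen loop binding and only the parts whose bit is set in mask.
function buildVariant(binding, mask) {
  const names = Object.keys(PARTS).filter((_, bit) => mask & (1 << bit));
  const body = names.map((n) => PARTS[n]).join(' ');
  const fn = new Function(`
    var tmp = new String('aa');
    tmp.x = 2;
    for (${binding} useless in tmp) { ${body} }
    return [tmp.x, tmp.y];`);
  return { label: `${binding} [${names.join(',') || 'none'}]`, fn };
}

// Run every variant WARMUP times and record the final [tmp.x, tmp.y] state.
// The binding kind must not change that state, so the three forms have to agree.
function runMatrix(log = () => {}) {
  const rows = [];
  for (let mask = 0; mask < 1 << Object.keys(PARTS).length; mask++) {
    const states = BINDINGS.map((binding) => {
      const { label, fn } = buildVariant(binding, mask);
      log(`running ${label}`); // if the engine fail-fasts, the last line names the variant
      let state;
      for (let i = 0; i < WARMUP; i++) state = JSON.stringify(fn());
      return state;
    });
    rows.push({ mask, states, agree: states.every((s) => s === states[0]) });
  }
  return rows;
}

const matrix = runMatrix(console.log);
console.log(matrix.filter((r) => !r.agree).length, 'bodies where let/const/var disagree');
```

A fatal internal error terminates the process, so the remaining variants never run; running one variant per process gives a complete matrix.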

@ppenzin ppenzin added Bug and removed Needs Triage labels Apr 1, 2021
@ppenzin
Member

ppenzin commented Apr 1, 2021

Neat - thanks for reducing! I don't know what the severity should be on this, left out for now.
