
AssertOrFailFast in MapStFldHelper #6683

Open
bin2415 opened this issue Apr 8, 2021 · 1 comment

@bin2415

bin2415 commented Apr 8, 2021

PoC:

function main() {
    do {
        // Nested function with block-scoped const declarations. It is never
        // called; it is only stored as a property further down.
        function v2(v3,v4,v5,v6,v7) {
            const v15 = [13.37,13.37,13.37,13.37];
            const v16 = v15[13.37];
            const v17 = eval(1,..."ignoreCase",v16,..."pS1LFZI9uc",1);
        }
        // Block-scoped consts inside the loop body: these are the stores that
        // reach LowerStFld with HelperOp_InitConstFld in the backtrace below.
        const v19 = [13.37,13.37,13.37,13.37,13.37];
        const v20 = v19.concat();
        v19.valueOf = v2;
    } while (0 <= 255); // always true: the body stays hot until the background JIT lowers it and hits the assert
}
main();

backtrace:

* thread #5, stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)
    frame #0: 0x000000010257ce19 libChakraCore.dylib`Lowerer::MapStFldHelper(this=0x000070000783ae88, propertySymOpnd=0x0000000907af4d98, helperMethod=0x0000700007839214, polymorphicHelperMethod=0x0000700007839210) at Lower.cpp:7221:17
   7218	                // an object that does.
   7219	                break;
   7220	            default:
-> 7221	                AssertOrFailFast(false);
   7222	                break;
   7223	        }
   7224	    }
Target 0: (ch) stopped.
(lldb) bt
* thread #5, stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)
  * frame #0: 0x000000010257ce19 libChakraCore.dylib`Lowerer::MapStFldHelper(this=0x000070000783ae88, propertySymOpnd=0x0000000907af4d98, helperMethod=0x0000700007839214, polymorphicHelperMethod=0x0000700007839210) at Lower.cpp:7221:17
    frame #1: 0x000000010253ccfc libChakraCore.dylib`Lowerer::LowerStFld(this=0x000070000783ae88, stFldInstr=0x0000000907afe6e0, helperMethod=HelperOp_InitConstFld, polymorphicHelperMethod=HelperOp_InitConstFld, withInlineCache=false, labelBailOut=0x0000000000000000, isHelper=false, withPutFlags=false, flags=PropertyOperation_None) at Lower.cpp:7101:13
    frame #2: 0x000000010253a1d5 libChakraCore.dylib`Lowerer::LowerRange(this=0x000070000783ae88, instrStart=0x0000000907af2170, instrEnd=0x0000000907af21d0, defaultDoFastPath=true, defaultDoLoopFastPath=true) at Lower.cpp:2542:13
    frame #3: 0x00000001025300b3 libChakraCore.dylib`Lowerer::Lower(this=0x000070000783ae88) at Lower.cpp:104:11
    frame #4: 0x00000001022ac97e libChakraCore.dylib`Func::TryCodegen(this=0x000070000783b150) at Func.cpp:475:17
    frame #5: 0x00000001022abfef libChakraCore.dylib`Func::Codegen(alloc=0x000070000783b6e0, workItem=0x0000000907ae1030, threadContextInfo=0x000000010080fc58, scriptContextInfo=0x0000000100817058, outputData=0x000070000783bb20, epInfo=0x00000009077f3200, runtimeInfo=0x0000000000000000, polymorphicInlineCacheInfo=0x0000000907aa6920, codeGenAllocators=0x0000000100819a58, codeGenProfiler=0x0000000000000000, isBackgroundJIT=true) at Func.cpp:325:18
    frame #6: 0x00000001025fd931 libChakraCore.dylib`NativeCodeGenerator::CodeGen(this=0x0000000100308cc8, pageAllocator=0x0000000100309498, workItemData=0x0000000100607310, jitWriteData=0x000070000783bb20, foreground=false, epInfo=0x00000009077f3200) at NativeCodeGenerator.cpp:890:9
    frame #7: 0x00000001026000b8 libChakraCore.dylib`NativeCodeGenerator::CodeGen(this=0x0000000100308cc8, pageAllocator=0x0000000100309498, workItem=0x00000001006072e8, foreground=false) at NativeCodeGenerator.cpp:1007:5
    frame #8: 0x0000000102603777 libChakraCore.dylib`NativeCodeGenerator::Process(this=0x0000000100308cc8, job=0x00000001006072f0, threadData=0x0000000100309478) at NativeCodeGenerator.cpp:1895:13
    frame #9: 0x00000001026b8541 libChakraCore.dylib`JsUtil::BackgroundJobProcessor::Process(this=0x0000000100308e38, job=0x00000001006072f0, threadData=0x0000000100309478) at Jobs.cpp:1037:36
    frame #10: 0x00000001026b8b26 libChakraCore.dylib`JsUtil::BackgroundJobProcessor::Run(this=0x0000000100308e38, threadData=0x0000000100309478) at Jobs.cpp:1135:44
    frame #11: 0x00000001026b6062 libChakraCore.dylib`JsUtil::BackgroundJobProcessor::StaticThreadProc(lpParam=0x0000000100309478) at Jobs.cpp:1319:20
    frame #12: 0x00000001020dda83 libChakraCore.dylib`CorUnix::CPalThread::ThreadEntry(pvParam=0x0000000100818600) at pal_thread.cpp:1605:16
    frame #13: 0x00007fff20330950 libsystem_pthread.dylib`_pthread_start + 224
    frame #14: 0x00007fff2032c47b libsystem_pthread.dylib`thread_start + 15

It is reproducible both in Release and Debug mode.

@rhuanjl
Collaborator

rhuanjl commented Apr 14, 2021

I think this is a duplicate of #6637; it's the same AssertOrFailFast, and in both cases InitConst gets to a place it doesn't belong.
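The duplicate call above is the kind of triage decision that crash bucketing automates: two fuzzer crashes count as the same bug when they stop on the same assert through the same call path, however the addresses differ between runs. The Python below is an added example of that bucketing for lldb `bt` output; it is not ChakraCore code and not part of this issue. `ISSUE_BT` is copied from the backtrace above (frames 5 to 12 dropped to keep the constant short); `rerun_variant` and `without_top_frame` are constructed perturbations of it, and the frame depth of 5 and the 16-hex-digit bucket id are arbitrary choices.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Backtrace copied from this issue; frames 5-12 omitted (the parser does not
# need a contiguous index range).
ISSUE_BT = """\
* thread #5, stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)
  * frame #0: 0x000000010257ce19 libChakraCore.dylib`Lowerer::MapStFldHelper(this=0x000070000783ae88, propertySymOpnd=0x0000000907af4d98, helperMethod=0x0000700007839214, polymorphicHelperMethod=0x0000700007839210) at Lower.cpp:7221:17
    frame #1: 0x000000010253ccfc libChakraCore.dylib`Lowerer::LowerStFld(this=0x000070000783ae88, stFldInstr=0x0000000907afe6e0, helperMethod=HelperOp_InitConstFld, polymorphicHelperMethod=HelperOp_InitConstFld, withInlineCache=false, labelBailOut=0x0000000000000000, isHelper=false, withPutFlags=false, flags=PropertyOperation_None) at Lower.cpp:7101:13
    frame #2: 0x000000010253a1d5 libChakraCore.dylib`Lowerer::LowerRange(this=0x000070000783ae88, instrStart=0x0000000907af2170, instrEnd=0x0000000907af21d0, defaultDoFastPath=true, defaultDoLoopFastPath=true) at Lower.cpp:2542:13
    frame #3: 0x00000001025300b3 libChakraCore.dylib`Lowerer::Lower(this=0x000070000783ae88) at Lower.cpp:104:11
    frame #4: 0x00000001022ac97e libChakraCore.dylib`Func::TryCodegen(this=0x000070000783b150) at Func.cpp:475:17
    frame #13: 0x00007fff20330950 libsystem_pthread.dylib`_pthread_start + 224
    frame #14: 0x00007fff2032c47b libsystem_pthread.dylib`thread_start + 15
"""

# "frame #N: 0xADDR module`rest"; a leading "*" marks the selected frame.
_FRAME_RE = re.compile(r"^\s*\*?\s*frame #(?P<idx>\d+): 0x[0-9a-fA-F]+ (?P<module>[^`]+)`(?P<rest>.*)$")
# Trailing " at file:LINE[:COL]" that lldb prints when debug info is present.
_LOC_RE = re.compile(r" at (?P<file>[^\s:]+):(?P<line>\d+)(?::\d+)?\s*$")
_STOP_RE = re.compile(r"stop reason = (?P<reason>[A-Z_]+)")


@dataclass(frozen=True)
class Frame:
    index: int
    module: str
    func: str             # symbol with its argument list / "+ offset" stripped
    file: Optional[str]   # None for frames without debug info
    line: Optional[int]


def parse_backtrace(text: str) -> List[Frame]:
    """Frames of an lldb `bt`, ordered from frame #0 outward."""
    frames = []
    for raw in text.splitlines():
        m = _FRAME_RE.match(raw)
        if not m:
            continue  # stop line, "(lldb) bt", source listing, etc.
        rest = m.group("rest")
        loc = _LOC_RE.search(rest)
        # The symbol ends at the argument list "(" or at a "+ offset" suffix.
        func = re.split(r"\(| \+ ", rest, maxsplit=1)[0].strip()
        frames.append(Frame(int(m.group("idx")), m.group("module").strip(), func,
                            loc.group("file") if loc else None,
                            int(loc.group("line")) if loc else None))
    return sorted(frames, key=lambda f: f.index)


def stop_reason(text: str) -> Optional[str]:
    m = _STOP_RE.search(text)
    return m.group("reason") if m else None


def frame_signature(frames: List[Frame], depth: int = 5, with_lines: bool = True) -> str:
    """Readable bucket key: the top `depth` frames as func@file:line."""
    parts = []
    for f in frames[:depth]:
        parts.append(f"{f.func}@{f.file}:{f.line}" if with_lines and f.file else f.func)
    return " <- ".join(parts)


def bucket_id(text: str, depth: int = 5, with_lines: bool = True) -> str:
    """Stable short hash of stop reason + signature; addresses never enter it."""
    key = f"{stop_reason(text)}|{frame_signature(parse_backtrace(text), depth, with_lines)}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def rerun_variant(text: str) -> str:
    """Constructed: the same crash on another run (new addresses, thread, pointer args)."""
    return re.sub(r"0x[0-9a-fA-F]+", "0x1", text).replace("thread #5", "thread #11")


def without_top_frame(text: str) -> str:
    """Constructed: a different crash that unwinds from LowerStFld instead."""
    return "\n".join(l for l in text.splitlines() if "frame #0:" not in l)


if __name__ == "__main__":
    frames = parse_backtrace(ISSUE_BT)
    print(frame_signature(frames, depth=3))
    print(bucket_id(ISSUE_BT), bucket_id(rerun_variant(ISSUE_BT)), bucket_id(without_top_frame(ISSUE_BT)))
```

Keying on file:line keeps the bucket tight to one assert site, which is what "the same AssertOrFailFast" means here; passing `with_lines=False` gives a coarser bucket that survives line drift between builds, at the cost of merging different asserts in the same function.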
