chakra-core / ChakraCore

ChakraCore is an open source Javascript engine with a C API.
MIT License

ASSERTION (skipAssert || value == nullptr || *value == property) failed in Js::JavascriptOperators::GetProperty_Internal #6010

Open renatahodovan opened 5 years ago

renatahodovan commented 5 years ago
ChakraCore version:
Checked revision: a247f4f3c
Build command: ./build.sh --debug
OS:
Linux-4.15.0-43-generic-x86_64-with-Ubuntu-18.04-bionic
Test case:
var obj = {};
Object.defineProperty(obj, "test", {
    get: function() {
        // The getter mutates the object it is being read from:
        // it removes the accessor (allowed, since it is configurable)
        // and replaces it with a plain data property.
        delete obj.test;
        obj.test = 0;
        // Return a fresh object whose prototype is the receiver.
        return Object.create(this);
    },
    configurable: true
});

// Reading obj.test runs the getter above; the assertion fires inside this property lookup.
WScript(obj.test);
Backtrace:
ASSERTION 15161: (ChakraCore/lib/Runtime/Language/JavascriptOperators.cpp, line 1931) skipAssert || value == nullptr || *value == property
 Failure: (skipAssert || value == nullptr || *value == property)

Thread 1 "ch" received signal SIGILL, Illegal instruction.
0x00007ffff35e0c90 in Js::JavascriptOperators::GetProperty_Internal<false> (instance=0x7ffff7ea52a0, propertyObject=
    0x7ffff7ea52a0, isRoot=false, propertyId=346, value=0x7fffffff8fd8, requestContext=0x5555561b2ac8, info=0x7fffffff9028)
    at ChakraCore/lib/Runtime/Language/JavascriptOperators.cpp:1931
1931                        Assert(skipAssert || value == nullptr || *value == property);
(gdb) bt
#0  0x00007ffff35e0c90 in Js::JavascriptOperators::GetProperty_Internal<false> (instance=0x7ffff7ea52a0, 
    propertyObject=0x7ffff7ea52a0, isRoot=false, propertyId=346, value=0x7fffffff8fd8, requestContext=0x5555561b2ac8, 
    info=0x7fffffff9028) at ChakraCore/lib/Runtime/Language/JavascriptOperators.cpp:1931
#1  0x00007ffff35b2503 in Js::JavascriptOperators::GetProperty (instance=0x7ffff7ea52a0, propertyObject=0x7ffff7ea52a0, 
    propertyId=346, value=0x7fffffff8fd8, requestContext=0x5555561b2ac8, info=0x7fffffff9028)
    at ChakraCore/lib/Runtime/Language/JavascriptOperators.cpp:1830
#2  0x00007ffff35d3afa in Js::JavascriptOperators::GetProperty (instance=0x7ffff7ea52a0, propertyObject=0x7ffff7ea52a0, 
    propertyId=346, requestContext=0x5555561b2ac8, info=0x7fffffff9028)
    at ChakraCore/lib/Runtime/Language/JavascriptOperators.cpp:11150
#3  0x00007ffff35d49e9 in Js::JavascriptOperators::PatchGetValueWithThisPtrNoFastPath (functionBody=0x7ffff7eab000, 
    inlineCache=0x7ffff7e88050, inlineCacheIndex=3, instance=0x7ffff7ea52a0, propertyId=346, thisInstance=0x7ffff7ea52a0)
    at ChakraCore/lib/Runtime/Language/JavascriptOperators.cpp:8021
#4  0x00007ffff363f203 in Js::ProfilingHelpers::ProfiledLdFld<false, false, false> (instance=0x7ffff7ea52a0, propertyId=346, 
    inlineCache=0x7ffff7e88050, inlineCacheIndex=3, functionBody=0x7ffff7eab000, thisInstance=0x7ffff7ea52a0)
    at ChakraCore/lib/Runtime/Language/ProfilingHelpers.cpp:995
#5  0x00007ffff35862e5 in Js::InterpreterStackFrame::ProfiledGetProperty<Js::OpLayoutT_ElementCP<Js::LayoutSizePolicy<(Js::LayoutSize)0> > const __unaligned, false, false, false>(Js::OpLayoutT_ElementCP<Js::LayoutSizePolicy<(Js::LayoutSize)0> > const __unaligned __unaligned*, void*) (this=0x7fffffffc410, playout=0x7ffff7e8706e, instance=0x7ffff7ea52a0)
    at ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:4058
#6  0x00007ffff354c732 in Js::InterpreterStackFrame::OP_ProfiledGetProperty<Js::OpLayoutT_ElementCP<Js::LayoutSizePolicy<(Js::LayoutSize)0> > const __unaligned>(Js::OpLayoutT_ElementCP<Js::LayoutSizePolicy<(Js::LayoutSize)0> > const __unaligned __unaligned*) (
    this=0x7fffffffc410, playout=0x7ffff7e8706e)
    at ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:4231
#7  0x00007ffff3400d2c in Js::InterpreterStackFrame::ProcessProfiled (this=0x7fffffffc410)
    at ChakraCore/lib/Runtime/Language/InterpreterHandler.inl:165
#8  0x00007ffff338d59d in Js::InterpreterStackFrame::Process (this=0x7fffffffc410)
    at ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:3357
#9  0x00007ffff338c307 in Js::InterpreterStackFrame::InterpreterHelper (function=0x7ffff7f066e0, args=..., 
    returnAddress=0x7ffff7e60fa2, addressOfReturnAddress=0x7fffffffc978, asmJsReturn=0x0)
    at ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:2051
#10 0x00007ffff338b4d8 in Js::InterpreterStackFrame::InterpreterThunk (layout=0x7fffffffc990)
    at ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:1763
#11 0x00007ffff7e60fa2 in ?? ()
#12 0x00007fffffffc9a0 in ?? ()
#13 0x00007ffff3ab445e in amd64_CallFunction ()
    at ChakraCore/lib/Runtime/Library/amd64/JavascriptFunctionA.S:100

Found by Fuzzinator with grammarinator.

pleath commented 5 years ago

Thanks, @renatahodovan . I'll take a look at this.