chakra-core / ChakraCore

ChakraCore is an open source Javascript engine with a C API.
MIT License

ASSERTION in ChakraCore/lib/Runtime/./Language/InlineCache.h, line 471 #6717

Open anbu1024 opened 3 years ago

anbu1024 commented 3 years ago

chakra version

Checked revision: 0fc6103461dac83f24e418b7013af5b4137607f5
Build command: ./build.sh --debug
$ chakra --version
ch version 1.12.0.0-beta

OS

Ubuntu 20.04.2 LTS

Test case: a common function, but it leads the debug version to an assertion error.

function foo(...{
    0: a,
    1: b = 1
}) {
    return a+b+1;
}

foo(foo(4), 1);

Error message

ASSERTION 1616645: (ChakraCore/lib/Runtime/./Language/InlineCache.h, line 471) *propertyValue == slowPathValue || (VarIs<RootObjectBase>(propertyObject) && *propertyValue == rootObjectValue) || (slowPathValue == requestContext->GetLibrary()->GetNull() && requestContext->GetThreadContext()->IsDisableImplicitCall() && propertyObject->GetType()->IsExternal())
 Failure: (*propertyValue == slowPathValue || (VarIs<RootObjectBase>(propertyObject) && *propertyValue == rootObjectValue) || (slowPathValue == requestContext->GetLibrary()->GetNull() && requestContext->GetThreadContext()->IsDisableImplicitCall() && propertyObject->GetType()->IsExternal()))
Illegal instruction (core dumped)

Backtrace

#0  0x00007ffff4a26612 in Js::InlineCache::OutputPropertyValue<false, true, (Js::CacheType)2, (Js::SlotType)1>::impl (cache=0x7ff7f2beaf10, instance=0x7ff7f1372300, propertyObject=0x7ff7f1372300, propertyId=0x2fd, propertyValue=0x7fffffff9c98, requestContext=0x555555fb3a08) at ChakraCore/lib/Runtime/./Language/InlineCache.h:468
#1  0x00007ffff4a2cba3 in Js::InlineCache::OutputPropertyValueAndOperationInfo<false, true, true, (Js::CacheType)2, (Js::SlotType)1> (this=0x7ff7f2beaf10, instance=0x7ff7f1372300, propertyObject=0x7ff7f1372300, propertyId=0x2fd, propertyValue=0x7fffffff9c98, requestContext=0x555555fb3a08, operationInfo=0x7fffffff9c78) at ChakraCore/lib/Runtime/./Language/InlineCache.h:388
#2  0x00007ffff4a2c44b in Js::InlineCache::TryGetProperty<true, true, true, true, true, false> (this=0x7ff7f2beaf10, instance=0x7ff7f1372300, propertyObject=0x7ff7f1372300, propertyId=0x2fd, propertyValue=0x7fffffff9c98, requestContext=0x555555fb3a08, operationInfo=0x7fffffff9c78) at ChakraCore/lib/Runtime/./Language/InlineCache.inl:80
#3  0x00007ffff4a4add3 in Js::CacheOperators::TryGetProperty<true, true, true, true, true, true, true, false, true, false> (instance=0x7ff7f1372300, isRoot=0x0, object=0x7ff7f1372300, propertyId=0x2fd, propertyValue=0x7fffffff9c98, requestContext=0x555555fb3a08, operationInfo=0x7fffffff9c78, propertyValueInfo=0x7fffffff9c38) at ChakraCore/lib/Runtime/./Language/CacheOperators.inl:42
#4  0x00007ffff4a4769b in Js::ProfilingHelpers::ProfiledLdFld<false, false, false> (instance=0x7ff7f1372300, propertyId=0x2fd, inlineCache=0x7ff7f2beaf10, inlineCacheIndex=0x1, functionBody=0x7ff7f13571f0, thisInstance=0x7ff7f1372300) at ChakraCore/lib/Runtime/Language/ProfilingHelpers.cpp:977
#5  0x00007ffff49a2a05 in Js::InterpreterStackFrame::ProfiledGetProperty<Js::OpLayoutT_ElementCP<Js::LayoutSizePolicy<(Js::LayoutSize)0> > const __unaligned, false, false, false>(Js::OpLayoutT_ElementCP<Js::LayoutSizePolicy<(Js::LayoutSize)0> > const __unaligned __unaligned*, void*) (this=0x7fffffffad50, playout=0x7ff7f2bf40d9, instance=0x7ff7f1372300) at ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:4177
#6  0x00007ffff496d2d2 in Js::InterpreterStackFrame::OP_ProfiledGetProperty<Js::OpLayoutT_ElementCP<Js::LayoutSizePolicy<(Js::LayoutSize)0> > const __unaligned>(Js::OpLayoutT_ElementCP<Js::LayoutSizePolicy<(Js::LayoutSize)0> > const __unaligned __unaligned*) (this=0x7fffffffad50, playout=0x7ff7f2bf40d9) at ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:4350
#7  0x00007ffff48568bb in Js::InterpreterStackFrame::ProcessProfiled (this=0x7fffffffad50) at ChakraCore/lib/Runtime/Language/InterpreterHandler.inl:176
#8  0x00007ffff47f8372 in Js::InterpreterStackFrame::Process (this=0x7fffffffad50) at ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:3472
#9  0x00007ffff47f7033 in Js::InterpreterStackFrame::InterpreterHelper (function=0x7ff7f2396730, args=..., returnAddress=0x7ff7f12e0f9a, addressOfReturnAddress=0x7fffffffb2a8, asmJsReturn=0x0) at ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:2153
#10 0x00007ffff47f6110 in Js::InterpreterStackFrame::InterpreterThunk (layout=0x7fffffffb2c0) at ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:1833
#11 0x00007ff7f12e0f9a in ?? ()
#12 0x00007fffffffb2f0 in ?? ()
#13 0x00007ffff4e8a43e in amd64_CallFunction () at ChakraCore/lib/Runtime/Library/amd64/JavascriptFunctionA.S:100
Backtrace stopped: frame did not save the PC
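As an added example (not code from the issue or the ChakraCore project), here is the parameter-scope work the engine has to perform for this test case, written out without destructuring syntax so the values the reporter's function should return can be checked against a plain reference. `fooDesugared`, `compare`, `CASES` and `reporterCase` are names I chose; `foo` is the reporter's function unchanged.

```javascript
// The reporter's function: a rest parameter whose binding is an object
// pattern with a default initializer, all evaluated in parameter scope.
function foo(...{ 0: a, 1: b = 1 }) {
  return a + b + 1;
}

// Assumed spec-equivalent reference written without the pattern: the rest
// parameter becomes an array, each pattern key is a property get on that
// array, and the default for `b` applies only when the value is undefined.
function fooDesugared(...rest) {
  const a = rest[0];
  let b = rest[1];
  if (b === undefined) b = 1;
  return a + b + 1;
}

// Constructed argument lists covering the default-applies and
// default-does-not-apply paths a triager would want to distinguish.
const CASES = [
  [4],            // default applies: 4 + 1 + 1 = 6
  [6, 1],         // second argument present: 6 + 1 + 1 = 8
  [2, undefined], // explicit undefined still takes the default
  [2, null],      // null does not: 2 + null + 1 === 3
  [],             // `a` undefined: result is NaN
];

// Run one argument list through both forms and report any divergence.
function compare(args) {
  const got = foo(...args);
  const expected = fooDesugared(...args);
  return { args, got, expected, match: Object.is(got, expected) };
}

// A conforming engine returns identical results for every row.
function runAll() {
  return CASES.map(compare);
}

// The exact expression from the report, for comparison with the debug build:
// foo(4) is 6, then foo(6, 1) is 8.
function reporterCase() {
  return foo(foo(4), 1);
}
```

On a release build or another engine every row of `runAll()` should match; the debug build in the report never gets that far because the assertion fires during the parameter-scope property load.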

rhuanjl commented 3 years ago

Thanks for the report, looks like something to do with ObjectSpread in param scope - will need some triage here.