search

chakra-core / ChakraCore

ChakraCore is an open source Javascript engine with a C API.
MIT License
9.13k stars 1.2k forks source link

Aborted (core dumped) in `ReportFatalException` #6752

Open YiWen-y opened 3 years ago

YiWen-y commented 3 years ago

Version:

ch version 1.12.0.0-beta

PoC:

let args = new Array(0x10000);
args.fill();
args = args.map((_, i) => 'a' + i).join(', ');

let gun = eval(`(function () {
    class A {
    }
    class B extends A {
        constructor(${args}) {
            () => {
                ${args};
                super();
            };
            class C {
                constructor() {
                }
                trigger() {
                    (() => {
                        super.x;
                    })();
                }
            }
            return new C();
        }
    }
    return new B();
})()`);
for (let i = 0; i < 0x10000; i++)
    gun.trigger();

Command 1:

./build.sh
~/ChakraCore/out/Release/ch PoC.js

Output 1:

Aborted (core dumped)

Backtrace (using gdb debugging) 1:

gdb -q -args ~/ChakraCore/out/Release/ch PoC.js 

(gdb) r
Starting program:~/ChakraCore/out/Release/ch PoC.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ff7f380f700 (LWP 5027)]
[New Thread 0x7ff7f2fdf700 (LWP 5028)]
[New Thread 0x7ff7f27de700 (LWP 5029)]

Thread 1 "ch" received signal SIGILL, Illegal instruction.
0x00007ffff4140eb1 in ReportFatalException ()

(gdb) bt
#0  0x00007ffff4140eb1 in ReportFatalException ()
#1  0x00007ffff4140fb9 in OutOfMemory_unrecoverable_error() () 
#2  0x00007ffff4193fac in Js::Exception::RaiseIfScriptActive(Js::ScriptContext*, unsigned int, void*) () 
#3  0x00007ffff4141159 in Js::Throw::OutOfMemory() () 
#4  0x00007ffff41341e9 in Math::DefaultOverflowPolicy() () 
#5  0x00007ffff4206090 in PreVisitFunction(ParseNodeFnc*, ByteCodeGenerator*, Js::ParseableFunctionInfo*) () 
#6  0x00007ffff420be94 in void VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)>(ParseNode*, ParseNode*, ByteCodeGenerator*, void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*), unsigned int*, bool) ()
#7  0x00007ffff420bc7c in void VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)>(ParseNode*, ParseNode*, ByteCodeGenerator*, void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*), unsigned int*, bool) () 
#8  0x00007ffff420bc7c in void VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)>(ParseNode*, ParseNode*, ByteCodeGenerator*, void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*), unsigned int*, bool) () 
#9  0x00007ffff420bc7c in void VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)>(ParseNode*, ParseNode*, ByteCodeGenerator*, void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*), unsigned int*, bool) () 
#10 0x00007ffff420bff5 in void VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)>(ParseNode*, ParseNode*, ByteCodeGenerator*, void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*), unsigned int*, bool) ()
#11 0x00007ffff420bc7c in void VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)>(ParseNode*, ParseNode*, ByteCodeGenerator*, void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*), unsigned int*, bool) ()
#12 0x00007ffff420a00d in void Visit<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)>(ParseNode*, ByteCodeGenerator*, void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*), ParseNode*) ()
#13 0x00007ffff4203a70 in ByteCodeGenerator::Generate(ParseNodeProg*, unsigned int, ByteCodeGenerator*, Js::ParseableFunctionInfo**, unsigned int, bool, Parser*, Js::ScriptFunction**) ()
#14 0x00007ffff42054af in GenerateByteCode(ParseNodeProg*, unsigned int, Js::ScriptContext*, Js::ParseableFunctionInfo**, unsigned int, bool, Parser*, CompileScriptException*, Js::ScopeInfo*, Js::ScriptFunction**) ()
#15 0x00007ffff43c9d94 in Js::GlobalObject::DefaultEvalHelper(Js::ScriptContext*, char16_t const*, int, unsigned int, unsigned int, char16_t const*, int, int, int) ()
#16 0x00007ffff43ca9c2 in Js::GlobalObject::VEval(Js::JavascriptLibrary*, Js::FrameDisplay*, unsigned int, bool, bool, Js::Arguments&, bool, bool, unsigned int, Js::ScriptContext*) ()
#17 0x00007ffff43cade2 in Js::GlobalObject::EntryEval(Js::RecyclableObject*, Js::CallInfo, ...) ()
#18 0x00007ffff45a6c0e in amd64_CallFunction ()
#19 0x00007ffff4350347 in void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) ()
#20 0x00007ffff4350120 in void Js::InterpreterStackFrame::OP_ProfileCallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, unsigned short, unsigned int, Js::AuxArray<unsigned int> const*) ()
#21 0x00007ffff42fc537 in Js::InterpreterStackFrame::ProcessProfiled() ()
#22 0x00007ffff42d9d23 in Js::InterpreterStackFrame::Process() ()
#23 0x00007ffff42d94fb in Js::InterpreterStackFrame::InterpreterHelper(Js::ScriptFunction*, Js::ArgumentReader, void*, void*, Js::InterpreterStackFrame::AsmJsReturnStruct*) ()
#24 0x00007ffff42d8fb5 in Js::InterpreterStackFrame::InterpreterThunk(Js::JavascriptCallStackLayout*) ()
#25 0x00007ff7f1f30fa2 in ?? ()
#26 0x00007fffffffcce0 in ?? ()
#27 0x00007ffff45a6c0e in amd64_CallFunction ()

Command 2:

./build.sh -b -j
~/ChakraCore/out/Debug/ch PoC.js

Output 2:

Aborted (core dumped)

Backtrace (using gdb debugging) 2:

gdb -q -args ~/ChakraCore/out/Debug/ch PoC.js

(gdb) r
Starting program: ~/ChakraCore/out/Debug/ch PoC.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ff7f229f700 (LWP 14422)]
[New Thread 0x7ff7f1a6f700 (LWP 14423)]
[New Thread 0x7ff7f126e700 (LWP 14424)]

Thread 1 "ch" received signal SIGTRAP, Trace/breakpoint trap.
DBG_DebugBreak ()

(gdb) bt
#0  DBG_DebugBreak () at ~/ChakraCore/pal/src/arch/i386/debugbreak.S:18
#1  0x00007ffff2a59001 in DebugBreak () at ~/ChakraCore/pal/src/debug/debug.cpp:408
#2  0x00007ffff30c8949 in ReportFatalException (context=0, exceptionCode=-2147024882, reasonCode=Fatal_OutOfMemory, scenario=9) at ~/ChakraCore/lib/Common/Exceptions/ReportError.cpp:20
#3  0x00007ffff30c8c96 in OutOfMemory_unrecoverable_error () at ~/ChakraCore/lib/Common/Exceptions/ReportError.cpp:145
#4  0x00007ffff323e800 in Js::Exception::RaiseIfScriptActive (scriptContext=0x0, kind=0, returnAddress=0x0) at ~/ChakraCore/lib/Runtime/Base/Exception.cpp:20
#5  0x00007ffff39d1b15 in JsUtil::ExternalApi::RaiseOutOfMemoryIfScriptActive () at ~/ChakraCore/lib/Runtime/Library/CommonExternalApiImpl.cpp:21
#6  0x00007ffff30c9378 in Js::Throw::OutOfMemory () at ~/ChakraCore/lib/Common/Exceptions/Throw.cpp:122
#7  0x00007ffff30a3f49 in Math::DefaultOverflowPolicy () at ~/ChakraCore/lib/Common/Common/MathUtil.cpp:37
#8  0x00007ffff33f5ddf in UInt16Math::Inc<void ()>(unsigned short&, void (&)()) (lhs=@0x7fffffff605e: 0, overflowFn=@0x7ffff30a3f40: {void (void)} 0x7ffff30a3f40 <Math::DefaultOverflowPolicy()>)
    at ~/ChakraCore/lib/Common/Common/UInt16Math.h:32
#9  0x00007ffff33f5d9c in UInt16Math::Inc (lhs=@0x7fffffff605e: 0) at ~/ChakraCore/lib/Common/Common/UInt16Math.h:53
#10 0x00007ffff33ee26c in PreVisitFunction(ParseNodeFnc*, ByteCodeGenerator*, Js::ParseableFunctionInfo*)::$_1::operator()(ParseNode*) const (this=0x7fffffff5f58, pnode=0x7ff7e2b4a150)
    at ~/ChakraCore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:2534
#11 0x00007ffff33ee234 in _Z14MapFormalsImplIZ16PreVisitFunctionP12ParseNodeFncP17ByteCodeGeneratorPN2Js21ParseableFunctionInfoEE3$_1Lb0EEvS1_T_ (pnodeFunc=0x7ff7e3f59340, fn=...)
    at ~/ChakraCore/lib/Runtime/../Parser/FormalsUtil.h:11
#12 0x00007ffff33e64b5 in MapFormalsWithoutRest<PreVisitFunction(ParseNodeFnc*, ByteCodeGenerator*, Js::ParseableFunctionInfo*)::$_1>(ParseNodeFnc*, PreVisitFunction(ParseNodeFnc*, ByteCodeGenerator*, Js::ParseableFunctionInfo*)::$_1) (pnodeFunc=0x7ff7e3f59340, fn=...)
    at ~/ChakraCore/lib/Runtime/../Parser/FormalsUtil.h:22
#13 0x00007ffff33e60b9 in PreVisitFunction (pnodeFnc=0x7ff7e3f59340, byteCodeGenerator=0x7fffffff7618, reuseNestedFunc=0x0) at ~/ChakraCore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:2534
#14 0x00007ffff33fbf02 in VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)> (pnodeScopeList=0x7ff7e3f59340, pnodeParent=0x7ff7e3f58300, byteCodeGenerator=0x7fffffff7618,
    prefix=0x7ffff33e1950 <Bind(ParseNode*, ByteCodeGenerator*)>, postfix=0x7ffff33e2410 <AssignRegisters(ParseNode*, ByteCodeGenerator*)>, pIndex=0x7fffffff6f5c, breakOnBodyScope=false)
    at ~/ChakraCore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:3379
#15 0x00007ffff33fc7bf in VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)> (pnodeScopeList=0x7ff7e3f58a30, pnodeParent=0x7ff7e3f58300, byteCodeGenerator=0x7fffffff7618,
    prefix=0x7ffff33e1950 <Bind(ParseNode*, ByteCodeGenerator*)>, postfix=0x7ffff33e2410 <AssignRegisters(ParseNode*, ByteCodeGenerator*)>, pIndex=0x7fffffff6f5c, breakOnBodyScope=false)
    at ~/ChakraCore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:3499
#16 0x00007ffff33fc7bf in VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)> (pnodeScopeList=0x7ff7e3f58870, pnodeParent=0x7ff7e3f58300, byteCodeGenerator=0x7fffffff7618,
    prefix=0x7ffff33e1950 <Bind(ParseNode*, ByteCodeGenerator*)>, postfix=0x7ffff33e2410 <AssignRegisters(ParseNode*, ByteCodeGenerator*)>, pIndex=0x7fffffff6f5c, breakOnBodyScope=false)
    at ~/ChakraCore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:3499
#17 0x00007ffff33fc7bf in VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)> (pnodeScopeList=0x7ff7e3f586d0, pnodeParent=0x7ff7e3f58300, byteCodeGenerator=0x7fffffff7618,
    prefix=0x7ffff33e1950 <Bind(ParseNode*, ByteCodeGenerator*)>, postfix=0x7ffff33e2410 <AssignRegisters(ParseNode*, ByteCodeGenerator*)>, pIndex=0x7fffffff6f5c, breakOnBodyScope=false)
    at ~/ChakraCore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:3499
#18 0x00007ffff33fc293 in VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)> (pnodeScopeList=0x7ff7e3f58300, pnodeParent=0x7ff7e3f58030, byteCodeGenerator=0x7fffffff7618,
    prefix=0x7ffff33e1950 <Bind(ParseNode*, ByteCodeGenerator*)>, postfix=0x7ffff33e2410 <AssignRegisters(ParseNode*, ByteCodeGenerator*)>, pIndex=0x7fffffff73a0, breakOnBodyScope=false)
    at ~/ChakraCore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:3426
#19 0x00007ffff33fc7bf in VisitNestedScopes<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)> (pnodeScopeList=0x7ff7e3f58260, pnodeParent=0x7ff7e3f58030, byteCodeGenerator=0x7fffffff7618,
    prefix=0x7ffff33e1950 <Bind(ParseNode*, ByteCodeGenerator*)>, postfix=0x7ffff33e2410 <AssignRegisters(ParseNode*, ByteCodeGenerator*)>, pIndex=0x7fffffff73a0, breakOnBodyScope=false)
    at ~/ChakraCore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:3499
#20 0x00007ffff33f1946 in Visit<void (*)(ParseNode*, ByteCodeGenerator*), void (*)(ParseNode*, ByteCodeGenerator*)> (pnode=0x7ff7e3f58030, byteCodeGenerator=0x7fffffff7618, prefix=0x7ffff33e1950 <Bind(ParseNode*, ByteCodeGenerator*)>,
    postfix=0x7ffff33e2410 <AssignRegisters(ParseNode*, ByteCodeGenerator*)>, pnodeParent=0x0) at ~/ChakraCore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:341
#21 0x00007ffff33e0dde in ByteCodeGenerator::Generate (pnodeProg=0x7ff7e3f58030, grfscr=7226, byteCodeGenerator=0x7fffffff7618, ppRootFunc=0x7fffffff8698, sourceIndex=2, forceNoNative=false, parser=0x7fffffff7ac0, functionRef=0x0)
    at ~/ChakraCore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:2042
#22 0x00007ffff33e4b5d in GenerateByteCode (pnode=0x7ff7e3f58030, grfscr=7226, scriptContext=0x5555561b4028, ppRootFunc=0x7fffffff8698, sourceIndex=2, forceNoNative=false, parser=0x7fffffff7ac0, pse=0x7fffffff86a0, parentScopeInfo=0x0, functionRef=0x0)
    at ~/ChakraCore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:2220
#23 0x00007ffff3a155b3 in Js::GlobalObject::DefaultEvalHelper (scriptContext=0x5555561b4028,
    source=0x7ff7e3b8b020 u"(function () {\n    class A {\n    }\n    class B extends A {\n        constructor(a0, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20, a21, a22, a23, a24, a25, a"..., sourceLength=1026801,
    moduleID=0, grfscr=7226, pszTitle=0x7ffff4342b00 <Js::Constants::EvalCode> u"eval code", registerDocument=1, isIndirect=0, strictMode=0) at ~/ChakraCore/lib/Runtime/Library/GlobalObject.cpp:895
#24 0x00007ffff3a16c3e in Js::GlobalObject::VEval (library=0x7ff7f1a88000, environment=0x7ffff4bed8b0 <Js::NullFrameDisplay>, moduleID=0, strictMode=false, isIndirect=false, args=..., isLibraryCode=false, registerDocument=true, additionalGrfscr=0,
    debugEvalScriptContext=0x0) at ~/ChakraCore/lib/Runtime/Library/GlobalObject.cpp:609
#25 0x00007ffff3a167af in Js::GlobalObject::EntryEvalHelper (scriptContext=0x5555561b4028, function=0x7ff7f0a465c0, args=...) at ~/ChakraCore/lib/Runtime/Library/GlobalObject.cpp:519
#26 0x00007ffff3a174e8 in Js::GlobalObject::EntryEval (function=0x7ff7f0a465c0, callInfo=...) at ~/ChakraCore/lib/Runtime/Library/GlobalObject.cpp:549
#27 0x00007ffff3e1150e in amd64_CallFunction () at ~/ChakraCore/lib/Runtime/Library/amd64/JavascriptFunctionA.S:100
#28 0x00007ffff3b0290e in Js::JavascriptFunction::CallFunction<true> (function=0x7ff7f0a465c0, entryPoint=0x7ffff3a172b0 <Js::GlobalObject::EntryEval(Js::RecyclableObject*, Js::CallInfo, ...)>, args=..., useLargeArgCount=false)
    at ~/ChakraCore/lib/Runtime/Library/JavascriptFunction.cpp:1364
#29 0x00007ffff38b1c4f in Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) (this=0x7fffffffbda0, playout=0x7ff7f09e80c4, function=0x7ff7f0a465c0, flags=10, spreadIndices=0x0)
    at ~/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:3988
#30 0x00007ffff38b14d4 in Js::InterpreterStackFrame::OP_ProfileCallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, unsigned short, unsigned int, Js::AuxArray<unsigned int> const*) (this=0x7fffffffbda0, playout=0x7ff7f09e80c4, function=0x7ff7f0a465c0, flags=8, profileId=4,
    inlineCacheIndex=4294967295, spreadIndices=0x0) at ~/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:4016
#31 0x00007ffff387a4b1 in Js::InterpreterStackFrame::OP_ProfiledCallIExtendedFlags<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<(Js::LayoutSize)0> > >(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > const __unaligned*) (this=0x7fffffffbda0, playout=0x7ff7f09e80c4) at ~/ChakraCore/lib/Runtime/./Language/InterpreterStackFrame.h:518
#32 0x00007ffff37204fe in Js::InterpreterStackFrame::ProcessProfiled (this=0x7fffffffbda0) at ~/ChakraCore/lib/Runtime/Language/InterpreterHandler.inl:90
#33 0x00007ffff36af49d in Js::InterpreterStackFrame::Process (this=0x7fffffffbda0) at ~/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:3472
#34 0x00007ffff36adfdb in Js::InterpreterStackFrame::InterpreterHelper (function=0x7ff7f1a76730, args=..., returnAddress=0x7ff7f09c0fa2, addressOfReturnAddress=0x7fffffffc368, asmJsReturn=0x0)
    at ~/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:2153
#35 0x00007ffff36ad0a8 in Js::InterpreterStackFrame::InterpreterThunk (layout=0x7fffffffc380) at ~/ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:1833
#36 0x00007ff7f09c0fa2 in ?? ()
#37 0x00007fffffffc390 in ?? ()
#38 0x00007ffff3e1150e in amd64_CallFunction ()
ppenzin commented 3 years ago

Thank you for the demo. Could you please state what you are reporting, is that the shell running out of memory?

yeguixin commented 3 years ago

@ppenzin Chakra (both the release and debug version of V1.12.0.0-beta) is crashed when running the above PoC which had triggered a CVE of Safari. Maybe Chakra produces the same issue with Safari, which allows remote attackers to execute arbitrary code or cause a denial of service.

In addition, if the for statement is replaced as follows:

for (let i = 0; i < 100; i++)
    gun.trigger();

Chakra can run it without any exception.

YiWen-y commented 3 years ago

Thanks for your reply. As @yeguixin said, this PoC comes from CVE_2017-2531. When I execute this PoC using the newer versions of other engines, v8 and SpiderMonkey throw a syntax error SyntaxError: too many function arguments, JavascriptCore passes normally, only chakra outputs Aborted (core dumped), which causes the program to exit abnormally and there is no additional information.

ppenzin commented 3 years ago

@yeguixin @YiWen-y thank you for the explanation. I believe we catch the attempt to go out of bounds, integer overflow is detected:

#7  0x00007ffff30a3f49 in Math::DefaultOverflowPolicy () at ~/ChakraCore/lib/Common/Common/MathUtil.cpp:37
#8  0x00007ffff33f5ddf in UInt16Math::Inc<void ()>(unsigned short&, void (&)()) (lhs=@0x7fffffff605e: 0, overflowFn=@0x7ffff30a3f40: {void (void)} 0x7ffff30a3f40 <Math::DefaultOverflowPolicy()>)
    at ~/ChakraCore/lib/Common/Common/UInt16Math.h:32

https://github.com/chakra-core/ChakraCore/blob/master/lib/Common/Common/UInt16Math.h#L32

We probably do need a better error message instead of a silent core dump.

ppenzin commented 3 years ago

@rhuanjl I feel like we had a discussion about overflow handling before. From purely practical point of view, I feel it is OK for this kind of situations to get overly vague errors as long as nothing dangerous can happen. What do you think?

rhuanjl commented 3 years ago

Hmm - this is detecting that running this (technically valid) code would result in going out of memory leading to arbitrary results - so it's calling abort to stop it.

It may be possible to throw a nicer error if we can ensure we're catching it long before the out of memory.

But the current behaviour is basically by design.