chakra-core / ChakraCore

ChakraCore is an open source Javascript engine with a C API.
MIT License

Assertion Failure : isNextFieldDateNegativeVersion5 == false in ChakraCore/lib/Runtime/Library/DateImplementation.cpp, line 1138 #6893

Open EJueon opened 1 year ago

EJueon commented 1 year ago
Version

Branch: master
Version: https://github.com/chakra-core/ChakraCore/commit/c3ead3f8a6e0bb8e32e043adc091c68cba5935e9

Build platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build steps
POC
testcase

```JavaScript
var e = [1, 2, 2];
new Date("1-10-a").toString(), new Date(0), Object.defineProperty(e, 1, { configurable: "abc" });
```

Reduced testcase:

```JavaScript
// poc.js
new Date("1-10-a");
```
Execution steps & Output
```
$ ./ch poc.js
(gdb) bt
#0  0x0000555558912bb5 in Js::DateImplementation::UtcTimeFromStrCore (psz=<optimized out>, ulength=<optimized out>, retVal=<optimized out>, scriptContext=0x622000000158) at /chakracore/lib/Runtime/Library/DateImplementation.cpp:1138
#1  0x000055555890d815 in Js::DateImplementation::UtcTimeFromStr (scriptContext=<optimized out>, pParseString=0x7ffff283f280) at /chakracore/lib/Runtime/Library/DateImplementation.cpp:647
#2  0x0000555558b896bc in Js::JavascriptDate::ParseHelper (scriptContext=0x622000000158, str=0x10007fff7400) at /chakracore/lib/Runtime/Library/JavascriptDate.cpp:833
#3  Js::JavascriptDate::NewInstanceAsConstructor (args=..., scriptContext=0x622000000158, forceCurrentDate=<optimized out>) at /chakracore/lib/Runtime/Library/JavascriptDate.cpp:159
#4  0x0000555558b88567 in Js::JavascriptDate::NewInstance (function=<optimized out>, callInfo=...) at /chakracore/lib/Runtime/Library/JavascriptDate.cpp:97
#5  0x0000555559723c4e in amd64_CallFunction () at /chakracore/lib/Runtime/Library/amd64/JavascriptFunctionA.S:100
#6  0x0000555558c16c5e in Js::JavascriptFunction::CallAsConstructor (v=0x7ffff2860240, overridingNewTarget=<optimized out>, args=..., scriptContext=<optimized out>, spreadIndices=<optimized out>) at /chakracore/lib/Runtime/Library/JavascriptFunction.cpp:972
#7  0x0000555558570f4d in Js::JavascriptOperators::NewScObject (callee=0x0, args=..., scriptContext=<optimized out>, spreadIndices=<optimized out>) at /chakracore/lib/Runtime/Language/JavascriptOperators.cpp:6931
#8  0x0000555558713ed7 in Js::ProfilingHelpers::ProfiledNewScObject (callee=0x7ffff2860240, args=..., callerFunctionBody=<optimized out>, profileId=<optimized out>, inlineCacheIndex=<optimized out>, spreadIndices=<optimized out>)
    at /chakracore/lib/Runtime/Language/ProfilingHelpers.cpp:720
#9  0x000055555830774f in Js::InterpreterStackFrame::ProfiledNewScObject_Helper (this=0x7fffffffc680, target=<optimized out>, ArgCount=2, profileId=<optimized out>, inlineCacheIndex=<optimized out>, spreadIndices=<optimized out>)
    at /chakracore/lib/Runtime/Language/InterpreterStackFrame.cpp:6596
#10 0x0000555557e01b2e in Js::InterpreterStackFrame::OP_NewScObject_Impl<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> >, true, false>(Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> > const __unaligned*, unsigned int, Js::AuxArray<unsigned int> const*) (
    this=0x7fffffffc680, playout=0x7ffff28ef16d, inlineCacheIndex=4294967295, spreadIndices=0x0) at /chakracore/lib/Runtime/Language/InterpreterStackFrame.cpp:6464
#11 Js::InterpreterStackFrame::OP_ProfiledNewScObject_Impl<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> >, true, false>(Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> > const __unaligned*, unsigned int, Js::AuxArray<unsigned int> const*) (this=0x7fffffffc680, 
    playout=0x7ffff28ef16d, inlineCacheIndex=4294967295, spreadIndices=0x0) at /chakracore/lib/Runtime/./Language/InterpreterStackFrame.h:759
#12 Js::InterpreterStackFrame::OP_ProfiledNewScObject<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> > >(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > const __unaligned*) (this=0x7fffffffc680, playout=0x7ffff28ef16d)
    at /chakracore/lib/Runtime/./Language/InterpreterStackFrame.h:767
#13 Js::InterpreterStackFrame::ProcessProfiled (this=<optimized out>) at /chakracore/lib/Runtime/Language/InterpreterHandler.inl:302
#14 0x0000555557c426df in Js::InterpreterStackFrame::Process (this=0x7fffffffc680) at /chakracore/lib/Runtime/Language/InterpreterStackFrame.cpp:3472
#15 0x0000555557c3d150 in Js::InterpreterStackFrame::InterpreterHelper (function=<optimized out>, args=<error reading variable: Cannot access memory at address 0x0>, returnAddress=<optimized out>, addressOfReturnAddress=<optimized out>, asmJsReturn=<optimized out>)
    at /chakracore/lib/Runtime/Language/InterpreterStackFrame.cpp:2153
#16 0x0000555557c3a80d in Js::InterpreterStackFrame::InterpreterThunk (layout=0x7ffff26c0fa2) at /chakracore/lib/Runtime/Language/InterpreterStackFrame.cpp:1833
#17 0x00007ffff26c0fa2 in ?? ()
#18 0x00007fffffffcc50 in ?? ()
#19 0x0000555559723c4e in amd64_CallFunction () at /chakracore/lib/Runtime/Library/amd64/JavascriptFunctionA.S:100
```

Outputs
```
ASSERTION 292943: (/chakracore/lib/Runtime/Library/DateImplementation.cpp, line 1138) isNextFieldDateNegativeVersion5 == false
 Failure: (isNextFieldDateNegativeVersion5 == false)
Illegal instruction
```

Credits: @EJueon and @Ye0nny of seclab-yonsei.

ppenzin commented 1 year ago

Thank you for the report, we definitely need a more graceful failure here.
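A regression-style check for the graceful failure requested above, added here as an example and not code from the issue or from the ChakraCore project. It runs the reporter's string plus a set of constructed variants through `Date.parse` and the `Date` constructor and reports, per input, whether the engine produced a valid timestamp or `NaN` (an `Invalid Date`), which is the only acceptable outcome for unparseable input. On a build that still asserts, the script never returns, which is exactly what the harness is meant to surface when run as `./ch date_parse_check.js`; on a fixed build (or any other engine, e.g. Node) every entry must be `"parsed"` or `"invalid"`, never `"mismatch"`. The file name and the variant strings are assumptions made for this example.

```javascript
// Added example, not part of the issue or of ChakraCore.
// Constructed inputs: the reported string, dash-separated variants that
// exercise the same negative-field path, plus one clearly valid and one
// clearly invalid control string so the harness can check itself.
const DATE_STRINGS = [
  "1-10-a",         // the reporter's string
  "1 - 10 - a",     // same tokens with whitespace
  "1-10-",          // trailing separator
  "-1-10",          // leading negative field
  "a-1-10",         // non-numeric first field
  "1--10",          // doubled separator (empty field)
  "1-10-a-",        // trailing separator after garbage
  "2020-01-01",     // control: must parse
  "not a date at all", // control: must be invalid
];

// Classify what Date.parse() did with one string. Any result other than
// NaN or a finite millisecond timestamp indicates an engine bug.
function classifyDateString(s) {
  const t = Date.parse(s);
  if (Number.isNaN(t)) return "invalid";
  if (Number.isFinite(t)) return "parsed";
  return "unexpected";
}

// Run every input through both entry points into the date parser and
// require them to agree. Returns a map input -> "parsed" | "invalid" |
// "mismatch"; a process that aborts before returning is the failure case.
function checkGracefulParse(inputs) {
  const report = {};
  for (const s of inputs) {
    const fromParse = classifyDateString(s);
    const fromCtor = Number.isNaN(new Date(s).getTime()) ? "invalid" : "parsed";
    report[s] = fromParse === fromCtor ? fromParse : "mismatch";
  }
  return report;
}

// True when no input produced a mismatch or an unexpected result.
function allGraceful(report) {
  return Object.values(report).every((v) => v === "parsed" || v === "invalid");
}

const report = checkGracefulParse(DATE_STRINGS);
console.log(JSON.stringify(report, null, 2));
console.log(allGraceful(report) ? "all inputs handled gracefully" : "engine misbehaved");
```

Whether a given malformed string parses or is rejected is engine-specific (the legacy date grammar is implementation-defined), so the harness deliberately asserts only on the two control strings and on the absence of crashes and mismatches, not on the exact verdict for each variant.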