
Assertion Failure: (propertyValue && VarIs<T>(propertyValue)) in ChakraCore/lib/Runtime/Library/IntlEngineInterfaceExtensionObject.cpp, line 372 #6905

Open JimWongM opened 1 year ago

JimWongM commented 1 year ago

Version

commit id: c3ead3f8a6e0bb8e32e043adc091c68cba5935e9

Platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build

./build.sh --debug --static

PoC

// PoC: recurse without bound inside try/catch. The deepest call fails with a
// stack-overflow error, which the caller's empty catch swallows; each unwinding
// frame then calls String.prototype.localeCompare, so the first localeCompare
// runs with the stack almost exhausted.
// Per the reported backtrace (JIT bail-out BailOutOnNoProfile -> EntryLocaleCompare
// -> EntryIntl_LocaleCompare -> AssertStringProperty) the Intl helper finds the
// expected state property missing or not a string.
// NOTE(review): the near-exhausted stack at the Intl call is the likely trigger
// for the unset property — confirm against the Intl JS-side initialization.
// Run with --maxinterpretcount:10 --maxsimplejitruncount:100 -bgjit- so f14 is
// jitted early enough for the bail-out path to be taken.
function f14() {
    try {
        f14();
    } catch(e20) {
        // Intentionally empty: the stack-overflow error is discarded so that
        // execution continues on a nearly full stack.
    }
    ("test")["localeCompare"]("test");
}
f14();

Execution steps & Output

./ch --maxinterpretcount:10 --maxsimplejitruncount:100 -bgjit- poc.js
ASSERTION 384876: (/home/wjm/ChakraCore/lib/Runtime/Library/IntlEngineInterfaceExtensionObject.cpp, line 372) propertyValue && VarIs<T>(propertyValue)
 Failure: (propertyValue && VarIs<T>(propertyValue))
Signal: SIGILL (Illegal instruction) — this is the assertion trap of the `--debug` build above, not a separate fault. In a release build the assert is presumably compiled out, and whether EntryIntl_LocaleCompare then continues on the unchecked `propertyValue` (a potential type confusion) has not been determined here; that is the question to answer before treating this as more than a debug-only assertion.

Backtrace

(lldb) bt 30
* thread #1, name = 'ch', stop reason = signal SIGILL: illegal instruction operand
  * frame #0: 0x0000555556a8794b ch`Js::JavascriptString* Js::AssertProperty<Js::JavascriptString>(state=0x00007ff7e7af5880, propertyId=(_value = 525)) at IntlEngineInterfaceExtensionObject.cpp:372:9
    frame #1: 0x0000555556a84931 ch`Js::AssertStringProperty(state=0x00007ff7e7af5880, propertyId=(_value = 525)) at IntlEngineInterfaceExtensionObject.cpp:379:16
    frame #2: 0x0000555556a7ee6e ch`Js::IntlEngineInterfaceExtensionObject::EntryIntl_LocaleCompare(function=0x00007ff7e7b4a480, callInfo=(Count = 5, Flags = CallFlags_Value, unused = 0)) at IntlEngineInterfaceExtensionObject.cpp:1869:41
    frame #3: 0x00005555564a37de ch`amd64_CallFunction at JavascriptFunctionA.S:100
    frame #4: 0x00005555561d7a4b ch`void* Js::JavascriptFunction::CallFunction<true>(function=0x00007ff7e7b4a480, entryPoint=(ch`Js::IntlEngineInterfaceExtensionObject::EntryIntl_LocaleCompare(Js::RecyclableObject*, Js::CallInfo, ...) at IntlEngineInterfaceExtensionObject.cpp:1827), args=Arguments @ 0x00007fffff81a178, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
    frame #5: 0x0000555555ffc808 ch`void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(this=0x00007fffff81b250, playout=0x0000555556f808b5, function=0x00007ff7e7b4a480, flags=2, spreadIndices=0x0000000000000000)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) at InterpreterStackFrame.cpp:3988:54
    frame #6: 0x0000555555fcdb05 ch`void Js::InterpreterStackFrame::OP_CallI<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(this=0x00007fffff81b250, playout=0x0000555556f808b5)0> > > __unaligned const __unaligned*) at InterpreterStackFrame.h:510:72
    frame #7: 0x0000555555e71df3 ch`Js::InterpreterStackFrame::ProcessUnprofiled(this=0x00007fffff81b250) at InterpreterHandler.inl:91:3
    frame #8: 0x0000555555e522be ch`Js::InterpreterStackFrame::Process(this=0x00007fffff81b250) at InterpreterStackFrame.cpp:3495:22
    frame #9: 0x0000555555e50dd3 ch`Js::InterpreterStackFrame::InterpreterHelper(function=0x00007ff7e7af4190, args=ArgumentReader @ 0x00007fffff81b7b0, returnAddress=0x00007ff7e7bd0f1a, addressOfReturnAddress=0x00007fffff81b7f8, asmJsReturn=0x0000000000000000) at InterpreterStackFrame.cpp:2153:40
    frame #10: 0x0000555555e4feb0 ch`Js::InterpreterStackFrame::InterpreterThunk(layout=0x00007fffff81b810) at InterpreterStackFrame.cpp:1833:16
    frame #11: 0x00007ff7e7bd0f1a
    frame #12: 0x00005555564a37de ch`amd64_CallFunction at JavascriptFunctionA.S:100
    frame #13: 0x00005555561d7a4b ch`void* Js::JavascriptFunction::CallFunction<true>(function=0x00007ff7e7af4190, entryPoint=(ch`NativeCodeGenerator::CheckCodeGenThunk(Js::RecyclableObject*, Js::CallInfo, ...)), args=Arguments @ 0x00007fffff81b8b8, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
    frame #14: 0x00005555561d0eb7 ch`Js::JavascriptFunction::CallFunction(this=0x00007ff7e7af4190, args=Arguments @ 0x00007fffff81b968) at JavascriptFunction.cpp:1159:16
    frame #15: 0x00005555563df8ec ch`Js::JavascriptString::EntryLocaleCompare(function=0x00007ff7e7c4c880, callInfo=(Count = 2, Flags = CallFlags_NotUsed, unused = 0)) at JavascriptString.cpp:1408:38
    frame #16: 0x00005555564a37de ch`amd64_CallFunction at JavascriptFunctionA.S:100
    frame #17: 0x00005555561d7a4b ch`void* Js::JavascriptFunction::CallFunction<true>(function=0x00007ff7e7c4c880, entryPoint=(ch`Js::JavascriptString::EntryLocaleCompare(Js::RecyclableObject*, Js::CallInfo, ...) at JavascriptString.cpp:1356), args=Arguments @ 0x00007fffff81bb50, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
    frame #18: 0x0000555555ffc5fe ch`void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(this=0x00007fffff81cd10, playout=0x00007ff7e84d40f1, function=0x00007ff7e7c4c880, flags=16, spreadIndices=0x0000000000000000)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) at InterpreterStackFrame.cpp:3973:21
    frame #19: 0x0000555555ffc0e1 ch`void Js::InterpreterStackFrame::OP_ProfileCallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(this=0x00007fffff81cd10, playout=0x00007ff7e84d40f1, function=0x00007ff7e7c4c880, flags=0, profileId=1, inlineCacheIndex=0, spreadIndices=0x0000000000000000)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, unsigned short, unsigned int, Js::AuxArray<unsigned int> const*) at InterpreterStackFrame.cpp:4016:9
    frame #20: 0x0000555555fc72a8 ch`void Js::InterpreterStackFrame::OP_ProfiledCallIWithICIndex<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > >(this=0x00007fffff81cd10, playout=0x00007ff7e84d40f1)0> > > const __unaligned*) at InterpreterStackFrame.h:520:115
    frame #21: 0x0000555555eac7d3 ch`Js::InterpreterStackFrame::ProcessProfiled(this=0x00007fffff81cd10) at InterpreterHandler.inl:91:3
    frame #22: 0x0000555555e52112 ch`Js::InterpreterStackFrame::Process(this=0x00007fffff81cd10) at InterpreterStackFrame.cpp:3472:20
    frame #23: 0x000055555681d6c8 ch`BailOutRecord::BailOutHelper(layout=0x00007fffff81d930, functionRef=0x00007fffff81d930, args=0x00007fffff81d3a0, isInlinee=false, bailOutRecord=0x0000555557efe0b8, bailOutOffset=3, returnAddress=0x00007ff7e7b90544, bailOutKind=BailOutOnNoProfile, registerSaves=0x00007fffff81d450, bailOutReturnValue=0x0000000000000000, pArgumentsObject=0x00007fffff81d918, branchValue=0x0000000000000000, argoutRestoreAddress=0x0000000000000000) at BailOut.cpp:1785:78
    frame #24: 0x000055555681bf20 ch`BailOutRecord::BailOutCommonNoCodeGen(layout=0x00007fffff81d930, bailOutRecord=0x0000555557efe0b8, bailOutOffset=3, returnAddress=0x00007ff7e7b90544, bailOutKind=BailOutOnNoProfile, branchValue=0x0000000000000000, registerSaves=0x00007fffff81d450, bailOutReturnValue=0x0000000000000000, argoutRestoreAddress=0x0000000000000000) at BailOut.cpp:1153:22
    frame #25: 0x000055555681b853 ch`BailOutRecord::BailOutCommon(layout=0x00007fffff81d930, bailOutRecord=0x0000555557efe0b8, bailOutOffset=3, returnAddress=0x00007ff7e7b90544, bailOutKind=BailOutOnNoProfile, savedImplicitCallFlags=ImplicitCall_None, branchValue=0x0000000000000000, bailOutReturnValue=0x0000000000000000, argoutRestoreAddress=0x0000000000000000) at BailOut.cpp:1176:22
    frame #26: 0x000055555681b6a3 ch`BailOutRecord::BailOutFromFunction(layout=0x00007fffff81d930, bailOutRecord=0x0000555557efe0b8, returnAddress=0x00007ff7e7b90544, argoutRestoreAddress=0x0000000000000000, savedImplicitCallFlags=ImplicitCall_None) at BailOut.cpp:1127:12
    frame #27: 0x000055555681b341 ch`BailOutRecord::BailOut(bailOutRecord=0x0000555557efe0b8) at BailOut.cpp:1112:12
    frame #28: 0x00007ff7e7b90544
    frame #29: 0x00005555564a37de ch`amd64_CallFunction at JavascriptFunctionA.S:100