chakra-core / ChakraCore

ChakraCore is an open source Javascript engine with a C API.
MIT License

Assertion Failure: (!(flags & PropertyOperation_Root)) in ChakraCore/lib/Runtime/Library/GlobalObject.cpp, line 1963 #6914

Open JimWongM opened 1 year ago

JimWongM commented 1 year ago

Version

commit id: c3ead3f8a6e0bb8e32e043adc091c68cba5935e9

Platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build

./build.sh --debug --static

PoC

const a = new Proxy({}, {});
__proto__ = a;
b = 1

Execution steps & Output

./ch  poc.js
ASSERTION 437234: (/home/wjm/ChakraCore/lib/Runtime/Library/GlobalObject.cpp, line 1963) !(flags & PropertyOperation_Root)
 Failure: (!(flags & PropertyOperation_Root))
Signal: SIGILL (Illegal instruction)

Backtrace

(lldb) bt
* thread #1, name = 'ch', stop reason = signal SIGILL: illegal instruction operand
  * frame #0: 0x00005555561336f1 ch`Js::GlobalObject::SetProperty(this=0x00007ff7e7c74000, propertyId=765, value=0x0001000000000001, flags=PropertyOperation_Root, info=0x00007fffffffa9a0) at GlobalObject.cpp:1963:9
    frame #1: 0x00005555560510a9 ch`int Js::JavascriptOperators::SetProperty_Internal<false>(receiver=0x00007ff7e7c74000, object=0x00007ff7e6c2f2a0, isRoot=false, propertyId=765, newValue=0x0001000000000001, info=0x00007fffffffa9a0, requestContext=0x0000555557ee8e28, propertyOperationFlags=PropertyOperation_Root) at JavascriptOperators.cpp:2826:54
    frame #2: 0x000055555602ee9a ch`Js::JavascriptOperators::SetProperty(receiver=0x00007ff7e7c74000, object=0x00007ff7e6c2f2a0, propertyId=765, newValue=0x0001000000000001, info=0x00007fffffffa9a0, requestContext=0x0000555557ee8e28, propertyOperationFlags=PropertyOperation_Root) at JavascriptOperators.cpp:2675:16
    frame #3: 0x000055555603114d ch`Js::JavascriptOperators::SetProperty(instance=0x00007ff7e7c74000, object=0x00007ff7e6c2f2a0, propertyId=765, newValue=0x0001000000000001, requestContext=0x0000555557ee8e28, propertyOperationFlags=PropertyOperation_Root) at JavascriptOperators.cpp:11413:16
    frame #4: 0x00005555563b6fec ch`Js::JavascriptProxy::SetPropertyTrap(this=0x00007ff7e7c71de0, receiver=0x00007ff7e7c74000, setPropertyTrapKind=SetPropertyKind, propertyId=765, newValue=0x0001000000000001, requestContext=0x0000555557ee8e28, propertyOperationFlags=PropertyOperation_Root, skipPrototypeCheck=NO) at JavascriptProxy.cpp:1869:24
    frame #5: 0x000055555602f352 ch`Js::JavascriptOperators::SetAccessorOrNonWritableProperty(receiver=0x00007ff7e7c74000, object=0x00007ff7e7c74000, propertyId=765, newValue=0x0001000000000001, info=0x00007fffffffae60, requestContext=0x0000555557ee8e28, propertyOperationFlags=PropertyOperation_Root, isRoot=true, allowUndecInConsoleScope=false, result=NO) at JavascriptOperators.cpp:2753:34
    frame #6: 0x0000555556050b70 ch`int Js::JavascriptOperators::SetProperty_Internal<false>(receiver=0x00007ff7e7c74000, object=0x00007ff7e7c74000, isRoot=true, propertyId=765, newValue=0x0001000000000001, info=0x00007fffffffae60, requestContext=0x0000555557ee8e28, propertyOperationFlags=PropertyOperation_Root) at JavascriptOperators.cpp:2787:13
    frame #7: 0x000055555602eefc ch`Js::JavascriptOperators::SetRootProperty(instance=0x00007ff7e7c74000, propertyId=765, newValue=0x0001000000000001, info=0x00007fffffffae60, requestContext=0x0000555557ee8e28, propertyOperationFlags=PropertyOperation_Root) at JavascriptOperators.cpp:2680:16
    frame #8: 0x0000555556045ab7 ch`Js::JavascriptOperators::PatchPutRootValueNoFastPath(functionBody=0x00007ff7e6c37000, inlineCache=0x00007ff7e84caef0, inlineCacheIndex=4, instance=0x00007ff7e7c74000, propertyId=765, newValue=0x0001000000000001, flags=PropertyOperation_Root) at JavascriptOperators.cpp:8811:14
    frame #9: 0x00005555560a73b1 ch`void Js::ProfilingHelpers::ProfiledStFld<true>(instance=0x00007ff7e7c74000, propertyId=765, inlineCache=0x00007ff7e84caef0, inlineCacheIndex=4, value=0x0001000000000001, flags=PropertyOperation_Root, scriptFunction=0x00007ff7e7c766e0, thisInstance=0x00007ff7e7c74000) at ProfilingHelpers.cpp:1267:21
    frame #10: 0x0000555555fffe0d ch`void Js::InterpreterStackFrame::ProfiledSetProperty<Js::OpLayoutT_ElementRootCP<Js::LayoutSizePolicy<(Js::LayoutSize)0> > const __unaligned, true>(this=0x00007fffffffc080, playout=0x00007ff7e84d40f8, instance=0x00007ff7e7c74000, flags=PropertyOperation_Root)0> > const __unaligned __unaligned*, void*, Js::PropertyOperationFlags) at InterpreterStackFrame.cpp:4697:9
    frame #11: 0x0000555555fc84ad ch`void Js::InterpreterStackFrame::OP_ProfiledSetRootProperty<Js::OpLayoutT_ElementRootCP<Js::LayoutSizePolicy<(Js::LayoutSize)0> > const __unaligned>(this=0x00007fffffffc080, playout=0x00007ff7e84d40f8)0> > const __unaligned __unaligned*) at InterpreterStackFrame.cpp:4782:9
    frame #12: 0x0000555555eb13ca ch`Js::InterpreterStackFrame::ProcessProfiled(this=0x00007fffffffc080) at InterpreterHandler.inl:207:3
    frame #13: 0x0000555555e52112 ch`Js::InterpreterStackFrame::Process(this=0x00007fffffffc080) at InterpreterStackFrame.cpp:3472:20
    frame #14: 0x0000555555e50dd3 ch`Js::InterpreterStackFrame::InterpreterHelper(function=0x00007ff7e7c766e0, args=ArgumentReader @ 0x00007fffffffc580, returnAddress=0x00007ff7e6bc0fa2, addressOfReturnAddress=0x00007fffffffc5c8, asmJsReturn=0x0000000000000000) at InterpreterStackFrame.cpp:2153:40
    frame #15: 0x0000555555e4feb0 ch`Js::InterpreterStackFrame::InterpreterThunk(layout=0x00007fffffffc5e0) at InterpreterStackFrame.cpp:1833:16
    frame #16: 0x00007ff7e6bc0fa2
    frame #17: 0x00005555564a37de ch`amd64_CallFunction at JavascriptFunctionA.S:100
    frame #18: 0x00005555561d7a4b ch`void* Js::JavascriptFunction::CallFunction<true>(function=0x00007ff7e7c766e0, entryPoint=(ch`NativeCodeGenerator::CheckCodeGenThunk(Js::RecyclableObject*, Js::CallInfo, ...)), args=Arguments @ 0x00007fffffffc7e8, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
    frame #19: 0x00005555561cf2f4 ch`Js::JavascriptFunction::CallRootFunctionInternal(obj=0x00007ff7e7c766e0, args=Arguments @ 0x00007fffffffc860, scriptContext=0x0000555557ee8e28, inScript=true) at JavascriptFunction.cpp:772:24
    frame #20: 0x00005555561cf10c ch`Js::JavascriptFunction::CallRootFunction(obj=0x00007ff7e7c766e0, args=<unavailable>, scriptContext=0x0000555557ee8e28, inScript=true) at JavascriptFunction.cpp:717:15
    frame #21: 0x00005555561cf0b1 ch`Js::JavascriptFunction::CallRootFunction(this=0x00007ff7e7c766e0, args=<unavailable>, scriptContext=0x0000555557ee8e28, inScript=true) at JavascriptFunction.cpp:832:16
    frame #22: 0x0000555555894a8e ch`RunScriptCore(this=0x00007fffffffcc30, scriptContext=0x0000555557ee8e28, _actionEntryPopper=0x00007fffffffcc10)::$_85::operator()(Js::ScriptContext*, TTD::TTDJsRTActionResultAutoRecorder&) const at Jsrt.cpp:3705:49
    frame #23: 0x0000555555894624 ch`_JsErrorCode ContextAPIWrapper<false, RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_85>(this=0x00007fffffffcbc8, scriptContext=0x0000555557ee8e28)::$_85)::'lambda'(Js::ScriptContext*)::operator()(Js::ScriptContext*) const at JsrtInternal.h:237:16
    frame #24: 0x0000555555893fc4 ch`_JsErrorCode ContextAPIWrapper_Core<false, _JsErrorCode ContextAPIWrapper<false, RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_85>(RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_85)::'lambda'(Js::ScriptContext*)>(fn=(anonymous class) @ 0x00007fffffffcbc8)::$_85) at JsrtInternal.h:192:23
    frame #25: 0x00005555558608f6 ch`_JsErrorCode ContextAPIWrapper<false, RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_85>(fn=(anonymous class) @ 0x00007fffffffcc30)::$_85) at JsrtInternal.h:235:27
    frame #26: 0x00005555558607fb ch`RunScriptCore(scriptSource=0x00007ff7e6c34000, script="const a = new Proxy({}, {});\n__proto__ = a;\nb = 1\n\n// CRASH INFO\n// ==========\n// TERMSIG: 4\n// STDERR:\n// ASSERTION 3268212: (/home/wjm/ChakraCore/lib/Runtime/Library/GlobalObject.cpp, line 1963) !(flags & PropertyOperation_Root)\n//  Failure: (!(flags & PropertyOperation_Root))\n// STDOUT:\n// ARGS: /home/wjm/ChakraCore/out/Debug/ch --maxinterpretcount:10 --maxsimplejitruncount:100 -bgjit- -reprl fuzzcode.js\n// EXECUTION TIME: 18 ms\n\n\n/*\n\nTitle: Assertion Failure: \n\n## Version\ncommit id: c3ead3f8a6e0bb8e32e043adc091c68cba5935e9\n\n## Platform\nUbuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)\n\n## Build\n- Debug Mode\n\n```\n./build.sh --debug --static\n```\n\n## PoC\n```\n\n```\n\n## Execution steps & Output\n```\n./ch --maxinterpretcount:10 --maxsimplejitruncount:100 -bgjit- poc.js\n\n```\n## Backtrace\n```\n\n\n```\n\n*\/\n", cb=810, loadScriptFlag=LoadScriptFlag_Utf8Source | LoadScriptFlag_ExternalArrayBuffer, sourceContext=0, sourceUrl=u"/home/wjm/DiTing-pocs/chakra/bug29_root.js", parseOnly=false, parseAttributes=JsParseScriptAttributeNone, isSourceModule=false, result=0x0000000000000000) at Jsrt.cpp:3656:12
    frame #27: 0x0000555555862f6e ch`::JsRun(JsValueRef, JsSourceContext, JsValueRef, JsParseScriptAttributes, JsValueRef *) [inlined] CompileRun(scriptVal=0x00007ff7e6c34000, sourceContext=0, sourceUrl=0x00007ff7e7c71cf0, parseAttributes=JsParseScriptAttributeNone, result=0x0000000000000000, parseOnly=false) at Jsrt.cpp:5019:12
    frame #28: 0x0000555555862db9 ch`::JsRun(scriptVal=0x00007ff7e6c34000, sourceContext=0, sourceUrl=0x00007ff7e7c71cf0, parseAttributes=JsParseScriptAttributeNone, result=0x0000000000000000) at Jsrt.cpp:5041
    frame #29: 0x0000555555787293 ch`ChakraRTInterface::JsRun(script=0x00007ff7e6c34000, sourceContext=0, sourceUrl=0x00007ff7e7c71cf0, parseAttributes=JsParseScriptAttributeNone, result=0x0000000000000000) at ChakraRtInterface.h:487:179
    frame #30: 0x0000555555784924 ch`RunScript(fileName="bug29_root.js", fileContents="const a = new Proxy({}, {});\n__proto__ = a;\nb = 1\n\n// CRASH INFO\n// ==========\n// TERMSIG: 4\n// STDERR:\n// ASSERTION 3268212: (/home/wjm/ChakraCore/lib/Runtime/Library/GlobalObject.cpp, line 1963) !(flags & PropertyOperation_Root)\n//  Failure: (!(flags & PropertyOperation_Root))\n// STDOUT:\n// ARGS: /home/wjm/ChakraCore/out/Debug/ch --maxinterpretcount:10 --maxsimplejitruncount:100 -bgjit- -reprl fuzzcode.js\n// EXECUTION TIME: 18 ms\n\n\n/*\n\nTitle: Assertion Failure: \n\n## Version\ncommit id: c3ead3f8a6e0bb8e32e043adc091c68cba5935e9\n\n## Platform\nUbuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)\n\n## Build\n- Debug Mode\n\n```\n./build.sh --debug --static\n```\n\n## PoC\n```\n\n```\n\n## Execution steps & Output\n```\n./ch --maxinterpretcount:10 --maxsimplejitruncount:100 -bgjit- poc.js\n\n```\n## Backtrace\n```\n\n\n```\n\n*\/\n", fileLength=810, fileContentsFinalizeCallback=(ch`WScriptJsrt::FinalizeFree(void*) at WScriptJsrt.cpp:217), bufferValue=0x0000000000000000, fullPath="/home/wjm/DiTing-pocs/chakra/bug29_root.js", parserStateCache=0x0000000000000000)(void*), void*, char*, void*) at ch.cpp:451:25
    frame #31: 0x00005555557863f0 ch`ExecuteTest(fileName="bug29_root.js") at ch.cpp:917:13
    frame #32: 0x00005555557864ac ch`ExecuteTestWithMemoryCheck(fileName="bug29_root.js") at ch.cpp:967:10
    frame #33: 0x0000555555786d7a ch`main(argc=2, c_argv=0x00007fffffffd698) at ch.cpp:1274:20
    frame #34: 0x00007ffff778d1e2 libc.so.6`__libc_start_main + 242
    frame #35: 0x0000555555783b7e ch`_start + 46
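As an added example that is not part of the issue or of ChakraCore, the Node.js script below reproduces the language-level path the PoC takes: a sloppy-mode assignment to an undeclared identifier is a [[Set]] on the global object with the global as receiver, and OrdinarySet walks the prototype chain, so a Proxy installed as the global's prototype receives that root-property store as an ordinary `set` trap call. It assumes a host (such as Node.js) whose global object allows `Object.setPrototypeOf(globalThis, ...)`; the function name and the property name are made up for the demonstration.

```javascript
// Added example (not from the issue or ChakraCore). Assumes a Node.js host
// whose global object permits Object.setPrototypeOf(globalThis, ...).
// Shows why the PoC's `__proto__ = a; b = 1` reaches the Proxy's [[Set]]
// with the global object as receiver: in sloppy code an assignment to an
// undeclared identifier is Set(globalObject, "b", 1, globalObject), and
// OrdinarySet walks the prototype chain up to the Proxy.

function runRootStoreThroughProxy(name) {
  const trapCalls = [];
  const handler = {
    set(target, key, value, receiver) {
      // Record what the engine hands the trap for the undeclared assignment.
      trapCalls.push({
        key,
        value,
        receiverIsGlobal: receiver === globalThis,
        targetIsGlobal: target === globalThis,
      });
      // Default behaviour (same as the PoC's empty handler): OrdinarySet on the
      // target with the original receiver, which ends up creating the property
      // on the global object itself.
      return Reflect.set(target, key, value, receiver);
    },
  };
  const proxy = new Proxy({}, handler);
  const savedProto = Object.getPrototypeOf(globalThis);

  // Mirrors `__proto__ = a`: in global code that name resolves to the
  // Object.prototype.__proto__ accessor, so the store replaces the global
  // object's prototype.
  Object.setPrototypeOf(globalThis, proxy);
  try {
    // Indirect eval keeps this sloppy even if the surrounding module is strict,
    // so `<name> = 1` is an unresolvable-reference store (a "root" property
    // operation in ChakraCore's terms), exactly like `b = 1` in the PoC.
    (0, eval)(`${name} = 1;`);
  } finally {
    Object.setPrototypeOf(globalThis, savedProto);
  }

  const result = {
    trapCalls,
    definedOnGlobal: Object.prototype.hasOwnProperty.call(globalThis, name),
    value: globalThis[name],
  };
  delete globalThis[name]; // leave the host's global object as we found it
  return result;
}
console.log(JSON.stringify(runRootStoreThroughProxy('demoRootProp'), null, 2));
```

The recorded trap call shows the global object itself arriving as the `receiver` while the Proxy target is an unrelated empty object, which is the situation the engine's root-property path in the backtrace did not anticipate.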