chakra-core / ChakraCore

ChakraCore is an open source Javascript engine with a C API.
MIT License

Segmentation fault in Js::RecyclableObject::GetType #6963

Open anbu1024 opened 7 months ago

anbu1024 commented 7 months ago

ChakraCore version: commit c3ead3f

Build cmd:

./build.sh --debug --static

Test case:

function test(){
    // async functions share ChakraCore's generator implementation, so once
    // this body is hot it runs as JIT-compiled generator code
    async function foo(a1,a2) {

        // with a1 = Proxy and a2 = a String object, `i < a1` is a string
        // comparison and `i + foo` a string concatenation; the loop awaits
        // once per iteration and `i` keeps growing
        for (let i = a2; i < a1; i = i + foo) {
            const ret = await i;
        }

        function E() {
        }

        // p forwards [[Construct]] to Reflect.construct, so `new p(E,d)` goes
        // through JavascriptProxy::FunctionCallTrap (frame #7 in the
        // backtrace below) with E and d as the arguments
        const p = new Proxy(Proxy,Reflect);
        const d = {};
        const v16 = new p(E,d);
    }

    foo();    // a1 and a2 are undefined, so the loop is skipped

    const s = new String();
    const z = Object.defineProperty(s,Proxy,Proxy);    // returns s itself
    const r = foo(Proxy,z,String,s);    // a1 = Proxy, a2 = z
    return r;
}

// call test() repeatedly so foo becomes hot enough to be JIT-compiled
for(let i=0; i<1024; i++)
{
    test();
}

Execute

./ch ./test.js

Error msg:

Segmentation fault in Js::RecyclableObject::GetType
lib/Runtime/Types/RecyclableObject.h

backtrace

Thread 1 "ch" received signal SIGSEGV, Segmentation fault.
0x00005555557b37ee in Js::RecyclableObject::GetType (this=0x1b57ebcd48)
    at ChakraCore/bin/ch/../../lib/Runtime/Types/RecyclableObject.h:275
275         inline Type * GetType() const { return type; }
(gdb) bt
#0  0x00005555557b37ee in Js::RecyclableObject::GetType (this=0x1b57ebcd48)
    at ChakraCore/bin/ch/../../lib/Runtime/Types/RecyclableObject.h:275
#1  0x00005555557b3785 in Js::RecyclableObject::GetLibrary (this=0x1b57ebcd48)
    at ChakraCore/bin/ch/../../lib/Runtime/Types/RecyclableObject.inl:18
#2  0x00005555557b3735 in Js::RecyclableObject::GetScriptContext (
    this=0x1b57ebcd48)
    at ChakraCore/bin/ch/../../lib/Runtime/Types/RecyclableObject.inl:23
#3  0x0000555555a7f778 in Js::CrossSite::NeedMarshalVar (
    instance=0x1b57ebcd48, requestContext=0x555557eeeca8)
    at ChakraCore/lib/Runtime/Base/CrossSite.cpp:32
#4  0x00005555558d453c in Js::JavascriptArray::VerifyNotNeedMarshal<void*> (
    this=0x7ff7f435bc40, value=0x1b57ebcd48)
    at ChakraCore/lib/Jsrt/../Runtime/Library/JavascriptArray.h:201
#5  0x00005555558d27f2 in Js::JavascriptArray::DirectSetItemInLastUsedSegmentAt<void*> (this=0x7ff7f435bc40, offset=0, newValue=0x1b57ebcd48)
    at ChakraCore/lib/Jsrt/../Runtime/Library/JavascriptArray.inl:502
#6  0x00005555558d251e in Js::JavascriptArray::DirectSetItemAt<void*> (
    f7f435bc40, itemIndex=0, newValue=0x1b57ebcd48)
    at ChakraCore/lib/Jsrt/../Runtime/Library/JavascriptArray.inl:460
#7  0x00005555563ad40b in Js::JavascriptProxy::FunctionCallTrap (function=0x7ff7f4357de0, callInfo=...)
    at ChakraCore/lib/Runtime/Library/JavascriptProxy.cpp:2262
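The two mechanisms the test case depends on, run in a conforming engine so the intermediate values can be seen. This is an added example, not code from the issue or from ChakraCore; it was checked in Node and uses only standard Proxy, Reflect and String behaviour. It differs from the test case in one deliberate way: instead of passing Reflect itself as the handler it passes a recording handler that forwards to Reflect.construct, so the arguments reaching the construct trap can be inspected. In the crash, JavascriptProxy::FunctionCallTrap (frame #7) is storing the invalid pointer 0x1b57ebcd48 at index 0 of a JavascriptArray (frames #5 and #6) when the debug-only VerifyNotNeedMarshal check dereferences it; this example shows what a correct engine passes through that path. The names loopTrace, constructThroughProxy and demo are the example's own.

```javascript
'use strict';

// Part 1: the loop header of foo(), `i < a1` and `i = i + fn`, evaluated with
// a1 = Proxy and a2 = a String object, as in the second call in the test case.
// Both operands go through ToPrimitive, so the comparison is a string
// comparison and the increment is a string concatenation. The test case has
// no bound; maxIterations caps it here so the trace can be inspected.
function loopTrace(a1, a2, fn, maxIterations) {
  const trace = [];
  let i = a2;
  while (trace.length < maxIterations && i < a1) {
    trace.push({ type: typeof i, length: String(i).length });
    i = i + fn;
  }
  return trace;
}

// Part 2: what the engine hands to the [[Construct]] trap of
// `new Proxy(Proxy, handler)`. The test case uses Reflect as the handler, so
// its trap is Reflect.construct; this recording handler (example's own, not in
// the test case) captures the trap's inputs before making the same call.
function constructThroughProxy(target, args) {
  const record = {};
  const handler = {
    construct(t, argList, newTarget) {
      record.target = t;
      record.args = argList.slice();
      record.newTargetIsOuterProxy = newTarget === outer;
      return Reflect.construct(t, argList, newTarget);
    },
  };
  const outer = new Proxy(target, handler);
  record.result = new outer(...args);   // same shape as `new p(E,d)`
  return record;
}

// Wires both parts together with the same kinds of values the test case uses.
function demo() {
  async function foo(a1, a2) {}          // only its source text matters here
  const s = new String();
  const z = Object.defineProperty(s, Proxy, Proxy); // same call as the test case
  const trace = loopTrace(Proxy, z, foo, 3);

  function E() {}
  const d = {};
  const construct = constructThroughProxy(Proxy, [E, d]);
  return { trace, construct, E, d, z, s };
}

const out = demo();
console.log(JSON.stringify(out.trace));
console.log('trap saw', out.construct.args.length, 'arguments; result is a',
  typeof out.construct.result);
```

Running it with node prints a trace whose first entry has type `object` (the String wrapper) and length 0, followed by string entries whose length doubles each iteration, and a trap record whose argument list is exactly `[E, d]` with newTarget equal to the outer proxy. Index 0 of that argument list is E, the nested function declared in the generator body; in the backtrace that slot holds 0x1b57ebcd48 instead.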

rhuanjl commented 2 months ago

This is one of a number of bugs in the jitting of generator functions.

See #6293 #6533 #6662 #6684 #6700 and #6706 for progress on this area - I think currently we are planning to disable it by default before making any released version; it's a shame but I fear its implementation is just too fragile.