Description
Version
commit id: c3ead3f
Platform
Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)
Build
- Debug Mode
./build.sh --debug --static
PoC
// Reproducer for the segfault shown in the backtrace below: an async function
// that awaits a number literal and then touches number literals again after
// resumption. It is meant to be called many times so that its body reaches
// the JIT under the --maxinterpretcount / --maxsimplejitruncount flags listed
// under "Execution steps & Output".
async function opt(arg1) {
// Suspends the function; the continuation is later driven through the
// generator/async machinery (frames #9-#12: JavascriptGenerator::CallGenerator,
// JavascriptAsyncFunction::AsyncSpawnStep) from a promise reaction job
// (frame #13: JavascriptPromise::EntryReactionTaskFunction).
await 1300055;
// Array literal holding the resumed argument next to a number literal.
[arg1,1300055];
// Property lookup on a number literal. The crash is in the property-access
// path (frames #2-#5: PatchGetValue -> GetPropertyObject -> IsUndefinedOrNull):
// the `instance` at 0x0000555556978bac carries a type pointer of
// 0x0f0000000000841f (frame #0), i.e. not a valid Js::Type address.
// Frame #6 is an unsymbolized address, presumably JIT-emitted code — TODO confirm
// that the bad instance originates there rather than in the interpreter.
(1300055).indexOf;
}
// Warm-up loop: 100 calls, presumably chosen so that opt() crosses the
// interpreter and simple-JIT run-count thresholds passed on the command line.
// The returned promises are never awaited; the post-await part of each call
// runs later from the host message queue (frames #25-#27: MessageQueue::ProcessAll).
// opt is passed as its own argument, apparently just to give arg1 an object value — TODO confirm.
for (let i = 0; i < 100; i++) {
opt(opt);
}
Execution steps & Output
./ch --maxinterpretcount:10 --maxsimplejitruncount:100 -bgjit- poc.js
Segmentation fault (core dumped)
Backtrace
* thread #1, name = 'ch', stop reason = signal SIGSEGV: invalid address (fault address: 0x0)
frame #0: 0x00005555558a424c ch`Js::Type::GetTypeId(this=0x0f0000000000841f) const at Type.h:48:50
45
46 public:
47 static DWORD GetJavascriptLibraryOffset() { return offsetof(Type, javascriptLibrary); }
-> 48 inline TypeId GetTypeId() const { return typeId; }
49 void SetTypeId(TypeId typeId) { this->typeId = typeId; }
50 RecyclableObject* GetPrototype() const { return prototype; }
51 JavascriptMethod GetEntryPoint() const { return entryPoint; }
(lldb) thread backtrace
* thread #1, name = 'ch', stop reason = signal SIGSEGV: invalid address (fault address: 0x0)
* frame #0: 0x00005555558a424c ch`Js::Type::GetTypeId(this=0x0f0000000000841f) const at Type.h:48:50
frame #1: 0x00005555558a415d ch`Js::RecyclableObject::GetTypeId(this=0x0000555556978bac) const at RecyclableObject.inl:13:33
frame #2: 0x000055555602d415 ch`Js::JavascriptOperators::IsUndefinedOrNull(instance=0x0000555556978bac) at JavascriptOperators.cpp:11022:69
frame #3: 0x00005555560265e7 ch`Js::JavascriptOperators::GetPropertyObject(instance=0x0000555556978bac, scriptContext=0x0000555557ee8ca8, propertyObject=0x00007fffffffbf08) at JavascriptOperators.cpp:2133:13
frame #4: 0x000055555606684f ch`void* Js::JavascriptOperators::PatchGetValue<true, Js::InlineCache>(Js::FunctionBody*, Js::InlineCache*, unsigned int, void*, int) [inlined] void* Js::JavascriptOperators::PatchGetValueWithThisPtr<true, Js::InlineCache>(functionBody=0x00007ff7e7c471f0, inlineCache=0x00007ff7e84caed0, inlineCacheIndex=3, instance=0x0000555556978bac, propertyId=185, thisInstance=0x0000555556978bac) at JavascriptOperators.cpp:7941:22
frame #5: 0x00005555560667ad ch`void* Js::JavascriptOperators::PatchGetValue<true, Js::InlineCache>(functionBody=0x00007ff7e7c471f0, inlineCache=0x00007ff7e84caed0, inlineCacheIndex=3, instance=0x0000555556978bac, propertyId=185) at JavascriptOperators.cpp:7927
frame #6: 0x00007ff7e7b912f7
frame #7: 0x00005555564a37de ch`amd64_CallFunction at JavascriptFunctionA.S:100
frame #8: 0x00005555561d7a4b ch`void* Js::JavascriptFunction::CallFunction<true>(function=0x00007ff7e7c76730, entryPoint=(ch`NativeCodeGenerator::CheckCodeGenThunk(Js::RecyclableObject*, Js::CallInfo, ...)), args=Arguments @ 0x00007fffffffc100, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
frame #9: 0x00005555561da48f ch`Js::JavascriptGenerator::CallGenerator(this=0x00007ff7e7c442a0, data=0x000100000013d657, resumeKind=Normal) at JavascriptGenerator.cpp:198:26
frame #10: 0x00005555561a8db4 ch`Js::JavascriptAsyncFunction::EntryAsyncSpawnStepNextFunction(function=0x00007ff7e7b133f0, callInfo=(Count = 1, Flags = CallFlags_Value, unused = 0)) at JavascriptAsyncFunction.cpp:93:31
frame #11: 0x00005555561a8f98 ch`Js::JavascriptAsyncFunction::AsyncSpawnStep(stepFunction=0x00007ff7e7b133f0, generator=0x00007ff7e7c442a0, resolve=0x00007ff7e7c4f0c0, reject=0x00007ff7e7c4f120) at JavascriptAsyncFunction.cpp:151:25
frame #12: 0x00005555561a99b6 ch`Js::JavascriptAsyncFunction::EntryAsyncSpawnCallStepFunction(function=0x00007ff7e7c4c460, callInfo=(Count = 2, Flags = CallFlags_Value, unused = 0)) at JavascriptAsyncFunction.cpp:130:5
frame #13: 0x00005555563a0164 ch`Js::JavascriptPromise::EntryReactionTaskFunction(function=0x00007ff7e7c76e10, callInfo=(Count = 1, Flags = CallFlags_None, unused = 0)) at JavascriptPromise.cpp:1273:37
frame #14: 0x00005555564a37de ch`amd64_CallFunction at JavascriptFunctionA.S:100
frame #15: 0x00005555561d7a4b ch`void* Js::JavascriptFunction::CallFunction<true>(function=0x00007ff7e7c76e10, entryPoint=(ch`Js::JavascriptPromise::EntryReactionTaskFunction(Js::RecyclableObject*, Js::CallInfo, ...) at JavascriptPromise.cpp:1236), args=Arguments @ 0x00007fffffffc8b8, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
frame #16: 0x00005555561cf2f4 ch`Js::JavascriptFunction::CallRootFunctionInternal(obj=0x00007ff7e7c76e10, args=Arguments @ 0x00007fffffffc930, scriptContext=0x0000555557ee8ca8, inScript=true) at JavascriptFunction.cpp:772:24
frame #17: 0x00005555561cf10c ch`Js::JavascriptFunction::CallRootFunction(obj=0x00007ff7e7c76e10, args=<unavailable>, scriptContext=0x0000555557ee8ca8, inScript=true) at JavascriptFunction.cpp:717:15
frame #18: 0x00005555561cf0b1 ch`Js::JavascriptFunction::CallRootFunction(this=0x00007ff7e7c76e10, args=<unavailable>, scriptContext=0x0000555557ee8ca8, inScript=true) at JavascriptFunction.cpp:832:16
frame #19: 0x000055555588add5 ch`JsCallFunction::$_67::operator(this=0x00007fffffffcda0, scriptContext=0x0000555557ee8ca8, _actionEntryPopper=0x00007fffffffcd80)(Js::ScriptContext*, TTD::TTDJsRTActionResultAutoRecorder&) const at Jsrt.cpp:2842:41
frame #20: 0x000055555588a764 ch`_JsErrorCode ContextAPIWrapper<false, JsCallFunction::$_67>(this=0x00007fffffffcd38, scriptContext=0x0000555557ee8ca8)::'lambda'(Js::ScriptContext*)::operator()(Js::ScriptContext*) const at JsrtInternal.h:237:16
frame #21: 0x000055555588a104 ch`_JsErrorCode ContextAPIWrapper_Core<false, _JsErrorCode ContextAPIWrapper<false, JsCallFunction::$_67>(JsCallFunction::$_67)::'lambda'(Js::ScriptContext*)>(fn=(anonymous class) @ 0x00007fffffffcd38) at JsrtInternal.h:192:23
frame #22: 0x000055555585f1b6 ch`_JsErrorCode ContextAPIWrapper<false, JsCallFunction::$_67>(fn=(anonymous class) @ 0x00007fffffffcda0) at JsrtInternal.h:235:27
frame #23: 0x000055555585f179 ch`::JsCallFunction(function=0x00007ff7e7c76e10, args=0x00007fffffffce70, cargs=1, result=0x00007fffffffce68) at Jsrt.cpp:2804:12
frame #24: 0x000055555578bf80 ch`ChakraRTInterface::JsCallFunction(function=0x00007ff7e7c76e10, arguments=0x00007fffffffce70, argumentCount=1, result=0x00007fffffffce68) at ChakraRtInterface.h:416:149
frame #25: 0x0000555555797a7a ch`WScriptJsrt::CallbackMessage::CallFunction(this=0x0000555557eff340, fileName="bug02_await.js") at WScriptJsrt.cpp:2009:21
frame #26: 0x000055555579795d ch`WScriptJsrt::CallbackMessage::Call(this=0x0000555557eff340, fileName="bug02_await.js") at WScriptJsrt.cpp:1980:12
frame #27: 0x00005555557872fe ch`MessageQueue::ProcessAll(this=0x0000555557ef4660, fileName="bug02_await.js") at MessageQueue.h:256:18
frame #28: 0x000055555578499c ch`RunScript(fileName="bug02_await.js", fileContents="\nasync function opt(arg1) {\n await 1300055;\n [arg1,1300055];\n (1300055).indexOf;\n}\n\nfor (let i = 0; i < 100; i++) {\n opt(opt);\n}\n\n// ARGS: /home/wjm/ChakraCore/out/Debug/ch --maxinterpretcount:10 --maxsimplejitruncount:100 -bgjit- \n\n", fileLength=245, fileContentsFinalizeCallback=(ch`WScriptJsrt::FinalizeFree(void*) at WScriptJsrt.cpp:217), bufferValue=0x0000000000000000, fullPath="/home/wjm/DiTing-pocs/chakra/bug02_await.js", parserStateCache=0x0000000000000000)(void*), void*, char*, void*) at ch.cpp:480:17
frame #29: 0x00005555557863f0 ch`ExecuteTest(fileName="bug02_await.js") at ch.cpp:917:13
frame #30: 0x00005555557864ac ch`ExecuteTestWithMemoryCheck(fileName="bug02_await.js") at ch.cpp:967:10
frame #31: 0x0000555555786d7a ch`main(argc=5, c_argv=0x00007fffffffd648) at ch.cpp:1274:20
frame #32: 0x00007ffff778d1e2 libc.so.6`__libc_start_main + 242
frame #33: 0x0000555555783b7e ch`_start + 46