chakra-core/ChakraCore

Crash in ProfiledNewScObjArraySpread_Jit on Linux

SWW13 opened this issue · 0 comments

SWW13 commented

I have attached the crashing inputs (crashes-jit.zip) with a backtrace and context during the crash.

To reproduce the issue, run ch on Linux with the crashing input as the script:

$ ./ch <crashing input>

The crash only occurs when new Array(...[]) is executed as JIT code, so you may have to increase recursion.

Here is a dump of the produced JIT code along with some debugging comments: jit.zip

Backtrace:

#0  0x0000555555da88a0 in Js::RecyclableObject::GetType (this=<optimized out>) at /home/sww13/fuzz/target/ChakraCore/lib/Runtime/./Types/RecyclableObject.h:278
#1  Js::RecyclableObject::GetLibrary (this=<optimized out>) at /home/sww13/fuzz/target/ChakraCore/lib/Runtime/./Types/RecyclableObject.inl:51
#2  Js::RecyclableObject::GetScriptContext (this=<optimized out>) at /home/sww13/fuzz/target/ChakraCore/lib/Runtime/./Types/RecyclableObject.inl:56
#3  Js::CrossSite::MarshalVar (scriptContext=0x61a00001ec80, value=0x1, fRequestWrapper=false) at /home/sww13/fuzz/target/ChakraCore/lib/Runtime/Base/CrossSite.cpp:163
#4  0x0000555556983f0a in Js::JavascriptArray::GetSpreadArgLen (spreadArg=0x1, scriptContext=0x9) at /home/sww13/fuzz/target/ChakraCore/lib/Runtime/Library/JavascriptArray.cpp:11604
#5  0x0000555556a834f2 in Js::JavascriptFunction::GetSpreadSize (args=..., spreadIndices=<optimized out>, scriptContext=0x61a00001ec80) at /home/sww13/fuzz/target/ChakraCore/lib/Runtime/Library/JavascriptFunction.cpp:1024
#6  0x000055555682449b in Js::ProfilingHelpers::ProfiledNewScObjArraySpread_Jit (spreadIndices=0x7ffff7e5ca10, callee=0x7ffff21a7a40, framePointer=<optimized out>, profileId=1, arrayProfileId=1, callInfo=...) at /home/sww13/fuzz/target/ChakraCore/lib/Runtime/Language/ProfilingHelpers.cpp:561

git bisect reveals that this issue has been present since the merge of the JIT:

$ git bisect skip
There are only 'skip'ped commits left to test.
The first bad commit could be any of:
5e1aca9f64c8d77a8214ba794165451b48350b33
4f93a9d8ce86b835159b867c24d72c241f20215f
ce9c17386ae3701121fec48c1ede73ab0dd298ef
3ab6f3e971776a0cf6b34c416d619dc3e4a390f3
960ec9a5a6a2d33d9a8cd67fc8a4a2cc7b717789
68e819f2e8bba958dd109db9c12015a0a7fb8a96
We cannot bisect more!

---

* 68e819f2e (HEAD, refs/bisect/bad) JIT: (xplat) address CR issues
* 3ab6f3e97 (refs/bisect/skip-3ab6f3e971776a0cf6b34c416d619dc3e4a390f3) JIT: signed integer overflow and other fixes
* ce9c17386 (refs/bisect/skip-ce9c17386ae3701121fec48c1ede73ab0dd298ef) JIT: build and test changes
* 5e1aca9f6 (refs/bisect/skip-5e1aca9f64c8d77a8214ba794165451b48350b33) JIT: PAL related changes
* 4f93a9d8c (refs/bisect/skip-4f93a9d8ce86b835159b867c24d72c241f20215f) JIT: to compile on Linux
* 960ec9a5a (refs/bisect/skip-960ec9a5a6a2d33d9a8cd67fc8a4a2cc7b717789) JIT: enable JIT on Linux
*   1834318a9 (refs/bisect/good-1834318a96565906ea212d7482d12c020009aa53) [MERGE #1675 @MikeHolman] fix bug with trying to use full JS strings from JIT

We can verify the issue against commit fc08987.

Credits: Simon Wörner, Cornelius Aschermann, Daniel Teuchert, Tommaso Frassetto (all of Ruhr-Universität Bochum)
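As an added regression-style check (not the reporter's crashing input and not part of the ChakraCore test suite), the following script exercises the same `new Array(...spread)` construct-with-spread site that the backtrace names, repeating it enough times that a profiling JIT would compile it, and verifies the result on every iteration; the helper names and iteration count are assumptions.

```javascript
// Added example: a regression check for `new Array(...spread)`. It is not code
// from the issue or from ChakraCore; `makeArray`/`runSpreadRegression` are
// names chosen here.

// A constructor call with a spread argument, the shape that reaches
// ProfiledNewScObjArraySpread_Jit -> GetSpreadSize -> GetSpreadArgLen in
// the reported backtrace once the function is JIT-compiled.
function makeArray(spreadSource) {
  return new Array(...spreadSource);
}

// Hit the construct-with-spread site `iterations` times (enough for a
// profiling JIT to tier up) and validate each result. Returns a summary
// object so a test harness can assert on it.
function runSpreadRegression(iterations) {
  let failures = 0;
  for (let i = 0; i < iterations; i++) {
    // Empty spread, the trigger from the report: `new Array()` -> length 0.
    const empty = makeArray([]);
    if (!Array.isArray(empty) || empty.length !== 0) failures++;

    // Single numeric argument: `new Array(3)` -> length 3 with holes only.
    const sized = makeArray([3]);
    if (sized.length !== 3 || (0 in sized)) failures++;

    // Several arguments: `new Array(1, 2, 3)` -> [1, 2, 3].
    const listed = makeArray([1, 2, 3]);
    if (listed.length !== 3 || listed[2] !== 3) failures++;

    // Spread source that is an iterable but not an array.
    const fromSet = makeArray(new Set(["a", "b"]));
    if (fromSet.length !== 2 || fromSet[1] !== "b") failures++;
  }
  return { iterations, failures };
}
```

Run it with `ch` (or any engine) after the fix; a non-zero `failures` count, or a crash before the function returns, means the spread-construct path has regressed.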