AssertOrFailFast in Js::VarTo

[bin2415]

PoC:

function main() {
  async function* v1(v2,v3,v4) {
  }
  for (let v7 = 0; v7 < 1337; v7++) {
        v1.prototype = v7;
  }
  const v8 = v1();
}
main();

Backtrace:

(lldb) bt 30
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)
  * frame #0: 0x0000000102121995 libChakraCore.dylib`Js::DynamicObject* Js::VarTo<Js::DynamicObject>(aValue=0x0001000000000538) at RecyclableObject.h:527:9
    frame #1: 0x000000010308d24d libChakraCore.dylib`Js::JavascriptAsyncGeneratorFunction::EntryAsyncGeneratorFunctionImplementation(function=0x0000000907a47640, callInfo=(Count = 1, Flags = CallFlags_Value, unused = 0)) at JavascriptAsyncGeneratorFunction.cpp:53:23
    frame #2: 0x000000010340d15e libChakraCore.dylib`amd64_CallFunction at JavascriptFunctionA.S:100
    frame #3: 0x00000001030c62db libChakraCore.dylib`void* Js::JavascriptFunction::CallFunction<true>(function=0x0000000907a47640, entryPoint=(libChakraCore.dylib`Js::JavascriptAsyncGeneratorFunction::EntryAsyncGeneratorFunctionImplementation(Js::RecyclableObject*, Js::CallInfo, ...) at JavascriptAsyncGeneratorFunction.cpp:44), args=Arguments @ 0x00007ffeefbfb6d8, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
    frame #4: 0x0000000102e29e7a libChakraCore.dylib`void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(this=0x00007ffeefbfc8f0, playout=0x000000010078d489, function=0x0000000907a47640, flags=2, spreadIndices=0x0000000000000000)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) at InterpreterStackFrame.cpp:3988:54
    frame #5: 0x0000000102e29771 libChakraCore.dylib`void Js::InterpreterStackFrame::OP_ProfileCallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(this=0x00007ffeefbfc8f0, playout=0x000000010078d489, function=0x0000000907a47640, flags=0, profileId=0, inlineCacheIndex=4294967295, spreadIndices=0x0000000000000000)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, unsigned short, unsigned int, Js::AuxArray<unsigned int> const*) at InterpreterStackFrame.cpp:4016:9
    frame #6: 0x0000000102d04b03 libChakraCore.dylib`void Js::InterpreterStackFrame::OP_ProfiledCallI<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> > >(this=0x00007ffeefbfc8f0, playout=0x000000010078d489)0> > > const __unaligned*) at InterpreterStackFrame.h:515:104
    frame #7: 0x0000000102cf965e libChakraCore.dylib`Js::InterpreterStackFrame::ProcessProfiled(this=0x00007ffeefbfc8f0) at InterpreterHandler.inl:87:3
    frame #8: 0x0000000102c938f4 libChakraCore.dylib`Js::InterpreterStackFrame::Process(this=0x00007ffeefbfc8f0) at InterpreterStackFrame.cpp:3472:20
    frame #9: 0x0000000102c923fc libChakraCore.dylib`Js::InterpreterStackFrame::InterpreterHelper(function=0x00000001007e6730, args=ArgumentReader @ 0x00007ffeefbfce20, returnAddress=0x0000000907a80f9a, addressOfReturnAddress=0x00007ffeefbfce68, asmJsReturn=0x0000000000000000) at InterpreterStackFrame.cpp:2153:40
    frame #10: 0x0000000102c91480 libChakraCore.dylib`Js::InterpreterStackFrame::InterpreterThunk(layout=0x00007ffeefbfce80) at InterpreterStackFrame.cpp:1833:16
    frame #11: 0x0000000907a80f9a
    frame #12: 0x000000010340d15e libChakraCore.dylib`amd64_CallFunction at JavascriptFunctionA.S:100
    frame #13: 0x00000001030c62db libChakraCore.dylib`void* Js::JavascriptFunction::CallFunction<true>(function=0x00000001007e6730, entryPoint=(libChakraCore.dylib`NativeCodeGenerator::CheckCodeGenThunk(Js::RecyclableObject*, Js::CallInfo, ...)), args=Arguments @ 0x00007ffeefbfcfb0, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
    frame #14: 0x0000000102e2be7f libChakraCore.dylib`void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(this=0x00007ffeefbfe180, playout=0x000000010078ce00, function=0x00000001007e6730, flags=16, spreadIndices=0x0000000000000000)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) at InterpreterStackFrame.cpp:3973:21
    frame #15: 0x0000000102e2b971 libChakraCore.dylib`void Js::InterpreterStackFrame::OP_ProfileCallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(this=0x00007ffeefbfe180, playout=0x000000010078ce00, function=0x00000001007e6730, flags=0, profileId=0, inlineCacheIndex=0, spreadIndices=0x0000000000000000)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, unsigned short, unsigned int, Js::AuxArray<unsigned int> const*) at InterpreterStackFrame.cpp:4016:9
    frame #16: 0x0000000102d04dd8 libChakraCore.dylib`void Js::InterpreterStackFrame::OP_ProfiledCallIWithICIndex<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > >(this=0x00007ffeefbfe180, playout=0x000000010078ce00)0> > > const __unaligned*) at InterpreterStackFrame.h:520:115
    frame #17: 0x0000000102cf98f6 libChakraCore.dylib`Js::InterpreterStackFrame::ProcessProfiled(this=0x00007ffeefbfe180) at InterpreterHandler.inl:91:3
    frame #18: 0x0000000102c938f4 libChakraCore.dylib`Js::InterpreterStackFrame::Process(this=0x00007ffeefbfe180) at InterpreterStackFrame.cpp:3472:20
    frame #19: 0x0000000102c923fc libChakraCore.dylib`Js::InterpreterStackFrame::InterpreterHelper(function=0x00000001007e66e0, args=ArgumentReader @ 0x00007ffeefbfe670, returnAddress=0x0000000907a80fa2, addressOfReturnAddress=0x00007ffeefbfe6b8, asmJsReturn=0x0000000000000000) at InterpreterStackFrame.cpp:2153:40
    frame #20: 0x0000000102c91480 libChakraCore.dylib`Js::InterpreterStackFrame::InterpreterThunk(layout=0x00007ffeefbfe6d0) at InterpreterStackFrame.cpp:1833:16
    frame #21: 0x0000000907a80fa2
    frame #22: 0x000000010340d15e libChakraCore.dylib`amd64_CallFunction at JavascriptFunctionA.S:100
    frame #23: 0x00000001030c62db libChakraCore.dylib`void* Js::JavascriptFunction::CallFunction<true>(function=0x00000001007e66e0, entryPoint=(libChakraCore.dylib`NativeCodeGenerator::CheckCodeGenThunk(Js::RecyclableObject*, Js::CallInfo, ...)), args=Arguments @ 0x00007ffeefbfe8e0, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
    frame #24: 0x00000001030c65ff libChakraCore.dylib`Js::JavascriptFunction::CallRootFunctionInternal(obj=0x00000001007e66e0, args=Arguments @ 0x00007ffeefbfe950, scriptContext=0x0000000100811258, inScript=true) at JavascriptFunction.cpp:772:24
    frame #25: 0x00000001030c643c libChakraCore.dylib`Js::JavascriptFunction::CallRootFunction(obj=0x00000001007e66e0, args=<unavailable>, scriptContext=0x0000000100811258, inScript=true) at JavascriptFunction.cpp:717:15
    frame #26: 0x00000001030c63e1 libChakraCore.dylib`Js::JavascriptFunction::CallRootFunction(this=0x00000001007e66e0, args=<unavailable>, scriptContext=0x0000000100811258, inScript=true) at JavascriptFunction.cpp:832:16
    frame #27: 0x000000010213380f libChakraCore.dylib`RunScriptCore(this=0x00007ffeefbfed20, scriptContext=0x0000000100811258, _actionEntryPopper=0x00007ffeefbfed00)::$_85::operator()(Js::ScriptContext*, TTD::TTDJsRTActionResultAutoRecorder&) const at Jsrt.cpp:3705:49
    frame #28: 0x00000001021333b4 libChakraCore.dylib`_JsErrorCode ContextAPIWrapper<false, RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_85>(this=0x00007ffeefbfecb8, scriptContext=0x0000000100811258)::$_85)::'lambda'(Js::ScriptContext*)::operator()(Js::ScriptContext*) const at JsrtInternal.h:237:16
    frame #29: 0x0000000102132d84 libChakraCore.dylib`_JsErrorCode ContextAPIWrapper_Core<false, _JsErrorCode ContextAPIWrapper<false, RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_85>(RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_85)::'lambda'(Js::ScriptContext*)>(fn=(anonymous class) @ 0x00007ffeefbfecb8)::$_85) at JsrtInternal.h:192:23

The source code is

    // Cast the input parameter to another type, or crash if the cast is invalid.
    template <typename T> T* VarTo(Var aValue)
    {
        AssertOrFailFast(VarIs<T>(aValue));
        return reinterpret_cast<T*>(aValue);
    }

[rhuanjl]

Thanks for the report - the error will be at the call site of VarTo or earlier - the abort here is guarding against potentially undefined behaviour if we do an incorrect cast.

[ppenzin]

Reproduced on Ubuntu 18, here is the reduced example:

function main() {
  async function* v1() {
  }

  v1.prototype = 0;

  const v8 = v1();
}
main();

VarTo is getting invalid pointer when it is called from Js::JavascriptAsyncGeneratorFunction::EntryAsyncGeneratorFunctionImplementation, looks like pointer is for JS object for the prototype.

I think this is a bug, @rhuanjl what do you think?

[rhuanjl]

It's a bug and on reflection one of my PRs created it.

I'll fix.

[rhuanjl]

Thanks for the report @bin2415