I have attached crashing inputs crashes-jit.zip with backtrace and context during crash.

To reproduce the issue run `ch` on Linux with the crashing input as script:

```
$ ./ch <crashing input>
```

The crash only occurs when `new Array(...[])` is executed as JIT code, so you may have to increase recursion.

Here is a dump of the produced JIT code along with some debugging comments: jit.zip
Backtrace:

```
#0 0x0000555555da88a0 in Js::RecyclableObject::GetType (this=<optimized out>) at /home/sww13/fuzz/target/ChakraCore/lib/Runtime/./Types/RecyclableObject.h:278
#1 Js::RecyclableObject::GetLibrary (this=<optimized out>) at /home/sww13/fuzz/target/ChakraCore/lib/Runtime/./Types/RecyclableObject.inl:51
#2 Js::RecyclableObject::GetScriptContext (this=<optimized out>) at /home/sww13/fuzz/target/ChakraCore/lib/Runtime/./Types/RecyclableObject.inl:56
#3 Js::CrossSite::MarshalVar (scriptContext=0x61a00001ec80, value=0x1, fRequestWrapper=false) at /home/sww13/fuzz/target/ChakraCore/lib/Runtime/Base/CrossSite.cpp:163
#4 0x0000555556983f0a in Js::JavascriptArray::GetSpreadArgLen (spreadArg=0x1, scriptContext=0x9) at /home/sww13/fuzz/target/ChakraCore/lib/Runtime/Library/JavascriptArray.cpp:11604
#5 0x0000555556a834f2 in Js::JavascriptFunction::GetSpreadSize (args=..., spreadIndices=<optimized out>, scriptContext=0x61a00001ec80) at /home/sww13/fuzz/target/ChakraCore/lib/Runtime/Library/JavascriptFunction.cpp:1024
#6 0x000055555682449b in Js::ProfilingHelpers::ProfiledNewScObjArraySpread_Jit (spreadIndices=0x7ffff7e5ca10, callee=0x7ffff21a7a40, framePointer=<optimized out>, profileId=1, arrayProfileId=1, callInfo=...) at /home/sww13/fuzz/target/ChakraCore/lib/Runtime/Language/ProfilingHelpers.cpp:561
```
`git bisect` reveals this issue is present since the merge of JIT:

```
$ git bisect skip
There are only 'skip'ped commits left to test.
The first bad commit could be any of:
5e1aca9f64c8d77a8214ba794165451b48350b33
4f93a9d8ce86b835159b867c24d72c241f20215f
ce9c17386ae3701121fec48c1ede73ab0dd298ef
3ab6f3e971776a0cf6b34c416d619dc3e4a390f3
960ec9a5a6a2d33d9a8cd67fc8a4a2cc7b717789
68e819f2e8bba958dd109db9c12015a0a7fb8a96
We cannot bisect more!
---
* 68e819f2e (HEAD, refs/bisect/bad) JIT: (xplat) address CR issues
* 3ab6f3e97 (refs/bisect/skip-3ab6f3e971776a0cf6b34c416d619dc3e4a390f3) JIT: signed integer overflow and other fixes
* ce9c17386 (refs/bisect/skip-ce9c17386ae3701121fec48c1ede73ab0dd298ef) JIT: build and test changes
* 5e1aca9f6 (refs/bisect/skip-5e1aca9f64c8d77a8214ba794165451b48350b33) JIT: PAL related changes
* 4f93a9d8c (refs/bisect/skip-4f93a9d8ce86b835159b867c24d72c241f20215f) JIT: to compile on Linux
* 960ec9a5a (refs/bisect/skip-960ec9a5a6a2d33d9a8cd67fc8a4a2cc7b717789) JIT: enable JIT on Linux
* 1834318a9 (refs/bisect/good-1834318a96565906ea212d7482d12c020009aa53) [MERGE #1675 @MikeHolman] fix bug with trying to use full JS strings from JIT
```
We can verify the issue against commit fc08987.
Credits: Simon Wörner, Cornelius Aschermann, Daniel Teuchert, Tommaso Frassetto (all of Ruhr-Universität Bochum)