Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Caching Error in Chakra #3064

Closed
natashenka opened this issue May 30, 2017 · 2 comments
Closed

Caching Error in Chakra #3064

natashenka opened this issue May 30, 2017 · 2 comments
Assignees
@suwc
Labels
Bug Compatibility
Milestone
1.6

Comments

@natashenka
Copy link

natashenka commented May 30, 2017
edited
Loading

The following code behaves incorrectly (inconsistent with the standard and other engines) in Chakra due to a missing cache update:

  function Base() { }

  Base.prototype = {
    f() {
      return "Base " + this.toString();
    },
    x: 15,
    toString() {
      return "this is Base";
    }
  };

  function Derived() {
    this.derivedDataProperty = "xxx";
  }
  Derived.prototype = {
    __proto__: Base.prototype,
    toString() { return "this is Derived"; },
    x: 27,
    f() {

      var a = super.x;

      print(this.x);
      return "Derived";
    }
  };

  print(new Base().f());
  print(new Derived().f());

It should print 27 as the value of Derived.x, but instead prints 15. This code hits an assert in the debug build:

ASSERTION 5639: (/home/user/test_everywhere/ChakraCore/lib/Runtime/Types/TypePropertyCache.cpp, line 277) *propertyValue == JavascriptOperators::GetProperty(propertyObject, propertyId, requestContext)
Failure: (*propertyValue == JavascriptOperators::GetProperty(propertyObject, propertyId, requestContext))
Illegal instruction (core dumped)
@Penguinwizzard Penguinwizzard self-assigned this May 30, 2017
@Penguinwizzard
Copy link
Contributor

Self assigned due to looking at another bug hitting the same assert at the moment.

@dilijev dilijev added this to the 1.6 milestone May 30, 2017
@Penguinwizzard
Copy link
Contributor

@suwc: @LouisLaf suggested sending this your way.

@suwc suwc mentioned this issue Jul 13, 2017
Merged
suwc pushed a commit to suwc/ChakraCore that referenced this issue Jul 25, 2017
Fix Issue#3064/chakra-core#3423: Cache conflicts in super property ac…
f2d0e2e 
…cess

Accesses to super properties are cached on 'this' object (vs. the
"super" object), causing conflict between e.g. super.x and this.x.
Similar conflicts cause Issue#3423 for GetProperty cases.
Fix by adding 'isSuper' flag to use appropriate object for caching.

Fixes chakra-core#3064, chakra-core#3423
chakrabot pushed a commit that referenced this issue Aug 11, 2017
[MERGE #3336 @suwc] Fix Issue#3064/#3423: Cache conflicts in super pr…
85ff17d 
…operty access

Merge pull request #3336 from suwc:build/suwc/Issue3064

Accesses to super properties are cached on 'this' object (vs. the
"super" object), causing conflict between e.g. super.x and this.x.
Similar conflicts cause Issue#3423 for GetProperty cases.
Fix by adding 'isSuper' flag to use appropriate object for caching.

Fixes #3064, Fixes #3423
@suwc suwc closed this as completed Aug 11, 2017
chakrabot pushed a commit that referenced this issue Aug 11, 2017
[1.6>1.7] [MERGE #3336 @suwc] Fix Issue#3064/#3423: Cache conflicts i…
7fc3e4c 
…n super property access

Merge pull request #3336 from suwc:build/suwc/Issue3064

Accesses to super properties are cached on 'this' object (vs. the
"super" object), causing conflict between e.g. super.x and this.x.
Similar conflicts cause Issue#3423 for GetProperty cases.
Fix by adding 'isSuper' flag to use appropriate object for caching.

Fixes #3064, Fixes #3423
chakrabot pushed a commit that referenced this issue Aug 11, 2017
[1.7>master] [1.6>1.7] [MERGE #3336 @suwc] Fix Issue#3064/#3423: Cach…
2b9da66 
…e conflicts in super property access

Merge pull request #3336 from suwc:build/suwc/Issue3064

Accesses to super properties are cached on 'this' object (vs. the
"super" object), causing conflict between e.g. super.x and this.x.
Similar conflicts cause Issue#3423 for GetProperty cases.
Fix by adding 'isSuper' flag to use appropriate object for caching.

Fixes #3064, Fixes #3423
agarwal-sandeep added a commit to agarwal-sandeep/ChakraCore that referenced this issue Oct 10, 2017
@agarwal-sandeep
[CVE-2017-11799] Edge - Chakra: JIT: Incorrect GenerateBailOut callin…
2e2270c 
…g patterns.

Due to a bug in super property access we were reaching the code path where we had src2 on instrcution but didn't freed it before generating bailout. After the fix for issue chakra-core#3423/chakra-core#3064 went in 2b9da66 the bu no longer reproes but for previous branches I am putting a conservative fix to always free src2 if we have it and don't have src1. For RS4 we have a WI to add asserts to better track no. of surces on instruction and add checks.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@suwc suwc

Labels
Bug Compatibility
Projects
None yet
Milestone
1.6
Development

No branches or pull requests
4 participants
@Penguinwizzard @dilijev @natashenka @suwc