Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invalid memory access in GetEntryPoint #6691

Open
Tracked by #6988
bin2415 opened this issue Apr 10, 2021 · 2 comments
Open
Tracked by #6988

Invalid memory access in GetEntryPoint #6691

bin2415 opened this issue Apr 10, 2021 · 2 comments
Labels
Bug Severity: 1

Comments

@bin2415
Copy link

bin2415 commented Apr 10, 2021

PoC:

function main() {
const v0 = {};
async function v1(v2,v3,v4,v5,v6) {
    function v7(v8) {
    }
    const v9 = v7;
    for (const v10 in v0) {
        const v12 = await 320832.93626390724;
    }
    const v13 = v1();
    let v15 = 1337;
    for (let v17 = 0; v17 < v15; v17 = v17 && 350074.8305491025) {
        v15 = v17;
    }
    const v19 = new Promise(v9);
}
const v20 = v1();
}
main();

Backtrace:

* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x841f0f66db)
    frame #0: 0x00000001026b72ec libChakraCore.dylib`Js::Type::GetEntryPoint(this=0x000000841f0f66c3) const at Type.h:51:57
   48  	        inline TypeId GetTypeId() const { return typeId; }
   49  	        void SetTypeId(TypeId typeId) { this->typeId = typeId; }
   50  	        RecyclableObject* GetPrototype() const { return prototype; }
-> 51  	        JavascriptMethod GetEntryPoint() const { return entryPoint; }
   52  	        JavascriptLibrary* GetLibrary() const { return javascriptLibrary; }
   53  	        ScriptContext * GetScriptContext() const;
   54  	        Recycler * GetRecycler() const;
Target 0: (ch) stopped.
(lldb) bt 20
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x841f0f66db)
  * frame #0: 0x00000001026b72ec libChakraCore.dylib`Js::Type::GetEntryPoint(this=0x000000841f0f66c3) const at Type.h:51:57
    frame #1: 0x0000000103686e3d libChakraCore.dylib`Js::RecyclableObject::GetEntryPoint(this=0x0000000102206f0e) const at RecyclableObject.cpp:175:33
    frame #2: 0x0000000103036ee4 libChakraCore.dylib`Js::JavascriptConversion::IsCallable(aValue=0x0000000102206f0e) at JavascriptConversion.cpp:41:47
    frame #3: 0x0000000103036e47 libChakraCore.dylib`Js::JavascriptConversion::IsCallable(aValue=0x0000000102206f0e) at JavascriptConversion.cpp:35:16
    frame #4: 0x0000000103480b95 libChakraCore.dylib`Js::JavascriptPromise::NewInstance(function=0x00000009078f0100, callInfo=(Count = 2, Flags = CallFlags_New, unused = 0)) at JavascriptPromise.cpp:46:37
    frame #5: 0x0000000907c01679
    frame #6: 0x000000010360d15e libChakraCore.dylib`amd64_CallFunction at JavascriptFunctionA.S:100
    frame #7: 0x00000001032c62db libChakraCore.dylib`void* Js::JavascriptFunction::CallFunction<true>(function=0x00000001020e67d0, entryPoint=(0x0000000907c01000), args=Arguments @ 0x00007ffeef40df48, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
    frame #8: 0x00000001032d2a47 libChakraCore.dylib`Js::JavascriptGenerator::CallGenerator(this=0x0000000909434960, data=0x00000001020e5030, resumeKind=Normal) at JavascriptGenerator.cpp:185:26
    frame #9: 0x0000000103283904 libChakraCore.dylib`Js::JavascriptAsyncFunction::EntryAsyncSpawnStepNextFunction(function=0x000000090943b460, callInfo=(Count = 1, Flags = CallFlags_Value, unused = 0)) at JavascriptAsyncFunction.cpp:93:31
    frame #10: 0x0000000103283ae8 libChakraCore.dylib`Js::JavascriptAsyncFunction::AsyncSpawnStep(stepFunction=0x000000090943b460, generator=0x0000000909434960, resolve=0x000000090943d4e0, reject=0x000000090943d540) at JavascriptAsyncFunction.cpp:151:25
    frame #11: 0x00000001032837b6 libChakraCore.dylib`Js::JavascriptAsyncFunction::BeginAsyncFunctionExecution(generator=0x0000000909434960) at JavascriptAsyncFunction.cpp:73:9
    frame #12: 0x00000001032835a3 libChakraCore.dylib`Js::JavascriptAsyncFunction::EntryAsyncFunctionImplementation(function=0x0000000907b27880, callInfo=(Count = 1, Flags = CallFlags_Value, unused = 0)) at JavascriptAsyncFunction.cpp:52:12
    frame #13: 0x0000000907c0151d
    frame #14: 0x000000010360d15e libChakraCore.dylib`amd64_CallFunction at JavascriptFunctionA.S:100
    frame #15: 0x00000001032c62db libChakraCore.dylib`void* Js::JavascriptFunction::CallFunction<true>(function=0x00000001020e67d0, entryPoint=(0x0000000907c01000), args=Arguments @ 0x00007ffeef40e5d8, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
    frame #16: 0x00000001032d2a47 libChakraCore.dylib`Js::JavascriptGenerator::CallGenerator(this=0x0000000909434900, data=0x00000001020e5030, resumeKind=Normal) at JavascriptGenerator.cpp:185:26
    frame #17: 0x0000000103283904 libChakraCore.dylib`Js::JavascriptAsyncFunction::EntryAsyncSpawnStepNextFunction(function=0x000000090943b3f0, callInfo=(Count = 1, Flags = CallFlags_Value, unused = 0)) at JavascriptAsyncFunction.cpp:93:31
    frame #18: 0x0000000103283ae8 libChakraCore.dylib`Js::JavascriptAsyncFunction::AsyncSpawnStep(stepFunction=0x000000090943b3f0, generator=0x0000000909434900, resolve=0x000000090943d420, reject=0x000000090943d480) at JavascriptAsyncFunction.cpp:151:25
    frame #19: 0x00000001032837b6 libChakraCore.dylib`Js::JavascriptAsyncFunction::BeginAsyncFunctionExecution(generator=0x0000000909434900) at JavascriptAsyncFunction.cpp:73:9

How to reproduce it:

- ./build.sh -d -j
- ch poc.js

Its backtrace is similar with #6690. I am not sure if their root cause are same.
@rhuanjl
Copy link
Collaborator

rhuanjl commented Apr 14, 2021

Hmm - this is a different issue to the ScopeArray points I've been looking at - will investigate seperately.

@rhuanjl rhuanjl mentioned this issue Apr 16, 2021
Merged
@rhuanjl
Copy link
Collaborator

rhuanjl commented Apr 16, 2021
edited
Loading

Simplified repro:

{
    let i = 0;
    function* v1() {
        function v7() {}
        for (var v10 in []) {
            yield undefined;
        }
        if(++i < 4)
            v1().next()
        v7 + 1;
    }
}
v1().next();

Use flags -mic:1 -off:simplejit -bgjit-

Note - in the original repro code runs fine until stack overflow occurs - then after top function throws 2nd function down tries to execute to run to completion - error is seen in fulljitted code of the whole function.

Simplified repro triggers the continuation with a control variable instead of waiting for stack overflow - flags force the fulljit to occur sooner without needing 50+ iterations. (or 3000+ to get stack overflow)

Problem is to do with lifetime of the function v7 across a for...in loop containing a yield (or await if using an async function) that is never invoked - slightly obscure; but another one we need to fix if we're keeping generator jit on.

This was referenced Apr 17, 2021
Open
Closed
@ShortDevelopment ShortDevelopment mentioned this issue Apr 23, 2024
Open
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug Severity: 1
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Disable OpHelperReg optimisation for Coroutines rhuanjl/ChakraCore
2 participants
@bin2415 @rhuanjl