
Invalid Memory Access in GetScriptContext #6704

@bin2415

Description


PoC:

// Reproducer as attached to the report (fuzzer-style identifiers). The
// statements and their order are kept exactly as reported: the crash depends
// on this specific shape, so a cosmetic rewrite may lose the reproduction.
function main() {
// v0 has no enumerable properties, so the for-in below never iterates and v1
// never reaches its `await`; each v1 invocation therefore runs synchronously.
const v0 = {};
async function v1(v2,v3,v4,v5,v6) {
    for (const v7 in v0) {
        let v8 = 0;
        const v9 = v8++;
        const v10 = await v9;
    }
    // Executor that does nothing. This is the only Promise construction in the
    // script; the backtrace reports the fault under
    // Js::JavascriptPromise::NewInstance (frame #3, CallFlags_New, Count = 2),
    // which presumably corresponds to this `new Promise(...)` - confirm.
    function v11(v12,v13) {
    }
    const v15 = new Promise(v11);
    const v18 = Object();
    // V19 is defined but never instantiated, so its constructor body does not run.
    const v19 = class V19 {
        constructor(v21,v22) {
            const v23 = v18 in BigInt;
        }
        p(v25) {
        }
    };
    // Synchronous self-call: since no await is reached, every v1 invocation
    // starts another before returning, i.e. unbounded recursion (presumably
    // ending only when the engine's stack limit is hit - confirm).
    const v26 = v1();
}
const v27 = v1();
// Presumably the ch host's explicit GC trigger - verify against ch's builtins.
CollectGarbage();
}
// Entry point; running this file under ch (see reproduction steps) produces
// the EXC_BAD_ACCESS backtrace reported below.
main();

Backtrace:

* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
    frame #0: 0x0000000103006dee libChakraCore.dylib`Js::JavascriptLibrary::GetScriptContext(this=0xc08148008b480000) const at JavascriptLibrary.h:594:58
   591 	        void Initialize(ScriptContext* scriptContext, GlobalObject * globalObject);
   592 	        void Uninitialize();
   593 	        GlobalObject* GetGlobalObject() const { return globalObject; }
-> 594 	        ScriptContext* GetScriptContext() const { return scriptContext; }
   595
   596 	        Recycler * GetRecycler() const { return recycler; }
   597 	        Var GetTrueOrFalse(BOOL value) { return value ? booleanTrue : booleanFalse; }
Target 0: (ch) stopped.
(lldb) bt 20
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x0000000103006dee libChakraCore.dylib`Js::JavascriptLibrary::GetScriptContext(this=0xc08148008b480000) const at JavascriptLibrary.h:594:58
    frame #1: 0x0000000103006d6d libChakraCore.dylib`Js::RecyclableObject::GetScriptContext(this=0x00007ffeefa83ed0) const at RecyclableObject.inl:23:36
    frame #2: 0x00000001031b7e29 libChakraCore.dylib`CheckIsExecutable(function=0x00007ffeefa83ed0, entrypoint=(0x401f0f00000b768e))(Js::RecyclableObject*, Js::CallInfo, ...)) at BackendApi.cpp:143:51
    frame #3: 0x0000000104280d68 libChakraCore.dylib`Js::JavascriptPromise::NewInstance(function=0x00000001024101c0, callInfo=(Count = 2, Flags = CallFlags_New, unused = 0)) at JavascriptPromise.cpp:76:17
    frame #4: 0x000000010254266e
    frame #5: 0x000000010440d14e libChakraCore.dylib`amd64_CallFunction at JavascriptFunctionA.S:100
    frame #6: 0x00000001040c625b libChakraCore.dylib`void* Js::JavascriptFunction::CallFunction<true>(function=0x00000001022e67d0, entryPoint=(libChakraCore.dylib`NativeCodeGenerator::CheckCodeGenThunk(Js::RecyclableObject*, Js::CallInfo, ...)), args=Arguments @ 0x00007ffeefa84008, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
    frame #7: 0x00000001040d29c7 libChakraCore.dylib`Js::JavascriptGenerator::CallGenerator(this=0x00000001027092a0, data=0x00000001022e5030, resumeKind=Normal) at JavascriptGenerator.cpp:185:26
    frame #8: 0x0000000104083814 libChakraCore.dylib`Js::JavascriptAsyncFunction::EntryAsyncSpawnStepNextFunction(function=0x00000001025b6e00, callInfo=(Count = 1, Flags = CallFlags_Value, unused = 0)) at JavascriptAsyncFunction.cpp:93:31
    frame #9: 0x00000001040839f8 libChakraCore.dylib`Js::JavascriptAsyncFunction::AsyncSpawnStep(stepFunction=0x00000001025b6e00, generator=0x00000001027092a0, resolve=0x0000000102707d20, reject=0x0000000102707d80) at JavascriptAsyncFunction.cpp:151:25
    frame #10: 0x00000001040836c6 libChakraCore.dylib`Js::JavascriptAsyncFunction::BeginAsyncFunctionExecution(generator=0x00000001027092a0) at JavascriptAsyncFunction.cpp:73:9
    frame #11: 0x00000001040834b3 libChakraCore.dylib`Js::JavascriptAsyncFunction::EntryAsyncFunctionImplementation(function=0x0000000102447b00, callInfo=(Count = 1, Flags = CallFlags_Value, unused = 0)) at JavascriptAsyncFunction.cpp:52:12
    frame #12: 0x000000010440d14e libChakraCore.dylib`amd64_CallFunction at JavascriptFunctionA.S:100
    frame #13: 0x00000001040c625b libChakraCore.dylib`void* Js::JavascriptFunction::CallFunction<true>(function=0x0000000102447b00, entryPoint=(libChakraCore.dylib`Js::JavascriptAsyncFunction::EntryAsyncFunctionImplementation(Js::RecyclableObject*, Js::CallInfo, ...) at JavascriptAsyncFunction.cpp:42), args=Arguments @ 0x00007ffeefa84558, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
    frame #14: 0x0000000103e29d8a libChakraCore.dylib`void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(this=0x000000010270d000, playout=0x000000010246d0b5, function=0x0000000102447b00, flags=2, spreadIndices=0x0000000000000000)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) at InterpreterStackFrame.cpp:3988:54
    frame #15: 0x0000000103e29681 libChakraCore.dylib`void Js::InterpreterStackFrame::OP_ProfileCallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(this=0x000000010270d000, playout=0x000000010246d0b5, function=0x0000000102447b00, flags=0, profileId=2, inlineCacheIndex=4294967295, spreadIndices=0x0000000000000000)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, unsigned short, unsigned int, Js::AuxArray<unsigned int> const*) at InterpreterStackFrame.cpp:4016:9
    frame #16: 0x0000000103d04a13 libChakraCore.dylib`void Js::InterpreterStackFrame::OP_ProfiledCallI<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<(Js::LayoutSize)0> > >(this=0x000000010270d000, playout=0x000000010246d0b5)0> > > const __unaligned*) at InterpreterStackFrame.h:515:104
    frame #17: 0x0000000103cf956e libChakraCore.dylib`Js::InterpreterStackFrame::ProcessProfiled(this=0x000000010270d000) at InterpreterHandler.inl:87:3
    frame #18: 0x0000000103c93804 libChakraCore.dylib`Js::InterpreterStackFrame::Process(this=0x000000010270d000) at InterpreterStackFrame.cpp:3472:20
    frame #19: 0x0000000103c9230c libChakraCore.dylib`Js::InterpreterStackFrame::InterpreterHelper(function=0x00000001022e67d0, args=ArgumentReader @ 0x00007ffeefa85ab0, returnAddress=0x0000000102480f92, addressOfReturnAddress=0x00007ffeefa85af8, asmJsReturn=0x0000000000000000) at InterpreterStackFrame.cpp:2153:40

How to reproduce it:

- ./build.sh -d -j
- ./ch poc.js
