chakra-core/ChakraCore

Assertion failure in OutputPropertyValue<T>::impl

Open

#6,539 opened on 2020年12月16日

GitHub で見る
 (1 comment) (0 reactions) (0 assignees)JavaScript (9,000 stars) (1,374 forks)batch import
Bughelp wanted

説明

Hello, executing following code in ch 1.11.24(debug), an assertion will be thrown.

'use strict';
function func(arr) {
    var a = new Promise(function() {});
    arr.__proto__.__proto__ = a;
}

for (var i = 0; i < 2; i++) {
    var arr = [
    ,
    {}
    ];
    Object.prototype.toString.call(Array());
    func(arr);
}

output:

ASSERTION 14228: (c:\users\sunlili\documents\workspace\jsenginesfordebug\chakracore-1.11.24\lib\runtime\language\inlinecache.h, line 471) *propertyValue == slowPathValue || (RootObjectBase::Is(propertyObject) && *propertyValue == rootObjectValue) || (slowPathValue == requestContext->GetLibrary()->GetNull() && requestContext->GetThreadContext()->IsDisableImplicitCall() && propertyObject->GetType()->IsExternal())
 Failure: (*propertyValue == slowPathValue || (RootObjectBase::Is(propertyObject) && *propertyValue == rootObjectValue) || (slowPathValue == requestContext->GetLibrary()->GetNull() && requestContext->GetThreadContext()->IsDisableImplicitCall() && propertyObject->GetType()->IsExternal()))
FATAL ERROR: ch.exe failed due to exception code c0000420

The assertion is triggered when the second time executing Object.prototype.toString.call(Array()). According to [http://www.ecma-international.org/ecma-262/#sec-object.prototype.tostring], toString should get @@toStringTag. https://github.com/microsoft/ChakraCore/blob/7d4bdd821d452d6b91a21936257d7e352ea7dc4b/lib/Runtime/Library/JavascriptObject.cpp#L444-L445 Since Array does not contain @@toStringTag, undefined is fetched for the first time, and the value is stored in inline cache. After calling func(arr), Array contains @@toStringTag, which is inherited by the Promise object. However, the value in inline cache is not invalid. When Object.prototype.toString.call(Array()) is executed again, the assertion is triggered and the old value undefined is fetched.

ISec Lab. 2020.12.16

コントリビューターガイド

技術スタック
javascriptcpp
領域
backendperformance
Issue 種別
bug
難度新しい貢献者にとっての実装難度です。1 は非常に小さな変更、5 は専門的な作業です。
5
推定時間経験ある貢献者が調査、実装、テスト、pull request 準備にかけるおおよその時間範囲です。
over 1 week
活動状況Issue が今どれだけ取り組みやすいかを示します。新しい、活発、古い、ブロック中、またはメンテナー入力待ちなどです。
stale
明確さ期待される変更、受け入れ条件、次の手順がどれだけ明確かを示します。
clear
前提条件
Understanding of JavaScript engine architectureKnowledge of inline cachesC++ debugging skills
初心者向け度初回貢献者にどれだけ取り組みやすいかを 1-100 で推定したスコアです。
10
調査方針
Investigate the inline cache invalidation logic in ChakraCore. The issue identifies that after modifying Array @@toStringTag via prototype chain, the inline cache for Object.prototype.toString is not invalidated. Focus on the code at lib/Runtime/Language/InlineCache.h line 471 and lib/Runtime/Library/JavascriptObject.cpp lines 444-445. Determine why the cache is not invalidated when the property value changes via prototype chain mutation.