Segmentation fault in NativeCodeGenerator::CheckCodeGen

[anbu1024]

ChakraCore version:
commit c3ead3f

Build cmd:

./build.sh --debug --static

Test case:

function test(){

	async function foo(a1,a2) {
	
		for (let i = a1; i < foo; i = i + a2) {
		    const x = await -9007199254740992;
		}
	
		function bar() {
		}
		
		const b = new bar();
		b.__proto__ = foo;
		const names = Object.getOwnPropertyNames(bar);
	}
	
	const r = foo();
	return r;
}

for(let i=0; i<1024; i++)
{
	test();
}

Execute

./ch ./test.js

Error msg:

Segmentation fault in NativeCodeGenerator::CheckCodeGen

backtrace

#6  0x0000555556912b32 in NativeCodeGenerator::CheckCodeGen (function=0x2000001)
    at ChakraCore/lib/Backend/NativeCodeGenerator.cpp:1678
#7  0x00005555564a378e in amd64_CallFunction ()
    at ChakraCore/lib/Runtime/Library/amd64/JavascriptFunctionA.S:100
#8  0x00005555561d79fb in Js::JavascriptFunction::CallFunction<true> (function=0x7ff7f4334dc0, 
    entryPoint=0x555556978d70 <NativeCodeGenerator::CheckCodeGenThunk(Js::RecyclableObject*, Js::CallInfo, ...)>, 
    args=..., useLargeArgCount=false)
    at ChakraCore/lib/Runtime/Library/JavascriptFunction.cpp:1364
#9  0x00005555561da43f in Js::JavascriptGenerator::CallGenerator (this=0x7ff7f43313c0, data=0x7ff7f4c75030, 
    resumeKind=Js::ResumeYieldKind::Normal)
    at ChakraCore/lib/Runtime/Library/JavascriptGenerator.cpp:198
#10 0x00005555561a8d64 in Js::JavascriptAsyncFunction::EntryAsyncSpawnStepNextFunction (function=0x7ff7f4282000, 
    callInfo=...) at ChakraCore/lib/Runtime/Library/JavascriptAsyncFunction.cpp:93
#11 0x00005555561a8f48 in Js::JavascriptAsyncFunction::AsyncSpawnStep (stepFunction=0x7ff7f4282000, 
    generator=0x7ff7f43313c0, resolve=0x7ff7f432ac60, reject=0x7ff7f432acc0)
    at ChakraCore/lib/Runtime/Library/JavascriptAsyncFunction.cpp:151
#12 0x00005555561a8c26 in Js::JavascriptAsyncFunction::BeginAsyncFunctionExecution (generator=0x7ff7f43313c0)
    at ChakraCore/lib/Runtime/Library/JavascriptAsyncFunction.cpp:73
#13 0x00005555561a8a42 in Js::JavascriptAsyncFunction::EntryAsyncFunctionImplementation (function=0x7ff7f4336f00, 
    callInfo=...) at ChakraCore/lib/Runtime/Library/JavascriptAsyncFunction.cpp:52
#14 0x00007ff7f42e0168 in ?? ()
#15 0x00007ff7f4336f00 in ?? ()
#16 0x0000000002000001 in ?? ()
#17 0x00007ff7f4c75030 in ?? ()
#18 0x00005555561cccf0 in Js::JavascriptOperators::GetTypeId (
    obj=0x5555557b37be <Js::JavascriptLibrary::GetScriptContext() const+30>)
    at ChakraCore/lib/Runtime/./Language/JavascriptOperators.inl:13
#19 Js::VarIsImpl<Js::JavascriptFunction> (obj=0x0)
    at ChakraCore/lib/Runtime/Library/JavascriptFunction.cpp:101
#20 0x00005555564a378e in amd64_CallFunction ()
    at ChakraCore/lib/Runtime/Library/amd64/JavascriptFunctionA.S:100
#21 0x00005555561d79fb in Js::JavascriptFunction::CallFunction<true> (function=0x7ff7f4c76730, 
    entryPoint=0x7ff7f42e0000, args=..., useLargeArgCount=false)
    at ChakraCore/lib/Runtime/Library/JavascriptFunction.cpp:1364
#22 0x0000555555ffc5ce in Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) (this=0x7fffffffc790, playout=0x7ff7f54cd491, function=0x7ff7f4c76730, flags=16, 
    spreadIndices=0x0)
    at ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:3973
#23 0x0000555555ffc0b1 in Js::InterpreterStackFrame::OP_ProfileCallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, unsigned short, unsigned int, Js::AuxArray<unsigned int> const*) (this=0x7fffffffc790, playout=0x7ff7f54cd491, 
    function=0x7ff7f4c76730, flags=0, profileId=0, inlineCacheIndex=0, spreadIndices=0x0)
    at ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:4016
#24 0x0000555555fc7288 in Js::InterpreterStackFrame::OP_ProfiledCallIWithICIndex<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > >(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > const __unaligned*) (this=0x7fffffffc790, playout=0x7ff7f54cd491)
    at ChakraCore/lib/Runtime/./Language/InterpreterStackFrame.h:520
#25 0x0000555555eac7b3 in Js::InterpreterStackFrame::ProcessProfiled (this=0x7fffffffc790)
    at ChakraCore/lib/Runtime/Language/InterpreterHandler.inl:91
#26 0x0000555555e520f2 in Js::InterpreterStackFrame::Process (this=0x7fffffffc790)
    at ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:3472
#27 0x0000555555e50db3 in Js::InterpreterStackFrame::InterpreterHelper (function=0x7ff7f4c766e0, args=..., 
    returnAddress=0x7ff7f43c0fa2, addressOfReturnAddress=0x7fffffffccf8, asmJsReturn=0x0)
    at ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:2153
#28 0x0000555555e4fe90 in Js::InterpreterStackFrame::InterpreterThunk (layout=0x7fffffffcd10)
    at ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:1833
#29 0x00007ff7f43c0fa2 in ?? ()
#30 0x00007fffffffcd20 in ?? ()
#31 0x00005555564a378e in amd64_CallFunction ()
    at ChakraCore/lib/Runtime/Library/amd64/JavascriptFunctionA.S:10

[EmployedRussian]

Reproduced. Does not reproduce when ch is built with --no-jit.

[rhuanjl]

This is one of a number of bugs in the jitting of generator functions.

See #6293 #6533 #6662 #6684 #6700 and #6706 for progress on this area - I think currently we are planning to disable it by default before making any released version; it's a shame but I fear its implementation is just too fragile.

[ppenzin]

Maybe we should file a master issue for all of these, or start a "Project" board for it.