[Bug]: Prefix decrement on import expression causes engine crash #7054

@bendrissou

Description

ChakraCore Version

622c745

Steps to reproduce

Build ChakraCore with the default configuration:

./build.sh -d

Run ChakraCore with the provided input:

./out/Debug/ch test.js

Proof of concept

a = "./mymodule.js"
const p = --import(a) + 1;

Exception or Error

ASSERTION 2767988: (/home/chakracore/lib/Runtime/ByteCode/FuncInfo.cpp, line 380) tmpReg == this->curTmpReg - 1
 Failure: (tmpReg == this->curTmpReg - 1)
Illegal instruction (core dumped)

(gdb) run
Starting program: /home/chakracore/out/Debug/ch test.js
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fcf7344f700 (LWP 2767998)]
[New Thread 0x7fcf72c1f700 (LWP 2767999)]
[New Thread 0x7fcf7241e700 (LWP 2768000)]
ASSERTION 2767994: (/home/chakracore/lib/Runtime/ByteCode/FuncInfo.cpp, line 380) tmpReg == this->curTmpReg - 1
 Failure: (tmpReg == this->curTmpReg - 1)

Thread 1 "ch" received signal SIGILL, Illegal instruction.
0x00007fd7740fd8a4 in FuncInfo::ReleaseTmpRegister (this=0x7fcf71b94070, tmpReg=1)
    at /home/chakracore/lib/Runtime/ByteCode/FuncInfo.cpp:380
380           Assert(tmpReg == this->curTmpReg - 1);
(gdb) bt
#0  0x00007fd7740fd8a4 in FuncInfo::ReleaseTmpRegister (this=0x7fcf71b94070, tmpReg=1)
    at /home/chakracore/lib/Runtime/ByteCode/FuncInfo.cpp:380
#1  0x00007fd7740fd781 in FuncInfo::ReleaseLoc (this=0x7fcf71b94070, pnode=0x7fcf71b93390)
    at /home/chakracore/lib/Runtime/ByteCode/FuncInfo.cpp:269
#2  0x00007fd7740fd943 in FuncInfo::ReleaseLoad (this=0x7fcf71b94070, pnode=0x7fcf71b93390)
    at /home/chakracore/lib/Runtime/ByteCode/FuncInfo.cpp:284
#3  0x00007fd773fce1e3 in Emit (pnode=0x7fcf71b933c0, byteCodeGenerator=0x7ffe2b8049c0, funcInfo=0x7fcf71b94070, fReturnValue=0, 
    isConstructorCall=false, isTopLevel=false)
    at /home/chakracore/lib/Runtime/ByteCode/ByteCodeEmitter.cpp:11347
#4  0x00007fd773fefc9e in EmitBinaryOpnds (pnode1=0x7fcf71b933c0, pnode2=0x7fcf71b933e0, byteCodeGenerator=0x7ffe2b8049c0, 
    funcInfo=0x7fcf71b94070, computedPropertyLocation=4294967295)
    at /home/chakracore/lib/Runtime/ByteCode/ByteCodeEmitter.cpp:10098
#5  0x00007fd773ff432d in EmitBinary (opcode=Js::OpCode::Add_A, pnode=0x7fcf71b93400, byteCodeGenerator=0x7ffe2b8049c0, 
    funcInfo=0x7fcf71b94070) at /home/chakracore/lib/Runtime/ByteCode/ByteCodeEmitter.cpp:10198
#6  0x00007fd773ff5551 in EmitAdd (pnode=0x7fcf71b93400, byteCodeGenerator=0x7ffe2b8049c0, funcInfo=0x7fcf71b94070)
    at /home/chakracore/lib/Runtime/ByteCode/ByteCodeEmitter.cpp:10417
#7  0x00007fd773fce802 in Emit (pnode=0x7fcf71b93400, byteCodeGenerator=0x7ffe2b8049c0, funcInfo=0x7fcf71b94070, fReturnValue=0, 
    isConstructorCall=false, isTopLevel=false)
    at /home/chakracore/lib/Runtime/ByteCode/ByteCodeEmitter.cpp:11437
#8  0x00007fd773fd06bd in Emit (pnode=0x7fcf71b932a0, byteCodeGenerator=0x7ffe2b8049c0, funcInfo=0x7fcf71b94070, fReturnValue=0, 
    isConstructorCall=false, isTopLevel=true)
    at /home/chakracore/lib/Runtime/ByteCode/ByteCodeEmitter.cpp:11922
#9  0x00007fd773fcd59f in ByteCodeGenerator::EmitTopLevelStatement (this=0x7ffe2b8049c0, stmt=0x7fcf71b932a0, 
    funcInfo=0x7fcf71b94070, fReturnValue=0) at /home/chakracore/lib/Runtime/ByteCode/ByteCodeEmitter.cpp:984
#10 0x00007fd773fdbf4e in ByteCodeGenerator::EmitGlobalBody (this=0x7ffe2b8049c0, funcInfo=0x7fcf71b94070)
    at /home/chakracore/lib/Runtime/ByteCode/ByteCodeEmitter.cpp:2513
#11 0x00007fd773fdecf1 in ByteCodeGenerator::EmitOneFunction (this=0x7ffe2b8049c0, pnodeFnc=0x7fcf71b93030)
    at /home/chakracore/lib/Runtime/ByteCode/ByteCodeEmitter.cpp:3119
#12 0x00007fd773fdc801 in ByteCodeGenerator::EmitScopeList (this=0x7ffe2b8049c0, pnode=0x7fcf71b93030, breakOnBodyScopeNode=0x0)
    at /home/chakracore/lib/Runtime/ByteCode/ByteCodeEmitter.cpp:3436
#13 0x00007fd773fdc5ce in ByteCodeGenerator::EmitProgram (this=0x7ffe2b8049c0, pnodeProg=0x7fcf71b93030)
    at /home/chakracore/lib/Runtime/ByteCode/ByteCodeEmitter.cpp:2591
#14 0x00007fd77401752b in ByteCodeGenerator::Generate (pnodeProg=0x7fcf71b93030, grfscr=4112, byteCodeGenerator=0x7ffe2b8049c0, 
    ppRootFunc=0x7ffe2b804c48, sourceIndex=0, forceNoNative=false, parser=0x7ffe2b804e20, functionRef=0x0)
    at /home/chakracore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:2105
#15 0x00007fd77401ac9a in GenerateByteCode (pnode=0x7fcf71b93030, grfscr=4112, scriptContext=0x5614e3114778, 
    ppRootFunc=0x7ffe2b804c48, sourceIndex=0, forceNoNative=false, parser=0x7ffe2b804e20, pse=0x7ffe2b805d60, parentScopeInfo=0x0, 
    functionRef=0x0) at /home/chakracore/lib/Runtime/ByteCode/ByteCodeGenerator.cpp:2282
#16 0x00007fd773ee8b95 in Js::ScriptContext::GenerateRootFunction (this=0x5614e3114778, parseTree=0x7fcf71b93030, sourceIndex=0, 
    parser=0x7ffe2b804e20, grfscr=4112, pse=0x7ffe2b805d60, rootDisplayName=0x7fd774e20270 <Js::Constants::GlobalCode> u"Global code")
    at /home/chakracore/lib/Runtime/Base/ScriptContext.cpp:2626
#17 0x00007fd773ee88ac in Js::ScriptContext::LoadScriptInternal (this=0x5614e3114778, parser=0x7ffe2b804e20, 
    script=0x5614e30e23a0 "a = \"./mymodule.js\"\nconst p = --import(a) + 1;\n", cb=47, pSrcInfo=0x7ffe2b805a38, pse=0x7ffe2b805d60, 
    ppSourceInfo=0x7ffe2b805a30, rootDisplayName=0x7fd774e20270 <Js::Constants::GlobalCode> u"Global code", 
    loadScriptFlag=(LoadScriptFlag_Utf8Source | LoadScriptFlag_ExternalArrayBuffer), scriptSource=0x7fcf71be4000)
    at /home/chakracore/lib/Runtime/Base/ScriptContext.cpp:2560
#18 0x00007fd773ee8ece in Js::ScriptContext::LoadScript (this=0x5614e3114778, 
    script=0x5614e30e23a0 "a = \"./mymodule.js\"\nconst p = --import(a) + 1;\n", cb=47, pSrcInfo=0x7ffe2b805a38, pse=0x7ffe2b805d60, 
    ppSourceInfo=0x7ffe2b805a30, rootDisplayName=0x7fd774e20270 <Js::Constants::GlobalCode> u"Global code", 
    loadScriptFlag=(LoadScriptFlag_Utf8Source | LoadScriptFlag_ExternalArrayBuffer), scriptSource=0x7fcf71be4000)
    at /home/chakracore/lib/Runtime/Base/ScriptContext.cpp:2602
#19 0x00007fd77382c082 in RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_84::operator()(Js::ScriptContext*, TTD::TTDJsRTActionResultAutoRecorder&) const (
    this=0x7ffe2b805c50, scriptContext=0x5614e3114778, _actionEntryPopper=...)
    at /home/chakracore/lib/Jsrt/Jsrt.cpp:3612
#20 0x00007fd77382bd24 in ContextAPINoScriptWrapper<RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_84>(RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_84, bool, bool)::{lambda(Js::ScriptContext*)#1}::operator()(Js::ScriptContext*) const (this=0x7ffe2b805bd8, scriptContext=0x5614e3114778)
    at /home/chakracore/lib/Jsrt/JsrtInternal.h:316
#21 0x00007fd77382b661 in ContextAPINoScriptWrapper_Core<ContextAPINoScriptWrapper<RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_84>(RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_84, bool, bool)::{lambda(Js::ScriptContext*)#1}>(ContextAPINoScriptWrapper<RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_84>(RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_84, bool, bool)::{lambda(Js::ScriptContext*)#1}, bool, bool) (fn=..., allowInObjectBeforeCollectCallback=false, scriptExceptionAllowed=false)
    at /home/chakracore/lib/Jsrt/JsrtInternal.h:277
#22 0x00007fd7737f8ca6 in ContextAPINoScriptWrapper<RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_84>(RunScriptCore(void*, unsigned char const*, unsigned long, LoadScriptFlag, unsigned long, char16_t const*, bool, _JsParseScriptAttributes, bool, void**)::$_84, bool, bool) (fn=..., 
    allowInObjectBeforeCollectCallback=false, scriptExceptionAllowed=false)
    at /home/chakracore/lib/Jsrt/JsrtInternal.h:314
#23 0x00007fd7737f8b3f in RunScriptCore (scriptSource=0x7fcf71be4000, 
    script=0x5614e30e23a0 "a = \"./mymodule.js\"\nconst p = --import(a) + 1;\n", cb=47, 
    loadScriptFlag=(LoadScriptFlag_Utf8Source | LoadScriptFlag_ExternalArrayBuffer), sourceContext=0, 
    sourceUrl=0x7fcf73483180 u"/home/test.js", parseOnly=false, parseAttributes=JsParseScriptAttributeNone, isSourceModule=false, 
    result=0x0) at /home/chakracore/lib/Jsrt/Jsrt.cpp:3556
#24 0x00007fd7737fb36e in CompileRun (scriptVal=0x7fcf71be4000, sourceContext=0, sourceUrl=0x7fcf72c21cf0, 
    parseAttributes=JsParseScriptAttributeNone, result=0x0, parseOnly=false)
    at /home/chakracore/lib/Jsrt/Jsrt.cpp:5020
#25 JsRun (scriptVal=0x7fcf71be4000, sourceContext=0, sourceUrl=0x7fcf72c21cf0, parseAttributes=JsParseScriptAttributeNone, 
    result=0x0) at /home/chakracore/lib/Jsrt/Jsrt.cpp:5042
#26 0x00005614e0d6a24e in ChakraRTInterface::JsRun (script=0x7fcf71be4000, sourceContext=0, sourceUrl=0x7fcf72c21cf0, 
    parseAttributes=JsParseScriptAttributeNone, result=0x0) at /home/chakracore/bin/ch/ChakraRtInterface.h:487
#27 0x00005614e0d67834 in RunScript (fileName=0x5614e30e1310 "test.js", 
    fileContents=0x5614e30e23a0 "a = \"./mymodule.js\"\nconst p = --import(a) + 1;\n", fileLength=47, fileContentsFinalizeCallback=
    0x5614e0d74bf0 <WScriptJsrt::FinalizeFree(void*)>, bufferValue=0x0, fullPath=0x7ffe2b806280 "/home/test.js", parserStateCache=0x0)
    at /home/chakracore/bin/ch/ch.cpp:451
#28 0x00005614e0d69300 in ExecuteTest (fileName=0x5614e30e1310 "test.js")
    at /home/chakracore/bin/ch/ch.cpp:917
#29 0x00005614e0d693bc in ExecuteTestWithMemoryCheck (fileName=0x5614e30e1310 "test.js")
    at /home/chakracore/bin/ch/ch.cpp:967
#30 0x00005614e0d69c87 in main (argc=2, c_argv=0x7ffe2b8066c8) at /home/chakracore/bin/ch/ch.cpp:1275

Additional Context

Expected behavior: a ReferenceError indicating that the left-hand side is invalid.

Actual behavior: engine aborts with SIGILL during bytecode generation.
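Added example (not from the report or from the ChakraCore project): a parse-only probe, runnable in any JavaScript engine, that shows what a conforming engine should do with the reproducer and with a few other prefix-decrement targets. It relies on `new Function` parsing but never executing the body, so the dynamic `import()` in the proof of concept is never attempted and no module is loaded. ES2015 specified an invalid update target as an early ReferenceError and later editions changed it to an early SyntaxError, so the probe accepts either as a correct parse-time rejection. The case list and the helper names (`POC`, `probe`, `checkAll`) are the example's own, not ChakraCore's.

```javascript
// Added example, not code from the bug report. Parse-only probe for prefix
// update targets: a conforming engine must reject an invalid target at parse
// time, never reach bytecode generation, and never execute the operand.
// Assumption: run under a spec-conforming engine such as Node (V8); the
// `expect` column follows the ECMAScript early-error rules, not ChakraCore.

// The report's proof of concept, verbatim.
const POC = 'a = "./mymodule.js"\nconst p = --import(a) + 1;';

// Constructed inputs: valid simple assignment targets alongside invalid ones.
const CASES = [
  { src: POC,         expect: 'rejected' }, // import() result is not a reference
  { src: '--a',       expect: 'ok' },       // identifier: valid simple target
  { src: '--a.b',     expect: 'ok' },       // member expression: valid
  { src: '--a[0]',    expect: 'ok' },       // computed member: valid
  { src: '--(a)',     expect: 'ok' },       // parentheses around a simple target
  { src: '--1',       expect: 'rejected' }, // literal: not a reference
  { src: '--(a + b)', expect: 'rejected' }, // arbitrary expression: not a reference
  { src: '--a++',     expect: 'rejected' }, // postfix result: not a reference
];

// Parse `src` as a function body and report what the engine did.
function probe(src) {
  try {
    new Function(src);          // parse only; the body is never invoked
    return 'ok';
  } catch (e) {
    // ES2015: early ReferenceError; current editions: early SyntaxError.
    // Either is a correct parse-time rejection.
    return e instanceof SyntaxError || e instanceof ReferenceError
      ? 'rejected'
      : 'unexpected:' + e.name;
  }
}

// Run every case and return the mismatches. An empty array means the engine
// handled each target at parse time, which is what this report expects
// instead of the assertion in FuncInfo::ReleaseTmpRegister.
function checkAll(cases = CASES) {
  return cases
    .map(c => ({ ...c, got: probe(c.src) }))
    .filter(r => r.got !== r.expect);
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' &&
    require.main === module) {
  const bad = checkAll();
  console.log(bad.length === 0 ? 'all cases behave as expected' : bad);
}
```

Because the crash happens during bytecode generation, a ch build that still has the bug will assert on the first case before printing anything, which makes this file a usable regression check once a fix lands: a fixed build should print "all cases behave as expected" with nothing executed.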
