[Bug]: Illegal instruction during debugger attach for generator #7055

@bendrissou

Description

ChakraCore Version

622c745

Steps to reproduce

Build ChakraCore with the default configuration:

./build.sh -d

Run ChakraCore with the provided input:

./out/Debug/ch test.js

Proof of concept

function empty() { }
WScript.Attach(empty)

function * basicGenerator(a, b) {
    print("Beginning test of " + arguments.callee.name);
}

Exception or Error

ASSERTION 2767936: (/home/chakracore/lib/Runtime/Debug/DebugContext.cpp, line 359) pFuncBody->GetYieldRegister() == oldYieldRegister
 Failure: (pFuncBody->GetYieldRegister() == oldYieldRegister)
Illegal instruction (core dumped)

(gdb) run
Starting program: /home/chakracore/out/Debug/ch test.js
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7f8078f1f700 (LWP 2767966)]
[New Thread 0x7f8073fff700 (LWP 2767967)]
[New Thread 0x7f80737fe700 (LWP 2767968)]
ASSERTION 2767962: (/home/chakracore/lib/Runtime/Debug/DebugContext.cpp, line 359) pFuncBody->GetYieldRegister() == oldYieldRegister
 Failure: (pFuncBody->GetYieldRegister() == oldYieldRegister)

Thread 1 "ch" received signal SIGILL, Illegal instruction.
0x00007f8879bd4aaa in Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}::operator()(Js::FunctionBody*) const (this=0x7fff038b8570, pFuncBody=0x7f80786c73e0)
    at /home/chakracore/lib/Runtime/Debug/DebugContext.cpp:359
359                               AssertOrFailFast(pFuncBody->GetYieldRegister() == oldYieldRegister);
(gdb) bt
#0  0x00007f8879bd4aaa in Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}::operator()(Js::FunctionBody*) const (this=0x7fff038b8570, pFuncBody=0x7f80786c73e0)
    at /home/chakracore/lib/Runtime/Debug/DebugContext.cpp:359
#1  0x00007f8879bd49c0 in Js::Utf8SourceInfo::MapFunction<Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}>(Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}) const::{lambda(unsigned int, Js::FunctionBody*)#1}::operator()(unsigned int, Js::FunctionBody*) const (this=0x7fff038b8570, functionBody=0x7f80786c73e0)
    at /home/chakracore/lib/Runtime/./Base/Utf8SourceInfo.h:164
#2  0x00007f8879bd490a in JsUtil::BaseDictionary<unsigned int, Js::FunctionBody*, Memory::RecyclerLeafAllocator, DictionarySizePolicy<PowerOf2Policy, 2u, 2u, 1u, 4u>, DefaultComparer, JsUtil::SimpleDictionaryEntry, JsUtil::NoResizeLock>::Map<Js::Utf8SourceInfo::MapFunction<Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}>(Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}) const::{lambda(unsigned int, Js::FunctionBody*)#1}>(Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}) const::{lambda(unsigned int const&, Js::FunctionBody* const&)#1}::operator()(Js::Utf8SourceInfo::MapFunction<Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}>(Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}) const::{lambda(unsigned int, Js::FunctionBody*)#1}, unsigned int const&) const (
    this=0x7fff038b8570, key=@0x7f8078f5405c: 2, value=@0x7f8078f54050: 0x7f80786c73e0)
    at /home/chakracore/lib/Common/DataStructures/BaseDictionary.h:580
#3  0x00007f8879bd48cc in JsUtil::BaseDictionary<unsigned int, Js::FunctionBody*, Memory::RecyclerLeafAllocator, DictionarySizePolicy<PowerOf2Policy, 2u, 2u, 1u, 4u>, DefaultComparer, JsUtil::SimpleDictionaryEntry, JsUtil::NoResizeLock>::MapUntil<JsUtil::BaseDictionary<unsigned int, Js::FunctionBody*, Memory::RecyclerLeafAllocator, DictionarySizePolicy<PowerOf2Policy, 2u, 2u, 1u, 4u>, DefaultComparer, JsUtil::SimpleDictionaryEntry, JsUtil::NoResizeLock>::Map<Js::Utf8SourceInfo::MapFunction<Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}>(Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}) const::{lambda(unsigned int, Js::FunctionBody*)#1}>(Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}) const::{lambda(unsigned int const&, Js::FunctionBody* const&)#1}>(Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}) const::{lambda(JsUtil::SimpleDictionaryEntry<unsigned int, Memory::WriteBarrierPtr<Js::FunctionBody> > const&)#1}::operator()(Memory::WriteBarrierPtr<Js::FunctionBody>) const (
    this=0x7fff038b8570, entry=...) at /home/chakracore/lib/Common/DataStructures/BaseDictionary.h:590
#4  0x00007f8879bd4824 in JsUtil::BaseDictionary<unsigned int, Js::FunctionBody*, Memory::RecyclerLeafAllocator, DictionarySizePolicy<PowerOf2Policy, 2u, 2u, 1u, 4u>, DefaultComparer, JsUtil::SimpleDictionaryEntry, JsUtil::NoResizeLock>::MapEntryUntil<JsUtil::BaseDictionary<unsigned int, Js::FunctionBody*, Memory::RecyclerLeafAllocator, DictionarySizePolicy<PowerOf2Policy, 2u, 2u, 1u, 4u>, DefaultComparer, JsUtil::SimpleDictionaryEntry, JsUtil::NoResizeLock>::MapUntil<JsUtil::BaseDictionary<unsigned int, Js::FunctionBody*, Memory::RecyclerLeafAllocator, DictionarySizePolicy<PowerOf2Policy, 2u, 2u, 1u, 4u>, DefaultComparer, JsUtil::SimpleDictionaryEntry, JsUtil::NoResizeLock>::Map<Js::Utf8SourceInfo::MapFunction<Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}>(Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}) const::{lambda(unsigned int, Js::FunctionBody*)#1}>(Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}) const::{lambda(unsigned int const&, Js::FunctionBody* const&)#1}>(Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}) const::{lambda(JsUtil::SimpleDictionaryEntry<unsigned int, Memory::WriteBarrierPtr<Js::FunctionBody> > const&)#1}>(Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}) const (this=0x7f80786c2340, fn=...)
    at /home/chakracore/lib/Common/DataStructures/BaseDictionary.h:756
#5  0x00007f8879bd4755 in JsUtil::BaseDictionary<unsigned int, Js::FunctionBody*, Memory::RecyclerLeafAllocator, DictionarySizePolicy<PowerOf2Policy, 2u, 2u, 1u, 4u>, DefaultComparer, JsUtil::SimpleDictionaryEntry, JsUtil::NoResizeLock>::MapUntil<JsUtil::BaseDictionary<unsigned int, Js::FunctionBody*, Memory::RecyclerLeafAllocator, DictionarySizePolicy<PowerOf2Policy, 2u, 2u, 1u, 4u>, DefaultComparer, JsUtil::SimpleDictionaryEntry, JsUtil::NoResizeLock>::Map<Js::Utf8SourceInfo::MapFunction<Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}>(Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}) const::{lambda(unsigned int, Js::FunctionBody*)#1}>(Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}) const::{lambda(unsigned int const&, Js::FunctionBody* const&)#1}>(Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}) const (this=0x7f80786c2340, fn=...)
    at /home/chakracore/lib/Common/DataStructures/BaseDictionary.h:588
#6  0x00007f8879bd4725 in JsUtil::BaseDictionary<unsigned int, Js::FunctionBody*, Memory::RecyclerLeafAllocator, DictionarySizePolicy<PowerOf2Policy, 2u, 2u, 1u, 4u>, DefaultComparer, JsUtil::SimpleDictionaryEntry, JsUtil::NoResizeLock>::Map<Js::Utf8SourceInfo::MapFunction<Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}>(Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}) const::{lambda(unsigned int, Js::FunctionBody*)#1}>(Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}) const (this=0x7f80786c2340, fn=...)
    at /home/chakracore/lib/Common/DataStructures/BaseDictionary.h:578
#7  0x00007f8879bd46f6 in JsUtil::SynchronizedDictionary<unsigned int, Js::FunctionBody*, Memory::RecyclerLeafAllocator, DictionarySizePolicy<PowerOf2Policy, 2u, 2u, 1u, 4u>, DefaultComparer, JsUtil::SimpleDictionaryEntry, Js::DefaultContainerLockPolicy, CriticalSection>::Map<Js::Utf8SourceInfo::MapFunction<Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}>(Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}) const::{lambda(unsigned int, Js::FunctionBody*)#1}>(Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}) const (this=0x7f80786c2340, fn=...)
    at /home/chakracore/lib/Common/DataStructures/BaseDictionary.h:1841
#8  0x00007f8879bd3daa in Js::Utf8SourceInfo::MapFunction<Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}>(Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}) const (this=0x7f80786c6000, mapper=...)
    at /home/chakracore/lib/Runtime/./Base/Utf8SourceInfo.h:162
#9  0x00007f8879bd3c66 in Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const (
    this=0x7fff038b88d0, index=0, sourceInfo=0x7f80786c6000)
    at /home/chakracore/lib/Runtime/Debug/DebugContext.cpp:352
#10 0x00007f8879bd306f in JsUtil::List<Js::Utf8SourceInfo*, Memory::Recycler, false, Js::CopyRemovePolicy, RecyclerPointerComparer>::MapUntilFrom<Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1>(int, Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1) const (this=0x7f80785e39f0, start=0, map=...) at /home/chakracore/lib/Common/DataStructures/List.h:531
#11 0x00007f8879bd2a59 in JsUtil::List<Js::Utf8SourceInfo*, Memory::Recycler, false, Js::CopyRemovePolicy, RecyclerPointerComparer>::MapUntil<Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1>(Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1) const
    (this=0x7f80785e39f0, map=...) at /home/chakracore/lib/Common/DataStructures/List.h:521
#12 0x00007f8879bd287a in Js::DebugContext::RundownSourcesAndReparse (this=0x55e3d2a41ed8, shouldPerformSourceRundown=true, 
    shouldReparseFunctions=true) at /home/chakracore/lib/Runtime/Debug/DebugContext.cpp:224
#13 0x00007f88799b2ee5 in Js::ScriptContext::OnDebuggerAttached (this=0x55e3d2a40788)
    at /home/chakracore/lib/Runtime/Base/ScriptContext.cpp:3659
#14 0x00007f887934b864 in JsDiagStartDebugging::$_0::operator() (this=0x7fff038b8f10)
    at /home/chakracore/lib/Jsrt/JsrtDiag.cpp:96
#15 0x00007f887934b3e8 in GlobalAPIWrapper_NoRecord<JsDiagStartDebugging::$_0>(JsDiagStartDebugging::$_0)::{lambda()#1}::operator()() const (this=0x7fff038b8ed8) at /home/chakracore/lib/Jsrt/JsrtInternal.h:167
#16 0x00007f887934aff2 in GlobalAPIWrapper_Core<GlobalAPIWrapper_NoRecord<JsDiagStartDebugging::$_0>(JsDiagStartDebugging::$_0)::{lambda()#1}>(GlobalAPIWrapper_NoRecord<JsDiagStartDebugging::$_0>(JsDiagStartDebugging::$_0)::{lambda()#1}) (fn=...)
    at /home/chakracore/lib/Jsrt/JsrtInternal.h:127
#17 0x00007f887934a809 in GlobalAPIWrapper_NoRecord<JsDiagStartDebugging::$_0> (fn=...)
    at /home/chakracore/lib/Jsrt/JsrtInternal.h:165
#18 0x00007f887934a7de in JsDiagStartDebugging (runtimeHandle=0x55e3d2a0da58, 
    debugEventCallback=0x55e3ca759670 <Debugger::DebugEventHandler(_JsDiagDebugEvent, void*, void*)>, callbackState=0x55e3d2a4fe10)
    at /home/chakracore/lib/Jsrt/JsrtDiag.cpp:54
#19 0x000055e3ca75cf20 in ChakraRTInterface::JsDiagStartDebugging (runtimeHandle=0x55e3d2a0da58, 
    debugEventCallback=0x55e3ca759670 <Debugger::DebugEventHandler(_JsDiagDebugEvent, void*, void*)>, callbackState=0x55e3d2a4fe10)
    at /home/chakracore/bin/ch/ChakraRtInterface.h:444
#20 0x000055e3ca75be3e in Debugger::StartDebugging (this=0x55e3d2a4fe10, runtime=0x55e3d2a0da58)
    at /home/chakracore/bin/ch/Debugger.cpp:404
#21 0x000055e3ca7698b6 in WScriptJsrt::AttachCallback(void*, bool, void**, unsigned short, void*)::$_1::operator()(WScriptJsrt::CallbackMessage&) const (this=0x55e3d2a4fdc8, msg=warning: RTTI symbol not found for class 'CustomMessage<WScriptJsrt::AttachCallback(void*, bool, void**, unsigned short, void*)::$_1, WScriptJsrt::CallbackMessage>'
...) at /home/chakracore/bin/ch/WScriptJsrt.cpp:963
#22 0x000055e3ca769859 in CustomMessage<WScriptJsrt::AttachCallback(void*, bool, void**, unsigned short, void*)::$_1, WScriptJsrt::CallbackMessage>::Call(char const*) (this=0x55e3d2a4fdb0, fileName=0x55e3d2a0d310 "test.js")
    at /home/chakracore/bin/ch/MessageQueue.h:281
#23 0x000055e3ca7572ce in MessageQueue::ProcessAll (this=0x55e3d2a4eb60, fileName=0x55e3d2a0d310 "test.js")
    at /home/chakracore/bin/ch/MessageQueue.h:256
#24 0x000055e3ca7548ac in RunScript (fileName=0x55e3d2a0d310 "test.js", 
    fileContents=0x55e3d2a0e3a0 "function empty() { }\nWScript.Attach(empty)\n\nfunction * basicGenerator(a, b) {\n    print(\"Beginning test of \" + arguments.callee.name);\n}\n", fileLength=137, 
    fileContentsFinalizeCallback=0x55e3ca761bf0 <WScriptJsrt::FinalizeFree(void*)>, bufferValue=0x0, 
    fullPath=0x7fff038b93b0 "/home/test.js", parserStateCache=0x0) at /home/chakracore/bin/ch/ch.cpp:480
#25 0x000055e3ca756300 in ExecuteTest (fileName=0x55e3d2a0d310 "test.js")
    at /home/chakracore/bin/ch/ch.cpp:917
#26 0x000055e3ca7563bc in ExecuteTestWithMemoryCheck (fileName=0x55e3d2a0d310 "test.js")
    at /home/chakracore/bin/ch/ch.cpp:967
#27 0x000055e3ca756c87 in main (argc=2, c_argv=0x7fff038b97f8) at /home/chakracore/bin/ch/ch.cpp:1275

Additional Context

Calling WScript.Attach in a script that defines a generator function using arguments.callee triggers a crash in ChakraCore. The crash occurs during the debugger attachment process.
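An added triage helper, not part of this report or of ChakraCore: it parses the AssertOrFailFast message and gdb backtrace format shown above into a deduplication signature and checks that frame #0 sits on the asserting line, which is what separates this deliberate fail-fast from a memory fault that merely followed an assertion message. The embedded sample is constructed from three of the frames above; the function and regex names are the example's own.

```python
import re

# Constructed sample: the assertion line and three of the gdb frames quoted in the
# report above; the long template frames between them are omitted for readability.
SAMPLE = """\
ASSERTION 2767962: (/home/chakracore/lib/Runtime/Debug/DebugContext.cpp, line 359) pFuncBody->GetYieldRegister() == oldYieldRegister
#0  0x00007f8879bd4aaa in Js::DebugContext::RundownSourcesAndReparse(bool, bool)::$_1::operator()(int, Js::Utf8SourceInfo*) const::{lambda(Js::FunctionBody*)#3}::operator()(Js::FunctionBody*) const (this=0x7fff038b8570, pFuncBody=0x7f80786c73e0)
    at /home/chakracore/lib/Runtime/Debug/DebugContext.cpp:359
#13 0x00007f88799b2ee5 in Js::ScriptContext::OnDebuggerAttached (this=0x55e3d2a40788)
    at /home/chakracore/lib/Runtime/Base/ScriptContext.cpp:3659
#18 0x00007f887934a7de in JsDiagStartDebugging (runtimeHandle=0x55e3d2a0da58,
    debugEventCallback=0x55e3ca759670 <Debugger::DebugEventHandler(_JsDiagDebugEvent, void*, void*)>, callbackState=0x55e3d2a4fe10)
    at /home/chakracore/lib/Jsrt/JsrtDiag.cpp:54
"""

ASSERT_RE = re.compile(r"^ASSERTION \d+: \((?P<file>[^,]+), line (?P<line>\d+)\) (?P<expr>.+)$", re.M)
FRAME_RE = re.compile(r"^#(?P<n>\d+)\s+0x[0-9a-f]+ in (?P<rest>.*)$")
AT_RE = re.compile(r" at (?P<file>\S+):(?P<line>\d+)\s*$")

def parse_assertion(text):
    """Return {file, line, expr} from a ChakraCore 'ASSERTION pid: (file, line N) expr' line."""
    m = ASSERT_RE.search(text)
    return {"file": m["file"], "line": int(m["line"]), "expr": m["expr"].strip()} if m else None

def parse_frames(text):
    """Group a gdb 'bt' dump into frames; indented continuation lines join their '#n' line."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append({"n": int(m["n"]), "text": m["rest"]})
        elif frames and line.startswith(" "):
            frames[-1]["text"] += " " + line.strip()
    for f in frames:
        # Text before the first '(' is the outermost function: drops the lambda/template noise.
        f["symbol"] = f["text"].split("(", 1)[0].strip()
        loc = AT_RE.search(f["text"])
        f["file"], f["line"] = (loc["file"], int(loc["line"])) if loc else (None, None)
    return frames

def crash_signature(text, depth=3):
    """Dedup key for triage: asserted expression plus the first `depth` distinct symbols."""
    expr = (parse_assertion(text) or {}).get("expr")
    symbols = list(dict.fromkeys(f["symbol"] for f in parse_frames(text)))
    return expr, tuple(symbols[:depth])

def assertion_matches_top_frame(text):
    """True when frame #0 is on the asserting line (a deliberate AssertOrFailFast abort)."""
    a, frames = parse_assertion(text), parse_frames(text)
    return bool(a and frames and (frames[0]["file"], frames[0]["line"]) == (a["file"], a["line"]))
```

Running `crash_signature` over a batch of fuzzer crash logs groups every variant of this report under one key regardless of the lambda and template decoration in the frames.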
