ASSERTION (!VarIs<RecyclableObject>(instance) ? 1 : ((RecyclableObject*)instance)->GetScriptContext()->GetLibrary() == library) failed in Js::JavascriptOperators::IsUndefinedObject

[renatahodovan]

ChakraCore version:

Checked revision: a247f4f3c
Build command: ./build.sh --debug

OS:

Linux-4.15.0-43-generic-x86_64-with-Ubuntu-18.04-bionic

Test case:

function MyRepl($) {
    $.substring($, WScript.LoadScript(0, "samethread"))
}
var str = String("asdfasdfGg");
WScript(str.replace(/d/g, MyRepl));

Backtrace:

ASSERTION 9928: (ChakraCore/lib/Runtime/Language/JavascriptOperators.cpp, line 10952) !VarIs<RecyclableObject>(instance) ? TRUE : ((RecyclableObject*)instance)->GetScriptContext()->GetLibrary() == library
 Failure: (!VarIs<RecyclableObject>(instance) ? 1 : ((RecyclableObject*)instance)->GetScriptContext()->GetLibrary() == library)

Thread 1 "ch" received signal SIGILL, Illegal instruction.
0x00007ffff35dc30f in Js::JavascriptOperators::IsUndefinedObject (instance=0x7ffff7f04420, library=0x7ffff7f18000)
    at ChakraCore/lib/Runtime/Language/JavascriptOperators.cpp:10952
10952           Assert(!VarIs<RecyclableObject>(instance) ? TRUE : ((RecyclableObject*)instance)->GetScriptContext()->GetLibrary() == library );
(gdb) bt
#0  0x00007ffff35dc30f in Js::JavascriptOperators::IsUndefinedObject (instance=0x7ffff7f04420, library=0x7ffff7f18000)
    at ChakraCore/lib/Runtime/Language/JavascriptOperators.cpp:10952
#1  0x00007ffff35dc950 in Js::JavascriptOperators::IsUndefinedObject (instance=0x7ffff7f04420, scriptContext=0x5555561b2a88)
    at ChakraCore/lib/Runtime/Language/JavascriptOperators.cpp:10947
#2  0x00007ffff39d9185 in Js::JavascriptString::EntrySubstring (function=0x7ffff7eaf440, callInfo=...)
    at ChakraCore/lib/Runtime/Library/JavascriptString.cpp:1949
#3  0x00007ffff3ab445e in amd64_CallFunction ()
    at ChakraCore/lib/Runtime/Library/amd64/JavascriptFunctionA.S:100
#4  0x00007ffff37c06ee in Js::JavascriptFunction::CallFunction<true> (function=0x7ffff7eaf440, 
    entryPoint=0x7ffff39d8e80 <Js::JavascriptString::EntrySubstring(Js::RecyclableObject*, Js::CallInfo, ...)>, args=..., 
    useLargeArgCount=false) at ChakraCore/lib/Runtime/Library/JavascriptFunction.cpp:1342
#5  0x00007ffff3583d4c in Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) (
    this=0x7fffffff81c0, playout=0x7ffff7f4d44c, function=0x7ffff7eaf440, flags=16, spreadIndices=0x0)
    at ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:3858
#6  0x00007ffff35838ae in Js::InterpreterStackFrame::OP_ProfileCallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, unsigned short, unsigned int, Js::AuxArray<unsigned int> const*) (this=0x7fffffff81c0, playout=0x7ffff7f4d44c, function=0x7ffff7eaf440, flags=0, profileId=0, 
    inlineCacheIndex=0, spreadIndices=0x0) at ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:3902
#7  0x00007ffff354be58 in Js::InterpreterStackFrame::OP_ProfiledCallIWithICIndex<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > >(Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > const __unaligned*) (this=0x7fffffff81c0, playout=0x7ffff7f4d44c)
    at ChakraCore/lib/Runtime/./Language/InterpreterStackFrame.h:503
#8  0x00007ffff33fbed6 in Js::InterpreterStackFrame::ProcessProfiled (this=0x7fffffff81c0)
    at ChakraCore/lib/Runtime/Language/InterpreterHandler.inl:87
#9  0x00007ffff338d59d in Js::InterpreterStackFrame::Process (this=0x7fffffff81c0)
    at ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:3357
#10 0x00007ffff338c307 in Js::InterpreterStackFrame::InterpreterHelper (function=0x7ffff7f066e0, args=..., 
    returnAddress=0x7ffff7e60f9a, addressOfReturnAddress=0x7fffffff8728, asmJsReturn=0x0)
    at ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:2051
#11 0x00007ffff338b4d8 in Js::InterpreterStackFrame::InterpreterThunk (layout=0x7fffffff8740)
    at ChakraCore/lib/Runtime/Language/InterpreterStackFrame.cpp:1763
#12 0x00007ffff7e60f9a in ?? ()
#13 0x00007fffffff8770 in ?? ()
#14 0x00007ffff3ab445e in amd64_CallFunction ()
    at ChakraCore/lib/Runtime/Library/amd64/JavascriptFunctionA.S:100

^{Found by Fuzzinator with grammarinator.}

[akroshg]

This

is a wrong and harmless assert.
This will fire for any cross-site object (other than undefined itself). This assert should be removed.

[akroshg]

Assert(!VarIs(instance) ? TRUE : ((RecyclableObject*)instance)->GetScriptContext()->GetLibrary() == library );