Open zhunki opened 2 years ago
The following PoC will crash the latest build on Ubuntu.
```js
function opt() {
    let v4 = 9;
    for (let v5 = 0; v5 < v4; v5 = v5 / v4) {
        v4 = v5;
    }
    const v6 = v4--;
}

for (i = 0; i < 1000; i++) {
    opt();
}
```
Can confirm this is happening.
```
#0 0x0000555555e96e6d in BackwardPass::ReverseCopyProp(IR::Instr*) ()
#1 0x0000555555e90fb5 in BackwardPass::ProcessBlock(BasicBlock*) ()
#2 0x0000555555e8d66d in BackwardPass::OptBlock(BasicBlock*) ()
#3 0x0000555555e8cf1e in BackwardPass::Optimize() ()
#4 0x0000555555d485ca in GlobOpt::BackwardPass(Js::Phase) ()
#5 0x0000555555d488a8 in GlobOpt::Optimize() ()
#6 0x0000555555d4155f in Func::TryCodegen() ()
#7 0x0000555555d4125c in Func::Codegen(Memory::JitArenaAllocator, JITTimeWorkItem, ThreadContextInfo, ScriptContextInfo, JITOutputIDL, Js::EntryPointInfo, FunctionJITRuntimeInfo const, JITTimePolymorphicInlineCacheInfo, void, Js::ScriptContextProfiler, bool) ()
#8 0x0000555555cc0e29 in NativeCodeGenerator::CodeGen(Memory::PageAllocatorBase<Memory::VirtualAllocWrapper, Memory::SegmentBase, Memory::PageSegmentBase >, CodeGenWorkItemIDL, JITOutputIDL&, bool, Js::EntryPointInfo*) ()
#9 0x0000555555cc10cd in NativeCodeGenerator::CodeGen(Memory::PageAllocatorBase<Memory::VirtualAllocWrapper, Memory::SegmentBase, Memory::PageSegmentBase >, CodeGenWorkItem, bool) ()
#10 0x0000555555cc1953 in NativeCodeGenerator::Process(JsUtil::Job, JsUtil::ParallelThreadData) ()
#11 0x0000555555cd4a0e in JsUtil::BackgroundJobProcessor::Process(JsUtil::Job, JsUtil::ParallelThreadData) ()
#12 0x0000555555cd4b15 in JsUtil::BackgroundJobProcessor::Run(JsUtil::ParallelThreadData*) ()
#13 0x0000555555cd3a47 in JsUtil::BackgroundJobProcessor::StaticThreadProc(void*) ()
#14 0x000055555571f9fd in CorUnix::CPalThread::ThreadEntry(void*) ()
#15 0x00007ffff7aa2609 in start_thread (arg=) at pthread_create.c:477
#16 0x00007ffff7857293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
```