assertion failure in Js::SimpleTypeHandler<3ul>::DeleteProperty

[zhunki]

the following poc will cause a assertion failure in "debug" build on ubuntu.

 function opt() {
        const v3 = delete opt.length;
        for (const v4 in opt) {
        }
    }
opt();
opt();

0 0x00005555565cd77c in Js::SimpleTypeHandler<3ul>::DeleteProperty (this=0x7ff7f43f6780,

instance=0x7ff7f43f6730, propertyId=209, propertyOperationFlags=Js::PropertyOperation_None)
at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Types/SimpleTypeHandler.cpp:664

1 0x00005555564da2f3 in Js::DynamicObject::DeleteProperty (this=0x7ff7f43f6730, propertyId=209,

flags=Js::PropertyOperation_None)
at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Types/DynamicType.cpp:336

2 0x00005555561d7c5e in Js::JavascriptFunction::DeleteProperty (this=0x7ff7f43f6730,

propertyId=209, flags=Js::PropertyOperation_None)
at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Library/JavascriptFunction.cpp:3055

3 0x0000555556053098 in Js::JavascriptOperators::DeleteProperty_Impl (instance=

0x7ff7f43f6730, propertyId=209, propertyOperationFlags=Js::PropertyOperation_None)
at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Language/JavascriptOperators.cpp:3130

4 0x00005555560323b1 in Js::JavascriptOperators::DeleteProperty (instance=0x7ff7f43f6730,

propertyId=209, propertyOperationFlags=Js::PropertyOperation_None)
at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Language/JavascriptOperators.cpp:3074

5 0x0000555556032571 in Js::JavascriptOperators::OP_DeleteProperty (instance=0x7ff7f43f6730,

propertyId=209, scriptContext=0x555557ef0c68, propertyOperationFlags=Js::PropertyOperation_None)
at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Language/JavascriptOperators.cpp:3149

6 0x0000555555fb9421 in Js::InterpreterStackFrame::OP_DeleteFld<Js::OpLayoutT_ElementC<Js::LayoutSizePolicy<(Js::LayoutSize)0> > __unaligned>(Js::OpLayoutT_ElementC<Js::LayoutSizePolicy<(Js::LayoutSize)0> > unaligned const unaligned*) (this=0x7fffffffae30, playout=0x7ff7f4c540cb)

at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Language/InterpreterStackFrame.cpp:7674

7 0x0000555555eb2b3d in Js::InterpreterStackFrame::ProcessProfiled (this=0x7fffffffae30)

at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Language/InterpreterHandler.inl:191

8 0x0000555555e53ee2 in Js::InterpreterStackFrame::Process (this=0x7fffffffae30)

at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Language/InterpreterStackFrame.cpp:3472

9 0x0000555555e52ba3 in Js::InterpreterStackFrame::InterpreterHelper (function=0x7ff7f43f6730,

args=..., returnAddress=0x7ff7f4350f9a, addressOfReturnAddress=0x7fffffffb3c8, asmJsReturn=0x0)
at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Language/InterpreterStackFrame.cpp:2153

10 0x0000555555e51c80 in Js::InterpreterStackFrame::InterpreterThunk (layout=0x7fffffffb3e0)

at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Language/InterpreterStackFrame.cpp:1833

11 0x00007ff7f4350f9a in ?? ()

12 0x00007fffffffb400 in ?? ()

13 0x00005555564a755e in amd64_CallFunction ()

at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Library/amd64/JavascriptFunctionA.S:100

Backtrace stopped: frame did not save the PC

[ppenzin]

Deleting second call to opt() makes the failure go away.