chakra-core / ChakraCore

ChakraCore is an open source Javascript engine with a C API.
MIT License

Illegal instruction (core dumped) ASSERTION 1541158: (ChakraCore/lib/Backend/GlobOpt.cpp, line 12838) !isJsArray #6934

Open anbu1024 opened 1 year ago

anbu1024 commented 1 year ago

ChakraCore version: commit c3ead3f8a6e0bb8e32e043adc091c68cba5935e9

Build cmd:

```sh
./build.sh --debug --static
```

Test case:

```js
function foo() {
  let x = new Number(Number,Number,Number);
  const y = [];

  do {
      const z = y.length;
  } while (5 < 5);

  const t = y.length;
  t[4294967295] = t;

  for (let i = -9223372036854775807; i >= y; i = i ** x) {
      ;
  }
}

for(let i=0;i<0x300;i++){
    foo();
}
```

Error msg:

```text
ASSERTION 1541158: (ChakraCore/lib/Backend/GlobOpt.cpp, line 12838) !isJsArray || DoArrayCheckHoist(valueInfo->Type(), implicitCallsLoop) || ( ignoreKnownImplicitCalls && !(implicitCallsLoop ? ImplicitCallFlagsAllowOpts(implicitCallsLoop) : ImplicitCallFlagsAllowOpts(func)) )
 Failure: (!isJsArray || DoArrayCheckHoist(valueInfo->Type(), implicitCallsLoop) || ( ignoreKnownImplicitCalls && !(implicitCallsLoop ? ImplicitCallFlagsAllowOpts(implicitCallsLoop) : ImplicitCallFlagsAllowOpts(func)) ))
Illegal instruction (core dumped)
```