chakra-core / ChakraCore

ChakraCore is an open source Javascript engine with a C API.
MIT License

ASSERTION Failure: (instr->m_func->GetJITFunctionBody()->IsCoroutine() || !instr->dstIsTempObject) #6959

Open anbu1024 opened 7 months ago

anbu1024 commented 7 months ago

ChakraCore version: commit c3ead3f

Build cmd:

```sh
./build.sh --debug --static
```

Test case:

```js
function opt() {
    let v1 = 1000000000.0;
    const v2 = [];
    let v3 = 0;

    while (v3 < 1) {
        let v5 = {};
        v1 = v2;
        // Destructuring assignment with a rest element: v3 receives v5.__proto__,
        // v1 receives v5.valueOf, and v5 is reassigned to the fresh rest object.
        ({"__proto__":v3,"e":v5,"valueOf":v1,...v5} = v5);
    }

    const v8 = new Uint16Array(65489);
    v1[6] = 65489;
    v8[255] = 1;
}

// Call repeatedly so that opt() gets JIT-compiled.
for (let i = 0; i < 1024; i++) {
    opt();
}
```

Execute

```sh
./ch ./test.js
```

Error msg:

```
ASSERTION 2773824: (ChakraCore/lib/Backend/TempTracker.cpp, line 1437) instr->m_func->GetJITFunctionBody()->IsCoroutine() || !instr->dstIsTempObject
 Failure: (instr->m_func->GetJITFunctionBody()->IsCoroutine() || !instr->dstIsTempObject)
Illegal instruction
```
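As an added example (not code from the issue or from the ChakraCore project), the following plain-JavaScript walkthrough replays the destructuring assignment from the test case and reports what each variable holds afterwards; it runs in any engine and does not trigger the assertion. The function names `destructureOnce` and `describeBindings` are mine.

```javascript
// Added example, not part of the issue: replays the destructuring assignment
// from the reporter's test case and records what each binding ends up holding
// after one loop iteration. Purely a semantics illustration.
function destructureOnce() {
  let v1 = 1000000000.0;
  const v2 = [];
  let v3 = 0;
  let v5 = {};
  const source = v5;          // the right-hand side object is evaluated once
  v1 = v2;
  ({"__proto__": v3, "e": v5, "valueOf": v1, ...v5} = v5);
  return { v1, v3, v5, source };
}

function describeBindings() {
  const { v1, v3, v5, source } = destructureOnce();
  return {
    // "__proto__" on a plain object resolves through the inherited accessor
    v3IsObjectPrototype: v3 === Object.prototype,
    // "valueOf" is still read from the original source object, even though
    // the variable v5 was already overwritten by the preceding "e" target
    v1IsBuiltinValueOf: v1 === Object.prototype.valueOf,
    // the rest element copies the remaining own enumerable properties
    // (none here) into a freshly allocated object
    v5IsFreshEmptyObject: v5 !== source && Object.keys(v5).length === 0,
    // Object.prototype < 1 coerces to NaN, so the reporter's while loop
    // runs exactly one iteration
    loopWouldContinue: v3 < 1,
    // the later "v1[6] = 65489" in the test case therefore targets a shared
    // built-in function object rather than the array v2
    writeTargetIsFunction: typeof v1 === "function",
  };
}
```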