chakra-core / ChakraCore

ChakraCore is an open source Javascript engine with a C API.
MIT License

Assertion error: bad type object in conversion ToInteger #6964

Open anbu1024 opened 10 months ago

anbu1024 commented 10 months ago

ChakraCore version: commit c3ead3f

Build cmd:

./build.sh --debug --static

Test case:

function test(){
    async function foo(a1,a2) {

        for (let i = a2; i < a1; i = i ** foo) {
            const x = await i;
        }

        function bar () {
        }

        const u = new Uint8Array(bar);
        const p = new Proxy(u,Reflect);
        const o = Object.seal(p);
    }

    const r = foo();
    return r;
}

for(let i=0; i<1024; i++){
    test();
}

Execute

./ch ./test.js

Error msg:

ASSERTION 2791936: (ChakraCore/lib/Runtime/Language/JavascriptConversion.cpp, line 938) bad type object in conversion ToInteger
 Failure: (JavascriptOperators::IsObject(aValue))
Illegal instruction

rhuanjl commented 5 months ago

This is one of a number of bugs in the jitting of generator functions.

See #6293 #6533 #6662 #6684 #6700 and #6706 for progress on this area - I think currently we are planning to disable it by default before making any released version; it's a shame but I fear its implementation is just too fragile.
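For readers reducing or triaging this class of report, the following is an added example (not code from the issue or from the ChakraCore project) that states the spec-mandated results the reduced test case must produce in any correct engine: the `i ** foo` update yields NaN because ToNumber of a function is NaN, so the loop body runs at most once; `new Uint8Array(bar)` treats a function as an array-like of length 0; sealing a `Proxy` whose handler is `Reflect` seals the target and returns the proxy; and every one of the 1024 warm-up calls must return a Promise without throwing. All function names (`countLoopIterations`, `typedArrayFromFunction`, `runWarmup`) are constructed for this example. Running it under a build that asserts, as in the report, turns a bare `Illegal instruction` into a behavioural check that can be diffed against the interpreter-only path.

```javascript
// Added example, not from the ChakraCore issue or project. It encodes the
// observable results the reduced test case must produce in a correct engine,
// so a regression run can check behaviour instead of waiting for an assertion.

// Mirrors `for (let i = a2; i < a1; i = i ** foo)` where `foo` is a function.
// ToNumber(function) is NaN, so the update expression is NaN and `NaN < a1`
// is false: the body runs at most once, and never when a1/a2 are undefined.
function countLoopIterations(a1, a2) {
    function foo() {}
    let iterations = 0;
    for (let i = a2; i < a1; i = i ** foo) {
        iterations++;
        if (iterations > 10) throw new Error("unexpected: loop did not terminate");
    }
    return iterations;
}

// Mirrors `new Uint8Array(bar)` / `new Proxy(u, Reflect)` / `Object.seal(p)`.
// A function is neither an ArrayBuffer nor iterable, so the constructor treats
// it as an array-like whose length is bar.length (0). Reflect supplies the
// default traps, so sealing the proxy seals the empty typed array and returns
// the proxy object itself.
function typedArrayFromFunction() {
    function bar() {}
    const u = new Uint8Array(bar);
    const p = new Proxy(u, Reflect);
    const o = Object.seal(p);
    return {
        length: u.length,
        sealed: Object.isSealed(o),
        returnsProxy: o === p,
    };
}

// The async function from the report, kept async so the warm-up loop drives
// the same generator-style code path. Returns how many loop bodies ran.
async function foo(a1, a2) {
    let seen = 0;
    for (let i = a2; i < a1; i = i ** foo) {
        await i;
        seen++;
    }
    function bar() {}
    const u = new Uint8Array(bar);
    const p = new Proxy(u, Reflect);
    Object.seal(p);
    return seen;
}

// Warm-up loop from the report: repeated calls push `foo` through the JIT
// tiers. Each call must synchronously hand back a Promise; the count of
// Promises is returned so a harness can assert on it.
function runWarmup(times) {
    let promises = 0;
    for (let i = 0; i < times; i++) {
        const r = foo();
        if (r instanceof Promise) promises++;
    }
    return promises;
}
```

With a1 and a2 omitted, as in the report, `countLoopIterations(undefined, undefined)` is 0 because `undefined < undefined` is false before the first iteration; with numeric bounds such as `(5, 0)` it is 1, since the first update already produces NaN.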