[FatalInternalError] ReportFatalException6

[bird8693]

enviroment

ubuntu 18

poc

try {
    (function TestFunc() {
        var a;
        (function outer() {
            (function inner() {
                var WHYG = ijjkkk;
                a;  
            }());
            var obj = { 
                get 0() {
                    throw new Error('must not be gotten!');
                    var SRwE = Promise;
                },  
                length: a
            };  
            try {
                throw 'Exception';
            } catch (ex) {
                with ({}) {
                    outer();
                    var CiBz = s4();
                }   
                async function af() {
                    ;   
                }   
            }   
            function t7() {
                var asyncFunctionPrototype = s4(async function () {
                    ;   
                }); 
                var AsyncFunction = asyncFunctionPrototype.constructor;
                var af = new AsyncFunction('return await 1;');
                console.log(asyncFunctionPrototype, console.log(af));
                outer('anonymous', af.name);
                Math.pow('async function anonymous(\n) {return await 1;\n}', print());
                af = new AsyncFunction('a', '-0', '(new Boolean(true))', 'await a; await b; await c;');
                print('', Math.pow());
            }   
        }());
        var ijjkkk = 0;
        var i = 0;
    }());
    var ixtr = 4 >= 1073741825 * 5e-324;
} catch (ex) {
    if (a == 'Out of stack space') {
        print('PASSED');
    }   
}

callstack

[#0] 0x555555d59fac → DebugBreak()
[#1] 0x555555d59fac → ReportFatalException(context=<optimized out>, exceptionCode=<optimized out>, reasonCode=<optimized out>, scenario=<optimized out>)
[#2] 0x555555d5a709 → Js::Throw::FatalInternalError(hr=0x7d7f7de0)
[#3] 0x5555583d3357 → IRBuilder::DoClosureRegCheck(this=<optimized out>, reg=0xe)
[#4] 0x55555838058f → IRBuilder::BuildReg1<Js::LayoutSizePolicy<(Js::LayoutSize)0> >(this=<optimized out>, newOpcode=<optimized out>, offset=<optimized out>)
[#5] 0x55555838058f → IRBuilder::Build(this=0x7ff7ebffcfd0)
[#6] 0x55555814e818 → Func::TryCodegen(this=<optimized out>)
[#7] 0x55555814d944 → Func::Codegen(alloc=0x7ff7ebffe6c0, workItem=0x7ffff2141030, threadContextInfo=0x622000000140, scriptContextInfo=0x61a000000680, outputData=0x7ff7ebffe8e0, epInfo=0x7ffff2339120, runtimeInfo=<optimized out>, polymorphicInlineCacheInfo=<optimized out>, codeGenAllocators=<optimized out>, codeGenProfiler=<optimized out>, isBackgroundJIT=<optimized out>)
[#8] 0x555557e4d330 → NativeCodeGenerator::CodeGen(this=<optimized out>, pageAllocator=<optimized out>, workItemData=0xc2200000061, jitWriteData=@0x7ff7ebffe8e0, foreground=0x0, epInfo=0x7ffff2339120)
[#9] 0x555557e4e249 → NativeCodeGenerator::CodeGen(this=<optimized out>, pageAllocator=<optimized out>, workItem=<optimized out>, foreground=0x20)

[rhuanjl]

Here's a reduced repro:

(function outer()
{
  with ({})
  {
    outer();
  }   
  function notCalled()
  {
    outer();
  }
})();

Any further reductions remove the crash - somehow this crash is to do with having:

• 2 references to an outer function
• one of which is inside a with
• it doesn't require either of them to be called (inserting a return before the first call to outer does not stop the crash)
• the outer function must be in a closure - brackets around it as above