chakra-core
crash in BackwardPass::ReverseCopyProp
the following poc will crash the latest build on ubuntu.
function opt() {
let v4 = 9;
for (let v5 = 0; v5 < v4; v5 = v5 / v4) {
v4 = v5;
}
const v6 = v4--;
}
for(i = 0;i < 1000; i++){
opt();
}
#0 0x0000555555e96e6d in BackwardPass::ReverseCopyProp(IR::Instr*) ()
#1 0x0000555555e90fb5 in BackwardPass::ProcessBlock(BasicBlock*) ()
#2 0x0000555555e8d66d in BackwardPass::OptBlock(BasicBlock*) ()
#3 0x0000555555e8cf1e in BackwardPass::Optimize() ()
#4 0x0000555555d485ca in GlobOpt::BackwardPass(Js::Phase) ()
#5 0x0000555555d488a8 in GlobOpt::Optimize() ()
#6 0x0000555555d4155f in Func::TryCodegen() ()
#7 0x0000555555d4125c in Func::Codegen(Memory::JitArenaAllocator*, JITTimeWorkItem*, ThreadContextInfo*, ScriptContextInfo*, JITOutputIDL*, Js::EntryPointInfo*, FunctionJITRuntimeInfo const*, JITTimePolymorphicInlineCacheInfo*, void*, Js::ScriptContextProfiler*, bool) ()
#8 0x0000555555cc0e29 in NativeCodeGenerator::CodeGen(Memory::PageAllocatorBase<Memory::VirtualAllocWrapper, Memory::SegmentBaseMemory::VirtualAllocWrapper, Memory::PageSegmentBaseMemory::VirtualAllocWrapper >, CodeGenWorkItemIDL, JITOutputIDL&, bool, Js::EntryPointInfo*) ()
#9 0x0000555555cc10cd in NativeCodeGenerator::CodeGen(Memory::PageAllocatorBase<Memory::VirtualAllocWrapper, Memory::SegmentBaseMemory::VirtualAllocWrapper, Memory::PageSegmentBaseMemory::VirtualAllocWrapper >, CodeGenWorkItem, bool) ()
#10 0x0000555555cc1953 in NativeCodeGenerator::Process(JsUtil::Job*, JsUtil::ParallelThreadData*) ()
#11 0x0000555555cd4a0e in JsUtil::BackgroundJobProcessor::Process(JsUtil::Job*, JsUtil::ParallelThreadData*) ()
#12 0x0000555555cd4b15 in JsUtil::BackgroundJobProcessor::Run(JsUtil::ParallelThreadData*) ()
#13 0x0000555555cd3a47 in JsUtil::BackgroundJobProcessor::StaticThreadProc(void*) ()
#14 0x000055555571f9fd in CorUnix::CPalThread::ThreadEntry(void*) ()
#15 0x00007ffff7aa2609 in start_thread (arg=
