the following poc will cause a assertion failure in "debug" build on ubuntu.
function opt() {
const v3 = delete opt.length;
for (const v4 in opt) {
}
}
opt();
opt();
#0 0x00005555565cd77c in Js::SimpleTypeHandler<3ul>::DeleteProperty (this=0x7ff7f43f6780,
instance=0x7ff7f43f6730, propertyId=209, propertyOperationFlags=Js::PropertyOperation_None)
at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Types/SimpleTypeHandler.cpp:664
#1 0x00005555564da2f3 in Js::DynamicObject::DeleteProperty (this=0x7ff7f43f6730, propertyId=209,
flags=Js::PropertyOperation_None)
at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Types/DynamicType.cpp:336
#2 0x00005555561d7c5e in Js::JavascriptFunction::DeleteProperty (this=0x7ff7f43f6730,
propertyId=209, flags=Js::PropertyOperation_None)
at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Library/JavascriptFunction.cpp:3055
#3 0x0000555556053098 in Js::JavascriptOperators::DeleteProperty_Impl (instance=
0x7ff7f43f6730, propertyId=209, propertyOperationFlags=Js::PropertyOperation_None)
at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Language/JavascriptOperators.cpp:3130
#4 0x00005555560323b1 in Js::JavascriptOperators::DeleteProperty (instance=0x7ff7f43f6730,
propertyId=209, propertyOperationFlags=Js::PropertyOperation_None)
at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Language/JavascriptOperators.cpp:3074
#5 0x0000555556032571 in Js::JavascriptOperators::OP_DeleteProperty (instance=0x7ff7f43f6730,
propertyId=209, scriptContext=0x555557ef0c68, propertyOperationFlags=Js::PropertyOperation_None)
at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Language/JavascriptOperators.cpp:3149
#6 0x0000555555fb9421 in Js::InterpreterStackFrame::OP_DeleteFld<Js::OpLayoutT_ElementC<Js::LayoutSizePolicy<(Js::LayoutSize)0> > __unaligned>(Js::OpLayoutT_ElementC<Js::LayoutSizePolicy<(Js::LayoutSize)0> > __unaligned const __unaligned*) (this=0x7fffffffae30, playout=0x7ff7f4c540cb)
at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Language/InterpreterStackFrame.cpp:7674
#7 0x0000555555eb2b3d in Js::InterpreterStackFrame::ProcessProfiled (this=0x7fffffffae30)
at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Language/InterpreterHandler.inl:191
#8 0x0000555555e53ee2 in Js::InterpreterStackFrame::Process (this=0x7fffffffae30)
at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Language/InterpreterStackFrame.cpp:3472
#9 0x0000555555e52ba3 in Js::InterpreterStackFrame::InterpreterHelper (function=0x7ff7f43f6730,
args=..., returnAddress=0x7ff7f4350f9a, addressOfReturnAddress=0x7fffffffb3c8, asmJsReturn=0x0)
at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Language/InterpreterStackFrame.cpp:2153
#10 0x0000555555e51c80 in Js::InterpreterStackFrame::InterpreterThunk (layout=0x7fffffffb3e0)
at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Language/InterpreterStackFrame.cpp:1833
#11 0x00007ff7f4350f9a in ?? ()
#12 0x00007fffffffb400 in ?? ()
#13 0x00005555564a755e in amd64_CallFunction ()
at /home/zhunki/workspace/ChakraCore-master/lib/Runtime/Library/amd64/JavascriptFunctionA.S:100
Backtrace stopped: frame did not save the PC
Deleting second call to opt() makes the failure go away.
chakra-core
