ChakraCore
Assertion failure in FuncInfo.cpp
The following PoC causes an assertion failure in a "debug" build on Ubuntu.
/**
 * Reproducer entry point: stores an entire test program as text in v4 and
 * compiles/runs it with a single eval call at the end of the function.
 *
 * The identifiers (v4, v214, ...) and the unreachable duplicate returns look
 * machine-generated, so read the program for its structure, not its intent.
 *
 * NOTE(review): the accompanying report names FuncInfo.cpp and a debug build.
 * Which declaration inside v4 reaches the assertion is not visible from this
 * listing; bisecting the top-level declarations of v4 is the usual way to get a
 * minimal test case. A debug-only assertion does not by itself tell you how a
 * release build behaves on the same input, so triage should run both.
 */
function main() {
// Everything between the outer backticks is data until the eval call below.
// The escaped backticks become nested template literals inside that program,
// so v221, v225, v231, v235, v246, ... are plain string constants there; the
// with/switch/function text they hold is never parsed as statements.
// Real code in the evaluated program is limited to: the async arrow v214,
// the object/array/regex constants (v295..v310), async function v314,
// function v669 (which calls itself at v716), and new Promise(v669).
// Also note that backslash-d and backslash-W sit inside a template literal, so
// the evaluated program receives the regexes as /d(N*)?/gm and /(HW)/sium.
// NOTE(review): that may be unintended by the generator; confirm before relying on it.
const v4 = `
const v214 = async (v215,...v216) => {
const v219 = {"construct":v215,"defineProperty":v215,"deleteProperty":v205,"get":v215,"getOwnPropertyDescriptor":v215,"getPrototypeOf":v214,"isExtensible":Number,"ownKeys":undefined,"preventExtensions":Array,"setPrototypeOf":v215};
const v221 = \`
with (3820293751n) {
const v223 = v214(null,5978n,4294967297,-12075807n);
constructor = -536870912n;
}
\`;
};
const v225 = \`
function v226(v227,v228,v229) {
return -1005802608n;
return -1046319162n;
}
\`;
const v231 = \`
const v233 = [-3290630866,-3290630866,1479576250n,6,-3290630866];
\`;
const v235 = \`
function v236(v237,v238,v239) {
return -1005802608n;
}
\`;
const v246 = \`
with (v41) {
switch (Uint8ClampedArray) {
default:
break;
case -3214534038n:
break;
case -2147483648n:
break;
case 6:
break;
case v246:
}
constructor = -536870912n;
const v247 = Proxy && 256n;
}
\`;
const v252 = \`
function v253(v254,v255,v256) {
return -1005802608n;
return -268435456n;
}
\`;
const v258 = \`
function* v259(v260,v261) {
yield* 8n;
}
const v263 = [-3290630866,-3290630866,1479576250n,2419694973n,-3290630866];
\`;
const v265 = \`
function v266(v267,v268,v269) {
return -1005802608n;
return 256n;
}
\`;
const v272 = \`
const v273 = -1005802608n >= -1683432796;
\`;
const v295 = {};
const v296 = \`
const v297 = v296(...v295,...9007199254740993,-1005802608n);
\`;
const v301 = {};
const v302 = [v301];
const v303 = {};
const v304 = [{}];
const v308 = [150050.77584817936];
const v309 = /\d(N*)?/gm;
const v310 = /(H\W)/sium;
async function v314(v315,v316,v317) {
const v318 = {};
v318[0] = BigInt;
}
const v320 = \`
function v321(v322,v323,v324) {
return 797151056n;
return -9007199254740993n;
return -4256153502n;
}
\`;
function v669(v670,v671) {
const v672 = \`
function v673(v674,v675,v676) {
return 65537n;
return -1918956861n;
}
\`;
const v678 = \`
function v679(v680,v681,v682) {
return -4139769482n;
}
\`;
const v685 = (-3290630866).a;
const v687 = \`
const v689 = v685("entries",...v687,3961059690n);
\`;
const v690 = \`
Symbol.toPrimitive = -1315759576n;
\`;
const v693 = \`
switch (-9007199254740991n) {
default:
break;
case 2147483649n:
case -65536:
}
\`;
for (let v700 = v672; v700 < -3679967650; v700 = v700 || 4) {
const v701 = \`
const v702 = 536870912n === v700;
\`;
}
const v709 = \`
const v710 = {}.join(Number,...-4294967295n);
\`;
const v711 = \`
function v712(v713,v714,v715) {
return -2851821453n;
return -2457772485n;
return 512n;
return 65536n;
return -128n;
return 9007199254740991n;
}
\`;
const v716 = v669();
}
const v718 = new Promise(v669);
const v728 = \`
with ([NaN,NaN]) {
switch (isFinite) {
default:
valueOf = -2591578432n;
break;
case -3214534038n:
break;
case -3214534038n:
break;
case 6:
break;
case v728:
}
constructor = -536870912n;
}
\`;
`;
// eval() with no argument evaluates nothing and returns undefined; this line
// only declares v1212.
let v1212 = eval();
// Rebinding to the eval function means the call below goes through an alias,
// which makes it an indirect eval: v4 is compiled as global, non-strict code
// instead of code in main's scope.
v1212 = eval;
// This is the point where the engine parses and generates bytecode for v4.
// v1213 receives the completion value and is not used afterwards.
const v1213 = v1212(v4);
}
// Run the reproducer once at load.
main();