Assertion Fail in inlinecache.inl

[sunlili]

Hi, I running following code in ch(v1.11.22, debug) , an assertion will be thrown.

indent_363 = 'a'; 
let x = 1;
this.x = []; 
for (let i = 0; i < 65536; i++) {
    this['a' + i] = 1;
}
indent_363 = 'b';

output:

ASSERTION 17328: (c:\users\sunlili\documents\workspace\jsenginesfordebug\chakracore-1.11.22\lib\runtime\language\inlinecache.inl, line 232) !isRoot || RootObjectBase::FromVar(object)->GetRootPropertyIndex(propertyId) == DynamicObject::FromVar(object)->GetTypeHandler()->InlineOrAuxSlotIndexToPropertyIndex(u.local.slotIndex, false)
 Failure: (!isRoot || RootObjectBase::FromVar(object)->GetRootPropertyIndex(propertyId) == DynamicObject::FromVar(object)->GetTypeHandler()->InlineOrAuxSlotIndexToPropertyIndex(u.local.slotIndex, false))
FATAL ERROR: ch.exe failed due to exception code c0000420

crash point:
https://github.com/microsoft/ChakraCore/blob/861a276c346746f3b87347bb094988563d7ee0a7/lib/Runtime/Language/InlineCache.inl#L232
In crash point, the left GetRootPropertyIndex(propertyId) will call following method, then return 0xffff which is not equal to right value, and trigger the assertion.
https://github.com/microsoft/ChakraCore/blob/861a276c346746f3b87347bb094988563d7ee0a7/lib/Runtime/Types/DictionaryTypeHandler.cpp#L361-L364

I think the realization of DictionaryTypeHandlerBase<BigPropertyIndex>::GetRootPropertyIndex() is inappropriate, may be it should call DictionaryTypeHandlerBase<BigPropertyIndex>::GetPropertyIndex_Internal(PropertyRecord const* propertyRecord) just like another similar method SimpleDictionaryTypeHandlerBase<TPropertyIndex, TMapKey, IsNotExtensibleSupported>::GetRootPropertyIndex do.

ISec Lab
2020.9.25

[ppenzin]

Verified on current master branch. One can suspect this can be triggered by the number of fields the test creates, though it should not crash.