Segmentation fault in Js::RecyclableObject::GetType

[anbu1024]

ChakraCore version:
commit c3ead3f

Build cmd:

./build.sh --debug --static

Test case:

function test(){
	async function foo(a1,a2) {

		for (let i = a2; i < a1; i = i + foo) {
		    const ret = await i;
		}
		
		function E() {
		}
		
		const p = new Proxy(Proxy,Reflect);
		const d = {};
		const v16 = new p(E,d);
	}
	
	foo();

	const s = new String();
	const z = Object.defineProperty(s,Proxy,Proxy);
	const r = foo(Proxy,z,String,s);
	return r;
}

for(let i=0; i<1024; i++)
{
	test();
}

Execute

./ch ./test.js

Error msg:

Segmentation fault in Js::RecyclableObject::GetType
lib/Runtime/Types/RecyclableObject.h

backtrace

Thread 1 "ch" received signal SIGSEGV, Segmentation fault.
0x00005555557b37ee in Js::RecyclableObject::GetType (this=0x1b57ebcd48)
    at ChakraCore/bin/ch/../../lib/Runtime/Types/RecyclableObject.h:275
275	        inline Type * GetType() const { return type; }
(gdb) bt
#0  0x00005555557b37ee in Js::RecyclableObject::GetType (this=0x1b57ebcd48)
    at ChakraCore/bin/ch/../../lib/Runtime/Types/RecyclableObject.h:275
#1  0x00005555557b3785 in Js::RecyclableObject::GetLibrary (this=0x1b57ebcd48)
    at ChakraCore/bin/ch/../../lib/Runtime/Types/RecyclableObject.inl:18
#2  0x00005555557b3735 in Js::RecyclableObject::GetScriptContext (
    this=0x1b57ebcd48)
    at ChakraCore/bin/ch/../../lib/Runtime/Types/RecyclableObject.inl:23
#3  0x0000555555a7f778 in Js::CrossSite::NeedMarshalVar (
    instance=0x1b57ebcd48, requestContext=0x555557eeeca8)
    at ChakraCore/lib/Runtime/Base/CrossSite.cpp:32
#4  0x00005555558d453c in Js::JavascriptArray::VerifyNotNeedMarshal<void*> (
    this=0x7ff7f435bc40, value=0x1b57ebcd48)
    at ChakraCore/lib/Jsrt/../Runtime/Library/JavascriptArray.h:201
#5  0x00005555558d27f2 in Js::JavascriptArray::DirectSetItemInLastUsedSegmentAt<void*> (this=0x7ff7f435bc40, offset=0, newValue=0x1b57ebcd48)
    at ChakraCore/lib/Jsrt/../Runtime/Library/JavascriptArray.inl:502
#6  0x00005555558d251e in Js::JavascriptArray::DirectSetItemAt<void*> (
--Type <RET> for more, q to quit, c to continue without paging--
    f7f435bc40, itemIndex=0, newValue=0x1b57ebcd48)
    at ChakraCore/lib/Jsrt/../Runtime/Library/JavascriptArray.inl:460
#7  0x00005555563ad40b in Js::JavascriptProxy::FunctionCallTrap (function=0x7ff7f4357de0, callInfo=...)
    at ChakraCore/lib/Runtime/Library/JavascriptProxy.cpp:2262

[rhuanjl]

This is one of a number of bugs in the jitting of generator functions.

See #6293 #6533 #6662 #6684 #6700 and #6706 for progress on this area - I think currently we are planning to disable it by default before making any released version; it's a shame but I fear its implementation is just too fragile.