Description
Hi, I am running the following code in ch (v1.11.22, debug), and an assertion is thrown.
```js
indent_363 = 'a';
let x = 1;
this.x = [];
for (let i = 0; i < 65536; i++) {
    this['a' + i] = 1;
}
indent_363 = 'b';
```
output:
```
ASSERTION 17328: (c:\users\sunlili\documents\workspace\jsenginesfordebug\chakracore-1.11.22\lib\runtime\language\inlinecache.inl, line 232) !isRoot || RootObjectBase::FromVar(object)->GetRootPropertyIndex(propertyId) == DynamicObject::FromVar(object)->GetTypeHandler()->InlineOrAuxSlotIndexToPropertyIndex(u.local.slotIndex, false)
Failure: (!isRoot || RootObjectBase::FromVar(object)->GetRootPropertyIndex(propertyId) == DynamicObject::FromVar(object)->GetTypeHandler()->InlineOrAuxSlotIndexToPropertyIndex(u.local.slotIndex, false))
FATAL ERROR: ch.exe failed due to exception code c0000420
```
crash point: https://github.com/microsoft/ChakraCore/blob/861a276c346746f3b87347bb094988563d7ee0a7/lib/Runtime/Language/InlineCache.inl#L232
At the crash point, the left-hand `GetRootPropertyIndex(propertyId)` calls the following method, which returns 0xffff. That is not equal to the right-hand value, so the assertion fires: https://github.com/microsoft/ChakraCore/blob/861a276c346746f3b87347bb094988563d7ee0a7/lib/Runtime/Types/DictionaryTypeHandler.cpp#L361-L364
I think the implementation of `DictionaryTypeHandlerBase<BigPropertyIndex>::GetRootPropertyIndex()` is inappropriate; maybe it should call `DictionaryTypeHandlerBase<BigPropertyIndex>::GetPropertyIndex_Internal(PropertyRecord const* propertyRecord)`, just like the similar method `SimpleDictionaryTypeHandlerBase<TPropertyIndex, TMapKey, IsNotExtensibleSupported>::GetRootPropertyIndex` does.
ISec Lab 2020.9.25
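To make the consistency invariant behind that assertion concrete, here is a small stand-alone model (added here; it is not ChakraCore's code, and the class, function and constant names are assumed). It mirrors the report: once the object holds more than 65535 properties, a root-property lookup that answers `NoSlot` without consulting the slot map disagrees with the index derived from the cached slot, whereas routing the lookup through the shared internal lookup keeps the two in agreement.

```cpp
#include <cstdint>
#include <map>
#include <string>

using PropertyIndex    = uint16_t;  // narrow index the inline cache compares against
using BigPropertyIndex = uint32_t;  // wide index used once an object has many properties
constexpr PropertyIndex    NoSlot    = 0xFFFF;       // sentinel: "property has no slot"
constexpr BigPropertyIndex kNotFound = 0xFFFFFFFFu;  // sentinel for the wide lookup (assumed)

// Simplified model of a dictionary type handler: property name -> slot index.
class BigDictionaryHandler {
public:
    void Add(const std::string& name) {
        slots_[name] = static_cast<BigPropertyIndex>(slots_.size());
    }

    // Shared lookup used by every index query: wide index or kNotFound.
    BigPropertyIndex GetPropertyIndex_Internal(const std::string& name) const {
        auto it = slots_.find(name);
        return it == slots_.end() ? kNotFound : it->second;
    }

    // Behaviour the report describes: answer NoSlot without consulting the map.
    PropertyIndex GetRootPropertyIndex_Reported(const std::string&) const { return NoSlot; }

    // Reporter's suggestion: reuse the internal lookup and narrow only when the
    // wide index actually fits in a PropertyIndex; otherwise report NoSlot.
    PropertyIndex GetRootPropertyIndex_Suggested(const std::string& name) const {
        BigPropertyIndex idx = GetPropertyIndex_Internal(name);
        return (idx == kNotFound || idx >= NoSlot) ? NoSlot : static_cast<PropertyIndex>(idx);
    }

private:
    std::map<std::string, BigPropertyIndex> slots_;
};

// Models the check at InlineCache.inl line 232: the root-object property index must
// equal the index derived from the cached slot. Returns true when they agree.
bool InlineCacheConsistent(PropertyIndex rootIndex, BigPropertyIndex cachedSlot) {
    PropertyIndex fromSlot = cachedSlot >= NoSlot ? NoSlot : static_cast<PropertyIndex>(cachedSlot);
    return rootIndex == fromSlot;
}

// Builds the reproducer's global-object shape: indent_363 first, then a0..a65535.
BigDictionaryHandler BuildReproObject() {
    BigDictionaryHandler h;
    h.Add("indent_363");
    for (int i = 0; i < 65536; ++i) h.Add("a" + std::to_string(i));
    return h;
}
```

With the reproducer's shape, `indent_363` sits in slot 0, so the reported behaviour fails the consistency check while the suggested one passes it; a property whose slot does not fit in 16 bits still maps to `NoSlot` on both sides.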