Assertion failure in interpreterstackframe.cpp when handling eval()

[sunlili]

Hello, executing following code in ch 1.11.22(debug), an assertion will be thrown.

function opt() {
    var eval = WScript.LoadScript('', 'samethread').eval;
    eval('function foo() { return {x:1}; }; [...foo()[\'x\']] = [10];');
}

opt();

output:

ASSERTION 2196: (c:\users\sunlili\documents\workspace\jsenginesfordebug\chakracore-1.11.22\lib\runtime\language\interpreterstackframe.cpp, line 7724) !CrossSite::NeedMarshalVar(value, GetScriptContext())
 Failure: (!CrossSite::NeedMarshalVar(value, GetScriptContext()))
FATAL ERROR: ch.exe failed due to exception code c0000420

When executing SetReg(playout->Value2, thisVar) in line 7746, the value of thisVar is undefined.
https://github.com/microsoft/ChakraCore/blob/861a276c346746f3b87347bb094988563d7ee0a7/lib/Runtime/Language/InterpreterStackFrame.cpp#L7738-L7747
ValidateRegValue(value) is called in SetReg(),
https://github.com/microsoft/ChakraCore/blob/861a276c346746f3b87347bb094988563d7ee0a7/lib/Runtime/Language/InterpreterStackFrame.cpp#L7963-L7969
and assert the value does not NeedMarshal, but the NeedMarshalVar() return true.
https://github.com/microsoft/ChakraCore/blob/861a276c346746f3b87347bb094988563d7ee0a7/lib/Runtime/Language/InterpreterStackFrame.cpp#L7940-L7951

ISec Lab
2020.10.7

[ppenzin]

Confirmed on Linux and Windows (master branch, debug). Since this requires WScript, it would not be available in non-debug mode.

[rhuanjl]

Having a quick look at this, it's to do with moving values between contexts unsure at the moment if there is an error in the context switching code in ch OR if this is an actual CC error.

I may try and reproduce with a small C test programme.

(Assigning myself)