
fix assert when constructors have more than UINT16_MAX fields

Michael Holman vor 7 Jahren
Ursprung
Commit
da777b39bf

+ 19 - 11
lib/Runtime/Language/JavascriptOperators.cpp

@@ -6624,7 +6624,25 @@ SetElementIHelper_INDEX_TYPE_IS_NUMBER:
 
             if (constructorBody->GetHasOnlyThisStmts())
             {
-                if (typeHandler->IsSharable())
+                if (!typeHandler->IsSharable())
+                {
+                    // Dynamic type created is not sharable.
+                    // So in future don't try to check for "this assignment optimization".
+                    constructorBody->SetHasOnlyThisStmts(false);
+#if DBG_DUMP
+                    TraceUpdateConstructorCache(constructorCache, constructorBody, false, _u("because final type is not shareable"));
+#endif
+                }
+                else if (typeHandler->GetPropertyCount() >= Js::PropertyIndexRanges<PropertyIndex>::MaxValue)
+                {
+                    // Dynamic type created has too many properties.
+                    // So in future don't try to check for "this assignment optimization".
+                    constructorBody->SetHasOnlyThisStmts(false);
+#if DBG_DUMP
+                    TraceUpdateConstructorCache(constructorCache, constructorBody, false, _u("because final type has too many properties"));
+#endif
+                }
+                else
                 {
 #if DBG
                     bool cachedProtoCanBeCached = false;
@@ -6643,7 +6661,6 @@ SetElementIHelper_INDEX_TYPE_IS_NUMBER:
                     if ((profileInfo != nullptr && profileInfo->GetImplicitCallFlags() <= ImplicitCall_None) ||
                         CheckIfPrototypeChainHasOnlyWritableDataProperties(type->GetPrototype()))
                     {
-                        Assert(typeHandler->GetPropertyCount() < Js::PropertyIndexRanges<PropertyIndex>::MaxValue);
 
                         for (PropertyIndex pi = 0; pi < typeHandler->GetPropertyCount(); pi++)
                         {
@@ -6682,15 +6699,6 @@ SetElementIHelper_INDEX_TYPE_IS_NUMBER:
                         }
                     }
 #endif
-#endif
-                }
-                else
-                {
-                    // Dynamic type created is not sharable.
-                    // So in future don't try to check for "this assignment optimization".
-                    constructorBody->SetHasOnlyThisStmts(false);
-#if DBG_DUMP
-                    TraceUpdateConstructorCache(constructorCache, constructorBody, false, _u("because final type is not shareable"));
 #endif
                 }
             }
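Review bot: The new `else if` in the first hunk says the type "has too many properties" but not why the count matters. The loop in the second hunk declares `PropertyIndex pi` and compares it with `typeHandler->GetPropertyCount()`, so this bound is what keeps that index from wrapping, and the removed `Assert` was the only line that said so. Because an `Assert` is presumably compiled out of release builds, the guard is now the sole enforcement, and the comment should state it, e.g. `// PropertyIndex cannot represent this count; the PropertyIndex loop below relies on this bound.` The two bail-out branches also differ only in the trace string, so they could share one body that selects the reason text. The enclosing function starts and ends outside these hunks.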

+ 17 - 0
test/Object/bigconstructorbug.js

@@ -0,0 +1,17 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+var var_0 = '';
+for (var var_1 = 0; var_1 < 100000; var_1++) {
+    var_0 += `this.a${ var_1 } = 0;\n`;
+}
+var var_2 = new Function(var_0);
+function func_0() {}
+func_0.prototype = new var_2();
+
+function func_1() {}
+func_1.prototype = new var_2();
+
+print("Pass")
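Review bot: The test covers only a field count far above the limit (100000) and passes as long as nothing asserts, so it would miss an off-by-one in the `>=` comparison or a wrong property value on the resulting objects. A second constructor built with a field count right at the boundary named in the commit title would pin the comparison. A value check before `print("Pass")` would pin correctness, e.g. `if (func_1.prototype.a99999 !== 0) throw new Error("field missing");`. The reason `var_2` is constructed twice is not stated, and a one-line comment on that would help whoever maintains the test.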

+ 5 - 0
test/Object/rlexe.xml

@@ -42,6 +42,11 @@
       <baseline>isPrototypeOf_v3.baseline</baseline>
     </default>
   </test>
+  <test>
+    <default>
+      <files>bigconstructorbug.js</files>
+    </default>
+  </test>
   <test>
     <default>
       <files>Object.js</files>