Closed
Bug 1788180
Opened 2 years ago
Closed 2 years ago
Assertion failure: !subpattern->isKind(ParseNodeKind::AssignExpr), at frontend/BytecodeEmitter.cpp:3594
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
106 Branch
Tracking | Status | |
---|---|---|
firefox-esr91 | --- | unaffected |
firefox-esr102 | --- | unaffected |
firefox104 | --- | unaffected |
firefox105 | --- | unaffected |
firefox106 | --- | verified |
People
(Reporter: decoder, Assigned: anba)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisect])
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20220830-ecb328de1aaf (debug build, run with --fuzzing-safe --ion-offthread-compile=off):
for ({ __proto__: a = 0 } of []);
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x00005555574ac009 in js::frontend::BytecodeEmitter::emitDestructuringOpsObject(js::frontend::ListNode*, js::frontend::DestructuringFlavor) ()
#0 0x00005555574ac009 in js::frontend::BytecodeEmitter::emitDestructuringOpsObject(js::frontend::ListNode*, js::frontend::DestructuringFlavor) ()
#1 0x00005555574addfc in js::frontend::BytecodeEmitter::emitAssignmentOrInit(js::frontend::ParseNodeKind, js::frontend::ParseNode*, js::frontend::ParseNode*) ()
#2 0x00005555574b12ef in js::frontend::BytecodeEmitter::emitInitializeForInOrOfTarget(js::frontend::TernaryNode*) ()
#3 0x00005555574b1b49 in js::frontend::BytecodeEmitter::emitForOf(js::frontend::ForNode*, js::frontend::EmitterScope const*) ()
#4 0x00005555574a2fea in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) ()
#5 0x00005555574b57af in js::frontend::BytecodeEmitter::emitStatementList(js::frontend::ListNode*) ()
#6 0x00005555574a2f46 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) ()
#7 0x00005555574a65c1 in js::frontend::BytecodeEmitter::emitScript(js::frontend::ParseNode*) ()
#8 0x00005555574cbcf6 in ScriptCompiler<mozilla::Utf8Unit>::compile(JSContext*, js::frontend::SharedContext*) ()
[...]
#16 0x0000555556b9d304 in main ()
rax 0x55555585bec5 93824995409605
rbx 0x7ffff60ad060 140737321291872
rcx 0x5555582ccb40 93825039911744
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffaa90 140737488333456
rsp 0x7fffffffa9d0 140737488333264
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99800 140737353717760
r10 0x0 0
r11 0x0 0
r12 0x7ffff60ad170 140737321292144
r13 0x7ffff60ad138 140737321292088
r14 0x1 1
r15 0x7fffffffb170 140737488335216
rip 0x5555574ac009 <js::frontend::BytecodeEmitter::emitDestructuringOpsObject(js::frontend::ListNode*, js::frontend::DestructuringFlavor)+2009>
=> 0x5555574ac009 <_ZN2js8frontend15BytecodeEmitter26emitDestructuringOpsObjectEPNS0_8ListNodeENS0_19DestructuringFlavorE+2009>: movl $0xe0a,0x0
0x5555574ac014 <_ZN2js8frontend15BytecodeEmitter26emitDestructuringOpsObjectEPNS0_8ListNodeENS0_19DestructuringFlavorE+2020>: callq 0x555556c33ac4 <abort>
Reporter | ||
Comment 1•2 years ago
|
||
Reporter | ||
Comment 2•2 years ago
|
||
Assignee | ||
Updated•2 years ago
|
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Assignee | ||
Comment 3•2 years ago
|
||
Also add exhaustive tests for __proto__
in destructuring contexts.
Pushed by andre.bargull@gmail.com: https://hg.mozilla.org/integration/autoland/rev/c672daf41a1b Fix assertion for MutateProto in emitDestructuringOpsObject. r=arai
Comment 5•2 years ago
|
||
bugherder |
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch
Updated•2 years ago
|
status-firefox104:
--- → unaffected
status-firefox105:
--- → unaffected
status-firefox-esr102:
--- → unaffected
status-firefox-esr91:
--- → unaffected
Flags: in-testsuite+
Regressed by: 1787794
Comment 6•2 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220901154531-99c5de523ab3.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in
before you can comment on or make changes to this bug.
Description
•