Closed Bug 1788180 Opened 2 years ago Closed 2 years ago

Assertion failure: !subpattern->isKind(ParseNodeKind::AssignExpr), at frontend/BytecodeEmitter.cpp:3594

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
106 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox104 --- unaffected
firefox105 --- unaffected
firefox106 --- verified

People

(Reporter: decoder, Assigned: anba)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisect])

Attachments

(3 files)

Detailed Crash Information
(deleted), text/plain
Details
Testcase
(deleted), text/plain
Details
Bug 1788180: Fix assertion for MutateProto in emitDestructuringOpsObject. r=arai!
(deleted), text/x-phabricator-request
Details

The following testcase crashes on mozilla-central revision 20220830-ecb328de1aaf (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

for ({ __proto__: a = 0 } of []);

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x00005555574ac009 in js::frontend::BytecodeEmitter::emitDestructuringOpsObject(js::frontend::ListNode*, js::frontend::DestructuringFlavor) ()
#0  0x00005555574ac009 in js::frontend::BytecodeEmitter::emitDestructuringOpsObject(js::frontend::ListNode*, js::frontend::DestructuringFlavor) ()
#1  0x00005555574addfc in js::frontend::BytecodeEmitter::emitAssignmentOrInit(js::frontend::ParseNodeKind, js::frontend::ParseNode*, js::frontend::ParseNode*) ()
#2  0x00005555574b12ef in js::frontend::BytecodeEmitter::emitInitializeForInOrOfTarget(js::frontend::TernaryNode*) ()
#3  0x00005555574b1b49 in js::frontend::BytecodeEmitter::emitForOf(js::frontend::ForNode*, js::frontend::EmitterScope const*) ()
#4  0x00005555574a2fea in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) ()
#5  0x00005555574b57af in js::frontend::BytecodeEmitter::emitStatementList(js::frontend::ListNode*) ()
#6  0x00005555574a2f46 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) ()
#7  0x00005555574a65c1 in js::frontend::BytecodeEmitter::emitScript(js::frontend::ParseNode*) ()
#8  0x00005555574cbcf6 in ScriptCompiler<mozilla::Utf8Unit>::compile(JSContext*, js::frontend::SharedContext*) ()
[...]
#16 0x0000555556b9d304 in main ()
rax	0x55555585bec5	93824995409605
rbx	0x7ffff60ad060	140737321291872
rcx	0x5555582ccb40	93825039911744
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffaa90	140737488333456
rsp	0x7fffffffa9d0	140737488333264
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99800	140737353717760
r10	0x0	0
r11	0x0	0
r12	0x7ffff60ad170	140737321292144
r13	0x7ffff60ad138	140737321292088
r14	0x1	1
r15	0x7fffffffb170	140737488335216
rip	0x5555574ac009 <js::frontend::BytecodeEmitter::emitDestructuringOpsObject(js::frontend::ListNode*, js::frontend::DestructuringFlavor)+2009>
=> 0x5555574ac009 <_ZN2js8frontend15BytecodeEmitter26emitDestructuringOpsObjectEPNS0_8ListNodeENS0_19DestructuringFlavorE+2009>:	movl   $0xe0a,0x0
   0x5555574ac014 <_ZN2js8frontend15BytecodeEmitter26emitDestructuringOpsObjectEPNS0_8ListNodeENS0_19DestructuringFlavorE+2020>:	callq  0x555556c33ac4 <abort>
Attached file Detailed Crash Information (deleted) — 

    
    

    
  

      
      
      
      

        Attached file
          
        Testcase (deleted)
        — 
      

    


  

    
  
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED

    
    

    
  


  
Also add exhaustive tests for __proto__ in destructuring contexts.



    
    

    
  
Pushed by andre.bargull@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/c672daf41a1b
Fix assertion for MutateProto in emitDestructuringOpsObject. r=arai

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/c672daf41a1b


Status: ASSIGNED → RESOLVED
Closed: 2 years ago

          status-firefox106:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch

    
    

    
  
Bugmon Analysis

Verified bug as fixed on rev mozilla-central 20220901154531-99c5de523ab3.

Removing bugmon keyword as no further action possible.  Please review the bug and re-add the keyword for further analysis.


Status: RESOLVED → VERIFIED

          status-firefox106:
          fixedverified
Keywords: bugmon

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: