Split from bug 350417 comment 5. js> for(a in (let (b=1) 2).c(3)) { }; Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0xdc5c2508 0x900030e8 in strlen () (gdb) bt #0 0x900030e8 in strlen () #1 0x00029378 in cvt_s (ss=0xbfffd4cc, s=0xdc5c250a <Address 0xdc5c250a out of bounds>, width=0, prec=-1, flags=0) at jsprf.c:390 #2 0x0002abfc in dosprintf (ss=0xbfffd4cc, fmt=0x1230ec " = %s", ap=0xbfffd588 "\001\201J71") at jsprf.c:1008 #3 0x0002b22c in JS_vsmprintf (fmt=0x1230e8 "%s%s = %s", ap=0xbfffd580 "") at jsprf.c:1156 #4 0x0002f808 in Sprint (sp=0xbfffd8fc, format=0x1230e8 "%s%s = %s") at jsopcode.c:421 #5 0x00036a14 in Decompile (ss=0xbfffd8fc, pc=0x603315 "?", nb=18) at jsopcode.c:2357 #6 0x0003b5a4 in js_DecompileCode (jp=0x603150, script=0x6032e0, pc=0x603311 "?", len=18) at jsopcode.c:3479 #7 0x0003c554 in js_DecompileValueGenerator (cx=0x600180, spindex=-8, v=-2147483647, fallback=0x1804c08) at jsopcode.c:3775 #8 0x00053f10 in js_ReportIsNotFunction (cx=0x600180, vp=0x181622c, flags=0) at jsfun.c:2251

With "prep patch for plan A" in bug 346642, the crash is gone, and the error message is both informative and correct! js> for(a in (let (b=1) 2).c(3)) { }; typein:8: TypeError: (let (b = 1) 2).c is not a function js> for(a in (let (b=1,d=2) 2).c(3)) { }; typein:9: TypeError: (let (b = 1, d = 2) 2).c is not a function js> for(a in (let (e) 2).c(3)) { }; typein:10: TypeError: (let (e) 2).c is not a function

Fixed on trunk because "prep patch for plan A, v9d" in bug 346642 was checked in.

I am not sure the test is adequate as the test passes on 1.8. Was this a trunk only regression? verified fixed 1.9 20060919 windows/mac*/linux.

fixed1.8.1 because bug 346642 landed there.

verified fixed 1.8.1, 1.9.0 2007-01-23 win/mac*/linux

/cvsroot/mozilla/js/tests/js1_7/block/regress-352616.js,v <-- regress-352616.js initial revision: 1.1