Closed
Bug 490568
Opened 16 years ago
Closed 15 years ago
"Assertion failure: !(pnu->pn_dflags & PND_BOUND), at ../jsemit.cpp"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 491806
People
(Reporter: gkw, Assigned: brendan)
References
Details
(Keywords: assertion, regression, testcase)
$ cat 5a.js
(({
w: (([]
for each(z in []))({
y setter: function() {
x = #1=[]
}
}))
}) for each(functional in []))
{ (function() {})
x
for each(let x in [])([])
}
$ ./js-dbg-tm-intelmac 5a.js
Assertion failure: !(pnu->pn_dflags & PND_BOUND), at ../jsemit.cpp:1818
Trace/BPT trap
Save this testcase in a file and parse into the js debug shell without -j (i.e. ./js testcase.js ) and it asserts at Assertion failure: !(pnu->pn_dflags & PND_BOUND), at ../jsemit.cpp:1818
autoBisect shows this is probably related to the upvar2 bug :
The first bad revision is:
changeset: 26784:2cf0bbe3772a
user: Brendan Eich
date: Sun Apr 05 21:17:22 2009 -0700
summary: upvar2, aka the big one take 2 (452598, r=mrbkap).
This seems debug only as the assert is happening within #ifdef DEBUG code: (could be wrong though)
(gdb) bt
#0 JS_Assert (s=0x1a53f9 "!(pnu->pn_dflags & PND_BOUND)", file=0x1a4fd3 "../jsemit.cpp", ln=1818) at ../jsutil.cpp:69
#1 0x00047ab5 in EmitEnterBlock (cx=0x30bc50, pn=0x814610, cg=0xbffff404) at ../jsemit.cpp:1818
#2 0x00053274 in js_EmitTree (cx=0x30bc50, cg=0xbffff404, pn=0x814610) at ../jsemit.cpp:6268
#3 0x00050353 in js_EmitTree (cx=0x30bc50, cg=0xbffff404, pn=0x813700) at ../jsemit.cpp:5437
#4 0x000e0cb8 in JSCompiler::compileScript (cx=0x30bc50, scopeChain=0x2aa000, callerFrame=0x0, principals=0x0, tcflags=24576, chars=0x0, length=0, file=0xa08a54c0, filename=0xbffffa2a "5a.js", lineno=1, source=0x0) at ../jsparse.cpp:882
#5 0x0001d503 in JS_CompileFileHandleForPrincipals (cx=0x30bc50, obj=0x2aa000, filename=0xbffffa2a "5a.js", file=0xa08a54c0, principals=0x0) at ../jsapi.cpp:4819
#6 0x0001d57e in JS_CompileFileHandle (cx=0x30bc50, obj=0x2aa000, filename=0xbffffa2a "5a.js", file=0xa08a54c0) at ../jsapi.cpp:4805
#7 0x00007eb7 in Process (cx=0x30bc50, obj=0x2aa000, filename=0xbffffa2a "5a.js", forceTTY=0) at ../../shell/js.cpp:408
#8 0x00009732 in ProcessArgs (cx=0x30bc50, obj=0x2aa000, argv=0xbffff960, argc=1) at ../../shell/js.cpp:806
#9 0x0000abdc in main (argc=1, argv=0xbffff960, envp=0xbffff968) at ../../shell/js.cpp:4728
(gdb) frame 1
#1 0x00047ab5 in EmitEnterBlock (cx=0x30bc50, pn=0x814610, cg=0xbffff404) at ../jsemit.cpp:1818
1818 JS_ASSERT(!(pnu->pn_dflags & PND_BOUND));
(gdb) l
1813 JS_ASSERT(uintN(dn->frameSlot() + depth) < JS_BIT(16));
1814 dn->pn_cookie += depth;
1815 #ifdef DEBUG
1816 for (JSParseNode *pnu = dn->dn_uses; pnu; pnu = pnu->pn_link) {
1817 JS_ASSERT(pnu->pn_lexdef == dn);
1818 JS_ASSERT(!(pnu->pn_dflags & PND_BOUND));
1819 JS_ASSERT(pnu->pn_cookie == FREE_UPVAR_COOKIE);
1820 }
1821 #endif
1822 }
Flags: blocking1.9.1?
Updated•15 years ago
|
Assignee: general → brendan
Flags: blocking1.9.1? → blocking1.9.1+
Assignee | ||
Comment 1•15 years ago
|
||
Same underlying cause as bug 491806, fixed by that bug's patch. Dup'ing
forward, setting in-testsuite? to get this bug's fuzzer-generated test captured
under js/tests.
Rob, please make bug 491806 block. Thanks.
Bob, if making bug 491806 block this bug is better please feel free to reopen
and set the dependency. I'm happy to be schooled, but at this point it's clear
this bug and bug 491806 are due to the same flaw in comprehension expression
blockid adjustment, described in bug 491806 comment 1. Thanks for any tips.
/be
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Reporter | ||
Updated•15 years ago
|
Flags: in-testsuite?
You need to log in
before you can comment on or make changes to this bug.
Description
•