uneval(new Function("\ for(\ ((let (functional) x) for each ([] in [])); \ yield x; \ (let (x = true) x));\ ")) asserts debug js shell at Assertion failure: (uintN)i < ss->top, at ../jsopcode.cpp:2855 (gdb) bt #0 JS_Assert (s=0x81f0405 "(uintN)i < ss->top", file=0x81ef705 "../jsopcode.cpp", ln=2855) at ../jsutil.cpp:69 #1 0x080d8521 in Decompile (ss=0xbffa87f4, pc=0x8cafcc0 "V", nb=4, nextop=JSOP_NOP) at ../jsopcode.cpp:2855 #2 0x080d5c8f in Decompile (ss=0xbffa87f4, pc=0x8cafcad "\006", nb=35, nextop=JSOP_NOP) at ../jsopcode.cpp:2178 #3 0x080e172c in DecompileCode (jp=0x8cad348, script=0x8cafc60, pc=0x8cafca5 "\200", len=35, pcdepth=0) at ../jsopcode.cpp:4831 #4 0x080d4fef in js_DecompileFunction (jp=0x8cad348) at ../jsopcode.cpp:5000 #5 0x0805840b in JS_DecompileFunction (cx=0x8ca31b0, fun=0x8cb06c8, indent=32768) at ../jsapi.cpp:5006 #6 0x080a670e in fun_toStringHelper (cx=0x8ca31b0, indent=32768, argc=0, vp=0x8cad458) at ../jsfun.cpp:1614 #7 0x080a6766 in fun_toSource (cx=0x8ca31b0, argc=0, vp=0x8cad458) at ../jsfun.cpp:1631 #8 0x080b390d in js_Invoke (cx=0x8ca31b0, argc=0, vp=0x8cad458, flags=0) at ../jsinterp.cpp:1234 #9 0x080b459d in js_InternalInvoke (cx=0x8ca31b0, obj=0x8cb06c8, fval=147484784, flags=0, argc=0, argv=0x0, rval=0xbffa8b28) at ../jsinterp.cpp:1428 #10 0x080c49ed in js_TryMethod (cx=0x8ca31b0, obj=0x8cb06c8, atom=0x8ca4234, argc=0, argv=0x0, rval=0xbffa8b28) at ../jsobj.cpp:5556 #11 0x081200b4 in js_ValueToSource (cx=0x8ca31b0, v=147523272) at ../jsstr.cpp:3000 #12 0x08120165 in str_uneval (cx=0x8ca31b0, argc=1, vp=0x8cad430) at ../jsstr.cpp:506 #13 0x081cd0f8 in js_Interpret (cx=0x8ca31b0) at ../jsinterp.cpp:5116 #14 0x080b31a8 in js_Execute (cx=0x8ca31b0, chain=0x8ca6000, script=0x8cad3b8, down=0x0, flags=0, result=0x0) at ../jsinterp.cpp:1601 #15 0x080581a8 in JS_ExecuteScript (cx=0x8ca31b0, obj=0x8ca6000, script=0x8cad3b8, rval=0x0) at ../jsapi.cpp:5040 #16 0x08051a4f in Process (cx=0x8ca31b0, obj=0x8ca6000, filename=0xbffaa715 "37a.js", forceTTY=0) at ../../shell/js.cpp:412 #17 0x080525d1 in ProcessArgs (cx=0x8ca31b0, obj=0x8ca6000, argv=0xbffa9538, argc=1) at ../../shell/js.cpp:806 #18 0x08052998 in main (argc=1, argv=0xbffa9538, envp=0xbffa9540) at ../../shell/js.cpp:4728 (gdb) frame 1 #1 0x080d8521 in Decompile (ss=0xbffa87f4, pc=0x8cafcc0 "V", nb=4, nextop=JSOP_NOP) at ../jsopcode.cpp:2855 2855 LOCAL_ASSERT((uintN)i < ss->top); (gdb) l 2850 if (IsVarSlot(jp, pc, &i)) { 2851 atom = GetArgOrVarAtom(jp, i); 2852 LOCAL_ASSERT(atom); 2853 goto do_name; 2854 } 2855 LOCAL_ASSERT((uintN)i < ss->top); 2856 sn = js_GetSrcNote(jp->script, pc); 2857 2858 #if JS_HAS_DESTRUCTURING 2859 if (sn && SN_TYPE(sn) == SRC_GROUPASSIGN) { (gdb) autoBisect shows this is probably related to bug 452498 : The first bad revision is: changeset: 26784:2cf0bbe3772a user: Brendan Eich date: Sun Apr 05 21:17:22 2009 -0700 summary: upvar2, aka the big one take 2 (452498, r=mrbkap).

Transplanting a comprehension expression, whether in a generator expression or not, can adjust blockids to hit or exceed tc->blockidGen, so that counter must be advanced to one more than the maximum adjusted blockid. In a generator expression in a for loop head (or similar contexts), the failure to do this can lead to blockid replay, which confuses def/use chaining, as shown in the fuzzer-generated testcase for this bug. /be

Fixed: http://hg.mozilla.org/tracemonkey/rev/d50aaa0e1085 http://hg.mozilla.org/mozilla-central/rev/81080882c3b5 /be

Verified fixed with testcase in comment 0 with the following debug builds: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090522 Minefield/3.6a1pre ID:20090522133810 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre) Gecko/20090522 Shiretoko/3.5pre ID:20090522153422

Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929