Closed
Bug 496682
Opened 15 years ago
Closed 15 years ago
Crash [@ FindPropertyValue] or "Assertion failure: right->pn_arity != PN_LIST || !(right->pn_xflags & PNX_DESTRUCT), at ../jsparse.cpp"
Categories
(Core :: JavaScript Engine, defect, P1)
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
status1.9.2 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(1 obsolete file)
const{0:[]}=
crashes both opt and debug js shell on TM without -j at FindPropertyValue.
Probably because pn in pn->pn_type is null, so it's probably a null-dereference.
js> const{0:[]}=
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x000daab6 in FindPropertyValue (pn=0x0, pnid=0x811b20, data=0xbffff2bc) at ../jsparse.cpp:3560
3560 if (pn->pn_type != TOK_RC)
(gdb) bt
#0 0x000daab6 in FindPropertyValue (pn=0x0, pnid=0x811b20, data=0xbffff2bc) at ../jsparse.cpp:3560
#1 0x000db748 in UndominateInitializers (left=0x811af0, right=0x0) at ../jsparse.cpp:3844
#2 0x000ea947 in Variables (cx=0x30bc40, ts=0xbffff60c, tc=0xbffff548, inLetHead=false) at ../jsparse.cpp:5591
#3 0x000e5ab3 in Statement (cx=0x30bc40, ts=0xbffff60c, tc=0xbffff548) at ../jsparse.cpp:5222
#4 0x000e6832 in Statements (cx=0x30bc40, ts=0xbffff60c, tc=0xbffff548) at ../jsparse.cpp:2903
#5 0x000ec565 in JSCompiler::parse (this=0xbffff5ec, chain=0x2c0000) at ../jsparse.cpp:740
#6 0x00024547 in JS_BufferIsCompilableUnit (cx=0x30bc40, obj=0x2c0000, bytes=0x30d390 "const{0:[]}=", length=12) at ../jsapi.cpp:4742
#7 0x00008c91 in Process (cx=0x30bc40, obj=0x2c0000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:436
#8 0x0000a202 in ProcessArgs (cx=0x30bc40, obj=0x2c0000, argv=0xbffff958, argc=0) at ../../shell/js.cpp:806
#9 0x0000b6ac in main (argc=0, argv=0xbffff958, envp=0xbffff95c) at ../../shell/js.cpp:4750
(gdb) frame 0
#0 0x000daab6 in FindPropertyValue (pn=0x0, pnid=0x811b20, data=0xbffff2bc) at ../jsparse.cpp:3560
3560 if (pn->pn_type != TOK_RC)
(gdb) l
3555 JS_DHashTableOperate(&data->table, pnid, JS_DHASH_LOOKUP);
3556 return JS_DHASH_ENTRY_IS_BUSY(&entry->hdr) ? entry->pnval : NULL;
3557 }
3558
3559 /* If pn is not an object initialiser node, we can't do anything here. */
3560 if (pn->pn_type != TOK_RC)
3561 return NULL;
3562
3563 /*
3564 * We must search all the way through pn's list, to handle the case of an
(gdb) p pn
$1 = (JSParseNode *) 0x0
(gdb)
Flags: blocking1.9.2?
Comment 1•15 years ago
Bisect sez this was introduced on t-m by changeset 2e6025415fb3:
Fix destructuring binding to follow the cheezy dominance relation rules of the
upvar analysis (496134, r=mrbkap).
Reporter
Comment 2•15 years ago
(Hurray to mid-airs)
autoBisect shows this is probably related to bug 496134 :
The first bad revision is:
changeset: 28945:2e6025415fb3
user: Brendan Eich
date: Fri Jun 05 16:14:00 2009 -0700
summary: Fix destructuring binding to follow the cheezy dominance relation rules of the upvar analysis (496134, r=mrbkap).
Comment 3•15 years ago
Going to land this on t-m right now so Gary can fuzz more.
The curlies are there to make it clear that we do want to call UndominateInitializers(pn, rhs); even if !right. I could add a comment to that effect instead if preferred.
Attachment #381903 -
Flags: review?(brendan)
Reporter
Comment 4•15 years ago
let {}={y:[],0}
This same bug _might_ also have caused this assertion:
Assertion failure: right->pn_arity != PN_LIST || !(right->pn_xflags & PNX_DESTRUCT), at ../jsparse.cpp:3811
(debug TM js shell without -j)
Though I haven't checked to be sure...
Reporter
Comment 5•15 years ago
(In reply to comment #4)
> let {}={y:[],0}
>
> This same bug _might_ also have caused this assertion:
>
> Assertion failure: right->pn_arity != PN_LIST || !(right->pn_xflags &
> PNX_DESTRUCT), at ../jsparse.cpp:3811
>
> (debug TM js shell without -j)
>
> Though I haven't checked to be sure...
Just checked, and this assertion is indeed the same cause.
Reporter
Updated•15 years ago
Summary: Crash [@ FindPropertyValue] with const → Crash [@ FindPropertyValue] or "Assertion failure: right->pn_arity != PN_LIST || !(right->pn_xflags & PNX_DESTRUCT), at ../jsparse.cpp"
Reporter
Updated•15 years ago
Flags: in-testsuite?
Reporter
Comment 6•15 years ago
This bug has been fixed by the backout in bug 496134.
Updated•15 years ago
Attachment #381903 -
Attachment is obsolete: true
Attachment #381903 -
Flags: review?(brendan)
Comment 7•15 years ago
Comment on attachment 381903 [details] [diff] [review]
Proposed fix
Fixed by back-out, real fix is in bug 496134.
/be
Comment 8•15 years ago
See comment 6.
/be
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated•15 years ago
Flags: blocking1.9.2? → blocking1.9.2+
Updated•15 years ago
Priority: -- → P1
Updated•15 years ago
status1.9.2:
--- → unaffected
Flags: blocking1.9.2+ → blocking1.9.2-
Updated•13 years ago
Crash Signature: [@ FindPropertyValue]
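
A regression check for the two testcases in this bug, as an added example that is not part of the original report or of the SpiderMonkey test suite: it compiles each testcase and every prefix of it without executing anything, and expects either a clean compile or a SyntaxError. The names `classify` and `prefixFailures`, and the use of `new Function` as a parse-only entry point, are assumptions of this example.

```javascript
// Added example, not from the bug report. The two testcase strings are
// copied verbatim from the report; everything else is constructed here.
const TESTCASES = [
  "const{0:[]}=",     // description: crash in FindPropertyValue
  "let {}={y:[],0}",  // comment 4: assertion failure in jsparse.cpp
];

// Compile src as a function body without running it and report what the
// parser did. A healthy parser either accepts the text or throws
// SyntaxError; any other exception type is reported by name.
function classify(src) {
  try {
    new Function(src);
    return "compiled";
  } catch (e) {
    return e instanceof SyntaxError ? "SyntaxError" : "other:" + e.name;
  }
}

// The crash in the report was hit while the shell was testing an incomplete
// buffer (JS_BufferIsCompilableUnit, frame #6), so also feed every prefix of
// the testcase to the parser. Returns the prefixes whose outcome was neither
// a clean compile nor a SyntaxError. A hard crash would end the process
// before this function returns, which the test runner sees as a failure.
function prefixFailures(src) {
  const failures = [];
  for (let n = 0; n <= src.length; n++) {
    const prefix = src.slice(0, n);
    const outcome = classify(prefix);
    if (outcome !== "compiled" && outcome !== "SyntaxError") {
      failures.push({ prefix, outcome });
    }
  }
  return failures;
}

for (const tc of TESTCASES) {
  console.log(JSON.stringify(tc), classify(tc),
              "unexpected prefix outcomes:", prefixFailures(tc).length);
}
```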