Assertion failure: !vp.isMagic(), at jsobj.cpp:4600

RESOLVED FIXED in mozilla35

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: decoder, Assigned: jorendorff)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
mozilla35
x86
Linux
assertion, testcase
Points:
---

Firefox Tracking Flags

(firefox34 affected)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(2 attachments)

(Reporter)

Description

3 years ago
The following testcase asserts on mozilla-central revision a9b43778f0c2 (run with --no-threads --fuzzing-safe --ion-eager):


function TestCase(n) {
  this.name = n;
}
function newFunc(x) { new Function(x)(); };
newFunc('new TestCase("x", TestCase("x") );');
function test() {
eval("var { [arguments] : y }  = name;");
} test();
(Reporter)

Updated

3 years ago
status-firefox34: --- → affected
Whiteboard: [jsbugmon:update,bisect]
(Reporter)

Comment 1

3 years ago
Created attachment 8470772 [details]
[crash-signature] Machine-readable crash signature
(Reporter)

Updated

3 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
(Reporter)

Comment 2

3 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7079b7552946
user:        Guptha Rajagopal
date:        Fri Aug 08 09:15:00 2014 -0400
summary:     Bug 924688 - Implement ES6 computed property names. r=jorendorff

This iteration took 591.676 seconds to run.
(Reporter)

Comment 3

3 years ago
Needinfo from Jason based on comment 2. Jason, can you work with the patch contributor here to fix this? Thanks!
Flags: needinfo?(jorendorff)
(Assignee)

Comment 4

3 years ago
Simpler:

function test() {
    eval("var { [arguments] : y }  = {};");
}
test();

I'm not sure what this should do, honestly. Not crash.
Assignee: nobody → jorendorff
Flags: needinfo?(jorendorff)
(Assignee)

Comment 5

3 years ago
Created attachment 8488299 [details] [diff] [review]
Fix "Assertion failure: !vp.isMagic(), at jsobj.cpp:4600" with arguments, direct eval, and a destructuring declaration
Attachment #8488299 - Flags: review?(jwalden+bmo)
Attachment #8488299 - Flags: review?(jwalden+bmo) → review+
(Assignee)

Comment 6

3 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/de8214005a4a
https://hg.mozilla.org/mozilla-central/rev/de8214005a4a
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
You need to log in before you can comment on or make changes to this bug.