Closed Bug 1064391 Opened 11 years ago Closed 11 years ago

Assertion failure: next->isOp(JSOP_INITPROP), at jsreflect.cpp

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla35
Tracking Flags:
Tracking Status
firefox35 --- affected

People

(Reporter: gkw, Assigned: Waldo)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

stack
4.97 KB, text/plain
Details
Patch
3.02 KB, patch
shu
: review+
Details | Diff | Splinter Review
Reflect.parse(" [{__proto__:[]}] = 0") asserts js debug shell on m-c changeset 2255d7d187b2 with --no-threads --ion-eager at Assertion failure: next->isOp(JSOP_INITPROP), at jsreflect.cpp. Debug configure flags: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/8acb4009398c user: Jeff Walden date: Sat Aug 30 14:27:19 2014 -0700 summary: Bug 1061853 - Reintroduce PNK_MUTATEPROTO to distinguish ({ __proto__: v }) as mutating the [[Prototype]] from ({ __proto__() {} }) as not doing so. r=shu Waldo, is bug 1061853 a possible regressor?
Flags: needinfo?(jwalden+bmo)
Attached file stack
Reflect.parse("[{__proto__:[]}] = 0") Apparently the extra spaces were not necessary.
Attached patch PatchSplinter Review
Attachment #8485969 - Flags: review?(shu)
Assignee: nobody → jwalden+bmo
Status: NEW → ASSIGNED
Flags: needinfo?(jwalden+bmo)
Comment on attachment 8485969 [details] [diff] [review] Patch Review of attachment 8485969 [details] [diff] [review]: ----------------------------------------------------------------- The fix looks fine. I'd prefer __proto__ in patterns to not be parsed as MUTATEPROTO as it can never mutate [[Prototype]], but Waldo explained on IRC that doing that would require backtracking in the parser and is a pain. ::: js/src/jsreflect.cpp @@ +3136,4 @@ > } > > bool > +ASTSerializer::objectPattern(ParseNode *objPattern, VarDeclKind *pkind, MutableHandleValue dst) Nit: For the sake of conformity I wouldn't rename the parameter name. Everything else in ASTSerializer is named pn.
Attachment #8485969 - Flags: review?(shu) → review+
https://hg.mozilla.org/mozilla-central/rev/d9089681f200
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: