1146644 - Assertion failure: node->pn_u.binary.left->isKind(PNK_LET), at frontend/FoldConstants.cpp

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

if (f) for (const x = u;;) {}

asserts js debug shell on m-c changeset cbd0efcd976c with --fuzzing-safe --no-threads --no-ion at Assertion failure: node->pn_u.binary.left->isKind(PNK_LET), at frontend/FoldConstants.cpp.

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r cbd0efcd976c

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/5a850bc4ea8f
user:        Jeff Walden
date:        Tue Feb 10 00:32:56 2015 -0800
summary:     Bug 1130811 - Examine nodes kind-wise when deciding whether a node contains a hoisted declaration.  r=shu

Waldo, is bug 1130811 a likely regressor?

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

(lldb) bt 5
* thread #1: tid = 0x5b19c, 0x00000001001bfdf4 js-dbg-64-dm-nsprBuild-darwin-cbd0efcd976c`ContainsHoistedDeclaration(cx=<unavailable>, node=<unavailable>, result=<unavailable>) + 3140 at FoldConstants.cpp:310, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001001bfdf4 js-dbg-64-dm-nsprBuild-darwin-cbd0efcd976c`ContainsHoistedDeclaration(cx=<unavailable>, node=<unavailable>, result=<unavailable>) + 3140 at FoldConstants.cpp:310
    frame #1: 0x000000010018cb1e js-dbg-64-dm-nsprBuild-darwin-cbd0efcd976c`Fold(cx=<unavailable>, pnp=<unavailable>, handler=<unavailable>, options=<unavailable>, inGenexpLambda=<unavailable>, sc=<unavailable>) + 2878 at FoldConstants.cpp:774
    frame #2: 0x000000010016ef7f js-dbg-64-dm-nsprBuild-darwin-cbd0efcd976c`js::frontend::FoldConstants(cx=<unavailable>, pnp=<unavailable>, parser=<unavailable>) + 159 at FoldConstants.cpp:1191
    frame #3: 0x000000010016da16 js-dbg-64-dm-nsprBuild-darwin-cbd0efcd976c`js::frontend::CompileScript(cx=0x0000000101f02590, alloc=<unavailable>, options=0x00007fff5fbff1b8, srcBuf=<unavailable>, source_=<unavailable>, staticLevel=<unavailable>, extraSct=<unavailable>, scopeChain=<unavailable>, evalCaller=<unavailable>, evalStaticScope=<unavailable>) + 3318 at BytecodeCompiler.cpp:388
    frame #4: 0x0000000100755528 js-dbg-64-dm-nsprBuild-darwin-cbd0efcd976c`JS::Compile(cx=0x0000000101f02590, options=0x00007fff5fbff1b8, srcBuf=0x00007fff5fbfefd0, obj=<unavailable>, script=<unavailable>) + 344 at jsapi.cpp:3762
(lldb)

Comment 2

[Jeff Walden [:Waldo]]

Attachment: Don't assert compiling a for-loop with a const loop-variable declaration

This loltastic parse tree is formed by the tail-ish end of Parser::forStatement, if you were sensibly unaware.

I may well be modifying this in the next week or so for for(;;) scoping, but for now this is what we have, and it seems sensible to return to sanity before those changes.

Comment 3

[Shu-yu Guo [:shu]]

Comment on attachment 8582588 [details] [diff] [review]
Don't assert compiling a for-loop with a const loop-variable declaration

Review of attachment 8582588 [details] [diff] [review]:
-----------------------------------------------------------------

Uh... sure.

Comment 4

[Ryan VanderMeulen [:RyanVM]]

Backed out for LexicalEnvironment/const-declaration-in-for-loop.js jsreftest failures.
https://hg.mozilla.org/integration/mozilla-inbound/rev/67f8d63b2cad

https://treeherder.mozilla.org/logviewer.html#?job_id=8150374&repo=mozilla-inbound

Comment 5

[Phil Ringnalda (:philor)]

https://hg.mozilla.org/mozilla-central/rev/7a476e71ecfa