Closed Bug 1146644 Opened 5 years ago Closed 5 years ago

Assertion failure: node->pn_u.binary.left->isKind(PNK_LET), at frontend/FoldConstants.cpp

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla39
Tracking Status
firefox39 --- fixed

People

(Reporter: gkw, Assigned: Waldo)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase)

Attachments

(2 files)

if (f) for (const x = u;;) {}

asserts js debug shell on m-c changeset cbd0efcd976c with --fuzzing-safe --no-threads --no-ion at Assertion failure: node->pn_u.binary.left->isKind(PNK_LET), at frontend/FoldConstants.cpp.

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r cbd0efcd976c

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/5a850bc4ea8f
user:        Jeff Walden
date:        Tue Feb 10 00:32:56 2015 -0800
summary:     Bug 1130811 - Examine nodes kind-wise when deciding whether a node contains a hoisted declaration.  r=shu

Waldo, is bug 1130811 a likely regressor?
Flags: needinfo?(jwalden+bmo)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x5b19c, 0x00000001001bfdf4 js-dbg-64-dm-nsprBuild-darwin-cbd0efcd976c`ContainsHoistedDeclaration(cx=<unavailable>, node=<unavailable>, result=<unavailable>) + 3140 at FoldConstants.cpp:310, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001001bfdf4 js-dbg-64-dm-nsprBuild-darwin-cbd0efcd976c`ContainsHoistedDeclaration(cx=<unavailable>, node=<unavailable>, result=<unavailable>) + 3140 at FoldConstants.cpp:310
    frame #1: 0x000000010018cb1e js-dbg-64-dm-nsprBuild-darwin-cbd0efcd976c`Fold(cx=<unavailable>, pnp=<unavailable>, handler=<unavailable>, options=<unavailable>, inGenexpLambda=<unavailable>, sc=<unavailable>) + 2878 at FoldConstants.cpp:774
    frame #2: 0x000000010016ef7f js-dbg-64-dm-nsprBuild-darwin-cbd0efcd976c`js::frontend::FoldConstants(cx=<unavailable>, pnp=<unavailable>, parser=<unavailable>) + 159 at FoldConstants.cpp:1191
    frame #3: 0x000000010016da16 js-dbg-64-dm-nsprBuild-darwin-cbd0efcd976c`js::frontend::CompileScript(cx=0x0000000101f02590, alloc=<unavailable>, options=0x00007fff5fbff1b8, srcBuf=<unavailable>, source_=<unavailable>, staticLevel=<unavailable>, extraSct=<unavailable>, scopeChain=<unavailable>, evalCaller=<unavailable>, evalStaticScope=<unavailable>) + 3318 at BytecodeCompiler.cpp:388
    frame #4: 0x0000000100755528 js-dbg-64-dm-nsprBuild-darwin-cbd0efcd976c`JS::Compile(cx=0x0000000101f02590, options=0x00007fff5fbff1b8, srcBuf=0x00007fff5fbfefd0, obj=<unavailable>, script=<unavailable>) + 344 at jsapi.cpp:3762
(lldb)
This loltastic parse tree is formed by the tail-ish end of Parser::forStatement, if you were sensibly unaware.

I may well be modifying this in the next week or so for for(;;) scoping, but for now this is what we have, and it seems sensible to return to sanity before those changes.
Attachment #8582588 - Flags: review?(shu)
Assignee: nobody → jwalden+bmo
Status: NEW → ASSIGNED
Comment on attachment 8582588 [details] [diff] [review]
Don't assert compiling a for-loop with a const loop-variable declaration

Review of attachment 8582588 [details] [diff] [review]:
-----------------------------------------------------------------

Uh... sure.
Attachment #8582588 - Flags: review?(shu) → review+
https://hg.mozilla.org/mozilla-central/rev/7a476e71ecfa
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
Flags: needinfo?(jwalden+bmo)
You need to log in before you can comment on or make changes to this bug.