Closed Bug 1308745 Opened 8 years ago Closed 8 years ago

Assertion failure: !IsUninitializedLexical((activation.regs()).fp()->unaliasedLocal(i)), at js/src/vm/Interpreter.cpp:3402

Tracking

()

Status:

RESOLVED FIXED

Tracking Flags:

Tracking

Status

firefox52

---

fixed

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 file)

Detailed Crash Information 8 years ago Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) 29.59 KB, text/plain		Details

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Description

•

8 years ago

The following testcase crashes on mozilla-central revision 313a2d049350 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

for (let x, y = [y] = [,]; x < 4; ++x) {}


Backtrace:

0   js-dbg-64-dm-clang-darwin-313a2d049350	0x00000001106b0d68 Interpret(JSContext*, js::RunState&) + 48056 (Interpreter.cpp:3402)
1   js-dbg-64-dm-clang-darwin-313a2d049350	0x00000001106a4fb4 js::RunScript(JSContext*, js::RunState&) + 452 (Interpreter.cpp:404)
2   js-dbg-64-dm-clang-darwin-313a2d049350	0x00000001106b758f js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) + 511 (Interpreter.cpp:685)
3   js-dbg-64-dm-clang-darwin-313a2d049350	0x00000001106b79f6 js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 438 (RootingAPI.h:802)
/snip

For detailed crash information, see attachment.

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 1

•

8 years ago

Attached file Detailed Crash Information — Details

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 2

•

8 years ago

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/9716bcfed35d
user:        Tooru Fujisawa
date:        Tue Sep 27 13:57:00 2016 +0900
summary:     Bug 1184922 - Part 1: Do not call iter.next() if the previous iter.next().done was true in array destructuring. r=shu

Arai-san, is bug 1184922 a likely regressor?

Blocks: 1184922

Flags: needinfo?(arai.unmht)

Tooru Fujisawa [:arai]

Comment 3

•

8 years ago

Yes, thanks.
This means we cannot emit lexical binding pattern twice with current approach.
I'll backout bug 1184922 patches.

Flags: needinfo?(arai.unmht)

Tooru Fujisawa [:arai]

Comment 4

•

8 years ago

patch is almost ready.
will fix in bug 1184922.

Fuzzing Team

Updated

•

8 years ago

Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]

Fuzzing Team

Comment 5

•

8 years ago

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 90d8afaddf91).

Tooru Fujisawa [:arai]

Comment 6

•

8 years ago

fixed in bug 1184922

Status: NEW → RESOLVED

Closed: 8 years ago

status-firefox52: affected → fixed

Resolution: --- → FIXED

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Assertion failure: !IsUninitializedLexical((activation.regs()).fp()->unaliasedLocal(i)), at js/src/vm/Interpreter.cpp:3402

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update,ignore])

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Comment 3

Comment 4

Updated

Comment 5

Comment 6

Attachment

General

Description

File Name

Content Type