Crash [@ js_ValueToString] or "Assertion failure: !(pnu->pn_dflags & PND_BOUND), at ../jsemit.cpp"

RESOLVED DUPLICATE of bug 488690

Status

()

Core
JavaScript Engine
P1
critical
RESOLVED DUPLICATE of bug 488690
9 years ago
6 years ago

People

(Reporter: gkw, Assigned: brendan)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
mozilla1.9.1b4
assertion, crash, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.9.1 +
wanted1.9.0.x -
wanted1.8.1.x -
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dupe of 488690?], crash signature)

(Reporter)

Description

9 years ago
(function(){})();
eval("\
  if(x :: false){\
    let (x = (x for (functional in 0))){} \
  }\
");

(to see the opt js shell crash, save testcase in a file and input as a parameter, e.g. ./js testcase.js)

crashes opt js shell without -j at js_ValueToString at 0xc3510224 (setting security-sensitive because of scary address) and asserts debug js shell without -j at Assertion failure: !(pnu->pn_dflags & PND_BOUND), at ../jsemit.cpp:1818

Related to bug 488848 (identical assert message) and/or bug 488690 ?

autoBisect shows this is also probably related to bug 488015 :

The first bad revision is:
changeset:   27205:78a21b8efe1b
user:        Brendan Eich
date:        Wed Apr 15 01:57:13 2009 -0700
summary:     Bug 488015 - Crash [@ js_GetUpvar ] (also bogus JS errors, also probably Crash [@js_Interpret]) (future r=mrbkap, see bug).
Flags: blocking1.9.1?
(Assignee)

Comment 1

9 years ago
Likely a dup -- generator expression using a variable bound by an outer let. See bug 488690. Will work on the patch there to leave this one hidden.

/be
(Assignee)

Updated

9 years ago
Assignee: general → brendan
Status: NEW → ASSIGNED
OS: Mac OS X → All
Priority: -- → P1
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.1b4

Updated

9 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Whiteboard: [dupe of 488690?]
(Assignee)

Comment 2

9 years ago
Fixed by patch for bug 488690. I could just dup this... thoughts on bug protocol?

/be
(Assignee)

Comment 3

9 years ago
This is a dup.

/be
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 488690
Group: core-security
Flags: wanted1.9.0.x-
Flags: wanted1.8.1.x-
Whiteboard: [dupe of 488690?] → [sg:dupe of 488690?]
(Reporter)

Updated

9 years ago
Flags: in-testsuite?
Crash Signature: [@ js_ValueToString]
You need to log in before you can comment on or make changes to this bug.