489130 - Crash [@ js_ValueToString] or "Assertion failure: !(pnu->pn_dflags & PND_BOUND), at ../jsemit.cpp"

Status: RESOLVED DUPLICATE of bug 488690

(Core :: JavaScript Engine, defect, P1)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(function(){})();
eval("\
  if(x :: false){\
    let (x = (x for (functional in 0))){} \
  }\
");

(to see the opt js shell crash, save testcase in a file and input as a parameter, e.g. ./js testcase.js)

crashes opt js shell without -j at js_ValueToString at 0xc3510224 (setting security-sensitive because of scary address) and asserts debug js shell without -j at Assertion failure: !(pnu->pn_dflags & PND_BOUND), at ../jsemit.cpp:1818

Related to bug 488848 (identical assert message) and/or bug 488690 ?

autoBisect shows this is also probably related to bug 488015 :

The first bad revision is:
changeset:   27205:78a21b8efe1b
user:        Brendan Eich
date:        Wed Apr 15 01:57:13 2009 -0700
summary:     Bug 488015 - Crash [@ js_GetUpvar ] (also bogus JS errors, also probably Crash [@js_Interpret]) (future r=mrbkap, see bug).

Comment 1

[Brendan Eich [:brendan]]

Likely a dup -- generator expression using a variable bound by an outer let. See bug 488690. Will work on the patch there to leave this one hidden.

/be

Comment 2

[Brendan Eich [:brendan]]

Fixed by patch for bug 488690. I could just dup this... thoughts on bug protocol?

/be

Comment 3

[Brendan Eich [:brendan]]

This is a dup.

/be