Closed
Bug 496682
Opened 15 years ago
Closed 15 years ago
Crash [@ FindPropertyValue] or "Assertion failure: right->pn_arity != PN_LIST || !(right->pn_xflags & PNX_DESTRUCT), at ../jsparse.cpp"
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(1 obsolete file)
const{0:[]}=
crashes both opt and debug js shell on TM without -j at FindPropertyValue.
Probably because pn in pn->pn_type is null, so it's probably a null-dereference.
js> const{0:[]}=
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x000daab6 in FindPropertyValue (pn=0x0, pnid=0x811b20, data=0xbffff2bc) at ../jsparse.cpp:3560
3560 if (pn->pn_type != TOK_RC)
(gdb) bt
#0 0x000daab6 in FindPropertyValue (pn=0x0, pnid=0x811b20, data=0xbffff2bc) at ../jsparse.cpp:3560
#1 0x000db748 in UndominateInitializers (left=0x811af0, right=0x0) at ../jsparse.cpp:3844
#2 0x000ea947 in Variables (cx=0x30bc40, ts=0xbffff60c, tc=0xbffff548, inLetHead=false) at ../jsparse.cpp:5591
#3 0x000e5ab3 in Statement (cx=0x30bc40, ts=0xbffff60c, tc=0xbffff548) at ../jsparse.cpp:5222
#4 0x000e6832 in Statements (cx=0x30bc40, ts=0xbffff60c, tc=0xbffff548) at ../jsparse.cpp:2903
#5 0x000ec565 in JSCompiler::parse (this=0xbffff5ec, chain=0x2c0000) at ../jsparse.cpp:740
#6 0x00024547 in JS_BufferIsCompilableUnit (cx=0x30bc40, obj=0x2c0000, bytes=0x30d390 "const{0:[]}=", length=12) at ../jsapi.cpp:4742
#7 0x00008c91 in Process (cx=0x30bc40, obj=0x2c0000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:436
#8 0x0000a202 in ProcessArgs (cx=0x30bc40, obj=0x2c0000, argv=0xbffff958, argc=0) at ../../shell/js.cpp:806
#9 0x0000b6ac in main (argc=0, argv=0xbffff958, envp=0xbffff95c) at ../../shell/js.cpp:4750
(gdb) frame 0
#0 0x000daab6 in FindPropertyValue (pn=0x0, pnid=0x811b20, data=0xbffff2bc) at ../jsparse.cpp:3560
3560 if (pn->pn_type != TOK_RC)
(gdb) l
3555 JS_DHashTableOperate(&data->table, pnid, JS_DHASH_LOOKUP);
3556 return JS_DHASH_ENTRY_IS_BUSY(&entry->hdr) ? entry->pnval : NULL;
3557 }
3558
3559 /* If pn is not an object initialiser node, we can't do anything here. */
3560 if (pn->pn_type != TOK_RC)
3561 return NULL;
3562
3563 /*
3564 * We must search all the way through pn's list, to handle the case of an
(gdb) p pn
$1 = (JSParseNode *) 0x0
(gdb)Flags: blocking1.9.2?
|
||
Comment 1•15 years ago
|
||
Bisect sez this was introduced on t-m by changeset 2e6025415fb3: Fix destructuring binding to follow the cheezy dominance relation rules of the upvar analysis (496134, r=mrbkap).
|
|
Reporter | |
Comment 2•15 years ago
|
||
(Hurray to mid-airs) autoBisect shows this is probably related to bug 496134 : The first bad revision is: changeset: 28945:2e6025415fb3 user: Brendan Eich date: Fri Jun 05 16:14:00 2009 -0700 summary: Fix destructuring binding to follow the cheezy dominance relation rules of the upvar analysis (496134, r=mrbkap).
|
|
||
Comment 3•15 years ago
|
||
Going to land this on t-m right now so Gary can fuzz more. The curlies are there to make it clear that we do want to call UndominateInitializers(pn, rhs); even if !right. I could add a comment to that effect instead of preferred.
Attachment #381903 -
Flags: review?(brendan)
|
|
Reporter | |
Comment 4•15 years ago
|
||
let {}={y:[],0}
This same bug _might_ also have caused this assertion:
Assertion failure: right->pn_arity != PN_LIST || !(right->pn_xflags & PNX_DESTRUCT), at ../jsparse.cpp:3811
(debug TM js shell without -j)
Though I haven't checked to be sure...|
|
Reporter | |
Comment 5•15 years ago
|
||
(In reply to comment #4) > let {}={y:[],0} > > This same bug _might_ also have caused this assertion: > > Assertion failure: right->pn_arity != PN_LIST || !(right->pn_xflags & > PNX_DESTRUCT), at ../jsparse.cpp:3811 > > (debug TM js shell without -j) > > Though I haven't checked to be sure... Just checked, and this assertion is indeed the same cause.
|
|
Reporter | |
Updated•15 years ago
|
Summary: Crash [@ FindPropertyValue] with const → Crash [@ FindPropertyValue] or "Assertion failure: right->pn_arity != PN_LIST || !(right->pn_xflags & PNX_DESTRUCT), at ../jsparse.cpp"
|
|
Reporter | |
Updated•15 years ago
|
Flags: in-testsuite?
|
|
Reporter | |
Comment 6•15 years ago
|
||
This bug has been fixed by the backout in bug 496134.
|
||
Updated•15 years ago
|
Attachment #381903 -
Attachment is obsolete: true
Attachment #381903 -
Flags: review?(brendan)
|
|
||
Comment 7•15 years ago
|
||
Comment on attachment 381903 [details] [diff] [review] Proposed fix Fixed by back-out, real fix is in bug 496134. /be
|
|
||
Comment 8•15 years ago
|
||
See comment 6. /be
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
||
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
|
|
||
Updated•15 years ago
|
Priority: -- → P1
|
|
||
Updated•15 years ago
|
status1.9.2:
--- → unaffected
Flags: blocking1.9.2+ → blocking1.9.2-
|
||
Updated•13 years ago
|
Crash Signature: [@ FindPropertyValue]
You need to log in
before you can comment on or make changes to this bug.
Description
•