"Assertion failure: strcmp(rval, forelem_cookie) == 0" with trap, destructuring, decompilation for warning

RESOLVED FIXED

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: Jesse Ruderman, Unassigned)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
x86_64
Mac OS X
assertion, testcase
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: js-triage-needed)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Created attachment 532121 [details]
stack trace

options('strict');
function f() { ([NaN] = []); }
dis(f);
trap(f, 0, '');
f();


Assertion failure: strcmp(rval, forelem_cookie) == 0, at /var/folders/Ru/RuL9UUUZGv85umnat33ZKU+++TM/-Tmp-/abc-3d65474edc0e-urLuCe/compilePath/js/src/jsopcode.cpp:3505


flags: NULL_CLOSURE
main:
00000:  newarray 0         <---- trap goes here
00004:  endinit
00005:  dup
00006:  zero
00007:  getelem
00008:  bindname "NaN"
00011:  qnamepart "NaN"
00014:  enumelem
00015:  pop
00016:  stop

Source notes:
 ofs  line    pc  delta desc     args
---- ---- ----- ------ -------- ------
  0:    2     5 [   5] decl     offset 3
  2:    2    14 [   9] xdelta  
  3:    2    14 [   0] pcbase   offset 6
(Reporter)

Comment 1

6 years ago
Also happens with hash-destructuring, and is harder to exclude in that case.

function f() { 'use strict'; ({a:NaN})=3; }
dis(f);
trap(f, 0, '');
f();

flags: NULL_CLOSURE
off     op
-----   --
main:
00000:  int8 3             <-- trap goes here
00002:  dup
00003:  getprop "a"
00006:  bindname "NaN"
00009:  qnamepart "NaN"
00012:  enumelem
00013:  pop
00014:  stop
Whiteboard: js-triage-needed
Fixed by bug 690645.

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   78132:76f63c5d3b76
user:        Luke Wagner
date:        Tue Oct 04 10:48:35 2011 -0700
summary:     Bug 690645 - Make AutoScriptUntrapper not massively break invariants; tidy up decompiler a bit (r=waldo)
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.