Assertion failure: !inDictionaryMode(), at jsscope.cpp:612

VERIFIED FIXED in Firefox 12

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 5 years ago
Modified: 4 years ago

People: Reporter: decoder, Assigned: luke

Tracking
Blocks: 1 bug
Keywords: assertion, regression, testcase
Version: Trunk
Target Milestone: mozilla12
Platform: All
OS: Linux
Points: ---
Bug Flags: in-testsuite +

Firefox Tracking Flags: firefox11 unaffected, firefox12 fixed, firefox13 fixed, firefox-esr10 unaffected

Whiteboard: [sg:critical]

Attachments: 1 attachment

Description (Reporter, 5 years ago)
The following test asserts on mozilla-central revision d98fbf3cbd71 (no options required):


if (typeof evalInFrame === 'function') {
let x00, x01, x02, x03, x04, x05, x06, x07, x08, x09, x0a, x0b, x0c, x0d, x0e, x0f, 
  x10, x11, x12, x13, x14, x15, x16, x17, x18, x19, x1a, x1b, x1c, x1d, x1e, x1f, 
  x20, x21, x22, x23, x24, x25, x26, x27, x28, x29, x2a, x2b, x2c, x2d, x2e, x2f, 
  x30, x31, x32, x33, x34, x35, x36, x37, x38, x39, x3a, x3b, x3c, x3d, x3e, x3f, 
  x40, x41, x42, x43, x44, x45, x46, x47, x48, x49, x4a, x4b, x4c, x4d, x4e, x4f, 
  x50, x51, x52, x53, x54, x55, x56, x57, x58, x59, x5a, x5b, x5c, x5d, x5e, x5f, 
  x60, x61, x62, x63, x64, x65, x66, x67, x68, x69, x6a, x6b, x6c, x6d, x6e, x6f, 
  x70, x71, x72, x73, f = new Function(), x75, x76, x77, x78, x79, x7a, x7b, x7c, x7d, x7e, x7f, 
  xe0, xe1, xe2, xe3, xe4, xe5, xe6, xe7, [] = resultsX.del =  this, xe9, xea, xeb, xec, xed, xee, xef,


This seems to be a parser assertion about an inconsistency in whether dictionary mode is allowed at this point or not. I'm marking this s-s as I don't know what impact this inconsistency could have.
Comment 1 (Assignee, 5 years ago)
This is caused by bug 692274
Comment 2 (Assignee, 5 years ago)
Ah, "of course", bug 692274 allowed empty destructuring block chain dummies to be added at any time (not just when the block object was empty) which means that the DefineNativeProperty (which passes allowDictionary = true) can turn the block object into a dictionary.
Comment 3 (Assignee, 5 years ago)
Created attachment 585311 [details] [diff] [review]
fix and test

Simple fix; the code should have been written this way in the first place.  I traced through DefineNativeProperty and this should produce the same exact call to nativeSearch+addPropertyInternal (modulo allowDictionary, of course).
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #585311 - Flags: review?(jorendorff)
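To make the mechanism described in comments 2 and 3 concrete, the following is an added toy model in C++; it is not SpiderMonkey code and not the patch. ToyObject, addPropertyInternal, defineNativeProperty, addBlockBinding, blockInvariantHolds, makeBlock and the 128-entry threshold kMaxSharedHeight are all assumptions chosen for illustration, named after the roles the two comments describe: a general-purpose define path that is allowed to switch an object into dictionary mode, and a narrow block-binding path that does the same search-and-add with that switch disabled.

```cpp
// Added illustration (not SpiderMonkey source): a toy model of the invariant
// behind "Assertion failure: !inDictionaryMode()". Names and the threshold
// below are assumptions for the example.
#include <cassert>
#include <cstddef>
#include <string>
#include <vector>

// Assumed threshold: once an object holds this many properties, a
// general-purpose define path is allowed to convert it to dictionary mode.
static const std::size_t kMaxSharedHeight = 128;

struct ToyObject {
    std::vector<std::string> props;   // property names in insertion order
    bool dictionary = false;          // true once converted to dictionary mode
    bool inDictionaryMode() const { return dictionary; }
    std::size_t count() const { return props.size(); }
};

// Low-level add, playing the role of nativeSearch + addPropertyInternal:
// the caller decides whether a dictionary-mode conversion is permitted.
static bool addPropertyInternal(ToyObject &obj, const std::string &name,
                                bool allowDictionary) {
    for (const auto &p : obj.props)
        if (p == name) return false;   // already present (the search hit)
    if (allowDictionary && !obj.dictionary && obj.count() >= kMaxSharedHeight)
        obj.dictionary = true;         // representation switch
    obj.props.push_back(name);
    return true;
}

// General-purpose define path: always permits dictionary conversion
// (the allowDictionary = true behaviour comment 2 attributes to DefineNativeProperty).
static bool defineNativeProperty(ToyObject &obj, const std::string &name) {
    return addPropertyInternal(obj, name, /*allowDictionary=*/true);
}

// Block-scope binding path (the shape of the fix in comment 3): identical
// search-and-add, but dictionary conversion is never permitted.
static bool addBlockBinding(ToyObject &block, const std::string &name) {
    return addPropertyInternal(block, name, /*allowDictionary=*/false);
}

// A consumer that relies on the invariant the assertion checks.
static bool blockInvariantHolds(const ToyObject &block) {
    return !block.inDictionaryMode();
}

// Populate a block with n bindings (x0, x1, ...) through one of the two paths.
static ToyObject makeBlock(std::size_t n, bool useGeneralPath) {
    ToyObject block;
    for (std::size_t i = 0; i < n; ++i) {
        std::string name = "x" + std::to_string(i);
        if (useGeneralPath)
            defineNativeProperty(block, name);
        else
            addBlockBinding(block, name);
    }
    return block;
}

int main() {
    ToyObject viaGeneralPath = makeBlock(200, true);
    ToyObject viaBlockPath = makeBlock(200, false);
    assert(!blockInvariantHolds(viaGeneralPath)); // large block flipped to dictionary mode
    assert(blockInvariantHolds(viaBlockPath));    // narrow path keeps the invariant
    return 0;
}
```

The only difference between the two paths is the allowDictionary argument: both perform the same search followed by the same add, which is the "same exact call modulo allowDictionary" that comment 3 describes. A small block is unaffected either way; the divergence appears only once the object grows past the threshold, which is consistent with the reporter's testcase needing a very large let declaration to trigger the assertion.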
Updated (Assignee, 5 years ago)
Whiteboard: js-triage-needed → js-triage-done
Attachment #585311 - Flags: review?(jorendorff) → review+
Whiteboard: js-triage-done → sg:critical
Whiteboard: sg:critical → [sg:critical]
Comment 4 (Assignee, 5 years ago)
https://hg.mozilla.org/integration/mozilla-inbound/rev/8455cd44e1f4
Target Milestone: --- → mozilla12
Comment 5 (Assignee, 5 years ago)
https://hg.mozilla.org/mozilla-central/rev/8455cd44e1f4
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Blocks: 692274
Group: core-security
status-firefox-esr10: --- → unaffected
status-firefox11: --- → unaffected
status-firefox12: --- → fixed
status-firefox13: --- → fixed
Keywords: regression
Updated (Reporter, 5 years ago)
Status: RESOLVED → VERIFIED
Comment 6 (Reporter, 4 years ago)
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug714650.js.
Flags: in-testsuite+