Closed Bug 714650 Opened 10 years ago Closed 10 years ago

Assertion failure: !inDictionaryMode(), at jsscope.cpp:612

Categories

(Core :: JavaScript Engine, defect)

All
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla12
Tracking Status
firefox11 --- unaffected
firefox12 --- fixed
firefox13 --- fixed
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: luke)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [sg:critical])

Attachments

(1 file)

The following test asserts on mozilla-central revision d98fbf3cbd71 (no options required):


if (typeof evalInFrame === 'function') {
let x00, x01, x02, x03, x04, x05, x06, x07, x08, x09, x0a, x0b, x0c, x0d, x0e, x0f, 
  x10, x11, x12, x13, x14, x15, x16, x17, x18, x19, x1a, x1b, x1c, x1d, x1e, x1f, 
  x20, x21, x22, x23, x24, x25, x26, x27, x28, x29, x2a, x2b, x2c, x2d, x2e, x2f, 
  x30, x31, x32, x33, x34, x35, x36, x37, x38, x39, x3a, x3b, x3c, x3d, x3e, x3f, 
  x40, x41, x42, x43, x44, x45, x46, x47, x48, x49, x4a, x4b, x4c, x4d, x4e, x4f, 
  x50, x51, x52, x53, x54, x55, x56, x57, x58, x59, x5a, x5b, x5c, x5d, x5e, x5f, 
  x60, x61, x62, x63, x64, x65, x66, x67, x68, x69, x6a, x6b, x6c, x6d, x6e, x6f, 
  x70, x71, x72, x73, f = new Function(), x75, x76, x77, x78, x79, x7a, x7b, x7c, x7d, x7e, x7f, 
  xe0, xe1, xe2, xe3, xe4, xe5, xe6, xe7, [] = resultsX.del =  this, xe9, xea, xeb, xec, xed, xee, xef;
}

This seems to be a parser assertion about an inconsistency in whether dictionary mode is allowed at this point or not. I'm marking this s-s as I don't know what impact this inconsistency could have.
This is caused by bug 692274
Ah, "of course", bug 692274 allowed empty destructuring block chain dummies to be added at any time (not just when the block object was empty) which means that the DefineNativeProperty (which passes allowDictionary = true) can turn the block object into a dictionary.
Attached patch: fix and test
Simple fix; the code should have been written this way in the first place.  I traced through DefineNativeProperty and this should produce the same exact call to nativeSearch+addPropertyInternal (modulo allowDictionary, of course).
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #585311 - Flags: review?(jorendorff)
Whiteboard: js-triage-needed → js-triage-done
Attachment #585311 - Flags: review?(jorendorff) → review+
Whiteboard: js-triage-done → sg:critical
Whiteboard: sg:critical → [sg:critical]
https://hg.mozilla.org/mozilla-central/rev/8455cd44e1f4
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Blocks: 692274
Group: core-security
Keywords: regression
Status: RESOLVED → VERIFIED
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug714650.js.
Flags: in-testsuite+