Bug 714650 - Assertion failure: !inDictionaryMode(), at jsscope.cpp:612
Keywords: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All Linux
Importance: -- critical
Target Milestone: mozilla12
Assigned To: Luke Wagner [:luke]
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: langfuzz 692274
Reported: 2012-01-02 09:42 PST by Christian Holler (:decoder)
Modified: 2013-01-14 08:28 PST
choller: in‑testsuite+

fix and test (4.92 KB, patch)
2012-01-02 10:58 PST, Luke Wagner [:luke]
jorendorff: review+

Description Christian Holler (:decoder) 2012-01-02 09:42:27 PST
The following test asserts on mozilla-central revision d98fbf3cbd71 (no options required):

if (typeof evalInFrame === 'function') {
let x00, x01, x02, x03, x04, x05, x06, x07, x08, x09, x0a, x0b, x0c, x0d, x0e, x0f, 
  x10, x11, x12, x13, x14, x15, x16, x17, x18, x19, x1a, x1b, x1c, x1d, x1e, x1f, 
  x20, x21, x22, x23, x24, x25, x26, x27, x28, x29, x2a, x2b, x2c, x2d, x2e, x2f, 
  x30, x31, x32, x33, x34, x35, x36, x37, x38, x39, x3a, x3b, x3c, x3d, x3e, x3f, 
  x40, x41, x42, x43, x44, x45, x46, x47, x48, x49, x4a, x4b, x4c, x4d, x4e, x4f, 
  x50, x51, x52, x53, x54, x55, x56, x57, x58, x59, x5a, x5b, x5c, x5d, x5e, x5f, 
  x60, x61, x62, x63, x64, x65, x66, x67, x68, x69, x6a, x6b, x6c, x6d, x6e, x6f, 
  x70, x71, x72, x73, f = new Function(), x75, x76, x77, x78, x79, x7a, x7b, x7c, x7d, x7e, x7f, 
  xe0, xe1, xe2, xe3, xe4, xe5, xe6, xe7, [] = resultsX.del =  this, xe9, xea, xeb, xec, xed, xee, xef,

This seems to be a parser assertion about an inconsistency in whether dictionary mode is allowed at this point or not. I'm marking this s-s as I don't know what impact this inconsistency could have.
Comment 1 Luke Wagner [:luke] 2012-01-02 10:04:55 PST
This is caused by bug 692274
Comment 2 Luke Wagner [:luke] 2012-01-02 10:25:16 PST
Ah, "of course", bug 692274 allowed empty destructuring block chain dummies to be added at any time (not just when the block object was empty) which means that the DefineNativeProperty (which passes allowDictionary = true) can turn the block object into a dictionary.
Comment 3 Luke Wagner [:luke] 2012-01-02 10:58:28 PST
Created attachment 585311
fix and test

Simple fix; the code should have been written this way in the first place.  I traced through DefineNativeProperty and this should produce the same exact call to nativeSearch+addPropertyInternal (modulo allowDictionary, of course).
Comment 5 Luke Wagner [:luke] 2012-01-04 09:12:07 PST
Comment 6 Christian Holler (:decoder) 2013-01-14 08:28:51 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug714650.js.
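
The mechanism described in comments 2 and 3, reduced to a toy C++ model that is added here for illustration and is neither SpiderMonkey source nor the attached patch. Only `allowDictionary`, `addPropertyInternal` and `inDictionaryMode()` are names taken from the thread; `ToyObject`, `defineGeneric`, `defineBlockVar`, `addDummyToFullBlock` and the limit `kMaxSharedProps` are assumptions made for the model.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Toy model only; none of this is SpiderMonkey source.
// kMaxSharedProps is an ASSUMED limit past which an object can only take
// another property by switching to dictionary mode.
constexpr std::size_t kMaxSharedProps = 128;

struct ToyObject {
    std::vector<std::string> props;
    bool dictionary = false;
    bool inDictionaryMode() const { return dictionary; }

    // Stand-in for the common add path: both callers below end up here and
    // differ only in the allowDictionary argument.
    bool addPropertyInternal(const std::string& name, bool allowDictionary) {
        if (!dictionary && props.size() >= kMaxSharedProps) {
            if (!allowDictionary)
                return false;       // refuse; error handling is outside this model
            dictionary = true;      // silent conversion to dictionary mode
        }
        props.push_back(name);
        return true;
    }
};

// Generic define path (hypothetical name): always permits the conversion.
bool defineGeneric(ToyObject& obj, const std::string& name) {
    return obj.addPropertyInternal(name, /* allowDictionary = */ true);
}

// Block-specific path (hypothetical name): never permits the conversion.
bool defineBlockVar(ToyObject& block, const std::string& name) {
    return block.addPropertyInternal(name, /* allowDictionary = */ false);
}

struct Outcome { bool added; bool dictionary; };

// Fill a block object to the limit, then add one more binding (the "dummy")
// through either path and report what happened to the object.
Outcome addDummyToFullBlock(bool viaGenericPath) {
    ToyObject block;
    for (std::size_t i = 0; i < kMaxSharedProps; ++i)
        defineBlockVar(block, "x" + std::to_string(i));
    bool ok = viaGenericPath ? defineGeneric(block, "dummy")
                             : defineBlockVar(block, "dummy");
    return { ok, block.inDictionaryMode() };
}
```

In the model, the generic path leaves the block object in dictionary mode, which is the state the `!inDictionaryMode()` assertion rejects, while the block-specific path fails the add and keeps the invariant intact.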
