Bug 714650 - Assertion failure: !inDictionaryMode(), at jsscope.cpp:612
Status: VERIFIED FIXED
[sg:critical]
: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: All Linux
: -- critical
: mozilla12
Assigned To: Luke Wagner [:luke]
:
: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks: langfuzz 692274
Reported: 2012-01-02 09:42 PST by Christian Holler (:decoder)
Modified: 2013-01-14 08:28 PST (History)
7 users
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
unaffected
fixed
fixed
unaffected


Attachments
fix and test (4.92 KB, patch)
2012-01-02 10:58 PST, Luke Wagner [:luke]
jorendorff: review+

Description Christian Holler (:decoder) 2012-01-02 09:42:27 PST
The following test asserts on mozilla-central revision d98fbf3cbd71 (no options required):


if (typeof evalInFrame === 'function') {
let x00, x01, x02, x03, x04, x05, x06, x07, x08, x09, x0a, x0b, x0c, x0d, x0e, x0f, 
  x10, x11, x12, x13, x14, x15, x16, x17, x18, x19, x1a, x1b, x1c, x1d, x1e, x1f, 
  x20, x21, x22, x23, x24, x25, x26, x27, x28, x29, x2a, x2b, x2c, x2d, x2e, x2f, 
  x30, x31, x32, x33, x34, x35, x36, x37, x38, x39, x3a, x3b, x3c, x3d, x3e, x3f, 
  x40, x41, x42, x43, x44, x45, x46, x47, x48, x49, x4a, x4b, x4c, x4d, x4e, x4f, 
  x50, x51, x52, x53, x54, x55, x56, x57, x58, x59, x5a, x5b, x5c, x5d, x5e, x5f, 
  x60, x61, x62, x63, x64, x65, x66, x67, x68, x69, x6a, x6b, x6c, x6d, x6e, x6f, 
  x70, x71, x72, x73, f = new Function(), x75, x76, x77, x78, x79, x7a, x7b, x7c, x7d, x7e, x7f, 
  xe0, xe1, xe2, xe3, xe4, xe5, xe6, xe7, [] = resultsX.del =  this, xe9, xea, xeb, xec, xed, xee, xef,


This seems to be a parser assertion about an inconsistency in whether dictionary mode is allowed at this point or not. I'm marking this s-s as I don't know what impact this inconsistency could have.
Comment 1 Luke Wagner [:luke] 2012-01-02 10:04:55 PST
This is caused by bug 692274
Comment 2 Luke Wagner [:luke] 2012-01-02 10:25:16 PST
Ah, "of course", bug 692274 allowed empty destructuring block chain dummies to be added at any time (not just when the block object was empty) which means that the DefineNativeProperty (which passes allowDictionary = true) can turn the block object into a dictionary.
Comment 3 Luke Wagner [:luke] 2012-01-02 10:58:28 PST
Created attachment 585311 [details] [diff] [review]
fix and test

Simple fix; the code should have been written this way in the first place.  I traced through DefineNativeProperty and this should produce the same exact call to nativeSearch+addPropertyInternal (modulo allowDictionary, of course).
Comment 5 Luke Wagner [:luke] 2012-01-04 09:12:07 PST
https://hg.mozilla.org/mozilla-central/rev/8455cd44e1f4
Comment 6 Christian Holler (:decoder) 2013-01-14 08:28:51 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug714650.js.
