279863 2024-09-17 20:59:23 -0700 ASSERTION FAILED: !reg.isConstant() caused by destructuring assignment 2024-09-24 11:10:04 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build All All RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=221668 InRadar P2 Normal --- 1 3022001754 ashvayka ashvayka mark.lam sosuke webkit-bug-importer ysuzuki oldest_to_newest 2060940 0 3022001754 2024-09-17 20:59:23 -0700 ###### Webkit 0da0eedeaa3f18bfd0bb2f1f4831f4fe3eaa4893 ###### Build platform Ubuntu 22.04.4 ###### Build steps ```sh ./Tools/Scripts/build-jsc --jsc-only --debug --build-dir="0422_debug" --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3 -lrt'" ``` ###### Test case ```sh var {[false] : b} = {}; ``` ###### Execution steps ```sh ./jsc poc.js ``` ###### Output ```sh ASSERTION FAILED: !reg.isConstant() /JSC/Source/JavaScriptCore/interpreter/CallFrameInlines.h(43) : JSC::Register &amp;JSC::CallFrame::uncheckedR(JSC::VirtualRegister) 1 0x1dc4cf9 /JSC/release/JSCOnly/Debug/bin/jsc() [0x1dc4cf9] 2 0x2dcb126 /JSC/release/JSCOnly/Debug/bin/jsc() [0x2dcb126] 3 0x3aac989 /JSC/release/JSCOnly/Debug/bin/jsc() [0x3aac989] Thread 1 "jsc" received signal SIGABRT, Aborted. __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737313263680) at ./nptl/pthread_kill.c:44 44 ./nptl/pthread_kill.c: No such file or directory. (gdb) bt #0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737313263680) at ./nptl/pthread_kill.c:44 #1 __pthread_kill_internal (signo=6, threadid=140737313263680) at ./nptl/pthread_kill.c:78 #2 __GI___pthread_kill (threadid=140737313263680, signo=signo@entry=6) at ./nptl/pthread_kill.c:89 #3 0x00007ffff5948476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #4 0x00007ffff592e7f3 in __GI_abort () at ./stdlib/abort.c:79 #5 0x000000000155dd4b in WTFCrashWithInfo () at /JSC/release/JSCOnly/Debug/WTF/Headers/wtf/Assertions.h:879 #6 0x0000000001dc4d25 in JSC::CallFrame::uncheckedR (this=0x7fffffffd340, reg=...) at /JSC/Source/JavaScriptCore/interpreter/CallFrameInlines.h:43 #7 0x0000000002dcb126 in slow_path_to_property_key_or_number (callFrame=0x7fffffffd340, pc=0x7fffec096e2e) at /JSC/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:922 #8 0x0000000003aac989 in llint_op_to_property_key_or_number () #9 0x0000000000000000 in ?? () (gdb) f 6 #6 0x0000000001dc4d25 in JSC::CallFrame::uncheckedR (this=0x7fffffffd340, reg=...) at /JSC/Source/JavaScriptCore/interpreter/CallFrameInlines.h:43 43 ASSERT(!reg.isConstant()); (gdb) f 7 #7 0x0000000002dcb126 in slow_path_to_property_key_or_number (callFrame=0x7fffffffd340, pc=0x7fffec096e2e) at /JSC/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:922 922 RETURN(srcValue.isNumber() ? srcValue : srcValue.toPropertyKeyValue(globalObject)); ``` 2061122 1 webkit-bug-importer 2024-09-18 10:21:42 -0700 <rdar://problem/136233004> 2061178 2 ashvayka 2024-09-18 12:37:16 -0700 Pull request: https://github.com/WebKit/WebKit/pull/33848 2061493 3 ews-feeder 2024-09-19 09:31:01 -0700 Committed 283922@main (c4e162760b3e): <https://commits.webkit.org/283922@main> Reviewed commits have been landed. Closing PR #33848 and removing active labels. 2062779 4 ews-feeder 2024-09-24 11:10:04 -0700 Committed 283286.117@safari-7620-branch (85bfbed8fd47): <https://commits.webkit.org/283286.117@safari-7620-branch> Reviewed commits have been landed. Closing PR #1887 and removing active labels.