Bug 279863

Summary: ASSERTION FAILED: !reg.isConstant() caused by destructuring assignment
Product: WebKit
Reporter: 3022001754
Component: JavaScriptCore
Assignee: Alexey Shvayka <ashvayka>
Status: RESOLVED FIXED
Severity: Normal
CC: aosukeke, ashvayka, mark.lam, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: All
OS: All
See Also: https://bugs.webkit.org/show_bug.cgi?id=221668

3022001754
Reported 2024-09-17 20:59:23 PDT
###### Webkit
0da0eedeaa3f18bfd0bb2f1f4831f4fe3eaa4893

###### Build platform
Ubuntu 22.04.4

###### Build steps
```sh
./Tools/Scripts/build-jsc --jsc-only --debug --build-dir="0422_debug" --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3 -lrt'"
```

###### Test case
```js
var {[false] : b} = {};
```

###### Execution steps
```sh
./jsc poc.js
```

###### Output
```
ASSERTION FAILED: !reg.isConstant()
/JSC/Source/JavaScriptCore/interpreter/CallFrameInlines.h(43) : JSC::Register &JSC::CallFrame::uncheckedR(JSC::VirtualRegister)
1   0x1dc4cf9 /JSC/release/JSCOnly/Debug/bin/jsc() [0x1dc4cf9]
2   0x2dcb126 /JSC/release/JSCOnly/Debug/bin/jsc() [0x2dcb126]
3   0x3aac989 /JSC/release/JSCOnly/Debug/bin/jsc() [0x3aac989]

Thread 1 "jsc" received signal SIGABRT, Aborted.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=140737313263680) at ./nptl/pthread_kill.c:44
44      ./nptl/pthread_kill.c: No such file or directory.
(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737313263680) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737313263680) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737313263680, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff5948476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff592e7f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x000000000155dd4b in WTFCrashWithInfo () at /JSC/release/JSCOnly/Debug/WTF/Headers/wtf/Assertions.h:879
#6  0x0000000001dc4d25 in JSC::CallFrame::uncheckedR (this=0x7fffffffd340, reg=...) at /JSC/Source/JavaScriptCore/interpreter/CallFrameInlines.h:43
#7  0x0000000002dcb126 in slow_path_to_property_key_or_number (callFrame=0x7fffffffd340, pc=0x7fffec096e2e) at /JSC/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:922
#8  0x0000000003aac989 in llint_op_to_property_key_or_number ()
#9  0x0000000000000000 in ?? ()
(gdb) f 6
#6  0x0000000001dc4d25 in JSC::CallFrame::uncheckedR (this=0x7fffffffd340, reg=...) at /JSC/Source/JavaScriptCore/interpreter/CallFrameInlines.h:43
43          ASSERT(!reg.isConstant());
(gdb) f 7
#7  0x0000000002dcb126 in slow_path_to_property_key_or_number (callFrame=0x7fffffffd340, pc=0x7fffec096e2e) at /JSC/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:922
922         RETURN(srcValue.isNumber() ? srcValue : srcValue.toPropertyKeyValue(globalObject));
```
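An added regression-style check, not part of the report above or of WebKit's own test suite: it exercises the trigger shape (a destructuring pattern whose computed key is a constant literal) across the literal types and records what each resolves to under standard ECMAScript ToPropertyKey semantics, so a fixed build can be confirmed to run it to completion with the expected bindings. The source object and the expected values are constructed for this example.

```javascript
// Destructuring with constant-literal computed keys, the pattern behind the
// reported assertion. On an affected debug build the first block below aborts
// in CallFrame::uncheckedR; on a fixed build every binding resolves normally.
function destructureWithConstantKeys() {
  // Constructed source object: property names are the string forms that
  // ToPropertyKey produces for each literal used as a key below.
  const src = {
    "false": "b", "1": "n", "1.5": "f", "null": "z", "undefined": "u", "x": "x",
  };
  const results = {};
  // The original trigger: boolean literal key against an empty object.
  { const { [false]: b } = {}; results.emptyFalse = b; }
  // Same key against an object that has the stringified property.
  { const { [false]: b } = src; results.falseKey = b; }
  { const { [1]: n } = src; results.intKey = n; }
  { const { [1.5]: f } = src; results.doubleKey = f; }
  { const { [null]: z } = src; results.nullKey = z; }
  { const { [undefined]: u } = src; results.undefinedKey = u; }
  { const { ["x"]: s } = src; results.stringKey = s; }
  // Assignment (non-declaration) form with a default, for a key that is absent.
  let a;
  ({ [true]: a = "default" } = src);
  results.trueDefault = a;
  // Constant key nested inside an array pattern.
  const [{ [false]: nested }] = [src];
  results.nestedFalse = nested;
  return results;
}
```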
Radar WebKit Bug Importer
Comment 1 2024-09-18 10:21:42 PDT
Alexey Shvayka
Comment 2 2024-09-18 12:37:16 PDT
EWS
Comment 3 2024-09-19 09:31:01 PDT
Committed 283922@main (c4e162760b3e): <https://commits.webkit.org/283922@main> Reviewed commits have been landed. Closing PR #33848 and removing active labels.
EWS
Comment 4 2024-09-24 11:10:04 PDT
Committed 283286.117@safari-7620-branch (85bfbed8fd47): <https://commits.webkit.org/283286.117@safari-7620-branch> Reviewed commits have been landed. Closing PR #1887 and removing active labels.