Created attachment 221175 [details] Test case The test fails on x86_64, Ubuntu 12.10: const var_0 = (null < !), var_0 = 1 + { }; Backtrace: ASSERTION FAILED: !hasError() /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.h(782) : JSC::Parser<LexerType>::SavePoint JSC::Parser<LexerType>::createSavePoint() [with LexerType = JSC::Lexer<unsigned char>] 1 0x7ffff74a3e44 WTFCrash 2 0x7ffff72a554e JSC::Parser<JSC::Lexer<unsigned char> >::createSavePoint() 3 0x7ffff72fae78 JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseObjectLiteral<JSC::ASTBuilder>(JSC::ASTBuilder&) 4 0x7ffff72f26f5 JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parsePrimaryExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) 5 0x7ffff72eba4f JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseMemberExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) 6 0x7ffff72dd6fe JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) 7 0x7ffff72db55d JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseBinaryExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) 8 0x7ffff72d57c7 JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseConditionalExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) 9 0x7ffff72ca55c JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) 10 0x7ffff72bd2d2 JSC::ASTBuilder::ConstDeclList JSC::Parser<JSC::Lexer<unsigned char> >::parseConstDeclarationList<JSC::ASTBuilder>(JSC::ASTBuilder&) 11 0x7ffff72af8f3 JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseConstDeclaration<JSC::ASTBuilder>(JSC::ASTBuilder&) 12 0x7ffff72ace7b JSC::ASTBuilder::Statement JSC::Parser<JSC::Lexer<unsigned char> >::parseStatement<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::Identifier const*&, unsigned int*) 13 0x7ffff72aa45b JSC::ASTBuilder::SourceElements 
JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<JSC::ASTBuilder>(JSC::ASTBuilder&, JSC::SourceElementsMode) 14 0x7ffff72a4012 JSC::Parser<JSC::Lexer<unsigned char> >::parseInner() 15 0x7ffff6f90a37 WTF::PassRefPtr<JSC::ProgramNode> JSC::Parser<JSC::Lexer<unsigned char> >::parse<JSC::ProgramNode>(JSC::ParserError&) 16 0x7ffff6f90641 WTF::PassRefPtr<JSC::ProgramNode> JSC::parse<JSC::ProgramNode>(JSC::VM*, JSC::SourceCode const&, JSC::FunctionParameters*, JSC::Identifier const&, JSC::JSParserStrictness, JSC::JSParserMode, JSC::ParserError&, JSC::JSTextPosition*) 17 0x7ffff733be82 JSC::UnlinkedProgramCodeBlock* JSC::CodeCache::getGlobalCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable>(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictness, JSC::DebuggerMode, JSC::ProfilerMode, JSC::ParserError&) 18 0x7ffff733a55f JSC::CodeCache::getProgramCodeBlock(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserStrictness, JSC::DebuggerMode, JSC::ProfilerMode, JSC::ParserError&) 19 0x7ffff7382c49 JSC::JSGlobalObject::createProgramCodeBlock(JSC::ExecState*, JSC::ProgramExecutable*, JSC::JSObject**) 20 0x7ffff7354d87 JSC::ProgramExecutable::initializeGlobalProperties(JSC::VM&, JSC::ExecState*, JSC::JSScope*) 21 0x7ffff722f1dd JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) 22 0x7ffff73480bc JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) 23 0x41747c 24 0x41824b jscmain(int, char**) 25 0x417268 main 26 0x7ffff5a4d76d __libc_start_main 27 0x415a79 Program received signal SIGSEGV, Segmentation fault. 
0x00007ffff74a3e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333 333 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff74a3e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333 #1 0x00007ffff72a554e in JSC::Parser<JSC::Lexer<unsigned char> >::createSavePoint (this=0x7fffffffac20) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.h:782 #2 0x00007ffff72fae78 in JSC::Parser<JSC::Lexer<unsigned char> >::parseObjectLiteral<JSC::ASTBuilder> (this=0x7fffffffac20, context=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1760 #3 0x00007ffff72f26f5 in JSC::Parser<JSC::Lexer<unsigned char> >::parsePrimaryExpression<JSC::ASTBuilder> (this=0x7fffffffac20, context=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1936 #4 0x00007ffff72eba4f in JSC::Parser<JSC::Lexer<unsigned char> >::parseMemberExpression<JSC::ASTBuilder> (this=0x7fffffffac20, context=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:2082 #5 0x00007ffff72dd6fe in JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder> (this=0x7fffffffac20, context=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:2206 #6 0x00007ffff72db55d in JSC::Parser<JSC::Lexer<unsigned char> >::parseBinaryExpression<JSC::ASTBuilder> (this=0x7fffffffac20, context=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1640 #7 0x00007ffff72d57c7 in JSC::Parser<JSC::Lexer<unsigned char> >::parseConditionalExpression<JSC::ASTBuilder> (this=0x7fffffffac20, context=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1600 #8 0x00007ffff72ca55c in JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder> (this=0x7fffffffac20, context=...) 
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1534 #9 0x00007ffff72bd2d2 in JSC::Parser<JSC::Lexer<unsigned char> >::parseConstDeclarationList<JSC::ASTBuilder> (this=0x7fffffffac20, context=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:662 #10 0x00007ffff72af8f3 in JSC::Parser<JSC::Lexer<unsigned char> >::parseConstDeclaration<JSC::ASTBuilder> (this=0x7fffffffac20, context=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:360 #11 0x00007ffff72ace7b in JSC::Parser<JSC::Lexer<unsigned char> >::parseStatement<JSC::ASTBuilder> (this=0x7fffffffac20, context=..., directive=@0x7fffffffa2f8: 0x0, directiveLiteralLength=0x7fffffffa314) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:1089 #12 0x00007ffff72aa45b in JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<JSC::ASTBuilder> (this=0x7fffffffac20, context=..., mode=JSC::CheckForStrictMode) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:301 #13 0x00007ffff72a4012 in JSC::Parser<JSC::Lexer<unsigned char> >::parseInner (this=0x7fffffffac20) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.cpp:248 #14 0x00007ffff6f90a37 in JSC::Parser<JSC::Lexer<unsigned char> >::parse<JSC::ProgramNode> (this=0x7fffffffac20, error=...) 
at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.h:887 #15 0x00007ffff6f90641 in JSC::parse<JSC::ProgramNode> (vm=0x6472c0, source=..., parameters=0x0, name=..., strictness=JSC::JSParseNormal, parserMode=JSC::JSParseProgramCode, error=..., positionBeforeLastNewline=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/parser/Parser.h:957 #16 0x00007ffff733be82 in JSC::CodeCache::getGlobalCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable> (this=0x659100, vm=..., executable=0x7fffa97ffef0, source=..., strictness=JSC::JSParseNormal, debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/CodeCache.cpp:95 #17 0x00007ffff733a55f in JSC::CodeCache::getProgramCodeBlock (this=0x659100, vm=..., executable=0x7fffa97ffef0, source=..., strictness=JSC::JSParseNormal, debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/CodeCache.cpp:129 #18 0x00007ffff7382c49 in JSC::JSGlobalObject::createProgramCodeBlock (this=0x7fffa98af970, callFrame=0x7fffa98af9b0, executable=0x7fffa97ffef0, exception=0x7fffffffc4c0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/JSGlobalObject.cpp:723 #19 0x00007ffff7354d87 in JSC::ProgramExecutable::initializeGlobalProperties (this=0x7fffa97ffef0, vm=..., callFrame=0x7fffa98af9b0, scope=0x7fffa98af970) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.cpp:466 #20 0x00007ffff722f1dd in JSC::Interpreter::execute (this=0x6591c0, program=0x7fffa97ffef0, callFrame=0x7fffa98af9b0, thisObj=0x7fffa986fb90) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/interpreter/Interpreter.cpp:879 #21 0x00007ffff73480bc in JSC::evaluate (exec=0x7fffa98af9b0, source=..., thisValue=..., returnedException=0x7fffffffdac0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Completion.cpp:82 #22 
0x000000000041747c in runWithScripts (globalObject=0x7fffa98af970, scripts=..., dump=false) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jsc.cpp:660 #23 0x000000000041824b in jscmain (argc=2, argv=0x7fffffffdd68) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jsc.cpp:877 #24 0x0000000000417268 in main (argc=2, argv=0x7fffffffdd68) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jsc.cpp:618
I've reproduced this assertion failure on Mac by running the jsc shell on the provided test script. Still investigating.
Created attachment 221191 [details] the patch.
Comment on attachment 221191 [details] the patch. r=me
Thanks. Landed in r162006: <http://trac.webkit.org/r162006>.