Summary: ASSERT_NOT_REACHED when using spread inside an array literal with Function.prototype.apply Steps to Reproduce: 1. jsc> (function() {}).apply(null, [1, ...[]]) => CRASH - should not be reached Assertion: >>> function f() {}; f.apply(null, [1, ...[]]) SHOULD NEVER BE REACHED Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp(3981) : virtual JSC::RegisterID *JSC::SpreadExpressionNode::emitBytecode(JSC::BytecodeGenerator &, JSC::RegisterID *) 1 0x1134f9bed WTFCrash 2 0x11314c265 JSC::SpreadExpressionNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) 3 0x1126be293 JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::ExpressionNode*) 4 0x11269cd2e JSC::BytecodeGenerator::emitNode(JSC::RegisterID*, JSC::ExpressionNode*) 5 0x113131339 JSC::ArgumentListNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) 6 0x1126be293 JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::ExpressionNode*) 7 0x11269cd2e JSC::BytecodeGenerator::emitNode(JSC::RegisterID*, JSC::ExpressionNode*) 8 0x1126a7367 JSC::BytecodeGenerator::emitCall(JSC::OpcodeID, JSC::RegisterID*, JSC::RegisterID*, JSC::ExpectedFunction, JSC::CallArguments&, JSC::JSTextPosition const&, JSC::JSTextPosition const&, JSC::JSTextPosition const&) 9 0x1126a77d5 JSC::BytecodeGenerator::emitCallInTailPosition(JSC::RegisterID*, JSC::RegisterID*, JSC::ExpectedFunction, JSC::CallArguments&, JSC::JSTextPosition const&, JSC::JSTextPosition const&, JSC::JSTextPosition const&) 10 0x113137356 JSC::ApplyFunctionCallDotNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) 11 0x1126be293 JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::ExpressionNode*) 12 0x11269cd2e JSC::BytecodeGenerator::emitNode(JSC::RegisterID*, JSC::ExpressionNode*) 13 0x1131405ac JSC::ExprStatementNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) 14 0x1126c6433 JSC::BytecodeGenerator::emitNodeInTailPosition(JSC::RegisterID*, JSC::StatementNode*) 15 0x1131403db 
JSC::SourceElements::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) 16 0x1131468f7 JSC::ScopeNode::emitStatementsBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) 17 0x113146635 JSC::emitProgramNodeBytecode(JSC::BytecodeGenerator&, JSC::ScopeNode&) 18 0x113146544 JSC::ProgramNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) 19 0x11268e7f1 JSC::BytecodeGenerator::generate() 20 0x11276e105 JSC::ParserError JSC::BytecodeGenerator::generate<JSC::ProgramNode*, JSC::UnlinkedProgramCodeBlock*&, JSC::DebuggerMode&, JSC::VariableEnvironment const*&>(JSC::VM&, JSC::ProgramNode*&&, JSC::UnlinkedProgramCodeBlock*&&&, JSC::DebuggerMode&&&, JSC::VariableEnvironment const*&&&) 21 0x112766fc1 JSC::UnlinkedProgramCodeBlock* JSC::CodeCache::getGlobalCodeBlock<JSC::UnlinkedProgramCodeBlock, JSC::ProgramExecutable>(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::JSParserCommentMode, JSC::DebuggerMode, JSC::ParserError&, JSC::EvalContextType, JSC::VariableEnvironment const*) 22 0x112766580 JSC::CodeCache::getProgramCodeBlock(JSC::VM&, JSC::ProgramExecutable*, JSC::SourceCode const&, JSC::JSParserBuiltinMode, JSC::JSParserStrictMode, JSC::DebuggerMode, JSC::ParserError&) 23 0x112f9b86a JSC::JSGlobalObject::createProgramCodeBlock(JSC::ExecState*, JSC::ProgramExecutable*, JSC::JSObject**) 24 0x112c60987 JSC::ProgramExecutable::initializeGlobalProperties(JSC::VM&, JSC::ExecState*, JSC::JSScope*) 25 0x112e6191d JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) 26 0x1127bbc3d JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 27 0x10f752078 runInteractive(GlobalObject*) 28 0x10f74942b runJSC(JSC::VM*, CommandLine) 29 0x10f74811f jscmain(int, char**) 30 0x10f747fa6 main 31 0x7fff994f6255 start Notes: - Covered by a bunch of test262 tests, including: test262/test/language/expressions/array/spread-mult-empty.js
Created attachment 288902 [details] [PATCH] Proposed Fix
Comment on attachment 288902 [details] [PATCH] Proposed Fix cq- — a few more test262 tests that I had missed now pass with this patch.
Created attachment 288904 [details] [PATCH] Proposed Fix
Comment on attachment 288904 [details] [PATCH] Proposed Fix Clearing flags on attachment: 288904 Committed r205944: <http://trac.webkit.org/changeset/205944>
All reviewed patches have been landed. Closing bug.
<rdar://problem/27404839>