[Webkit-unassigned] [Bug 279863] New: Bug caused by destructuring assignment
bugzilla-daemon at webkit.org
Tue Sep 17 20:59:23 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=279863
Bug ID: 279863
Summary: Bug caused by destructuring assignment
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: 3022001754 at tju.edu.cn
###### Webkit
0da0eedeaa3f18bfd0bb2f1f4831f4fe3eaa4893
###### Build platform
Ubuntu 22.04.4
###### Build steps
```sh
./Tools/Scripts/build-jsc --jsc-only --debug --build-dir="0422_debug" --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3 -lrt'"
```
###### Test case
```js
var {[false] : b} = {};
```
###### Execution steps
```sh
./jsc poc.js
```
###### Output
```sh
ASSERTION FAILED: !reg.isConstant()
/JSC/Source/JavaScriptCore/interpreter/CallFrameInlines.h(43) : JSC::Register &JSC::CallFrame::uncheckedR(JSC::VirtualRegister)
1 0x1dc4cf9 /JSC/release/JSCOnly/Debug/bin/jsc() [0x1dc4cf9]
2 0x2dcb126 /JSC/release/JSCOnly/Debug/bin/jsc() [0x2dcb126]
3 0x3aac989 /JSC/release/JSCOnly/Debug/bin/jsc() [0x3aac989]
Thread 1 "jsc" received signal SIGABRT, Aborted.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=140737313263680) at ./nptl/pthread_kill.c:44
44 ./nptl/pthread_kill.c: No such file or directory.
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737313263680) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=140737313263680) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=140737313263680, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x00007ffff5948476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x00007ffff592e7f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x000000000155dd4b in WTFCrashWithInfo () at /JSC/release/JSCOnly/Debug/WTF/Headers/wtf/Assertions.h:879
#6 0x0000000001dc4d25 in JSC::CallFrame::uncheckedR (this=0x7fffffffd340, reg=...) at /JSC/Source/JavaScriptCore/interpreter/CallFrameInlines.h:43
#7 0x0000000002dcb126 in slow_path_to_property_key_or_number (callFrame=0x7fffffffd340, pc=0x7fffec096e2e) at /JSC/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:922
#8 0x0000000003aac989 in llint_op_to_property_key_or_number ()
#9 0x0000000000000000 in ?? ()
(gdb) f 6
#6 0x0000000001dc4d25 in JSC::CallFrame::uncheckedR (this=0x7fffffffd340, reg=...) at /JSC/Source/JavaScriptCore/interpreter/CallFrameInlines.h:43
43 ASSERT(!reg.isConstant());
(gdb) f 7
#7 0x0000000002dcb126 in slow_path_to_property_key_or_number (callFrame=0x7fffffffd340, pc=0x7fffec096e2e) at /JSC/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:922
922 RETURN(srcValue.isNumber() ? srcValue : srcValue.toPropertyKeyValue(globalObject));
```