Bug 580684 (Closed)
Opened 14 years ago; closed 14 years ago
JM: "Assertion failure: uintN(gen->savedRegs.sp - fp->slots()) <= fp->script->nslots,"
Category: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 583124
Reporter: gkw; Unassigned
Keywords: assertion, regression, testcase
Description (reporter)

f = function () { if (false) yield } for (a in f()) {}

asserts js debug shell on JM changeset 7c6f62fcbd91 at Assertion failure: uintN(gen->savedRegs.sp - fp->slots()) <= fp->script->nslots, at ../jsiter.cpp:1270

Comment 1 • 14 years ago (reporter)
This occurs without -m or -j on JM, and doesn't occur on TM.

Comment 2 • 14 years ago (reporter)
$ valgrind ./js-opt-32-jm-linux uintN.js
==29648== Memcheck, a memory error detector
==29648== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==29648== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==29648== Command: ./js-opt-32-jm-linux uintN.js
==29648==
==29648== Invalid write of size 1
==29648==    at 0x47FB974: memcpy (mc_replace_strmem.c:497)
==29648==    by 0x80B3B4F: SendToGenerator(JSContext*, JSGeneratorOp, JSObject*, JSGenerator*, js::Value const&) (in /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-49143-7c6f62fcbd91/js-opt-32-jm-linux)
==29648==  Address 0x73c27b8 is 0 bytes after a block of size 144 alloc'd
==29648==    at 0x47F9F20: malloc (vg_replace_malloc.c:236)
==29648==    by 0x80AF604: js_NewGenerator(JSContext*) (in /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-49143-7c6f62fcbd91/js-opt-32-jm-linux)
==29648==
==29648== Invalid write of size 1
==29648==    at 0x47FB97C: memcpy (mc_replace_strmem.c:497)
==29648==    by 0x80B3B4F: SendToGenerator(JSContext*, JSGeneratorOp, JSObject*, JSGenerator*, js::Value const&) (in /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-49143-7c6f62fcbd91/js-opt-32-jm-linux)
==29648==  Address 0x73c27b9 is 1 bytes after a block of size 144 alloc'd
==29648==    at 0x47F9F20: malloc (vg_replace_malloc.c:236)
==29648==    by 0x80AF604: js_NewGenerator(JSContext*) (in /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-49143-7c6f62fcbd91/js-opt-32-jm-linux)
==29648==
==29648== Invalid write of size 1
==29648==    at 0x47FB985: memcpy (mc_replace_strmem.c:497)
==29648==    by 0x80B3B4F: SendToGenerator(JSContext*, JSGeneratorOp, JSObject*, JSGenerator*, js::Value const&) (in /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-49143-7c6f62fcbd91/js-opt-32-jm-linux)
==29648==  Address 0x73c27ba is 2 bytes after a block of size 144 alloc'd
==29648==    at 0x47F9F20: malloc (vg_replace_malloc.c:236)
==29648==    by 0x80AF604: js_NewGenerator(JSContext*) (in /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-49143-7c6f62fcbd91/js-opt-32-jm-linux)
==29648==
==29648== Invalid write of size 1
==29648==    at 0x47FB98E: memcpy (mc_replace_strmem.c:497)
==29648==    by 0x80B3B4F: SendToGenerator(JSContext*, JSGeneratorOp, JSObject*, JSGenerator*, js::Value const&) (in /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-49143-7c6f62fcbd91/js-opt-32-jm-linux)
==29648==  Address 0x73c27bb is 3 bytes after a block of size 144 alloc'd
==29648==    at 0x47F9F20: malloc (vg_replace_malloc.c:236)
==29648==    by 0x80AF604: js_NewGenerator(JSContext*) (in /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-49143-7c6f62fcbd91/js-opt-32-jm-linux)
==29648==
==29648==
==29648== HEAP SUMMARY:
==29648==     in use at exit: 0 bytes in 0 blocks
==29648==   total heap usage: 859 allocs, 859 frees, 1,379,582 bytes allocated
==29648==
==29648== All heap blocks were freed -- no leaks are possible
==29648==
==29648== For counts of detected and suppressed errors, rerun with: -v
==29648== ERROR SUMMARY: 8 errors from 4 contexts (suppressed: 23 from 8)
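The assertion in the title and the Valgrind log above describe the same defect from two sides: the debug build trips `uintN(gen->savedRegs.sp - fp->slots()) <= fp->script->nslots`, while the opt build, with that assertion compiled out, lets memcpy in SendToGenerator write past a 144-byte block that js_NewGenerator allocated. The following C program is an added, constructed model of that bug class and is not SpiderMonkey code: the names Script, Frame, Generator, save_frame_unchecked and save_frame_checked, the slot sizes and the canary layout are all assumptions chosen for illustration. It shows the unchecked copy clobbering memory past the slot buffer, and the hardened variant enforcing the assertion's bound in every build so the save is refused instead of overflowing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not SpiderMonkey code): a script declares how many
 * stack slots its frames need (nslots); a generator allocates exactly that
 * many to hold the suspended frame. If the frame's operand stack pointer
 * has grown past nslots, copying (sp - slots) values overruns the buffer. */

typedef uint64_t Value;             /* stand-in for js::Value */

#define CANARY_BYTES 32
#define CANARY_FILL  0xA5
#define MAX_STACK    64

typedef struct { unsigned nslots; } Script;

typedef struct {
    const Script *script;
    Value *slots;                   /* base of the frame's slot area */
    Value *sp;                      /* operand stack pointer, sp >= slots */
} Frame;

typedef struct {
    unsigned nslots;
    unsigned char *canary;          /* sentinel bytes right after slots[] */
    Value slots[];                  /* exactly nslots entries */
} Generator;

/* Allocate the generator with a canary directly after slots[] so that an
 * overrun stays inside one malloc block and can be measured safely. */
static Generator *new_generator(const Script *script) {
    size_t slot_bytes = (size_t)script->nslots * sizeof(Value);
    Generator *gen = malloc(sizeof *gen + slot_bytes + CANARY_BYTES);
    if (!gen) abort();
    gen->nslots = script->nslots;
    gen->canary = (unsigned char *)gen->slots + slot_bytes;
    memset(gen->canary, CANARY_FILL, CANARY_BYTES);
    return gen;
}

static size_t clobbered_canary_bytes(const Generator *gen) {
    size_t n = 0;
    for (size_t i = 0; i < CANARY_BYTES; i++)
        if (gen->canary[i] != CANARY_FILL) n++;
    return n;
}

/* Vulnerable: trusts (sp - slots) and copies that many values into a buffer
 * sized for nslots. With the debug assertion compiled out, this is the heap
 * write past the generator block that Valgrind flags. */
static void save_frame_unchecked(Generator *gen, const Frame *fp) {
    size_t used = (size_t)(fp->sp - fp->slots);
    memcpy(gen->slots, fp->slots, used * sizeof(Value));
}

/* Hardened: enforce the assertion's bound in every build and fail the save
 * instead of overflowing. Returns 1 on success, 0 if refused. */
static int save_frame_checked(Generator *gen, const Frame *fp) {
    if (fp->sp < fp->slots) return 0;
    size_t used = (size_t)(fp->sp - fp->slots);
    if (used > fp->script->nslots || used > gen->nslots) return 0;
    memcpy(gen->slots, fp->slots, used * sizeof(Value));
    return 1;
}

/* Build a frame whose operand stack holds `depth` values although its
 * script declares only `nslots` slots. */
static void make_frame(Frame *fp, Script *script, Value *stack,
                       unsigned nslots, unsigned depth) {
    script->nslots = nslots;
    for (unsigned i = 0; i < depth; i++) stack[i] = 0x4141414141414141ULL;
    fp->script = script; fp->slots = stack; fp->sp = stack + depth;
}

/* Canary bytes corrupted by the unchecked save; (size_t)-1 if the overrun
 * would not fit inside the canary (kept there so the experiment is defined). */
static size_t unchecked_overflow_bytes(unsigned nslots, unsigned depth) {
    if (depth > MAX_STACK ||
        (depth > nslots && (depth - nslots) * sizeof(Value) > CANARY_BYTES))
        return (size_t)-1;
    Script script; Value stack[MAX_STACK]; Frame fp;
    make_frame(&fp, &script, stack, nslots, depth);
    Generator *gen = new_generator(&script);
    save_frame_unchecked(gen, &fp);
    size_t n = clobbered_canary_bytes(gen);
    free(gen);
    return n;
}

/* Result of the hardened save for the same frame shape. */
static int checked_save_result(unsigned nslots, unsigned depth) {
    if (depth > MAX_STACK) return 0;
    Script script; Value stack[MAX_STACK]; Frame fp;
    make_frame(&fp, &script, stack, nslots, depth);
    Generator *gen = new_generator(&script);
    int ok = save_frame_checked(gen, &fp);
    free(gen);
    return ok;
}

int main(void) {
    printf("unchecked nslots=2 depth=4: %zu canary bytes clobbered\n",
           unchecked_overflow_bytes(2, 4));
    printf("checked   nslots=2 depth=4: %s\n",
           checked_save_result(2, 4) ? "saved" : "refused");
    printf("checked   nslots=4 depth=4: %s\n",
           checked_save_result(4, 4) ? "saved" : "refused");
    return 0;
}
```

The point of the canary is only to make the overrun observable without undefined behaviour; in the real shell the bytes after the 144-byte block belong to whatever malloc placed next, which is why Valgrind reports the writes as invalid rather than the program crashing deterministically.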
Comment 3 • 14 years ago
This no longer reproduces since JSOP_GENERATOR is not implemented.
Comment 4 • 14 years ago (reporter)
With 32-bit debug JM shell on Linux, comment #0 still asserts on changeset e0988eae6c08 with -m and -j.
Updated • 14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE