Closed Bug 1188334 Opened 9 years ago Closed 9 years ago

Assertion failure: !si.initialFrame().callee()->isGenerator(), at js/src/vm/ScopeObject.cpp:2405

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla43
Tracking Status
firefox42 --- affected
firefox43 --- fixed

People

(Reporter: decoder, Assigned: shu)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision d3228c82badd (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --ion-extra-checks):

// Helper that evaluates `code` in the frame of whoever called it, using the
// Debugger API. The Debugger lives in a separate global (newGlobal() is a
// js-shell builtin); the outer `this` (the main global) is the debuggee.
var evalInFrame = (function (global) {
  var dbgGlobal = newGlobal();
  var dbg = new dbgGlobal.Debugger();
  return function evalInFrame(upCount, code) {
    dbg.addDebuggee(global);
    // `.older` steps from this helper's own frame to its caller's frame.
    // `upCount` is accepted but never read in this body.
    var frame = dbg.getNewestFrame().older;
    // Debugger.Frame.prototype.eval — the entry point seen at frame #4 of
    // the backtrace below. The completion value is discarded.
    var completion = frame.eval(code);
  };
})(this);
// Legacy (non-`function*`) generator: `yield` makes f a generator in
// SpiderMonkey's old syntax. Its body is the deprecated `let (...) {...}`
// block form with a destructuring head that binds no variables, so the
// block scope has 0 variables. A Debugger.Frame.eval() performed while
// paused inside that scope is what reaches the isGenerator() assertion in
// GetDebugScopeForMissing (see backtrace and the attachment description).
function f() {
    let ({} = "xxx") {
        yield evalInFrame(0, "x");
    }
}
// f() only creates the generator; the first next() runs the body up to the
// yield, and evaluating the yield operand calls evalInFrame, which
// triggers the assertion failure.
var gen = f();
gen.next()



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000073fd18 in GetDebugScopeForMissing (si=..., cx=0x7ffff6907000) at js/src/vm/ScopeObject.cpp:2404
#0  0x000000000073fd18 in GetDebugScopeForMissing (si=..., cx=0x7ffff6907000) at js/src/vm/ScopeObject.cpp:2404
#1  GetDebugScope (cx=0x7ffff6907000, si=...) at js/src/vm/ScopeObject.cpp:2459
#2  0x000000000073ff36 in js::GetDebugScopeForFrame (cx=cx@entry=0x7ffff6907000, frame=..., pc=pc@entry=0x7ffff69ebc88 ":") at js/src/vm/ScopeObject.cpp:2487
#3  0x00000000006c7c19 in DebuggerGenericEval (cx=cx@entry=0x7ffff6907000, fullMethodName=fullMethodName@entry=0xe040e2 "Debugger.Frame.prototype.eval", code=..., evalWithBindings=evalWithBindings@entry=EvalWithDefaultBindings, bindings=..., options=..., vp=..., dbg=dbg@entry=0x7ffff695c000, scope=scope@entry=..., iter=iter@entry=0x7fffffffba38) at js/src/vm/Debugger.cpp:6517
#4  0x00000000006c8922 in DebuggerFrame_eval (cx=0x7ffff6907000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:6584
#5  0x00000000006ccc22 in js::CallJSNative (cx=0x7ffff6907000, native=0x6c8690 <DebuggerFrame_eval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#6  0x00000000006bc122 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:720
#7  0x00000000006bddc6 in js::Invoke (cx=cx@entry=0x7ffff6907000, thisv=..., fval=..., argc=<optimized out>, argv=0x7ffff47f52a8, rval=...) at js/src/vm/Interpreter.cpp:775
#8  0x0000000000bcd184 in js::DirectProxyHandler::call (this=this@entry=0x1b21a40 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7ffff6907000, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#9  0x0000000000bd3a32 in js::CrossCompartmentWrapper::call (this=0x1b21a40 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff6907000, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
#10 0x0000000000be048a in js::Proxy::call (cx=cx@entry=0x7ffff6907000, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:391
#11 0x0000000000be056e in js::proxy_Call (cx=0x7ffff6907000, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:697
#12 0x00000000006ccc22 in js::CallJSNative (cx=0x7ffff6907000, native=0xbe04d0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#13 0x00000000006bc3c5 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:708
#14 0x00000000006ae262 in Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:2972
#15 0x00000000006bbb23 in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:661
#16 0x00000000006bc234 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:738
#17 0x00000000006ae262 in Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:2972
#18 0x00000000006bbb23 in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:661
#19 0x00000000006c6836 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907000, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:902
#20 0x00000000006c8b23 in js::Execute (cx=cx@entry=0x7ffff6907000, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:936
#21 0x0000000000ac6e26 in ExecuteScript (cx=cx@entry=0x7ffff6907000, scope=..., script=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4334
#22 0x0000000000ac6f9b in JS_ExecuteScript (cx=cx@entry=0x7ffff6907000, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4365
#23 0x00000000004284fd in RunFile (compileOnly=false, file=0x7ffff6998c00, filename=0x7fffffffe09d "min.js", cx=0x7ffff6907000) at js/src/shell/js.cpp:458
#24 Process (cx=cx@entry=0x7ffff6907000, filename=0x7fffffffe09d "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:576
#25 0x0000000000477718 in ProcessArgs (op=0x7fffffffdb10, cx=0x7ffff6907000) at js/src/shell/js.cpp:5771
#26 Shell (envp=<optimized out>, op=0x7fffffffdb10, cx=0x7ffff6907000) at js/src/shell/js.cpp:6040
#27 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6384
rax	0x0	0
rbx	0x7ffff6907000	140737330049024
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffb450	140737488335952
rsp	0x7fffffffb290	140737488335504
r8	0x7ffff7fe0780	140737354008448
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffb050	140737488334928
r11	0x7ffff6c27960	140737333328224
r12	0x7fffffffb480	140737488336000
r13	0x7fffffffb3c0	140737488335808
r14	0x7fffffffb360	140737488335712
r15	0x0	0
rip	0x73fd18 <GetDebugScope(JSContext*, js::ScopeIter const&)+3160>
=> 0x73fd18 <GetDebugScope(JSContext*, js::ScopeIter const&)+3160>:	movl   $0x965,0x0
   0x73fd23 <GetDebugScope(JSContext*, js::ScopeIter const&)+3171>:	callq  0x498fe0 <abort()>
Assignee: nobody → shu
Comment on attachment 8644626 [details] [diff] [review]
Fix this one weird case with creating debug block scopes of 0-variable block scopes that come from deprecated let exprs inside generators.

Review of attachment 8644626 [details] [diff] [review]:
-----------------------------------------------------------------

This patch is missing the test case. r=me with that fixed.
Attachment #8644626 - Flags: review?(jimb) → review+
https://hg.mozilla.org/mozilla-central/rev/49b1b7e0a649
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
