Bug 1250192 (Closed)
Assertion failure: frame.script()->nfixed() == 0, at js/src/vm/GeneratorObject.cpp:21 with ES6 Generator
Opened 8 years ago, closed 8 years ago
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED FIXED, mozilla48
People: Reporter: decoder, Unassigned
Keywords: assertion, regression, testcase; Whiteboard: [jsbugmon:update]
Attachments (1 file): patch, 1.81 KB, jorendorff: review+
The following testcase crashes on mozilla-central revision e1cf617a1f28 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads --disable-oom-functions):

(function * YearFromTime(x, ... get) { try {} catch (x) { for (var x;;); } })();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a1d44a in js::GeneratorObject::create (cx=cx@entry=0x7ffff6907800, frame=...) at js/src/vm/GeneratorObject.cpp:21
#0  0x0000000000a1d44a in js::GeneratorObject::create (cx=cx@entry=0x7ffff6907800, frame=...) at js/src/vm/GeneratorObject.cpp:21
#1  0x0000000000aacac4 in Interpret (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:3696
[...]
#14 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7120

rax 0x0 0
rbx 0x7fffffffc2d0 140737488339664
rcx 0x7ffff6ca5870 140737333844080
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffc3e0 140737488339936
rsp 0x7fffffffc2b0 140737488339632
r8 0x7ffff7fe07c0 140737354008512
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffc070 140737488339056
r11 0x7ffff6c27ee0 140737333329632
r12 0x7ffff517c0c0 140737305362624
r13 0x7ffff6907800 140737330051072
r14 0x7ffff6907830 140737330051120
r15 0x1bd35a0 29177248
rip 0xa1d44a <js::GeneratorObject::create(JSContext*, js::AbstractFramePtr)+2570>
=> 0xa1d44a <js::GeneratorObject::create(JSContext*, js::AbstractFramePtr)+2570>: movl $0x15,0x0
0xa1d455 <js::GeneratorObject::create(JSContext*, js::AbstractFramePtr)+2581>: callq 0x4a60b0 <abort()>
Comment 1 • 8 years ago
Is JSBugMon not working? When I see these fuzz bugs I usually wait for the autoBisect results, but if the bot doesn't work it's easy for bugs to get lost...
Updated • 8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 2 • 8 years ago
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160205134855" and the hash "140603de6df9cdd8ae6d2671ffc07379500fd719".
The "bad" changeset has the timestamp "20160205150953" and the hash "aa076a770ac03eff1d1f2ba4b0758f22f87acfaf".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=140603de6df9cdd8ae6d2671ffc07379500fd719&tochange=aa076a770ac03eff1d1f2ba4b0758f22f87acfaf
Guessing related to bug 1225041 based on the regression window.
Blocks: 1225041
Comment 5 • 8 years ago
The bug was that we were superfluously synthesizing a name even if there was an arg binding, which ended up confusing the aliased-ness code when generating script Bindings into thinking there was an unaliased binding when there was none.
Attachment #8727650 - Flags: review?(jorendorff)
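Added example (not the bug's testcase and not the patch): the Annex B.3.5 binding rule that comment 5 and the attachment title refer to, shown with a generator whose parameter name is reused both as a catch parameter and as a var inside the catch block. Under B.3.5 the var hoists to function scope, where it merges with the already existing parameter binding (so there is no separate var binding to synthesize), while the initializer inside the catch block assigns to the catch parameter. A second function shows the contrasting case with no parameter of that name. Function names are constructed for this example.

```javascript
// Added example, not the bug's testcase or the patch. Function names are
// constructed. Demonstrates the Annex B.3.5 binding rule behind the fix:
// a `var` inside a catch block may reuse the catch parameter's name; the
// var hoists to function scope (here: the same binding as parameter x),
// while its initializer assigns to the catch parameter.

function* catchVarGen(x, ...rest) {
  try {
    throw new Error("boom");
  } catch (x) {
    // The hoisted `var x` is the function-level parameter binding; the
    // initializer below writes to the *catch parameter* x (Annex B.3.5).
    var x = "inside-catch";
    yield x;              // catch parameter: "inside-catch"
  }
  yield x;                // function-level x: still the original argument
  yield rest.length;      // the rest parameter is untouched by all of this
}

// Collect every yielded value so a caller (or a test) can inspect them.
function runCatchVarGen(arg, ...rest) {
  return Array.from(catchVarGen(arg, ...rest));
}

// Same shape without a parameter of that name: the hoisted var is a fresh,
// distinct function-scope binding that the in-catch initializer never touches.
function catchVarNoParam() {
  try {
    throw new Error("boom");
  } catch (e) {
    var e = "inside-catch";   // assigns to the catch parameter e
    var seenInCatch = e;      // reads the catch parameter: "inside-catch"
  }
  return { inCatch: seenInCatch, afterCatch: e };  // afterCatch: undefined
}

// Expected: ["inside-catch", "param", 2]
//           { inCatch: "inside-catch", afterCatch: undefined }
console.log(runCatchVarGen("param", 1, 2));
console.log(catchVarNoParam());
```

The first function is the shape of the regressing testcase (generator, parameter plus rest parameter, catch parameter and var sharing the parameter's name); the second shows why an engine must distinguish the two cases: only when no argument binding exists does the catch-block var introduce a new function-scope binding.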
Updated • 8 years ago
Flags: needinfo?(shu)
Comment 6 • 8 years ago
Comment on attachment 8727650: Do not synthesize a var binding for Annex B.3.5 if there is an arg binding of the same name.

Review of attachment 8727650:
-----------------------------------------------------------------
Argh.
Attachment #8727650 - Flags: review?(jorendorff) → review+
Comment 8 • 8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/8aed0bcad388
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox48: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Comment 9 • 8 years ago
Shu reports that we needn't uplift. WONTFIX 47.