Closed Bug 1250192 Opened 8 years ago Closed 8 years ago

Assertion failure: frame.script()->nfixed() == 0, at js/src/vm/GeneratorObject.cpp:21 with ES6 Generator

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla48
Tracking Status
firefox47 --- wontfix
firefox48 --- fixed

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision e1cf617a1f28 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads --disable-oom-functions):

(function * YearFromTime(x, ... get)  {
  try {} catch (x) {
    for (var x;;);
  }
})();
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a1d44a in js::GeneratorObject::create (cx=cx@entry=0x7ffff6907800, frame=...) at js/src/vm/GeneratorObject.cpp:21
#0  0x0000000000a1d44a in js::GeneratorObject::create (cx=cx@entry=0x7ffff6907800, frame=...) at js/src/vm/GeneratorObject.cpp:21
#1  0x0000000000aacac4 in Interpret (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:3696
[...]
#14 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7120
Is JSBugMon not working?

When I see these fuzz bugs I usually wait for the autoBisect results, but if the bot doesn't work it's easy for bugs to get lost.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160205134855" and the hash "140603de6df9cdd8ae6d2671ffc07379500fd719".
The "bad" changeset has the timestamp "20160205150953" and the hash "aa076a770ac03eff1d1f2ba4b0758f22f87acfaf".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=140603de6df9cdd8ae6d2671ffc07379500fd719&tochange=aa076a770ac03eff1d1f2ba4b0758f22f87acfaf
Needinfo from shu based on comment 2.
Flags: needinfo?(shu)
Guessing related to bug 1225041 based on the regression window.
Blocks: 1225041
The bug was that we were superfluously synthesizing a name even if there was an
arg binding, which ended up confusing the aliased-ness code when generating
script Bindings into thinking there was an unaliased binding when there was
none.
Attachment #8727650 - Flags: review?(jorendorff)
Flags: needinfo?(shu)
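Added illustration (not from the bug or the patch) of the Annex B.3.5 semantics the fix concerns: a `var x` inside `catch (x) { ... }` creates no new function-scope binding when a parameter `x` already exists, and its initializer assigns to the catch parameter, so the function still sees its original argument afterwards. The generator shape mirrors the testcase above; the function and variable names are the example's own.

```javascript
// Added example, not from the bug report: Annex B.3.5 "VariableStatements in
// Catch Blocks". A `var x` inside `catch (x) { ... }` is legal, hoists to the
// function scope, and its initializer assigns to the catch parameter rather
// than to the hoisted binding.

// Same name as the function argument: no separate var binding is created, the
// existing arg binding is reused, and `x` after the catch is still the argument.
function* sameNameAsArg(x) {
  try {
    throw "caught";
  } catch (x) {
    var x = "from-initializer"; // assigns to the catch parameter
    yield x;                     // observe the catch parameter
  }
  yield x;                       // the argument, untouched
}

// Control: a different catch parameter name, so `var x = ...` assigns to the
// function-scope x, which here is the argument itself.
function* differentCatchName(x) {
  try {
    throw "caught";
  } catch (e) {
    var x = "from-initializer";
  }
  yield x;
}

// Drain a generator into an array so both cases can be compared.
function collect(gen) {
  return Array.from(gen);
}

// collect(sameNameAsArg("arg"))      -> ["from-initializer", "arg"]
// collect(differentCatchName("arg")) -> ["from-initializer"]
```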
Comment on attachment 8727650 [details] [diff] [review]
Do not synthesize a var binding for Annex B.3.5 if there is an arg binding of the same name.

Review of attachment 8727650 [details] [diff] [review]:
-----------------------------------------------------------------

Argh.
Attachment #8727650 - Flags: review?(jorendorff) → review+
https://hg.mozilla.org/mozilla-central/rev/8aed0bcad388
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Shu reports that we needn't uplift. WONTFIX 47.