Closed
Bug 1501725
Opened 6 years ago
Closed 6 years ago
Assertion failure: hasInitialEnvironment(), at js/src/jit/BaselineFrame-inl.h:90
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1501722
Tracking | Status | |
---|---|---|
firefox65 | --- | fix-optional |
People
(Reporter: gkw, Unassigned)
Details
(4 keywords, Whiteboard: [jsbugmon:update])
The following testcase crashes on mozilla-central revision c29f681979ee (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

```js
// jsfunfuzz-generated
Function(`
  // Adapted from randomly chosen test: js/src/jit-test/tests/wasm/regress/debug-clone-segment.js
  g = newGlobal();
  g.parent = this;
  g.eval("(" + function() {
    var dbg = Debugger(parent);
    dbg.onEnterFrame = function() {}
  } + ")")
  \`\`;
  // jsfunfuzz-generated
  oomTest(async function() {});
`)();
```

Backtrace:

```
#0 0x000056534753a01f in js::jit::BaselineFrame::callObj (this=0x7ffff3077378) at js/src/jit/BaselineFrame-inl.h:90
#1 0x0000565347621604 in js::GetGeneratorObjectForFrame (cx=0x7fbd95118000, frame=...) at js/src/vm/GeneratorObject.cpp:121
#2 0x000056534756e565 in js::Debugger::slowPathOnLeaveFrame (cx=0x7fbd9623f680 <_IO_2_1_stderr_>, frame=..., pc=0x7fbd95197b60 "ԉ", frameOk=false) at js/src/vm/Debugger.cpp:1109
#3 0x0000565346ec48a4 in js::Debugger::onLeaveFrame (cx=0x7fbd95118000, frame=..., pc=0x7fbd95197b60 "ԉ", ok=false) at js/src/vm/Debugger-inl.h:25
#4 0x0000565347256b34 in js::jit::HandleExceptionBaseline (cx=<optimized out>, frame=..., pc=0x0, rfe=<optimized out>) at js/src/jit/JitFrames.cpp:585
/snip
```

For detailed crash information, see attachment.
Updated•6 years ago
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Comment 2•6 years ago
Marking fix-optional to remove this from triage, because we are tracking this in bug 1501722.