Closed Bug 550210 Opened 14 years ago Closed 14 years ago

JM: Crash [@ args_or_call_trace] or [@ js_CallGCMarker] or "Assertion failure: isGenerator(), at ../jsinterp.h"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Assigned: luke)

References

Details

(4 keywords)

Crash Data

function g(e) {
    return ("" + e)
}
rv = (function () {
    do {
        yield
    } while ({}(p = arguments))
})()
try {
    for (a in rv) function () {}
} catch (e) {
    print("" + g(e))
}
gc()


crashes JM opt shell on JM tip without -j or -m at args_or_call_trace or at js_CallGCMarker and asserts JM dbg shell on JM tip without -j or -m at Assertion failure: isGenerator(), at ../jsinterp.h:211

This occurs in Linux 64-bit shells and also on Mac OS X, both 32-bit and 64-bit shells.

JM rev 4c2029c3e4b8 - this testcase seems to work as expected (no crash / assert) on TM tip.
Any chance your autobisect script can tell us when this started?
(In reply to comment #1)
> Any chance your autobisect script can tell us when this started?

Seems to work in changeset http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/e62a3bcea964

Seems to crash in changeset http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/4c2029c3e4b8

So it's probably bug 547851.
Blocks: 547851
Keywords: regression
I get the error on TM tip with the bug 547851 applied; will debug.  The test case is truly a gem, thanks!
Ah, simple mistake; over-reliance on symmetry.  Although it does require a big coincidence, I'm surprised this made it through js/xpcshell/mochi tests.  Although it only repros for bug 547851, it is actually a bug in the bug 540706 patch.

Pushed with a few cleanups
http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/e9c3d9bcc344
and then I remembered to add the test case
http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/024479e57d25
Assignee: general → lw
Blocks: 540706
No longer blocks: 547851
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ args_or_call_trace] [@ js_CallGCMarker]
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug550210.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.