Closed Bug 550210 Opened 15 years ago Closed 15 years ago

JM: Crash [@ args_or_call_trace] or [@ js_CallGCMarker] or "Assertion failure: isGenerator(), at ../jsinterp.h"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Assigned: luke)

References

Details

(4 keywords)

Crash Data

function g(e) { return ("" + e) } rv = (function () { do { yield } while ({}(p = arguments)) })() try { for (a in rv) function () {} } catch (e) { print("" + g(e)) } gc() crashes JM opt shell on JM tip without -j or -m at args_or_call_trace or at js_CallGCMarker and asserts JM dbg shell on JM tip without -j or -m at Assertion failure: isGenerator(), at ../jsinterp.h:211 This occurs in Linux 64-bit shells and also on Mac OS X, both 32-bit and 64-bit shells. JM rev 4c2029c3e4b8 - this testcase seems to work as expected (no crash / assert) on TM tip.
Any chance your autobisect script can tell us when this started?
(In reply to comment #1) > Any chance your autobisect script can tell us when this started? Seems to work in changeset http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/e62a3bcea964 Seems to crash in changeset http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/4c2029c3e4b8 So it's probably bug 547851.
Blocks: 547851
Keywords: regression
I get the error on TM tip with the bug 547851 applied; will debug. The test case is truly a gem, thanks!
Ah, simple mistake; over-reliance on symmetry. Although it does require a big coincidence, I'm surprised this made it through js/xpcshell/mochi tests. Although it only repros for bug 547851, it is actually a bug in the bug 540706 patch. Pushed with a few cleanups http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/e9c3d9bcc344 and then I remembered to add the test case http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/024479e57d25
Assignee: general → lw
Blocks: 540706
No longer blocks: 547851
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Crash Signature: [@ args_or_call_trace] [@ js_CallGCMarker]
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug550210.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.