JM: "Assertion failure: uintN(gen->savedRegs.sp - fp->slots()) <= fp->script->nslots,"

RESOLVED DUPLICATE of bug 583124

Status

()

Core
JavaScript Engine
--
critical
RESOLVED DUPLICATE of bug 583124
8 years ago
8 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
x86
Linux
assertion, regression, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

8 years ago
f = function () {
    if (false) yield
}
for (a in f()) {}

asserts js debug shell on JM changeset 7c6f62fcbd91 at Assertion failure: uintN(gen->savedRegs.sp - fp->slots()) <= fp->script->nslots, at ../jsiter.cpp:1270
(Reporter)

Comment 1

8 years ago
This occurs without -m nor -j on JM, and doesn't occur on TM.
(Reporter)

Comment 2

8 years ago
$ valgrind ./js-opt-32-jm-linux uintN.js 
==29648== Memcheck, a memory error detector
==29648== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==29648== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==29648== Command: ./js-opt-32-jm-linux uintN.js
==29648== 
==29648== Invalid write of size 1
==29648==    at 0x47FB974: memcpy (mc_replace_strmem.c:497)
==29648==    by 0x80B3B4F: SendToGenerator(JSContext*, JSGeneratorOp, JSObject*, JSGenerator*, js::Value const&) (in /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-49143-7c6f62fcbd91/js-opt-32-jm-linux)
==29648==  Address 0x73c27b8 is 0 bytes after a block of size 144 alloc'd
==29648==    at 0x47F9F20: malloc (vg_replace_malloc.c:236)
==29648==    by 0x80AF604: js_NewGenerator(JSContext*) (in /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-49143-7c6f62fcbd91/js-opt-32-jm-linux)
==29648== 
==29648== Invalid write of size 1
==29648==    at 0x47FB97C: memcpy (mc_replace_strmem.c:497)
==29648==    by 0x80B3B4F: SendToGenerator(JSContext*, JSGeneratorOp, JSObject*, JSGenerator*, js::Value const&) (in /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-49143-7c6f62fcbd91/js-opt-32-jm-linux)
==29648==  Address 0x73c27b9 is 1 bytes after a block of size 144 alloc'd
==29648==    at 0x47F9F20: malloc (vg_replace_malloc.c:236)
==29648==    by 0x80AF604: js_NewGenerator(JSContext*) (in /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-49143-7c6f62fcbd91/js-opt-32-jm-linux)
==29648== 
==29648== Invalid write of size 1
==29648==    at 0x47FB985: memcpy (mc_replace_strmem.c:497)
==29648==    by 0x80B3B4F: SendToGenerator(JSContext*, JSGeneratorOp, JSObject*, JSGenerator*, js::Value const&) (in /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-49143-7c6f62fcbd91/js-opt-32-jm-linux)
==29648==  Address 0x73c27ba is 2 bytes after a block of size 144 alloc'd
==29648==    at 0x47F9F20: malloc (vg_replace_malloc.c:236)
==29648==    by 0x80AF604: js_NewGenerator(JSContext*) (in /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-49143-7c6f62fcbd91/js-opt-32-jm-linux)
==29648== 
==29648== Invalid write of size 1
==29648==    at 0x47FB98E: memcpy (mc_replace_strmem.c:497)
==29648==    by 0x80B3B4F: SendToGenerator(JSContext*, JSGeneratorOp, JSObject*, JSGenerator*, js::Value const&) (in /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-49143-7c6f62fcbd91/js-opt-32-jm-linux)
==29648==  Address 0x73c27bb is 3 bytes after a block of size 144 alloc'd
==29648==    at 0x47F9F20: malloc (vg_replace_malloc.c:236)
==29648==    by 0x80AF604: js_NewGenerator(JSContext*) (in /home/fuzz1/Desktop/jsfunfuzz-dbg-32-jm-49143-7c6f62fcbd91/js-opt-32-jm-linux)
==29648== 
==29648== 
==29648== HEAP SUMMARY:
==29648==     in use at exit: 0 bytes in 0 blocks
==29648==   total heap usage: 859 allocs, 859 frees, 1,379,582 bytes allocated
==29648== 
==29648== All heap blocks were freed -- no leaks are possible
==29648== 
==29648== For counts of detected and suppressed errors, rerun with: -v
==29648== ERROR SUMMARY: 8 errors from 4 contexts (suppressed: 23 from 8)
This no longer reproduces since JSOP_GENERATOR is not implemented.
(Reporter)

Comment 4

8 years ago
With 32-bit debug JM shell on Linux, comment #0 still asserts on changeset e0988eae6c08 with -m and -j.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 583124
You need to log in before you can comment on or make changes to this bug.