Closed Bug 590064 Opened 14 years ago Closed 14 years ago

JM: Crash [@ JSContext::generatorFor] or "Assertion failure: !fp->hasFunction() || !(fp->getFunction()->flags & JSFUN_HEAVYWEIGHT) || fp->hasCallObj(),"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 588362

People

(Reporter: gkw, Unassigned)

References

Details

(4 keywords)

Crash Data

for (a = 0; a < 5; a++) { (function n() { with({}) { yield } } ()) } crashes js opt shell on JM changeset e42b505b43f3 with -m and -j at JSContext::generatorFor and asserts js debug shell at Assertion failure: !fp->hasFunction() || !(fp->getFunction()->flags & JSFUN_HEAVYWEIGHT) || fp->hasCallObj(), at ../jsinterp.cpp:117 (gdb) bt #0 0x001695c8 in JS_Assert (s=0x281d5c "!fp->hasFunction() || !(fp->getFunction()->flags & JSFUN_HEAVYWEIGHT) || fp->hasCallObj()", file=0x2817f0 "../jsinterp.cpp", ln=117) at ../jsutil.cpp:80 #1 0x000beba5 in js_GetScopeChain (cx=0x60ab00, fp=0x1000110) at jsinterp.cpp:115 #2 0x000bf012 in js_EnterWith (cx=0x60ab00, stackIndex=-1) at jsinterp.cpp:1296 #3 0x00094e73 in js::Interpret (cx=0x60ab00, entryFrame=0x1000110, inlineCallCount=0) at ../jsinterp.cpp:2673 #4 0x0024b955 in PartialInterpret (f=@0xbffff3c0) at ../methodjit/InvokeHelpers.cpp:737 #5 0x0024db93 in RemoveExcessFrames (f=@0xbffff3c0, entryFrame=0x10000a8) at ../methodjit/InvokeHelpers.cpp:778 #6 0x0024de25 in RunTracer (f=@0xbffff3c0, mic=@0x60d260) at ../methodjit/InvokeHelpers.cpp:901 #7 0x0024e0ef in js::mjit::stubs::InvokeTracer (f=@0xbffff3c0, index=3) at ../methodjit/InvokeHelpers.cpp:960 #8 0x005ca32b in ?? () #9 0x001fdf66 in EnterMethodJIT (cx=0x60ab00, fp=0x10000a8, code=0x5ca05c, safePoint=0x0) at ../methodjit/MethodJIT.cpp:757 #10 0x001fe12d in js::mjit::JaegerShot (cx=0x60ab00) at ../methodjit/MethodJIT.cpp:785 #11 0x000bc10b in js::RunScript (cx=0x60ab00, script=0x60ce20, fun=0x0, scopeChain=0x1402000) at jsinterp.cpp:465 #12 0x000bdaee in js::Execute (cx=0x60ab00, chain=0x1402000, script=0x60ce20, down=0x0, flags=0, result=0x0) at jsinterp.cpp:945 #13 0x00016f43 in JS_ExecuteScript (cx=0x60ab00, obj=0x1402000, script=0x60ce20, rval=0x0) at ../jsapi.cpp:4762 #14 0x0000c4d0 in Process (cx=0x60ab00, obj=0x1402000, filename=0xbffff942 "w2040-reduced.js", forceTTY=0) at ../../shell/js.cpp:442 #15 0x0000d243 in ProcessArgs (cx=0x60ab00, obj=0x1402000, argv=0xbffff81c, argc=3) at ../../shell/js.cpp:862 #16 0x0000d35c in shell (cx=0x60ab00, argc=3, argv=0xbffff81c, envp=0xbffff82c) at ../../shell/js.cpp:5151 #17 0x0000d480 in main (argc=3, argv=0xbffff81c, envp=0xbffff82c) at ../../shell/js.cpp:5247
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Crash Signature: [@ JSContext::generatorFor]
A testcase for this bug was already added in the original bug (bug 588362).
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.