Bug 704351 (Closed): JS Shell-only crash with dis() [@ JSGenerator::floatingFrame]
Opened 13 years ago, closed 13 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla11
People: Reporter: decoder, Assigned: luke
Keywords: crash, testcase; Whiteboard: js-triage-done
Attachments (1 file): patch, 1.25 KB, Waldo: review+
The following test crashes on mozilla-central revision 5ebeef1eabcb (no options required):
dis(((function() { yield 3; })().__proto__));
Backtrace:
==50635== Invalid read of size 8
==50635== at 0x413B7E: JSGenerator::floatingFrame() (jsiter.h:182)
==50635== by 0x407CF0: ValueToScript(JSContext*, JS::Value, JSFunction**) (js.cpp:1567)
==50635== by 0x409DA0: Disassemble(JSContext*, unsigned int, JS::Value*) (js.cpp:2170)
==50635== by 0x50A95C: js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), js::CallArgs const&) (jscntxtinlines.h:297)
==50635== by 0x4E9FD8: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jsinterp.cpp:629)
==50635== by 0x4FB1F4: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode)
==50635== Address 0x38 is not stack'd, malloc'd or (recently) free'd
Comment 1 (Assignee, 13 years ago):
Wow, this goes back to upvar2.
Updated (Assignee, 13 years ago):
Whiteboard: js-triage-needed → js-triage-done
Comment 2 (13 years ago):
Comment on attachment 576031: fix
Review of attachment 576031:
-----------------------------------------------------------------
::: js/src/jit-test/tests/basic/testBug704351.js
@@ +1,2 @@
> +// |jit-test| error: TypeError
> +dis(((function() { yield 3; })().__proto__));
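Review bot: the new test carries no comment saying what it guards against; add a line above the call such as "// Bug 704351: dis() on the prototype of a generator object must throw TypeError instead of crashing in JSGenerator::floatingFrame", so a reader can see that the operand is the generator's prototype rather than the generator itself and why "error: TypeError" is the expected outcome rather than a successful disassembly.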
Add a temporary here, generatorPrototype or something, to make it more clear what's being dis'd. I was confused about what exactly was the problematic action, with respect to the code change, until I stared at it a little longer to figure out what object was being dis'd.
Attachment #576031 flags: review?(jwalden+bmo) → review+
Comment 3 (Assignee, 13 years ago):
Target Milestone: --- → mozilla11
Comment 4 (13 years ago):
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Flags: in-testsuite+
Resolution: --- → FIXED