Closed Bug 704351 Opened 13 years ago Closed 13 years ago

JS Shell-only crash with dis() [@ JSGenerator::floatingFrame]

Categories

(Core :: JavaScript Engine, defect)

Platform: x86_64
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED FIXED
mozilla11

People

(Reporter: decoder, Assigned: luke)

Details

(Keywords: crash, testcase, Whiteboard: js-triage-done)

Attachments

(1 file)

The following test crashes on mozilla-central revision 5ebeef1eabcb (no options required):

dis(((function() { yield 3; })().__proto__));

Backtrace:

==50635== Invalid read of size 8
==50635==    at 0x413B7E: JSGenerator::floatingFrame() (jsiter.h:182)
==50635==    by 0x407CF0: ValueToScript(JSContext*, JS::Value, JSFunction**) (js.cpp:1567)
==50635==    by 0x409DA0: Disassemble(JSContext*, unsigned int, JS::Value*) (js.cpp:2170)
==50635==    by 0x50A95C: js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), js::CallArgs const&) (jscntxtinlines.h:297)
==50635==    by 0x4E9FD8: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jsinterp.cpp:629)
==50635==    by 0x4FB1F4: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode)
==50635==  Address 0x38 is not stack'd, malloc'd or (recently) free'd
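The crash above is native code treating a generator's prototype object as if it were a generator instance: the prototype passes the "is this generator-like" test but carries no per-instance state, so the shell dereferences a frame that is not there. Modern engines make that distinction with a brand check on the internal generator state, and failing it is what surfaces as the TypeError the fixed shell reports. The following is an added example, not code from this bug or from SpiderMonkey; it uses ES6 `function*` rather than the 2011 legacy `yield`-in-function generators, and the function names (`looksLikeGenerator`, `hasGeneratorState`, `classify`, `demo`) are the example's own:

```javascript
// Added example; not from bug 704351 or SpiderMonkey. Shows why a prototype-chain
// or Symbol.toStringTag check is no substitute for checking that an object really
// carries generator state, the distinction the crashing dis() call tripped over.

function* counter() {
  yield 3;
}

// %GeneratorPrototype%: the object every generator instance ultimately inherits from.
const GeneratorPrototype = Object.getPrototypeOf(Object.getPrototypeOf(counter()));

// Weak check: true for instances, but also for counter.prototype and for
// %GeneratorPrototype% itself, because Symbol.toStringTag is looked up on the
// prototype chain.
function looksLikeGenerator(value) {
  return Object.prototype.toString.call(value) === "[object Generator]";
}

// Brand check: %GeneratorPrototype%.return validates the receiver's internal
// generator state before doing anything else and throws TypeError otherwise.
// It closes a real generator, so only call it on values you own.
function hasGeneratorState(value) {
  try {
    GeneratorPrototype.return.call(value, undefined);
    return true;
  } catch (e) {
    if (e instanceof TypeError) return false;
    throw e;
  }
}

// Classifies a value the way a native helper in the spirit of ValueToScript would
// need to before touching per-instance state.
function classify(value) {
  if (!looksLikeGenerator(value)) return "not-a-generator";
  return hasGeneratorState(value) ? "generator-instance" : "generator-prototype";
}

// The shapes from the bug: an instance, its __proto__ (counter.prototype),
// %GeneratorPrototype%, and a plain object for contrast.
function demo() {
  const gen = counter();
  const generatorPrototype = Object.getPrototypeOf(gen); // the temporary the review asks for
  return {
    instance: classify(gen),
    proto: classify(generatorPrototype),
    root: classify(GeneratorPrototype),
    plain: classify({}),
  };
}
```

Both `counter.prototype` and `%GeneratorPrototype%` answer "[object Generator]" to the tag check, which is exactly the trap: a check that only walks the prototype chain cannot tell an instance from the objects it inherits from. The brand check is the one a native implementation has to make before dereferencing instance state.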
Attached patch fix
Wow, this goes back to upvar2.
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #576031 - Flags: review?(jwalden+bmo)
Whiteboard: js-triage-needed → js-triage-done
Comment on attachment 576031 [details] [diff] [review]
fix

Review of attachment 576031 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit-test/tests/basic/testBug704351.js
@@ +1,2 @@
> +// |jit-test| error: TypeError
> +dis(((function() { yield 3; })().__proto__));

Add a temporary here, generatorPrototype or something, to make it more clear what's being dis'd. I was confused about what exactly was the problematic action, with respect to the code change, until I stared at it a little longer to figure out what object was being dis'd.
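Review bot: the `// |jit-test| error: TypeError` directive on the test's first line pins the fixed behaviour (dis() rejecting the generator prototype with a TypeError) but gives a later reader no hint of what it regresses against; a one-line comment noting that this input previously produced an invalid read at address 0x38 in JSGenerator::floatingFrame() (bug 704351) would make clear why a TypeError, rather than a disassembly, is the expected outcome.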
Attachment #576031 - Flags: review?(jwalden+bmo) → review+
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Flags: in-testsuite+
Resolution: --- → FIXED