Crash [@ JSContext::generatorFor] or "Assertion failure: fp->isGeneratorFrame(),"

VERIFIED FIXED in Firefox 15

Status


Core
JavaScript Engine
--
critical
VERIFIED FIXED
5 years ago
5 years ago

People

(Reporter: gkw, Assigned: Benjamin)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
mozilla15
x86
Mac OS X
assertion, crash, regression, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox14 unaffected, firefox15 fixed, firefox-esr10 unaffected)

Details

(Whiteboard: js-triage-done)

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
Created attachment 628484 [details]
stack

function a(b = (function() {})) {
    yield
}
a()

asserts js debug shell on m-c changeset f28d1ec8bd33 without any CLI arguments at "Assertion failure: fp->isGeneratorFrame()," and crashes js opt shell at JSContext::generatorFor.

Seems to be a null crash, so feel free to open up if not s-s.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   95044:699a613bf616
user:        Benjamin Peterson
date:        Sat May 26 09:33:53 2012 -0400
summary:     Bug 757676 - Implement JS default parameters. r=jorendorff

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x000000010008af36 in JSContext::generatorFor (this=0x100c154f0, fp=0x1018000b8) at /Users/jorendorff/dev/mi/js/src/jscntxt.cpp:1087
1087	    JS_ASSERT(fp->isGeneratorFrame());
(gdb) call js_DumpPC(this)
loc   line  op
----- ----  --
main:
    00000:   2  actualsfilled 0
    00003:   2  tableswitch defaultOffset 26 low 0 high 0
	0: 17
    00020:   2  lambda (function () {})
    00025:   2  setarg 0
    00028:   2  pop
    00029:   3  undefined
--> 00030:   3  yield
    00031:   3  pop
    00032:   3  stop
$1 = 1

There ought to be a JSOP_GENERATOR opcode in the prologue.
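
The check described in the comment above, as an added example that is not part of the original bug report or of SpiderMonkey: it parses a js_DumpPC-style listing and reports whether a yield is reached without an earlier generator op. The mnemonic "generator" for JSOP_GENERATOR, the function names, and the second listing are assumptions constructed for illustration.

```javascript
// Added example (not SpiderMonkey code). Assumes JSOP_GENERATOR disassembles
// as "generator"; parseDump and checkGeneratorPrologue are hypothetical names.
const OP_LINE = /^\s*(-->)?\s*(\d{5}):\s+(\d+)\s+(\S+)\s*(.*)$/;

function parseDump(text) {
  const ops = [];
  for (const raw of text.split("\n")) {
    const m = OP_LINE.exec(raw);
    if (!m) continue; // skips headers, "main:", and tableswitch case rows
    ops.push({ current: Boolean(m[1]), offset: parseInt(m[2], 10),
               line: parseInt(m[3], 10), op: m[4], operands: m[5] });
  }
  return ops;
}

function checkGeneratorPrologue(ops) {
  const firstYield = ops.findIndex(o => o.op === "yield");
  if (firstYield === -1) return { ok: true, yieldOffset: null, generatorOffset: null };
  // A generator op must appear somewhere before the first yield.
  const gen = ops.slice(0, firstYield).find(o => o.op === "generator");
  return { ok: gen !== undefined, yieldOffset: ops[firstYield].offset,
           generatorOffset: gen ? gen.offset : null };
}

// Listing copied from the gdb session in this bug.
const REPORTED = [
  "main:",
  "    00000:   2  actualsfilled 0",
  "    00003:   2  tableswitch defaultOffset 26 low 0 high 0",
  "\t0: 17",
  "    00020:   2  lambda (function () {})",
  "    00025:   2  setarg 0",
  "    00028:   2  pop",
  "    00029:   3  undefined",
  "--> 00030:   3  yield",
  "    00031:   3  pop",
  "    00032:   3  stop",
].join("\n");

// Constructed listing (not output from a fixed build) with the op present.
const WITH_GENERATOR = [
  "    00029:   2  generator",
  "    00030:   2  pop",
  "    00031:   3  undefined",
  "    00032:   3  yield",
].join("\n");

console.log(checkGeneratorPrologue(parseDump(REPORTED)));
console.log(checkGeneratorPrologue(parseDump(WITH_GENERATOR)));
```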
(Assignee)

Comment 2

5 years ago
Created attachment 628489 [details] [diff] [review]
fix

I forgot to call endBody on GenexpGuard.
Assignee: general → bpeterson
Attachment #628489 - Flags: review?(jorendorff)
Attachment #628489 - Flags: review?(jorendorff) → review+
(Assignee)

Updated

5 years ago
Keywords: checkin-needed
(Reporter)

Comment 3

5 years ago
http://hg.mozilla.org/integration/mozilla-inbound/rev/71e016e251a7
Keywords: checkin-needed
Whiteboard: js-triage-needed → js-triage-done
Target Milestone: --- → mozilla15

Updated

5 years ago
Duplicate of this bug: 760401

Comment 5

5 years ago
https://hg.mozilla.org/mozilla-central/rev/71e016e251a7
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox15: --- → fixed
Resolution: --- → FIXED
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
status-firefox-esr10: --- → unaffected
status-firefox14: --- → unaffected
Group: core-security
(Reporter)

Updated

5 years ago
Flags: in-testsuite+