Closed
Bug 759904
Opened 13 years ago
Closed 13 years ago
Crash [@ JSContext::generatorFor] or "Assertion failure: fp->isGeneratorFrame(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla15
Tracking | Status | |
---|---|---|
firefox14 | --- | unaffected |
firefox15 | --- | fixed |
firefox-esr10 | --- | unaffected |
People
(Reporter: gkw, Assigned: Benjamin)
References
Details
(4 keywords, Whiteboard: js-triage-done)
Attachments
(2 files)
4.91 KB,
text/plain
|
Details | |
1014 bytes,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
function a(b = (function() {})) {
yield
}
a()
asserts js debug shell on m-c changeset f28d1ec8bd33 without any CLI arguments at Assertion failure: fp->isGeneratorFrame(), and crashes js opt shell at JSContext::generatorFor
Seems to be a null crash, so feel free to open up if not s-s.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 95044:699a613bf616
user: Benjamin Peterson
date: Sat May 26 09:33:53 2012 -0400
summary: Bug 757676 - Implement JS default parameters. r=jorendorff
Comment 1•13 years ago
|
||
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x000000010008af36 in JSContext::generatorFor (this=0x100c154f0, fp=0x1018000b8) at /Users/jorendorff/dev/mi/js/src/jscntxt.cpp:1087
1087 JS_ASSERT(fp->isGeneratorFrame());
(gdb) call js_DumpPC(this)
loc line op
----- ---- --
main:
00000: 2 actualsfilled 0
00003: 2 tableswitch defaultOffset 26 low 0 high 0
0: 17
00020: 2 lambda (function () {})
00025: 2 setarg 0
00028: 2 pop
00029: 3 undefined
--> 00030: 3 yield
00031: 3 pop
00032: 3 stop
$1 = 1
There ought to be a JSOP_GENERATOR opcode in the prologue.
Assignee | ||
Comment 2•13 years ago
|
||
I forgot to call endBody on GenexpGuard.
Assignee: general → bpeterson
Attachment #628489 -
Flags: review?(jorendorff)
Updated•13 years ago
|
Attachment #628489 -
Flags: review?(jorendorff) → review+
Assignee | ||
Updated•13 years ago
|
Keywords: checkin-needed
![]() |
Reporter | |
Comment 3•13 years ago
|
||
Keywords: checkin-needed
Whiteboard: js-triage-needed → js-triage-done
Target Milestone: --- → mozilla15
Comment 5•13 years ago
|
||
Comment 6•13 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Updated•13 years ago
|
Status: RESOLVED → VERIFIED
Updated•13 years ago
|
status-firefox-esr10:
--- → unaffected
status-firefox14:
--- → unaffected
Updated•13 years ago
|
Group: core-security
![]() |
Reporter | |
Updated•13 years ago
|
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•