Closed Bug 759904 Opened 13 years ago Closed 13 years ago

Crash [@ JSContext::generatorFor] or "Assertion failure: fp->isGeneratorFrame(),"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla15
Tracking Status
firefox14 --- unaffected
firefox15 --- fixed
firefox-esr10 --- unaffected

People

(Reporter: gkw, Assigned: Benjamin)

References

Details

(4 keywords, Whiteboard: js-triage-done)

Attachments

(2 files)

Attached file stack
function a(b = (function() {})) { yield }
a()

asserts js debug shell on m-c changeset f28d1ec8bd33 without any CLI arguments at Assertion failure: fp->isGeneratorFrame(), and crashes js opt shell at JSContext::generatorFor

Seems to be a null crash, so feel free to open up if not s-s.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 95044:699a613bf616
user: Benjamin Peterson
date: Sat May 26 09:33:53 2012 -0400
summary: Bug 757676 - Implement JS default parameters. r=jorendorff
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x000000010008af36 in JSContext::generatorFor (this=0x100c154f0, fp=0x1018000b8) at /Users/jorendorff/dev/mi/js/src/jscntxt.cpp:1087
1087 JS_ASSERT(fp->isGeneratorFrame());
(gdb) call js_DumpPC(this)
loc     line  op
-----   ----  --
main:
00000:  2  actualsfilled 0
00003:  2  tableswitch defaultOffset 26 low 0 high 0
        0: 17
00020:  2  lambda (function () {})
00025:  2  setarg 0
00028:  2  pop
00029:  3  undefined
--> 00030:  3  yield
00031:  3  pop
00032:  3  stop
$1 = 1

There ought to be a JSOP_GENERATOR opcode in the prologue.
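
The invariant stated in the comment above (a script that executes yield needs the generator opcode before it), as an added triage check over a js_DumpPC-style listing. This is not code from the bug or from SpiderMonkey; the listing name `generator` for JSOP_GENERATOR and the helper names are assumptions.

```python
import re

# Constructed sample: the js_DumpPC listing quoted in the comment above,
# one instruction per line ("-->" marks the current pc).
DUMP = """\
main:
00000:  2  actualsfilled 0
00003:  2  tableswitch defaultOffset 26 low 0 high 0
        0: 17
00020:  2  lambda (function () {})
00025:  2  setarg 0
00028:  2  pop
00029:  3  undefined
--> 00030:  3  yield
00031:  3  pop
00032:  3  stop
"""

# Fields: bytecode offset, source line, opcode name, operands.
# Switch-case rows such as "0: 17" lack the 5-digit offset and are skipped.
INSN = re.compile(r"^(?:-->\s*)?(\d{5}):\s+(\d+)\s+(\S+)\s*(.*)$")


def parse(dump):
    """Return [(offset, line, op, operands)] for every instruction row."""
    rows = []
    for raw in dump.splitlines():
        m = INSN.match(raw.strip())
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return rows


def yields_without_generator(dump, generator_op="generator"):
    """Offsets of yield ops that no generator prologue op precedes.

    generator_op is the assumed listing name of JSOP_GENERATOR.
    """
    seen_generator = False
    bad = []
    for offset, _line, op, _operands in parse(dump):
        if op == generator_op:
            seen_generator = True
        elif op == "yield" and not seen_generator:
            bad.append(offset)
    return bad
```
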
Attached patch fix
I forgot to call endBody on GenexpGuard.
Assignee: general → bpeterson
Attachment #628489 - Flags: review?(jorendorff)
Attachment #628489 - Flags: review?(jorendorff) → review+
Keywords: checkin-needed
Keywords: checkin-needed
Whiteboard: js-triage-needed → js-triage-done
Target Milestone: --- → mozilla15
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Group: core-security
Flags: in-testsuite+