Closed Bug 883826 Opened 11 years ago Closed 1 year ago

Assertion failure: !bce->script->noScriptRval, at js/src/frontend/BytecodeEmitter.cpp:4874

Categories

(Core :: JavaScript Engine, defect)

RESOLVED WORKSFORME

People

(Reporter: Yoric, Unassigned)

Details

(Keywords: crash, Whiteboard: qa-not-actionable)

Attachments

(2 files)

Attached patch: Test case
Trying to perform a |new Function()| call in a chrome worker seems to crash down everything.
Ohoh.
(almost) same sample crashes web code.
Making confidential/critical.
Group: mozilla-corporation-confidential
Severity: major → critical
Attached file Test case for the web
Here's the relevant stack:

Thread 41 Crashed:: DOM Worker
0   XUL                           	0x000000010574ce64 JSScript::fullyInitFromEmitter(JSContext*, JS::Handle<JSScript*>, js::frontend::BytecodeEmitter*) + 2708
1   XUL                           	0x000000010534f425 js::frontend::EmitFunctionScript(JSContext*, js::frontend::BytecodeEmitter*, js::frontend::ParseNode*) + 1093
2   XUL                           	0x0000000105344bde js::frontend::CompileFunctionBody(JSContext*, JS::MutableHandle<JSFunction*>, JS::CompileOptions, js::AutoNameVector const&, unsigned short const*, unsigned long, bool) + 3326
3   XUL                           	0x00000001056242a3 js::Function(JSContext*, unsigned int, JS::Value*) + 3619
4   XUL                           	0x00000001053deb1d js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 173
5   XUL                           	0x00000001053dedcf js::CallJSNativeConstructor(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 207
6   XUL                           	0x00000001053d31c3 js::InvokeConstructor(JSContext*, JS::CallArgs) + 499
7   XUL                           	0x00000001053ccc0a _ZL9InterpretP9JSContextPN2js10StackFrameE + 24154
8   XUL                           	0x00000001053c6c94 js::RunScript(JSContext*, js::StackFrame*) + 1316
9   XUL                           	0x00000001053d398a js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) + 794
10  XUL                           	0x00000001053d3cb4 js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 660
11  XUL                           	0x0000000105571ef5 JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) + 1093
12  XUL                           	0x0000000102b5f22b (anonymous namespace)::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) + 1179 (ScriptLoader.cpp:661)
13  XUL                           	0x0000000102b66e08 mozilla::dom::workers::WorkerRunnable::Run() + 648 (WorkerPrivate.cpp:1678)
14  XUL                           	0x0000000102b6d34d mozilla::dom::workers::WorkerPrivate::RunSyncLoop(JSContext*, unsigned int) + 413 (WorkerPrivate.cpp:3567)
15  XUL                           	0x0000000102b5a3f5 mozilla::dom::workers::AutoSyncLoopHolder::RunAndForget(JSContext*) + 53 (WorkerPrivate.h:1016)
16  XUL                           	0x0000000102b5c3b0 (anonymous namespace)::LoadAllScripts(JSContext*, mozilla::dom::workers::WorkerPrivate*, nsTArray<(anonymous namespace)::ScriptLoadInfo>&, bool) + 576 (ScriptLoader.cpp:718)
17  XUL                           	0x0000000102b5c101 mozilla::dom::workers::scriptloader::LoadWorkerScript(JSContext*) + 161 (ScriptLoader.cpp:909)
18  XUL                           	0x0000000102b77688 (anonymous namespace)::CompileScriptRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) + 200 (WorkerPrivate.cpp:706)
19  XUL                           	0x0000000102b66e08 mozilla::dom::workers::WorkerRunnable::Run() + 648 (WorkerPrivate.cpp:1678)
20  XUL                           	0x0000000102b69898 mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) + 1448 (WorkerPrivate.cpp:2863)
21  XUL                           	0x0000000102b5570e (anonymous namespace)::WorkerThreadRunnable::Run() + 238 (RuntimeService.cpp:876)
22  XUL                           	0x0000000104341326 nsThread::ProcessNextEvent(bool, bool*) + 1654 (nsThread.cpp:627)
23  XUL                           	0x00000001042a19a9 NS_ProcessNextEvent(nsIThread*, bool) + 169 (nsThreadUtils.cpp:238)
24  XUL                           	0x000000010433fd17 nsThread::ThreadFunc(void*) + 295 (nsThread.cpp:264)
25  libnss3.dylib                 	0x00000001012376e5 _pt_root + 357
26  libsystem_c.dylib             	0x00007fff9a3558bf _pthread_start + 335
27  libsystem_c.dylib             	0x00007fff9a358b75 thread_start + 13
Group: mozilla-corporation-confidential
Assignee: general → nobody
Whiteboard: qa-not-actionable
Severity: critical → S2
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME