Closed Bug 908472 Opened 11 years ago Closed 11 years ago

Crash [@ fun_isGenerator] or Assertion failure: isInterpretedLazy() && u.i.s.lazy_, at jsfun.h

Categories

(Core :: JavaScript Engine, defect)

Type: defect
Priority: Not set
Severity: critical

Tracking


Status: RESOLVED FIXED
Target Milestone: mozilla26

People

(Reporter: gkw, Assigned: till)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(3 files)

Attached file stack
[0].some(Function.isGenerator, [].map) asserts js debug shell on m-c changeset d58fc624899c without any CLI arguments at Assertion failure: isInterpretedLazy() && u.i.s.lazy_, at jsfun.h
Urgh. JSFunction::generatorKind doesn't work for self-hosted lazy functions, only for lazy-parsed ones. Shouldn't be too hard to fix, though.
Assignee: general → till
Status: NEW → ASSIGNED
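Added example, not code from this bug or from SpiderMonkey: a portable re-implementation in plain JavaScript (runs under Node) of the check that `Function.isGenerator` performed, written so that native functions such as `[].map` are classified without assuming a parsed script exists, which is exactly the case the engine's fun_isGenerator did not handle. The names `isNative`, `isGenerator`, `isGeneratorMethod` and `reproduceTestcaseShape` are this example's own. It also records why the testcase reaches the engine with `[].map` as `this`: `Function.isGenerator` resolves to `Function.prototype.isGenerator` through the `Function` constructor's own prototype chain, and the second argument of `Array.prototype.some` becomes the callback's `this`.

```javascript
'use strict';

// GeneratorFunction is not a global; recover it from a generator literal.
const GeneratorFunction = Object.getPrototypeOf(function* () {}).constructor;

// True when fn's source is not user-visible, i.e. the engine implements it
// (Array.prototype.map, Function.prototype.call, bound functions, ...).
// These are the functions without a user-authored script, the case that
// the original fun_isGenerator tripped over.
function isNative(fn) {
  return /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Portable generator test. A native function is answered without consulting
// any script at all: it is reported as not-a-generator, the same convention
// the patch adopts for lazy self-hosted functions. Everything else is decided
// by the intrinsic class tag and the GeneratorFunction prototype chain.
// (Bound generator functions fall under the native rule and report false;
// that is a limitation of this example, labelled here as such.)
function isGenerator(fn) {
  if (typeof fn !== 'function') {
    throw new TypeError('isGenerator: argument is not a function');
  }
  if (isNative(fn)) {
    return false;
  }
  return Object.prototype.toString.call(fn) === '[object GeneratorFunction]' ||
    fn instanceof GeneratorFunction;
}

// Method-style form: the engine's isGenerator was a Function.prototype method
// operating on `this`, which is why the bug's testcase could hand it a native
// function through the thisArg of some().
function isGeneratorMethod() {
  return isGenerator(this);
}

// Same call shape as the testcase [0].some(Function.isGenerator, [].map):
// the callback runs once, with element 0 as its argument and Array.prototype.map
// as `this`. A correct implementation returns false instead of crashing.
function reproduceTestcaseShape() {
  return [0].some(isGeneratorMethod, [].map);
}

// Quick classification table for a mix of user and native functions.
function classify(fns) {
  return fns.map((fn) => ({ native: isNative(fn), generator: isGenerator(fn) }));
}
```

The constructed inputs in the test below cover a generator literal, an async function (tagged AsyncFunction, so not a generator), an arrow function and `Array.prototype.map`; a non-function argument raises a TypeError rather than being dereferenced, which is the behaviour the opt-shell crash in this bug lacked.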
As discussed on IRC, this patch makes JSFunction::generatorKind always return js::NotGenerator for lazy self-hosted functions. To ensure that it doesn't incorrectly do so, JSRuntime::cloneSelfHostedFunctionScript asserts that the cloned function isn't a generator.
Attachment #794313 - Flags: review?(jwalden+bmo)
OS: Mac OS X → All
Hardware: x86_64 → All
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/26d92ba69fe6
user: Andy Wingo
date: Tue Aug 20 11:03:24 2013 +0200
summary: Bug 666399 - New Harmony syntax for generators. r=Waldo

Yes, bug 666399 seems to be the regressor.
Comment on attachment 794313 [details] [diff] [review] make JSFunction::generatorKind() treat lazy self-hosted functions as non-generators. Review of attachment 794313 [details] [diff] [review]: ----------------------------------------------------------------- Yes, it looks like I misunderstood the interactions between lazyscript, script, and self-hosted functions. Thanks for looking at this; patch looks good to me!
Attached file opt stack
This also crashes js opt shell at fun_isGenerator, likely a null deref though.
Crash Signature: [@ fun_isGenerator]
Summary: Assertion failure: isInterpretedLazy() && u.i.s.lazy_, at jsfun.h → Crash [@ fun_isGenerator] or Assertion failure: isInterpretedLazy() && u.i.s.lazy_, at jsfun.h
Comment on attachment 794313 [details] [diff] [review] make JSFunction::generatorKind() treat lazy self-hosted functions as non-generators. Review of attachment 794313 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jsfun.h @@ +290,5 @@ > + if (hasScript()) > + return nonLazyScript()->generatorKind(); > + js::LazyScript *lazy = lazyScriptOrNull(); > + if (lazy) > + return lazy->generatorKind(); if (js::LazyScript *lazy = lazyScriptOrNull()) return lazy->generatorKind(); is a little more compact. ::: js/src/vm/SelfHosting.cpp @@ +936,5 @@ > return false; > > RootedFunction sourceFun(cx, &funVal.toObject().as<JSFunction>()); > + // JSFunction::generatorKind can't handle lazy self-hosted function, so we make sure there > + // aren't any. "functions"
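Review bot: in the js/src/jsfun.h hunk, the fall-through after `if (lazy) return lazy->generatorKind();` is the only path a lazy self-hosted function takes (no script, no LazyScript), and nothing in the visible lines says that returning js::NotGenerator there is a deliberate convention rather than an unhandled case; add a one-line comment at that point naming the assertion in JSRuntime::cloneSelfHostedFunctionScript that guarantees no self-hosted function is a generator, so a later reader does not "fix" the fall-through by forcing delazification.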
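Review bot: in the js/src/vm/SelfHosting.cpp hunk, the new comment after `RootedFunction sourceFun(...)` promises "we make sure there aren't any" but the hunk as shown ends at the comment, with no check visible; the assertion described in comment 1 (that the cloned function is not a generator) should follow directly, and the comment should state the concrete condition being asserted (sourceFun's generatorKind is js::NotGenerator) so the invariant is greppable from jsfun.h.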
Attachment #794313 - Flags: review?(jwalden+bmo) → review+
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
