Closed Bug 590064 Opened 14 years ago Closed 14 years ago

JM: Crash [@ JSContext::generatorFor] or "Assertion failure: !fp->hasFunction() || !(fp->getFunction()->flags & JSFUN_HEAVYWEIGHT) || fp->hasCallObj(),"

Product/Component: Core :: JavaScript Engine
Type: defect
Platform: x86, macOS
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 588362
Reporter: gkw
Assignee: Unassigned
Details: 4 keywords

for (a = 0; a < 5; a++) {
  (function n() {
    with({}) {
      yield
    }
  } ())
}

crashes js opt shell on JM changeset e42b505b43f3 with -m and -j at JSContext::generatorFor and asserts js debug shell at Assertion failure: !fp->hasFunction() || !(fp->getFunction()->flags & JSFUN_HEAVYWEIGHT) || fp->hasCallObj(), at ../jsinterp.cpp:117

(gdb) bt
#0  0x001695c8 in JS_Assert (s=0x281d5c "!fp->hasFunction() || !(fp->getFunction()->flags & JSFUN_HEAVYWEIGHT) || fp->hasCallObj()", file=0x2817f0 "../jsinterp.cpp", ln=117) at ../jsutil.cpp:80
#1  0x000beba5 in js_GetScopeChain (cx=0x60ab00, fp=0x1000110) at jsinterp.cpp:115
#2  0x000bf012 in js_EnterWith (cx=0x60ab00, stackIndex=-1) at jsinterp.cpp:1296
#3  0x00094e73 in js::Interpret (cx=0x60ab00, entryFrame=0x1000110, inlineCallCount=0) at ../jsinterp.cpp:2673
#4  0x0024b955 in PartialInterpret (f=@0xbffff3c0) at ../methodjit/InvokeHelpers.cpp:737
#5  0x0024db93 in RemoveExcessFrames (f=@0xbffff3c0, entryFrame=0x10000a8) at ../methodjit/InvokeHelpers.cpp:778
#6  0x0024de25 in RunTracer (f=@0xbffff3c0, mic=@0x60d260) at ../methodjit/InvokeHelpers.cpp:901
#7  0x0024e0ef in js::mjit::stubs::InvokeTracer (f=@0xbffff3c0, index=3) at ../methodjit/InvokeHelpers.cpp:960
#8  0x005ca32b in ?? ()
#9  0x001fdf66 in EnterMethodJIT (cx=0x60ab00, fp=0x10000a8, code=0x5ca05c, safePoint=0x0) at ../methodjit/MethodJIT.cpp:757
#10 0x001fe12d in js::mjit::JaegerShot (cx=0x60ab00) at ../methodjit/MethodJIT.cpp:785
#11 0x000bc10b in js::RunScript (cx=0x60ab00, script=0x60ce20, fun=0x0, scopeChain=0x1402000) at jsinterp.cpp:465
#12 0x000bdaee in js::Execute (cx=0x60ab00, chain=0x1402000, script=0x60ce20, down=0x0, flags=0, result=0x0) at jsinterp.cpp:945
#13 0x00016f43 in JS_ExecuteScript (cx=0x60ab00, obj=0x1402000, script=0x60ce20, rval=0x0) at ../jsapi.cpp:4762
#14 0x0000c4d0 in Process (cx=0x60ab00, obj=0x1402000, filename=0xbffff942 "w2040-reduced.js", forceTTY=0) at ../../shell/js.cpp:442
#15 0x0000d243 in ProcessArgs (cx=0x60ab00, obj=0x1402000, argv=0xbffff81c, argc=3) at ../../shell/js.cpp:862
#16 0x0000d35c in shell (cx=0x60ab00, argc=3, argv=0xbffff81c, envp=0xbffff82c) at ../../shell/js.cpp:5151
#17 0x0000d480 in main (argc=3, argv=0xbffff81c, envp=0xbffff82c) at ../../shell/js.cpp:5247

Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Crash Signature: [@ JSContext::generatorFor]

A testcase for this bug was already added in the original bug (bug 588362).

Flags: in-testsuite-