[Webkit-unassigned] [Bug 171274] New: ASSERTION FAILED: generator.isConstructor() || generator.derivedContextType() == DerivedContextType::DerivedConstructorContext

bugzilla-daemon at webkit.org
Tue Apr 25 09:01:06 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=171274

            Bug ID: 171274
           Summary: ASSERTION FAILED: generator.isConstructor() ||
                    generator.derivedContextType() ==
                    DerivedContextType::DerivedConstructorContext
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: andre.bargull at gmail.com

svn revision: 215724

Test case:
---
new class extends Object {
  constructor() {
    var f = async(a=super())=>{ super() }
    f()
  }
}
---


Asserts with:
---
ASSERTION FAILED: generator.isConstructor() || generator.derivedContextType() == DerivedContextType::DerivedConstructorContext
---


Stacktrace:
---
#0  0x00007ffff6c4b5af in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:292
#1  0x00007ffff6045f40 in JSC::FunctionCallValueNode::emitBytecode (this=0x7fffad7f4188, generator=..., dst=0x7fffee78e580) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:822
#2  0x00007ffff6018bdd in JSC::BytecodeGenerator::emitNodeInTailPosition (this=0x7fffee78e500, dst=0x7fffee78e580, n=0x7fffad7f4188) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:494
#3  0x00007ffff6018ab3 in JSC::BytecodeGenerator::emitNode (this=0x7fffee78e500, dst=0x7fffee78e580, n=0x7fffad7f4188) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:483
#4  0x00007ffff6053b9a in JSC::ExprStatementNode::emitBytecode (this=0x7fffad7f41d8, generator=..., dst=0x7fffee78e580) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2507
#5  0x00007ffff6060e79 in JSC::BytecodeGenerator::emitNodeInTailPosition (this=0x7fffee78e500, dst=0x7fffee78e580, n=0x7fffad7f41d8) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:467
#6  0x00007ffff6061427 in JSC::SourceElements::emitBytecode (this=0x7fffad7f4150, generator=..., dst=0x7fffee78e580) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2464
#7  0x00007ffff6053a98 in JSC::BlockNode::emitBytecode (this=0x7fffad7f4210, generator=..., dst=0x7fffee78e580) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2484
#8  0x00007ffff6060e79 in JSC::BytecodeGenerator::emitNodeInTailPosition (this=0x7fffee78e500, dst=0x7fffee78e580, n=0x7fffad7f4210) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:467
#9  0x00007ffff6061427 in JSC::SourceElements::emitBytecode (this=0x7fffad7f4140, generator=..., dst=0x7fffee78e580) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2464
#10 0x00007ffff6061506 in JSC::ScopeNode::emitStatementsBytecode (this=0x7fffee7bd4b0, generator=..., dst=0x7fffee78e580) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:3452
#11 0x00007ffff605a580 in JSC::FunctionNode::emitBytecode (this=0x7fffee7bd4b0, generator=...) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:3609
#12 0x00007ffff5ff66ee in JSC::BytecodeGenerator::generate (this=0x7fffee78e500) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:125
#13 0x00007ffff5fef0bb in JSC::BytecodeGenerator::generate<JSC::FunctionNode*, JSC::UnlinkedFunctionCodeBlock*&, JSC::DebuggerMode&, JSC::VariableEnvironment const*> (vm=...)
    at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:369
#14 0x00007ffff5fec9b8 in JSC::generateUnlinkedFunctionCodeBlock (vm=..., executable=0x7fffadf74260, source=..., kind=JSC::CodeForCall, debuggerMode=JSC::DebuggerOff, 
    functionKind=JSC::UnlinkedNormalFunction, error=..., parseMode=JSC::SourceParseMode::AsyncArrowFunctionBodyMode) at ../../Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp:71
#15 0x00007ffff5fed781 in JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor (this=0x7fffadf74260, vm=..., source=..., specializationKind=JSC::CodeForCall, debuggerMode=JSC::DebuggerOff, error=..., 
    parseMode=JSC::SourceParseMode::AsyncArrowFunctionBodyMode) at ../../Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp:212
...
---


Probably related null-pointer crashes with:
---
new class extends Object {
  constructor() {
    var f = async()=>{ super() }
    f()
  }
}
---

and:
---
new class extends Object {
  constructor() {
    var f = async(a=super())=>{  }
    f(0)
  }
}
---

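Added example, not part of the bug report and not WebKit code: it runs the three shapes from the report (super() reached through an async arrow inside a derived constructor) in a conforming engine such as Node, so the expected language behaviour is visible next to the JSC crashes. The class `Base`, the `outcome` helper and the function names are assumptions of this example; the last case (super() deferred past an await) goes beyond the report to show the related failure mode a practitioner should know about.

```javascript
// Added example, not from the bug report or from WebKit. The class `Base`,
// the `outcome` helper and the function names are my own; everything else is
// plain ES2017 run in a conforming engine such as Node.

class Base {
  constructor() { this.baseInitialised = true; }
}

// Run `thunk` and report whether `new` threw synchronously, and which error.
function outcome(thunk) {
  try {
    return { ok: true, value: thunk() };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Second shape in the report: super() in the body of an async arrow. An async
// function runs synchronously until its first `await`, so `this` is bound by
// the time f() returns, and the constructor can use it and return normally.
function superInAsyncArrowBody() {
  return outcome(() => new class extends Base {
    constructor() {
      const f = async () => { super(); };
      f();
      this.afterSuper = true;
    }
  });
}

// Third shape: super() only in a default parameter. The default is evaluated
// only when no argument is supplied, so f() binds `this`, but f(0), as written
// in the report, skips super() entirely and leaving the constructor throws
// ReferenceError (no crash, just the usual "must call super" check).
function superInDefaultParam(...args) {
  return outcome(() => new class extends Base {
    constructor() {
      const f = async (a = super()) => {};
      f(...args);
    }
  });
}

// First shape: super() in the default parameter and again in the body. The
// first call binds `this`, so `new` succeeds; the second call throws
// ReferenceError inside the async body, which surfaces as a rejected promise
// rather than as a synchronous exception from `new`.
function superTwiceViaAsyncArrow() {
  let pending;
  const result = outcome(() => new class extends Base {
    constructor() {
      const f = async (a = super()) => { super(); };
      pending = f().then(() => 'resolved', (e) => e.constructor.name);
    }
  });
  return { result, pending };
}

// Edge case beyond the report: if super() is deferred past an `await`, the
// constructor returns before `this` is bound, so `new` itself throws
// ReferenceError synchronously. The late super() call is swallowed here.
function superDeferredPastAwait() {
  return outcome(() => new class extends Base {
    constructor() {
      const f = async () => { await Promise.resolve(); super(); };
      f().catch(() => {});
    }
  });
}

// Stand-alone run: print the outcome of each shape.
console.log('async arrow body      :', superInAsyncArrowBody());
console.log('default param, f()    :', superInDefaultParam());
console.log('default param, f(0)   :', superInDefaultParam(0));
console.log('deferred past await   :', superDeferredPastAwait());
superTwiceViaAsyncArrow().pending.then((r) =>
  console.log('super() twice         :', r));  // 'ReferenceError'
```

The point for anyone triaging the report: all three inputs are valid ECMAScript, and the only errors a conforming engine raises are ordinary ReferenceErrors at runtime, so an assertion or null dereference in the bytecode generator is an engine bug in how it tags async arrow bodies (and their parameter initialisers) that live inside a derived constructor, not a malformed test case.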