[Webkit-unassigned] [Bug 171274] New: ASSERTION FAILED: generator.isConstructor() || generator.derivedContextType() == DerivedContextType::DerivedConstructorContext
bugzilla-daemon at webkit.org
Tue Apr 25 09:01:06 PDT 2017
https://bugs.webkit.org/show_bug.cgi?id=171274
Bug ID: 171274
Summary: ASSERTION FAILED: generator.isConstructor() ||
generator.derivedContextType() ==
DerivedContextType::DerivedConstructorContext
Product: WebKit
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: andre.bargull at gmail.com
svn revision: 215724
Test case:
---
new class extends Object {
  constructor() {
    var f = async(a=super())=>{ super() }
    f()
  }
}
---
Asserts with:
---
ASSERTION FAILED: generator.isConstructor() || generator.derivedContextType() == DerivedContextType::DerivedConstructorContext
---
Stacktrace:
---
#0 0x00007ffff6c4b5af in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:292
#1 0x00007ffff6045f40 in JSC::FunctionCallValueNode::emitBytecode (this=0x7fffad7f4188, generator=..., dst=0x7fffee78e580) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:822
#2 0x00007ffff6018bdd in JSC::BytecodeGenerator::emitNodeInTailPosition (this=0x7fffee78e500, dst=0x7fffee78e580, n=0x7fffad7f4188) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:494
#3 0x00007ffff6018ab3 in JSC::BytecodeGenerator::emitNode (this=0x7fffee78e500, dst=0x7fffee78e580, n=0x7fffad7f4188) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:483
#4 0x00007ffff6053b9a in JSC::ExprStatementNode::emitBytecode (this=0x7fffad7f41d8, generator=..., dst=0x7fffee78e580) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2507
#5 0x00007ffff6060e79 in JSC::BytecodeGenerator::emitNodeInTailPosition (this=0x7fffee78e500, dst=0x7fffee78e580, n=0x7fffad7f41d8) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:467
#6 0x00007ffff6061427 in JSC::SourceElements::emitBytecode (this=0x7fffad7f4150, generator=..., dst=0x7fffee78e580) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2464
#7 0x00007ffff6053a98 in JSC::BlockNode::emitBytecode (this=0x7fffad7f4210, generator=..., dst=0x7fffee78e580) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2484
#8 0x00007ffff6060e79 in JSC::BytecodeGenerator::emitNodeInTailPosition (this=0x7fffee78e500, dst=0x7fffee78e580, n=0x7fffad7f4210) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:467
#9 0x00007ffff6061427 in JSC::SourceElements::emitBytecode (this=0x7fffad7f4140, generator=..., dst=0x7fffee78e580) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:2464
#10 0x00007ffff6061506 in JSC::ScopeNode::emitStatementsBytecode (this=0x7fffee7bd4b0, generator=..., dst=0x7fffee78e580) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:3452
#11 0x00007ffff605a580 in JSC::FunctionNode::emitBytecode (this=0x7fffee7bd4b0, generator=...) at ../../Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:3609
#12 0x00007ffff5ff66ee in JSC::BytecodeGenerator::generate (this=0x7fffee78e500) at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:125
#13 0x00007ffff5fef0bb in JSC::BytecodeGenerator::generate<JSC::FunctionNode*, JSC::UnlinkedFunctionCodeBlock*&, JSC::DebuggerMode&, JSC::VariableEnvironment const*> (vm=...)
at ../../Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:369
#14 0x00007ffff5fec9b8 in JSC::generateUnlinkedFunctionCodeBlock (vm=..., executable=0x7fffadf74260, source=..., kind=JSC::CodeForCall, debuggerMode=JSC::DebuggerOff,
functionKind=JSC::UnlinkedNormalFunction, error=..., parseMode=JSC::SourceParseMode::AsyncArrowFunctionBodyMode) at ../../Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp:71
#15 0x00007ffff5fed781 in JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor (this=0x7fffadf74260, vm=..., source=..., specializationKind=JSC::CodeForCall, debuggerMode=JSC::DebuggerOff, error=...,
parseMode=JSC::SourceParseMode::AsyncArrowFunctionBodyMode) at ../../Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp:212
...
---
Probably related null-pointer crashes with:
---
new class extends Object {
  constructor() {
    var f = async()=>{ super() }
    f()
  }
}
---
and:
---
new class extends Object {
  constructor() {
    var f = async(a=super())=>{ }
    f(0)
  }
}
---