[Webkit-unassigned] [Bug 242638] Segfault with top-level await using async generator

Tue Jul 12 12:47:42 PDT 2022

https://bugs.webkit.org/show_bug.cgi?id=242638

Alexey Proskuryakov <ap at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sbarati at apple.com,
                   |                            |webkit-bug-importer at group.a
                   |                            |pple.com, ysuzuki at apple.com

--- Comment #1 from Alexey Proskuryakov <ap at webkit.org> ---
I can reproduce a crash on macOS, although the signature appears to be different.

Thread[0] EXC_BAD_ACCESS (SIGSEGV) (0x0000000000000001, 0x0000000000000004)
[  0] 0x00000001a0652b14 JavaScriptCore`JSC::BytecodeGenerator::emitYieldPoint(JSC::RegisterID*, JSC::JSAsyncGenerator::AsyncGeneratorSuspendReason) + 120

     0x00000001a0652b04:     ldrb w9, [x9, #0x2a]
     0x00000001a0652b08:      mov w10, #-0x6001
     0x00000001a0652b0c:      lsr w9, w10, w9
     0x00000001a0652b10:      and w23, w9, #0x1
 ->  0x00000001a0652b14:      ldr w24, [x8, #0x4]
     0x00000001a0652b18:      ldr w25, [x0, #0x4]
     0x00000001a0652b1c:      mov x0, x19
     0x00000001a0652b20:      mov x1, x24
     0x00000001a0652b24:      mov x2, x23

[  1] 0x00000001a0652af3 JavaScriptCore`JSC::BytecodeGenerator::emitYieldPoint(JSC::RegisterID*, JSC::JSAsyncGenerator::AsyncGeneratorSuspendReason) + 87
[  2] 0x00000001a06533c3 JavaScriptCore`JSC::BytecodeGenerator::emitYield(JSC::RegisterID*, JSC::JSAsyncGenerator::AsyncGeneratorSuspendReason) + 35
[  3] 0x00000001a064f7c7 JavaScriptCore`JSC::BytecodeGenerator::emitIteratorGenericClose(JSC::RegisterID*, JSC::ThrowableExpressionData const*, JSC::EmitAwait) + 1267
[  4] 0x00000001a064de47 JavaScriptCore`JSC::BytecodeGenerator::emitGenericEnumeration(JSC::ThrowableExpressionData*, JSC::ExpressionNode*, WTF::ScopedLambda<void (JSC::BytecodeGenerator&, JSC::RegisterID*)> const&, JSC::ForOfNode*, JSC::RegisterID*) + 2591
[  5] 0x00000001a0672017 JavaScriptCore`JSC::ForOfNode::emitBytecode(JSC::BytecodeGenerator&, JSC::RegisterID*) + 211

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220712/1221b6c0/attachment-0001.htm>