Closed Bug 1477084 Opened 6 years ago Closed 5 years ago

Assertion failure: generatorVal.isObject(), at js/src/vm/AsyncIteration.cpp:285 with Debugger

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
mozilla68
Tracking Status
firefox-esr60 --- unaffected
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 --- wontfix
firefox66 --- wontfix
firefox67 --- wontfix
firefox68 --- fixed

People

(Reporter: decoder, Assigned: jorendorff)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:testComment=14,origRev=8ec327de0ba7])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 183ee39bf309 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --no-threads):

g = newGlobal();
g.parent = this;
g.eval(`
  Debugger(parent).onExceptionUnwind = function(frame) {
    return frame.eval("");
  }
`);
var obj = {
  async *method({ x: callbackfn = unresolvableReference }) {}
};
obj.method().next().then(() => {}).each ($DONE, $DONE);


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000b03588 in js::AsyncGeneratorObject::create (cx=0x7ffff5f17000, asyncGen=asyncGen@entry=..., generatorVal=generatorVal@entry=...) at js/src/vm/AsyncIteration.cpp:285
#0  0x0000000000b03588 in js::AsyncGeneratorObject::create (cx=0x7ffff5f17000, asyncGen=asyncGen@entry=..., generatorVal=generatorVal@entry=...) at js/src/vm/AsyncIteration.cpp:285
#1  0x0000000000b056e7 in WrappedAsyncGenerator (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/AsyncIteration.cpp:48
#2  0x00000000005bfe13 in CallJSNative (cx=0x7ffff5f17000, native=0xb05380 <WrappedAsyncGenerator(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:444
[...]
#16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9464
rax	0x0	0
rbx	0x7ffff5f17000	140737319628800
rcx	0x7ffff6c282ad	140737333330605
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffc7f0	140737488340976
rsp	0x7fffffffc740	140737488340800
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4780	140737354024832
r10	0x58	88
r11	0x7ffff6b9e7a0	140737332766624
r12	0x1	1
r13	0x7fffffffc860	140737488341088
r14	0x7fffffffc870	140737488341104
r15	0x7fffffffc830	140737488341040
rip	0xb03588 <js::AsyncGeneratorObject::create(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JS::Value>)+936>
=> 0xb03588 <js::AsyncGeneratorObject::create(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JS::Value>)+936>:	movl   $0x0,0x0
   0xb03593 <js::AsyncGeneratorObject::create(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JS::Value>)+947>:	ud2
Maybe from the generator/debugger changes (not sure if they landed though).
Flags: needinfo?(jorendorff)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/09d4547a9714
user:        Jason Orendorff
date:        Fri Jul 06 18:09:05 2018 -0500
summary:     Bug 1471954 - Change behavior of `{return:}` resumption values in generators. r=jimb

This iteration took 282.726 seconds to run.
Jason, do you plan to work on this for 63? Thanks
No; I want to fix this, but it doesn't qualify for backporting. This can only happen with the use of a Debugger API feature that isn't exposed to content and also, IIUC, isn't used by any existing Firefox DevTools code.
Flags: needinfo?(jorendorff)
Priority: -- → P1
Thanks Jason, marking as wontfix for 63 then.
Flags: needinfo?(jorendorff)
Flags: needinfo?(jorendorff)
Flags: needinfo?(jorendorff)
Going to try to investigate this with jimb later today.
I have a partial patch for this. Ran out of time today; need to finish it up Monday.
Flags: needinfo?(jorendorff)
Flags: needinfo?(jorendorff)
Pushed by jorendorff@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/227f1a73b16f
Fix assertion with Debugger forcing return from an async generator before its initial yield. r=jimb
Backed out for spidermonkey bustages on tests/debug/Frame-onStep-generator-resumption-01.js

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception&fromchange=227f1a73b16fba34216e1fb408eca5aeefcf8497&tochange=1e6d3675ae4eaac986ecf27f76b5d2a4cf78b7b7&searchStr=spidermonkey&selectedJob=220001095

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=220001095&repo=autoland&lineNumber=46359

Backout link: https://hg.mozilla.org/integration/autoland/rev/1e6d3675ae4eaac986ecf27f76b5d2a4cf78b7b7

[task 2019-01-04T16:51:13.647Z] Exit code: 3
[task 2019-01-04T16:51:13.647Z] FAIL - debug/Frame-onStep-generator-resumption-01.js
[task 2019-01-04T16:51:13.647Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/debug/Frame-onStep-generator-resumption-01.js | /builds/worker/workspace/build/src/js/src/jit-test/tests/debug/Frame-onStep-generator-resumption-01.js line 4 > eval:2:1 TypeError: can't force return from a generator or async function before the initial yield (code 3, args "--ion-eager --ion-offthread-compile=off --ion-check-range-analysis --ion-extra-checks --no-sse3 --no-threads") [0.0 s]
[task 2019-01-04T16:51:13.647Z] {"action": "test_start", "jitflags": "--ion-eager --ion-offthread-compile=off --ion-check-range-analysis --ion-extra-checks --no-sse3 --no-threads", "pid": 29106, "source": "jittests", "test": "debug/Frame-onStep-generator-resumption-01.js", "thread": "main", "time": 1546620673.608839}
[task 2019-01-04T16:51:13.647Z] {"action": "test_end", "extra": {"jitflags": "--ion-eager --ion-offthread-compile=off --ion-check-range-analysis --ion-extra-checks --no-sse3 --no-threads", "pid": 29106}, "jitflags": "--ion-eager --ion-offthread-compile=off --ion-check-range-analysis --ion-extra-checks --no-sse3 --no-threads", "message": "/builds/worker/workspace/build/src/js/src/jit-test/tests/debug/Frame-onStep-generator-resumption-01.js line 4 > eval:2:1 TypeError: can't force return from a generator or async function before the initial yield", "pid": 29106, "source": "jittests", "status": "FAIL", "test": "debug/Frame-onStep-generator-resumption-01.js", "thread": "main", "time": 1546620673.646848}
[task 2019-01-04T16:51:13.647Z] INFO exit-status     : 3
[task 2019-01-04T16:51:13.647Z] INFO timed-out       : False
[task 2019-01-04T16:51:13.647Z] INFO stderr         2> /builds/worker/workspace/build/src/js/src/jit-test/tests/debug/Frame-onStep-generator-resumption-01.js line 4 > eval:2:1 TypeError: can't force return from a generator or async function before the initial yield
[task 2019-01-04T16:51:13.648Z] INFO stderr         2> Stack:
[task 2019-01-04T16:51:13.648Z] INFO stderr         2> f@/builds/worker/workspace/build/src/js/src/jit-test/tests/debug/Frame-onStep-generator-resumption-01.js line 4 > eval:2:1
[task 2019-01-04T16:51:13.648Z] INFO stderr         2> test@/builds/worker/workspace/build/src/js/src/jit-test/tests/debug/Frame-onStep-generator-resumption-01.js:32:18
[task 2019-01-04T16:51:13.648Z] INFO stderr         2> @/builds/worker/workspace/build/src/js/src/jit-test/tests/debug/Frame-onStep-generator-resumption-01.js:42:20
[task 2019-01-04T16:51:13.648Z] /builds/worker/workspace/build/src/js/src/jit-test/tests/debug/Frame-onStep-generator-resumption-01.js line 4 > eval:2:1 TypeError: can't force return from a generator or async function before the initial yield
[task 2019-01-04T16:51:13.648Z] Stack:
[task 2019-01-04T16:51:13.648Z]   f@/builds/worker/workspace/build/src/js/src/jit-test/tests/debug/Frame-onStep-generator-resumption-01.js line 4 > eval:2:1
[task 2019-01-04T16:51:13.648Z]   test@/builds/worker/workspace/build/src/js/src/jit-test/tests/debug/Frame-onStep-generator-resumption-01.js:32:18
[task 2019-01-04T16:51:13.648Z]   @/builds/worker/workspace/build/src/js/src/jit-test/tests/debug/Frame-onStep-generator-resumption-01.js:42:20
[task 2019-01-04T16:51:13.648Z] Exit code: 3
[task 2019-01-04T16:51:13.648Z] FAIL - debug/Frame-onStep-generator-resumption-01.js
There are also jit-test failures on tests/jit-test/jit-test/tests/debug/Frame-onStep-generator-resumption-01.js
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=220017116&repo=autoland&lineNumber=42785

Here's one way the new code can go wrong:

  1. We fire the onStep hook before the initial yield for a generator.

  2. It returns {return: "banana"}.

  3. CheckResumptionValue is called, it closes the generator and throws an error, because this isn't supported anymore.

  4. BUT then the unhandledExceptionHook fires, and it returns undefined.

  5. Now we continue running the debuggee. But we already closed that generator object, screwing up the state machine. It asserts later.
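
The walkthrough above and the original testcase both turn on the same boundary: the frame the Debugger hook interrupts is executing parameter initialization (a destructuring default that throws a ReferenceError), which runs before the engine has created the generator object and suspended at the initial yield, so there is nothing to hand back when the hook forces a return. The following is an added example, not code from this bug or from SpiderMonkey, that locates that boundary in engine-independent JavaScript. It does not use the Debugger API (which exists only in the SpiderMonkey shell); instead it shows that an error raised in a generator's or async generator's parameter defaults surfaces synchronously from the call, while the same error raised in the body only surfaces from the first next(). The function names and the probe helpers are assumptions for illustration; `unresolvableReference` is deliberately left undefined, mirroring the testcase.

```javascript
// Added example (not from the bug report or from SpiderMonkey).
//
// Per the language spec, FunctionDeclarationInstantiation (which evaluates
// parameter defaults) runs when a generator or async generator is *called*,
// before the generator object is created and suspended at the initial yield.
// An abrupt completion there propagates out of the call itself; there is no
// generator object yet for any observer (such as a Debugger hook) to return.

// `unresolvableReference` is intentionally never defined, as in the testcase,
// so evaluating it throws a ReferenceError.
function* plainGen({ x = unresolvableReference } = {}) {
  yield x;
}

async function* asyncGen({ x = unresolvableReference } = {}) {
  yield x;
}

// Same error, but raised from the body, i.e. after the initial yield
// boundary: the call succeeds and the first next() rejects instead.
async function* asyncGenBodyThrows() {
  yield unresolvableReference;
}

// Invoke a generator function and report whether the call itself threw
// ("call") or returned a generator object ("next", meaning any error can
// only appear once the object is advanced).
function classify(genFn) {
  let gen;
  try {
    gen = genFn();
  } catch (e) {
    return { phase: "call", error: e.constructor.name };
  }
  return { phase: "next", gen };
}

// For async generators, also advance the object once and report where the
// error (if any) actually surfaced.
async function probeAsync(genFn) {
  const r = classify(genFn);
  if (r.phase === "call") {
    return r;
  }
  try {
    await r.gen.next();
    return { phase: "none", error: null };
  } catch (e) {
    return { phase: "next", error: e.constructor.name };
  }
}

// Usage:
//   classify(plainGen)             -> { phase: "call", error: "ReferenceError" }
//   probeAsync(asyncGen)           -> { phase: "call", error: "ReferenceError" }
//   probeAsync(asyncGenBodyThrows) -> { phase: "next", error: "ReferenceError" }
```

The first two results are the situation in this bug: the exception unwinds a frame in which no generator object exists yet, which is exactly why the fix makes a Debugger `{return:}` resumption in that window a TypeError rather than attempting to close a generator that was never created.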

Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
g = newGlobal();
g.parent = this;
g.eval(`
  Debugger(parent).onExceptionUnwind = function(frame) {
    return frame.eval("");
  }
`);
var obj = {
  async *method({ x: callbackfn = unresolvableReference }) {}
};
obj.method().next().then(() => {}).each ($DONE, $DONE);

asserts js shell compiled with --enable-debug on m-c rev 8ec327de0ba7 using --fuzzing-safe --no-threads --no-baseline --no-ion --more-compartments at Assertion failure: generatorVal.isObject(), at js/src/vm/AsyncIteration.cpp:273

Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,testComment=14,origRev=8ec327de0ba7]
Whiteboard: [jsbugmon:update,testComment=14,origRev=8ec327de0ba7] → [jsbugmon:testComment=14,origRev=8ec327de0ba7]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:jorendorff, could you have a look please?

Flags: needinfo?(jorendorff)

This time for sure.

Flags: needinfo?(jorendorff)
Pushed by jorendorff@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/277725a3d886
Fix assertion with Debugger forcing return from an async generator before its initial yield. r=jimb
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Assignee: nobody → jorendorff
Flags: in-testsuite+
Regressed by: 1471954
Has Regression Range: --- → yes