1539132 - Crash [@ mozilla::Span<unsigned int const, 18446744073709551615ul>::operator[]] or Assertion failure: asyncGenObj->isSuspended() (non-suspended generator when resuming async generator), at vm/AsyncIteration.cpp:341

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 4572f6055a6a (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-offthread-compile=off):

let g = newGlobal({newCompartment: true});
g.eval(`async function* f2(x) { await x; return "moar ponies"; }`);
let dbg = new Debugger;
let gw = dbg.addDebuggee(g);
dbg.onEnterFrame = frame => {
    frame.onPop = completion => {
        let genObj = completion.return;
        let result = frame.evalWithBindings("genObj.next()", {genObj});
    };
};
let it2 = g.f2(123);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  mozilla::Span<unsigned int const, 18446744073709551615ul>::operator[] (idx=<optimized out>, this=<optimized out>) at dist/include/mozilla/Span.h:679
#1  js::AbstractGeneratorObject::resume (cx=<optimized out>, activation=..., genObj=..., arg=...) at js/src/vm/GeneratorObject.cpp:183
#2  0x000055555587d402 in Interpret (cx=0x7ffff5f16000, state=...) at js/src/vm/Interpreter.cpp:4084
#3  0x00005555558864c3 in js::RunScript (cx=0x7ffff5f16000, state=...) at js/src/vm/Interpreter.cpp:422
#4  0x0000555555886b06 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff5f16000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:562
#5  0x0000555555886fa5 in InternalCall (cx=cx@entry=0x7ffff5f16000, args=...) at js/src/vm/Interpreter.cpp:589
#6  0x0000555555887018 in js::Call (cx=cx@entry=0x7ffff5f16000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:605
#7  0x0000555555b141ff in js::CallSelfHostedFunction (cx=cx@entry=0x7ffff5f16000, name=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/SelfHosting.cpp:1919
#8  0x00005555559123a9 in js::AsyncGeneratorResume (cx=cx@entry=0x7ffff5f16000, asyncGenObj=asyncGenObj@entry=..., completionKind=completionKind@entry=js::CompletionKind::Normal, argument=..., argument@entry=...) at js/src/vm/AsyncIteration.cpp:352
#9  0x00005555558e5f7e in AsyncGeneratorResumeNext (cx=cx@entry=0x7ffff5f16000, unwrappedGenerator=unwrappedGenerator@entry=..., kind=<optimized out>, kind@entry=ResumeNextKind::Enqueue, valueOrException_=..., done=<optimized out>, done@entry=false) at js/src/builtin/Promise.cpp:4086
#10 0x00005555558e7145 in js::AsyncGeneratorEnqueue (cx=0x7ffff5f16000, asyncGenVal=..., completionKind=completionKind@entry=js::CompletionKind::Normal, completionValue=..., result=...) at js/src/builtin/Promise.cpp:4143
#11 0x0000555555903b64 in AsyncGeneratorNext (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/AsyncIteration.cpp:118
#12 0x0000555555886934 in CallJSNative (args=..., native=0x555555903b30 <AsyncGeneratorNext(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff5f16000) at js/src/vm/Interpreter.cpp:442
#13 js::InternalCallOrConstruct (cx=0x7ffff5f16000, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:534
#14 0x000055555587a6a6 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:593
#15 Interpret (cx=0x7ffff5f16000, state=...) at js/src/vm/Interpreter.cpp:3075
#16 0x00005555558864c3 in js::RunScript (cx=0x7ffff5f16000, state=...) at js/src/vm/Interpreter.cpp:422
#17 0x0000555555888afc in js::ExecuteKernel (cx=cx@entry=0x7ffff5f16000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=result@entry=0x7fffffffac40) at js/src/vm/Interpreter.cpp:781
#18 0x000055555596acf5 in EvaluateInEnv (rval=..., lineno=<optimized out>, filename=<optimized out>, chars=..., frame=..., env=..., cx=0x7ffff5f16000) at js/src/vm/Debugger.cpp:9281
#19 DebuggerGenericEval (cx=cx@entry=0x7ffff5f16000, chars=..., bindings=..., bindings@entry=..., options=..., resumeMode=@0x7fffffffb4dc: 32767, value=..., dbg=<optimized out>, envArg=..., iter=<optimized out>) at js/src/vm/Debugger.cpp:9369
#20 0x000055555596b180 in js::DebuggerFrame::eval (cx=cx@entry=0x7ffff5f16000, frame=..., frame@entry=..., chars=..., bindings=bindings@entry=..., options=..., resumeMode=@0x7fffffffb4dc: 32767, value=...) at js/src/vm/Debugger.cpp:9393
#21 0x000055555596b9c5 in js::DebuggerFrame::evalWithBindingsMethod (cx=0x7ffff5f16000, argc=2, vp=0x7ffff5fda1f0) at js/src/vm/Debugger.cpp:10013
#22 0x0000555555886934 in CallJSNative (args=..., native=0x55555596b660 <js::DebuggerFrame::evalWithBindingsMethod(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff5f16000) at js/src/vm/Interpreter.cpp:442
#23 js::InternalCallOrConstruct (cx=0x7ffff5f16000, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:534
#24 0x000055555587a6a6 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:593
#25 Interpret (cx=0x7ffff5f16000, state=...) at js/src/vm/Interpreter.cpp:3075
#26 0x00005555558864c3 in js::RunScript (cx=0x7ffff5f16000, state=...) at js/src/vm/Interpreter.cpp:422
#27 0x0000555555886b06 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff5f16000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:562
#28 0x0000555555886fa5 in InternalCall (cx=cx@entry=0x7ffff5f16000, args=...) at js/src/vm/Interpreter.cpp:589
#29 0x0000555555887018 in js::Call (cx=cx@entry=0x7ffff5f16000, fval=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:605
#30 0x0000555555976909 in js::Call (cx=cx@entry=0x7ffff5f16000, fval=..., fval@entry=..., thisObj=<optimized out>, arg0=..., arg0@entry=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.h:106
#31 0x000055555593a007 in js::ScriptedOnPopHandler::onPop (this=0x7ffff5fbc360, cx=0x7ffff5f16000, frame=..., resumeMode=@0x7fffffffbf9c: js::ResumeMode::Return, vp=...) at js/src/vm/Debugger.cpp:8843
#32 0x0000555555971212 in js::Debugger::slowPathOnLeaveFrame (cx=<optimized out>, frame=..., pc=0x7ffff4d7baee <incomplete sequence \312>, frameOk=<optimized out>) at js/src/vm/Debugger.cpp:1066
#33 0x0000555555878a6a in Interpret (cx=0x7ffff5f16000, state=...) at js/src/vm/Interpreter.cpp:4397
#34 0x00005555558864c3 in js::RunScript (cx=0x7ffff5f16000, state=...) at js/src/vm/Interpreter.cpp:422
#35 0x0000555555886b06 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff5f16000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:562
#36 0x0000555555886fa5 in InternalCall (cx=cx@entry=0x7ffff5f16000, args=...) at js/src/vm/Interpreter.cpp:589
#37 0x0000555555887018 in js::Call (cx=cx@entry=0x7ffff5f16000, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:605
#38 0x0000555555c45267 in js::ForwardingProxyHandler::call (this=<optimized out>, cx=0x7ffff5f16000, proxy=..., args=...) at js/src/proxy/Wrapper.cpp:162
#39 0x0000555555c33499 in js::CrossCompartmentWrapper::call (this=0x55555750b260 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff5f16000, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:238
#40 0x0000555555c3e56a in js::Proxy::call (cx=cx@entry=0x7ffff5f16000, proxy=..., proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:503
#41 0x0000555555886e78 in js::InternalCallOrConstruct (cx=0x7ffff5f16000, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:508
#42 0x000055555587a6a6 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:593
#43 Interpret (cx=0x7ffff5f16000, state=...) at js/src/vm/Interpreter.cpp:3075
#44 0x00005555558864c3 in js::RunScript (cx=0x7ffff5f16000, state=...) at js/src/vm/Interpreter.cpp:422
[...]
#53 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11259
rax	0x555557543120	93825025716512
rbx	0x55555657bbd0	93825009171408
rcx	0x7fffffff9890	140737488328848
rdx	0x3	3
rsi	0x7ffff5f59130	140737319899440
rdi	0x7fffffff9890	140737488328848
rbp	0x7fffffff9d20	140737488330016
rsp	0x7fffffff9880	140737488328832
r8	0x1	1
r9	0x7ffff5fda378	140737320428408
r10	0x8	8
r11	0x80	128
r12	0x7fffffff	2147483647
r13	0x180c4dfc40d0	26441127051472
r14	0x1	1
r15	0x0	0
rip	0x5555559cf16e <js::AbstractGeneratorObject::resume(JSContext*, js::InterpreterActivation&, JS::Handle<js::AbstractGeneratorObject*>, JS::Handle<JS::Value>)+718>
=> 0x5555559cf16e <js::AbstractGeneratorObject::resume(JSContext*, js::InterpreterActivation&, JS::Handle<js::AbstractGeneratorObject*>, JS::Handle<JS::Value>)+718>:	movl   $0x0,0x0
   0x5555559cf179 <js::AbstractGeneratorObject::resume(JSContext*, js::InterpreterActivation&, JS::Handle<js::AbstractGeneratorObject*>, JS::Handle<JS::Value>)+729>:	ud2

Comment 1

[André Bargull [:anba]]

Bisection will probably end up pointing to me, because I last touched that code, even though, I guess, the underlying issue is a pre-existing problem.

Comment 2

[Fuzzing Team]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/135c13d4ceba
user:        André Bargull
date:        Mon Feb 25 05:09:51 2019 -0800
summary:     Bug 1530324 - Part 4: Remove wrapper function for async generators. r=arai

This iteration took 536.699 seconds to run.

Comment 3

[Jason Orendorff [:jorendorff]]

Arai, would you please take a look?

Comment 4

[André Bargull [:anba]]

Attachment: Bug 1539132 - Part 1: Don't root common-names which are implicitly rooted. r=arai!

Comment 5

[André Bargull [:anba]]

Attachment: Bug 1539132 - Part 2: Create Function constructor instead of silently failing when not present. r=arai!

Depends on D25568

Comment 6

[André Bargull [:anba]]

Attachment: Bug 1539132 - Part 3: Update spec references for async-functions. r=arai!

Depends on D25569

Comment 7

[André Bargull [:anba]]

Attachment: Bug 1539132 - Part 4: Remove unused return-value parameter from promise-reaction job functions. r=arai!

Depends on D25570

Comment 8

[André Bargull [:anba]]

Attachment: Bug 1539132 - Part 5: Add assertions and comments for async-generator states. r=arai!

Depends on D25572

Comment 9

[André Bargull [:anba]]

Attachment: Bug 1539132 - Part 6: Save and restore async-generator state in debugger. r=arai!

Depends on D25573

Comment 10

[Tooru Fujisawa [:arai]]

will review those patches :)

Comment 11

[André Bargull [:anba]]

Try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=c65f2b542b9c9904f1cf2a30c45adaf662202bf1

Comment 12

[Pulsebot]

Pushed by nerli@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f8e989e26332
Part 1: Don't root common-names which are implicitly rooted. r=arai
https://hg.mozilla.org/integration/autoland/rev/784e5f703238
Part 2: Create Function constructor instead of silently failing when not present. r=arai
https://hg.mozilla.org/integration/autoland/rev/33a065112966
Part 3: Update spec references for async-functions. r=arai
https://hg.mozilla.org/integration/autoland/rev/ef5b0d01d900
Part 4: Remove unused return-value parameter from promise-reaction job functions. r=arai
https://hg.mozilla.org/integration/autoland/rev/201c7691d719
Part 5: Add assertions and comments for async-generator states. r=arai
https://hg.mozilla.org/integration/autoland/rev/e1d21ee0fa85
Part 6: Save and restore async-generator state in debugger. r=arai

Comment 13

[Arthur Iakab [arthur_iakab]]

https://hg.mozilla.org/mozilla-central/rev/f8e989e26332
https://hg.mozilla.org/mozilla-central/rev/784e5f703238
https://hg.mozilla.org/mozilla-central/rev/33a065112966
https://hg.mozilla.org/mozilla-central/rev/ef5b0d01d900
https://hg.mozilla.org/mozilla-central/rev/201c7691d719
https://hg.mozilla.org/mozilla-central/rev/e1d21ee0fa85