Closed Bug 1547039 Opened 4 months ago Closed 4 months ago

Crash [@ js::InterpreterActivation::resumeGeneratorFrame] or Crash [@ JSContext::runtime] or Assertion failure: !asyncGenObj->isClosed() (closed generator when resuming async generator), at vm/AsyncIteration.cpp:358 with Debugger

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla68
Tracking Status:
firefox-esr60 --- unaffected
firefox67 --- unaffected
firefox68 --- fixed

People
Reporter: decoder, Assigned: anba

References
Blocks 1 open bug, Regression

Details
5 keywords, Whiteboard: [jsbugmon:update]

Attachments: 1 file
The following testcase crashes on mozilla-central revision 87829648b0e5 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

const dbg = new Debugger();
let g = newGlobal({ newCompartment: true });
let gw = dbg.addDebuggee(g);
g.eval(`
  async function* f2(x) {}
`);
dbg.onEnterFrame = frame => {
  frame.onPop = p => p;
};
let it2 = g.f2(123);
let p2 = it2.next();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555559edcd9 in JSContext::runtime (this=<optimized out>) at js/src/vm/JSContext.h:394
#1  JSContext::interpreterStack (this=<optimized out>) at js/src/vm/JSContext.h:472
#2  js::InterpreterActivation::resumeGeneratorFrame (this=this@entry=0x7fffffffc0f0, callee=callee@entry=..., envChain=envChain@entry=...) at js/src/vm/Stack-inl.h:963
#3  0x00005555559e8151 in js::AbstractGeneratorObject::resume (cx=<optimized out>, activation=..., genObj=..., arg=...) at js/src/vm/GeneratorObject.cpp:165
#4  0x0000555555883761 in Interpret (cx=0x7ffff5f27000, state=...) at js/src/vm/Interpreter.cpp:4084
#5  0x000055555588bbaa in js::RunScript (cx=0x7ffff5f27000, state=...) at js/src/vm/Interpreter.cpp:422
#6  0x000055555588c2ea in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff5f27000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:562
#7  0x000055555588d4e2 in InternalCall (args=..., cx=0x7ffff5f27000) at js/src/vm/Interpreter.cpp:589
#8  js::Call (cx=cx@entry=0x7ffff5f27000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:605
#9  0x0000555555b2de9f in js::CallSelfHostedFunction (cx=cx@entry=0x7ffff5f27000, name=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/SelfHosting.cpp:1943
#10 0x000055555592cd5c in js::AsyncGeneratorResume (cx=cx@entry=0x7ffff5f27000, asyncGenObj=asyncGenObj@entry=..., completionKind=completionKind@entry=js::CompletionKind::Normal, argument=..., argument@entry=...) at js/src/vm/AsyncIteration.cpp:373
#11 0x00005555558fcb87 in AsyncGeneratorResumeNext (cx=cx@entry=0x7ffff5f27000, generator=generator@entry=..., kind=<optimized out>, kind@entry=ResumeNextKind::Enqueue, valueOrException_=..., done=<optimized out>, done@entry=false) at js/src/builtin/Promise.cpp:4429
#12 0x00005555558fdcdb in js::AsyncGeneratorEnqueue (cx=0x7ffff5f27000, asyncGenVal=..., completionKind=completionKind@entry=js::CompletionKind::Normal, completionValue=..., result=...) at js/src/builtin/Promise.cpp:4486
#13 0x000055555591bd94 in AsyncGeneratorNext (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/AsyncIteration.cpp:129
#14 0x000055555588c181 in CallJSNative (args=..., native=0x55555591bd60 <AsyncGeneratorNext(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff5f27000) at js/src/vm/Interpreter.cpp:442
[...]
#33 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11369
rip	0x5555559edcd9 <js::InterpreterActivation::resumeGeneratorFrame(JS::Handle<JSFunction*>, JS::Handle<JSObject*>)+57>
=> 0x5555559edcd9 <js::InterpreterActivation::resumeGeneratorFrame(JS::Handle<JSFunction*>, JS::Handle<JSObject*>)+57>:	mov    0x30(%rax),%r13
   0x5555559edcdd <js::InterpreterActivation::resumeGeneratorFrame(JS::Handle<JSFunction*>, JS::Handle<JSObject*>)+61>:	lea    0x30(%rbp),%rax
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b86f47596771
user:        André Bargull
date:        Tue Mar 26 16:26:42 2019 +0000
summary:     Bug 1530754 - Part 3: Don't create unnecessary iterator result objects in async generators. r=arai

This iteration took 538.282 seconds to run.

Andre, is bug 1530754 a likely regressor?

Flags: needinfo?(andrebargull)
Regressed by: 1530754

Similar to AutoSetGeneratorRunning, AdjustGeneratorResumptionValue also needs to modify the async-generator state in addition to the shared generator state.

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
> Andre, is bug 1530754 a likely regressor?

Yes, another fallout from the changeset.

Flags: needinfo?(andrebargull)
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
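The comment above describes two representations of one fact going out of sync: the generator frame shared with ordinary generators is closed by the debugger-forced return, while the async-generator state machine still believes the generator can be resumed, so the next() call on the backtrace walks into a closed frame. The following is an added illustrative model of that mismatch and of the fix's shape (not SpiderMonkey code; all class, field and function names are simplified stand-ins, and the scenario assumes the generator is closed by a debugger hook before next() resumes it, as in the testcase).

```javascript
// Added model, not SpiderMonkey code: an async generator carrying two pieces
// of state, the shared generator frame (`frame`, null once closed) and the
// async-generator specific state machine (`state`) with its request queue.
class ModelAsyncGenerator {
  constructor() {
    this.frame = { pc: 0 };          // suspended frame to resume into
    this.state = "suspendedStart";   // async-generator specific state
    this.queue = [];                 // pending next() requests
  }
  isClosed() { return this.frame === null; }
  isCompleted() { return this.state === "completed"; }

  // Mirrors the AsyncGeneratorEnqueue -> AsyncGeneratorResumeNext path
  // that appears on the backtrace.
  next(value) {
    this.queue.push(value);
    return this.resumeNext();
  }
  resumeNext() {
    const request = this.queue.shift();
    if (this.isCompleted()) return { value: undefined, done: true };
    // The invariant the debug-build assertion checks: never resume a
    // generator whose frame has already been closed.
    if (this.isClosed()) {
      throw new Error("closed generator when resuming async generator");
    }
    this.state = "executing";
    this.frame.pc += 1;              // model: the (empty) body runs to its end
    this.state = "completed";
    this.frame = null;
    return { value: request, done: true };
  }
}

// Debugger-forced return before the fix: only the shared frame is dropped,
// leaving `state` claiming the generator is still resumable.
function forceReturnBuggy(gen) { gen.frame = null; }
// After the fix: the async-generator state is updated alongside the frame.
function forceReturnFixed(gen) { gen.frame = null; gen.state = "completed"; }

// Drive the testcase's shape: close the generator from the hook, then next().
function runScenario(forceReturn) {
  const gen = new ModelAsyncGenerator();
  forceReturn(gen);
  try { return gen.next(123).done ? "completed" : "running"; }
  catch (e) { return "assert: " + e.message; }
}
```

In a release build the real engine has no assertion at this point and instead dereferences the closed frame, which is the SIGSEGV in resumeGeneratorFrame shown above.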

Pushed by ncsoregi@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c3ea428d6b2a
Adjust async-generator state when manually closing an async-generator. r=arai

Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68