(Reporter: decoder, Assigned: anba)
The following testcase crashes on mozilla-central revision 87829648b0e5 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

const dbg = new Debugger();
let g = newGlobal({ newCompartment: true });
let gw = dbg.addDebuggee(g);
  async function* f2(x) {}
dbg.onEnterFrame = frame => {
  frame.onPop = p => p;
let it2 = g.f2(123);
let p2 =;
received signal SIGSEGV, Segmentation fault.
#0  0x00005555559edcd9 in JSContext::runtime (this=<optimized out>) at js/src/vm/JSContext.h:394
#1  JSContext::interpreterStack (this=<optimized out>) at js/src/vm/JSContext.h:472
#2  js::InterpreterActivation::resumeGeneratorFrame (this=this@entry=0x7fffffffc0f0, callee=callee@entry=..., envChain=envChain@entry=...) at js/src/vm/Stack-inl.h:963
#3  0x00005555559e8151 in js::AbstractGeneratorObject::resume (cx=<optimized out>, activation=..., genObj=..., arg=...) at js/src/vm/GeneratorObject.cpp:165
#4  0x0000555555883761 in Interpret (cx=0x7ffff5f27000, state=...) at js/src/vm/Interpreter.cpp:4084
#5  0x000055555588bbaa in js::RunScript (cx=0x7ffff5f27000, state=...) at js/src/vm/Interpreter.cpp:422
#6  0x000055555588c2ea in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff5f27000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:562
#7  0x000055555588d4e2 in InternalCall (args=..., cx=0x7ffff5f27000) at js/src/vm/Interpreter.cpp:589
#8  js::Call (cx=cx@entry=0x7ffff5f27000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:605
#9  0x0000555555b2de9f in js::CallSelfHostedFunction (cx=cx@entry=0x7ffff5f27000, name=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/SelfHosting.cpp:1943
#10 0x000055555592cd5c in js::AsyncGeneratorResume (cx=cx@entry=0x7ffff5f27000, asyncGenObj=asyncGenObj@entry=..., completionKind=completionKind@entry=js::CompletionKind::Normal, argument=..., argument@entry=...) at js/src/vm/AsyncIteration.cpp:373
#11 0x00005555558fcb87 in AsyncGeneratorResumeNext (cx=cx@entry=0x7ffff5f27000, generator=generator@entry=..., kind=<optimized out>, kind@entry=ResumeNextKind::Enqueue, valueOrException_=..., done=<optimized out>, done@entry=false) at js/src/builtin/Promise.cpp:4429
#12 0x00005555558fdcdb in js::AsyncGeneratorEnqueue (cx=0x7ffff5f27000, asyncGenVal=..., completionKind=completionKind@entry=js::CompletionKind::Normal, completionValue=..., result=...) at js/src/builtin/Promise.cpp:4486
#13 0x000055555591bd94 in AsyncGeneratorNext (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/AsyncIteration.cpp:129
#14 0x000055555588c181 in CallJSNative (args=..., native=0x55555591bd60 <AsyncGeneratorNext(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff5f27000) at js/src/vm/Interpreter.cpp:442
#33 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11369
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
user:        André Bargull
date:        Tue Mar 26 16:26:42 2019 +0000
summary:     Bug 1530754 - Part 3: Don't create unnecessary iterator result objects in async generators. r=arai

This iteration took 538.282 seconds to run.

Andre, is bug 1530754 a likely regressor?

Similar to AutoSetGeneratorRunning, AdjustGeneratorResumptionValue also needs to modify the
async-generator state in addition to the shared generator state.
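The invariant behind that comment, as an added toy model written for this page (not SpiderMonkey code and not the engine's real control flow): a generator object carries a shared generator state, and an async generator additionally carries its own state machine and request queue. The names `adjustResumptionValue`, `resumeNext` and `forcedReturnThenNext` are assumptions of this model; the buggy variant closes only the shared state on a forced return, so the next enqueued request still tries to resume a frame that no longer exists.

```javascript
// Toy model, constructed for illustration; not engine code.
class AsyncGeneratorObject {
  constructor() {
    this.genClosed = false;           // shared generator state (closed?)
    this.state = "suspendedStart";    // async-generator state machine
    this.queue = [];                  // pending next()/return()/throw() requests
  }
}

// Models AdjustGeneratorResumptionValue handling a forced {return: v}
// completion coming from a Debugger onPop hook. With syncAsyncState=false
// only the shared state is updated (the buggy behaviour); with true both are.
function adjustResumptionValue(agen, completion, { syncAsyncState }) {
  if (!("return" in completion)) return;
  agen.genClosed = true;             // shared state: generator is done
  if (syncAsyncState) {
    agen.state = "completed";        // async state must follow suit
  }
}

// Models AsyncGeneratorResumeNext: decides whether the frame is resumed.
function resumeNext(agen) {
  if (agen.queue.length === 0) return "idle";
  if (agen.state === "completed") {
    agen.queue.shift();
    return "resolved-done";          // request resolves with done: true
  }
  if (agen.genClosed) {
    // The async state still claims a suspended frame, but the shared state
    // says it is gone: the engine would touch a popped frame here.
    throw new Error("resume on closed generator: inconsistent state");
  }
  agen.state = "executing";
  agen.queue.shift();
  return "resumed";
}

// Force a return on a fresh async generator, then enqueue a next() request.
function forcedReturnThenNext(syncAsyncState) {
  const agen = new AsyncGeneratorObject();
  adjustResumptionValue(agen, { return: undefined }, { syncAsyncState });
  agen.queue.push("next");
  try {
    return resumeNext(agen);
  } catch (e) {
    return "crash";
  }
}
```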

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
> Andre, is bug 1530754 a likely regressor?

Yes, another fallout from the changeset.

Assignee: nobody → andrebargull

Pushed by
Adjust async-generator state when manually closing an async-generator. r=arai