Crash [@ js::InterpreterActivation::resumeGeneratorFrame] or Crash [@ JSContext::runtime] or Assertion failure: !asyncGenObj->isClosed() (closed generator when resuming async generator), at vm/AsyncIteration.cpp:358 with Debugger
Categories: Core :: JavaScript Engine, defect

Tracking:

Release | Tracking | Status
---|---|---
firefox-esr60 | --- | unaffected
firefox67 | --- | unaffected
firefox68 | --- | fixed

People: Reporter: decoder, Assigned: anba
References: Regression
Details: 5 keywords, Whiteboard: [jsbugmon:update]
Attachments: 1 file
The following testcase crashes on mozilla-central revision 87829648b0e5 (built with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):
```js
const dbg = new Debugger();
let g = newGlobal({ newCompartment: true });
let gw = dbg.addDebuggee(g);
g.eval(`
async function* f2(x) {}
`);
dbg.onEnterFrame = frame => {
frame.onPop = p => p;
};
let it2 = g.f2(123);
let p2 = it2.next();
```
Backtrace:

```
received signal SIGSEGV, Segmentation fault.
#0 0x00005555559edcd9 in JSContext::runtime (this=<optimized out>) at js/src/vm/JSContext.h:394
#1 JSContext::interpreterStack (this=<optimized out>) at js/src/vm/JSContext.h:472
#2 js::InterpreterActivation::resumeGeneratorFrame (this=this@entry=0x7fffffffc0f0, callee=callee@entry=..., envChain=envChain@entry=...) at js/src/vm/Stack-inl.h:963
#3 0x00005555559e8151 in js::AbstractGeneratorObject::resume (cx=<optimized out>, activation=..., genObj=..., arg=...) at js/src/vm/GeneratorObject.cpp:165
#4 0x0000555555883761 in Interpret (cx=0x7ffff5f27000, state=...) at js/src/vm/Interpreter.cpp:4084
#5 0x000055555588bbaa in js::RunScript (cx=0x7ffff5f27000, state=...) at js/src/vm/Interpreter.cpp:422
#6 0x000055555588c2ea in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff5f27000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:562
#7 0x000055555588d4e2 in InternalCall (args=..., cx=0x7ffff5f27000) at js/src/vm/Interpreter.cpp:589
#8 js::Call (cx=cx@entry=0x7ffff5f27000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:605
#9 0x0000555555b2de9f in js::CallSelfHostedFunction (cx=cx@entry=0x7ffff5f27000, name=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/SelfHosting.cpp:1943
#10 0x000055555592cd5c in js::AsyncGeneratorResume (cx=cx@entry=0x7ffff5f27000, asyncGenObj=asyncGenObj@entry=..., completionKind=completionKind@entry=js::CompletionKind::Normal, argument=..., argument@entry=...) at js/src/vm/AsyncIteration.cpp:373
#11 0x00005555558fcb87 in AsyncGeneratorResumeNext (cx=cx@entry=0x7ffff5f27000, generator=generator@entry=..., kind=<optimized out>, kind@entry=ResumeNextKind::Enqueue, valueOrException_=..., done=<optimized out>, done@entry=false) at js/src/builtin/Promise.cpp:4429
#12 0x00005555558fdcdb in js::AsyncGeneratorEnqueue (cx=0x7ffff5f27000, asyncGenVal=..., completionKind=completionKind@entry=js::CompletionKind::Normal, completionValue=..., result=...) at js/src/builtin/Promise.cpp:4486
#13 0x000055555591bd94 in AsyncGeneratorNext (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/AsyncIteration.cpp:129
#14 0x000055555588c181 in CallJSNative (args=..., native=0x55555591bd60 <AsyncGeneratorNext(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff5f27000) at js/src/vm/Interpreter.cpp:442
[...]
#33 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11369
```
```
rip 0x5555559edcd9 <js::InterpreterActivation::resumeGeneratorFrame(JS::Handle<JSFunction*>, JS::Handle<JSObject*>)+57>
=> 0x5555559edcd9 <js::InterpreterActivation::resumeGeneratorFrame(JS::Handle<JSFunction*>, JS::Handle<JSObject*>)+57>: mov 0x30(%rax),%r13
   0x5555559edcdd <js::InterpreterActivation::resumeGeneratorFrame(JS::Handle<JSFunction*>, JS::Handle<JSObject*>)+61>: lea 0x30(%rbp),%rax
```
Comment 1•5 years ago

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/b86f47596771
user: André Bargull
date: Tue Mar 26 16:26:42 2019 +0000
summary: Bug 1530754 - Part 3: Don't create unnecessary iterator result objects in async generators. r=arai

This iteration took 538.282 seconds to run.
Comment 2•5 years ago

Andre, is bug 1530754 a likely regressor?
Comment 3•5 years ago

Similar to AutoSetGeneratorRunning, AdjustGeneratorResumptionValue also needs to modify the async-generator state in addition to the shared generator state.
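As an added illustration (not code from this bug or from SpiderMonkey), a small JavaScript model of the two state words the comment refers to: the closed flag shared by all generators and the async generator's own state. The field names, state names and function names are assumptions chosen to mirror the description, not the engine's actual fields.

```javascript
// Illustrative model of this bug (added here; not SpiderMonkey code). An async
// generator carries two pieces of state: the closed flag shared with every
// generator, and its own async-generator state word used by the resume queue.
// Field and state names are assumptions, not the engine's actual names.
const AsyncState = Object.freeze({ SUSPENDED_START: 0, EXECUTING: 1, COMPLETED: 2 });

function makeAsyncGenerator() {
  return { frameClosed: false, asyncState: AsyncState.SUSPENDED_START };
}

// Pre-fix AdjustGeneratorResumptionValue: a Debugger onPop handler forces an
// early return, which closes the shared generator frame only.
function forceReturnBuggy(gen) {
  gen.frameClosed = true;
}

// The fix: the async-generator state is adjusted together with the shared
// state, so the two can no longer disagree.
function forceReturnFixed(gen) {
  gen.frameClosed = true;
  gen.asyncState = AsyncState.COMPLETED;
}

// AsyncGeneratorResumeNext then AsyncGeneratorResume: a completed async
// generator is answered from its own state and the frame is never touched;
// otherwise the frame is resumed, which requires it to be open (the
// MOZ_ASSERT in the bug title; an optimized build has no such check and
// resumes the closed frame, the resumeGeneratorFrame crash in the backtrace).
function resumeNext(gen) {
  if (gen.asyncState === AsyncState.COMPLETED) {
    return { ok: true, result: { value: undefined, done: true } };
  }
  if (gen.frameClosed) {
    return { ok: false, error: "closed generator when resuming async generator" };
  }
  gen.asyncState = AsyncState.EXECUTING;
  // f2's empty body runs to completion here.
  gen.frameClosed = true;
  gen.asyncState = AsyncState.COMPLETED;
  return { ok: true, result: { value: undefined, done: true } };
}

// Mirrors the testcase: onPop forces a return, then it2.next() resumes.
function demo(forceReturn) {
  const gen = makeAsyncGenerator();
  forceReturn(gen);
  return resumeNext(gen);
}
```

With the buggy force-return the resume path reaches the closed-frame check; with the fixed one the request is answered as `{ done: true }` from the async-generator state alone.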
Comment 4•5 years ago

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
> Andre, is bug 1530754 a likely regressor?

Yes, another fallout from the changeset.
Comment 5•5 years ago

Try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=e356c6b311fe453b38c2e8ea98fc7e25cd283215

Comment 6•5 years ago

Pushed by ncsoregi@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c3ea428d6b2a
Adjust async-generator state when manually closing an async-generator. r=arai