Closed Bug 1629503 Opened 5 years ago Closed 5 years ago

Assertion failure: !doneValue.isMagic(), at jit/JitFrames.cpp:118

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla77
Tracking Flags:
Tracking Status
firefox-esr68 --- wontfix
firefox75 --- wontfix
firefox76 --- wontfix
firefox77 --- verified

People

(Reporter: decoder, Assigned: jandem)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisect])

Attachments

(2 files)

Testcase
307 bytes, text/plain
Details
Bug 1629503 - Set the hasTryBlock flag for JSOp::TryDestructuring. r?arai!
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20200410-82d84da94d8d (debug build, run with --fuzzing-safe --no-threads --ion-warmup-threshold=1 --baseline-warmup-threshold=0 --disable-oom-functions):

function testWithAwait() {
  const g37 = newGlobal({newCompartment: true});
  const dbg = new Debugger(g37);
  g37.eval(`
    async function f() {
      await p;
    };
  `);
  dbg.onEnterFrame = function(frame) { 
    [ , dbg ] = [];
  }
  g37.eval("var y;");
  g37.eval("var p = f();");
}
testWithAwait();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x000055555669a543 in js::jit::HandleException(js::jit::ResumeFromException*) ()
#1  0x00000a0d3c45b766 in ?? ()
[...]
#5  0x0000000000000000 in ?? ()
rax	0x555556e90eb9	93825018695353
rbx	0x7ffff5eeeaa4	140737319463588
rcx	0x555557f4d850	93825036245072
rdx	0x0	0
rsi	0x7ffff6efd770	140737336301424
rdi	0x7ffff6efc540	140737336296768
rbp	0x7fffffffa270	140737488331376
rsp	0x7fffffff9c40	140737488329792
r8	0x7ffff6efd770	140737336301424
r9	0x7ffff7f9bd00	140737353727232
r10	0x0	0
r11	0x0	0
r12	0x7fffffffa290	140737488331408
r13	0xaaaaaaaaaaaaaaaa	-6148914691236517206
r14	0x7fffffffa1a0	140737488331168
r15	0x7ffff5e27000	140737318645760
rip	0x55555669a543 <js::jit::HandleException(js::jit::ResumeFromException*)+11731>
=> 0x55555669a543 <_ZN2js3jit15HandleExceptionEPNS0_19ResumeFromExceptionE+11731>:	movl   $0x76,0x0
   0x55555669a54e <_ZN2js3jit15HandleExceptionEPNS0_19ResumeFromExceptionE+11742>:	callq  0x5555558167f6 <abort>
Attached file Testcase
Flags: needinfo?(jdemooij)
Priority: -- → P1

It's basically like a try-catch so we have to ensure we don't optimize away
the done/iter stack slots.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/cb9f27043c05 Set the hasTryBlock flag for JSOp::TryDestructuring. r=arai

https://hg.mozilla.org/mozilla-central/rev/cb9f27043c05

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox77: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla77
Status: RESOLVED → VERIFIED
status-firefox77: fixedverified
Keywords: bugmon
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200423145559-03626342f6e6. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: