Closed Bug 1634847 Opened 5 months ago Closed 3 months ago

Crash [@ js::DebuggerFrame::setGenerator] or Assertion failure: isObject(), at js/Value.h:721

Categories: Core :: JavaScript Engine, defect, P2
Platform: x86_64 Linux

Tracking

VERIFIED FIXED
mozilla79
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- wontfix
firefox77 --- wontfix
firefox78 --- wontfix
firefox79 --- verified

People

(Reporter: decoder, Assigned: jorendorff)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20200501-0f9c5a59e45d (opt build, run with --fuzzing-safe --ion-offthread-compile=off --more-compartments):

// Debuggee global with a Debugger attached (fuzzer-generated testcase).
var g71 = newGlobal();
var dbg = new Debugger(g71);
dbg.onDebuggerStatement = function handleDebugger(frame) {
    // The onPop hook runs when the generator frame is popped. Inside it, a second
    // Debugger asks for the newest frame, which creates a new generator Debugger.Frame
    // from within onPop; per the backtrace below, the crash is in getNewestFrame(),
    // so the eval (innerFun is undefined in the debuggee) never runs.
    frame.onPop = function handlePop(c39) {
        (new Debugger(g71)).getNewestFrame().eval('assertEq(innerFun(), this)');
    };
};
// Each iteration hits the debugger statement and then yields.
g71.eval("function* g() { for (var i = 0; i < 10; i++) { debugger; yield i; } }");
g71.eval("var t = 0; for (j of g()) t += j; t;");

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000555555b743dd in js::DebuggerFrame::setGenerator(JSContext*, JS::Handle<js::AbstractGeneratorObject*>) ()
#0  0x0000555555b743dd in js::DebuggerFrame::setGenerator(JSContext*, JS::Handle<js::AbstractGeneratorObject*>) ()
#1  0x0000555555b4aa3c in js::DebuggerFrame::create(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::NativeObject*>, js::FrameIter const*, JS::Handle<js::AbstractGeneratorObject*>) ()
#2  0x0000555555b4a581 in js::Debugger::getFrame(JSContext*, js::FrameIter const&, JS::MutableHandle<js::DebuggerFrame*>) ()
#3  0x0000555555b5f94e in js::Debugger::CallData::getNewestFrame() ()
#4  0x0000555555b68436 in bool js::Debugger::CallData::ToNative<&js::Debugger::CallData::getNewestFrame>(JSContext*, unsigned int, JS::Value*) ()
#5  0x000055555578848b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#6  0x0000555555d9d55b in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) ()
#7  0x0000268f578b0c58 in ?? ()
#8  0x8eccfc2c30cfb300 in ?? ()
#9  0x00007fffffff9278 in ?? ()
#10 0x0000000000000000 in ?? ()
Attached file Testcase

I do not think this is a higher priority based on the volume of crashes on beta. (Note: the signature graph above does not show "beta" crashes because the crash reports actually report "aurora" as the release channel.)

Jan or Jason, can you have a brief look at this issue?

Severity: critical → S4
Flags: needinfo?(jorendorff)
Flags: needinfo?(jdemooij)
Priority: -- → P2
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200518152416-a627b6676824.
The bug appears to have been introduced in the following build range:
> Start: b7a24be78d82a8bfafae58fe2c5980df5a3f18ab (20190610234343)
> End: bb62c9157f04f6f2daa35d6d14e2a7252b5d2c61 (20190610234923)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b7a24be78d82a8bfafae58fe2c5980df5a3f18ab&tochange=bb62c9157f04f6f2daa35d6d14e2a7252b5d2c61
Assignee: nobody → jorendorff
Status: NEW → ASSIGNED
Flags: needinfo?(jorendorff)
Flags: needinfo?(jdemooij)
Pushed by jorendorff@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c958e2551f1c
Handle creating a new generator Debugger.Frame from onPop. r=jwalden.
Pushed by jorendorff@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e289767955a9
Handle creating a new generator Debugger.Frame from onPop. r=jwalden.
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200616154959-89a54069f124.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.