Assertion failure: generator->isAfterAwait(), at vm/AsyncFunction.cpp:150
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox87 | --- | wontfix |
| firefox88 | --- | wontfix |
| firefox89 | --- | verified |
People
(Reporter: decoder, Assigned: yulia)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20210411-1d03336aafcf (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --enable-top-level-await --more-compartments):
m = parseModule(`
await {} ? b : c
`);
m.declarationInstantiation();
m.evaluation();
d = newGlobal();
d.e = this;
d.eval(`
Debugger(e).onExceptionUnwind = function(f) {
return f.eval("")
}
`);
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0000555556cf480e in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) ()
#0 0x0000555556cf480e in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) ()
#1 0x0000555556dc3c7b in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) ()
#2 0x0000555556b86c01 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#11 0x00005555569f59cb in main ()
rax 0x55555584d17c 93824995348860
rbx 0x30d656c009f8 53697136560632
rcx 0x555558000128 93825036976424
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffc2c0 140737488339648
rsp 0x7fffffffc190 140737488339344
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99840 140737353717824
r10 0x0 0
r11 0x0 0
r12 0x7fffffffc101 140737488339201
r13 0x7fffffffc390 140737488339856
r14 0x7ffff6026000 140737320738816
r15 0x30d656c009f8 53697136560632
rip 0x555556cf480e <AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>)+1374>
=> 0x555556cf480e <_ZL19AsyncFunctionResumeP9JSContextN2JS6HandleIPN2js28AsyncFunctionGeneratorObjectEEE10ResumeKindNS2_INS1_5ValueEEE+1374>: movl $0x96,0x0
0x555556cf4819 <_ZL19AsyncFunctionResumeP9JSContextN2JS6HandleIPN2js28AsyncFunctionGeneratorObjectEEE10ResumeKindNS2_INS1_5ValueEEE+1385>: callq 0x555556a7ff8f <abort>
|
Reporter | |
Comment 1•3 years ago
|
||
|
|
Reporter | |
Updated•3 years ago
|
|
Assignee | |
Updated•3 years ago
|
|
||
Comment 2•3 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210412092813-3e349af4587a.
The bug appears to have been introduced in the following build range:
Start: 85d1fafd696aadc3b5f53c79b918c2ebdf48dcb7 (20201204071028)
End: 7d9c82add62dbc4c7ab63f169c2be1a51c611f81 (20201204090051)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=85d1fafd696aadc3b5f53c79b918c2ebdf48dcb7&tochange=7d9c82add62dbc4c7ab63f169c2be1a51c611f81
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 3•3 years ago
|
||
Pushed by ystartsev@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b15e16c741cd Allow debugger to change exception on exception unwind for async modules; r=mgaudet
|
||
Comment 5•3 years ago
|
||
| bugherder | ||
|
|
||
Comment 6•3 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210415214643-48a99646f183.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
Description
•