Crash [@ js::UnwindIteratorForUncatchableException(JSObject*)] or Assertion failure: !isEmptyIteratorSingleton(), at vm/Iteration.h:346
Categories
(Core :: JavaScript Engine: JIT, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox-esr91 | --- | unaffected |
| firefox92 | --- | unaffected |
| firefox93 | --- | unaffected |
| firefox94 | --- | verified |
People
(Reporter: decoder, Assigned: iain)
References
(Regression)
Details
(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])
Crash Data
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20210919-21f27a8573cb (opt build, run with --fuzzing-safe --ion-offthread-compile=off --baseline-eager):
v11 = undefined;
interruptIf(true);
for (v63 in v11);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555555794798 in js::UnwindIteratorForUncatchableException(JSObject*) ()
#1 0x0000555556286f40 in js::jit::HandleException(js::jit::ResumeFromException*) ()
#2 0x0000327445ac0eeb in ?? ()
#3 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7fffffffc460 140737488340064
rcx 0x7ffff4a0b830 140737297561648
rdx 0x0 0
rsi 0x2 2
rdi 0x1c376dd3e128 31024391381288
rbp 0x7fffffffbf90 140737488338832
rsp 0x7fffffffbf90 140737488338832
r8 0x1 1
r9 0x1c376dd61060 31024391524448
r10 0x9 9
r11 0x7ffff6ec6e10 140737336077840
r12 0xfffe000000000000 -562949953421312
r13 0x7ffff6018018 140737320681496
r14 0x7fffffffc400 140737488339968
r15 0x7ffff6018000 140737320681472
rip 0x555555794798 <js::UnwindIteratorForUncatchableException(JSObject*)+56>
=> 0x555555794798 <_ZN2js37UnwindIteratorForUncatchableExceptionEP8JSObject+56>: mov %rdx,0x38(%rax)
0x55555579479c <_ZN2js37UnwindIteratorForUncatchableExceptionEP8JSObject+60>: mov 0x30(%rcx),%rax
|
Reporter | |
Comment 1•3 years ago
|
||
|
|
Reporter | |
Comment 2•3 years ago
|
||
|
||
Updated•3 years ago
|
|
||
Comment 3•3 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210920102201-29d6504debf5.
The bug appears to have been introduced in the following build range:
Start: 61c4f93eaf75dda3728e2b8efae186c442ee9e2a (20210915085457)
End: 8a9d97b273e76e44939b6ef6c4f9dd5b21ed37d0 (20210915092323)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=61c4f93eaf75dda3728e2b8efae186c442ee9e2a&tochange=8a9d97b273e76e44939b6ef6c4f9dd5b21ed37d0
|
Assignee | |
Comment 4•3 years ago
|
||
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 5•3 years ago
|
||
Took a very quick look at this and then ended up fixing it while writing up my findings. The problem is that we create an iterator for undefined, sync it to the stack for the interrupt check at the loophead of the for-in, and then interrupt. The unwinding code in CloseLiveIteratorsBaselineForUncatchableException finds the iterator on the stack, doesn't realize that it's an empty iterator, and tries to unlink it, which triggers an assert.
The equivalent code for catchable exceptions, closeIterator, has an early return for empty iterators. We should add the same thing to UnwindIteratorForUncatchableException.
|
||
Comment 6•3 years ago
|
||
:iain, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c71e5fccc8e6 Handle empty iterators when unwinding uncatchable exceptions r=jandem
|
||
Comment 8•3 years ago
|
||
| bugherder | ||
|
|
||
Comment 9•3 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210922040913-b6fd43458638.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Description
•