Crash [@ ??] with generator function
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox-esr102 | --- | unaffected |
| firefox101 | --- | unaffected |
| firefox102 | --- | unaffected |
| firefox103 | --- | verified |
People
(Reporter: decoder, Assigned: jandem)
References
(Regression)
Details
(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Crash Data
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20220610-d62480e627da (debug build, run with --fuzzing-safe --ion-offthread-compile=off --ion-warmup-threshold=0 --blinterp-eager):
function* a() {
try {
yield;
} finally {
for (b = 0; b < 100; b++);
}
}
c = a();
c.next();
c.return();
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x00003f0b0832c459 in ?? ()
#0 0x00003f0b0832c459 in ?? ()
#1 0x0000000000009041 in ?? ()
#2 0x00002139e8800578 in ?? ()
#3 0x0000000000000000 in ?? ()
rax 0xd390bb49c03350 59550354156565328
rbx 0x1f00d2e3e030 34088398610480
rcx 0xfffe2139e8800728 -526417355864280
rdx 0x7ffff6c00ee0 140737333169888
rsi 0x0 0
rdi 0x7ffff6c00ee0 140737333169888
rbp 0x7fffffffb7a8 140737488336808
rsp 0x7fffffffb7b8 140737488336824
r8 0x0 0
r9 0x154612444a9e 23390698359454
r10 0x7ffff60cd880 140737321425024
r11 0x7ffff60183a4 140737320682404
r12 0x8 8
r13 0x7fffffffc118 140737488339224
r14 0x0 0
r15 0x3f0b08304c30 69316614573104
rip 0x3f0b0832c459 69316614734937
=> 0x3f0b0832c459: mov (%rax),%rax
0x3f0b0832c45c: mov 0x8(%rax),%rax
Marking s-s because we are crashing on a random address.
|
Reporter | |
Comment 1•3 years ago
|
||
|
|
Reporter | |
Comment 2•3 years ago
|
||
|
||
Comment 3•3 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220610035534-d62480e627da.
The bug appears to have been introduced in the following build range:
Start: 46c9d33f30a72f140193302ff4b64122fb3b3705 (20220609133354)
End: 056b37d052bcffdcee89a74c0da3a1c6a806d54e (20220609135206)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=46c9d33f30a72f140193302ff4b64122fb3b3705&tochange=056b37d052bcffdcee89a74c0da3a1c6a806d54e
|
||
Comment 4•3 years ago
|
||
Setting regressed_by field after analyzing regression range found by bugmon.
|
|
||
Comment 5•3 years ago
|
||
Set release status flags based on info from the regressing bug 1770366
|
|
||
Comment 6•3 years ago
|
||
:jandem, since you are the author of the regressor, bug 1770366, could you take a look?
For more information, please visit auto_nag documentation.
|
Assignee | |
Comment 7•3 years ago
|
||
Oops, I didn't notice this is from bug 1770366. I actually fixed the same issue earlier today in another patch stack I'm working on...
|
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 8•3 years ago
|
||
|
|
Assignee | |
Comment 9•3 years ago
|
||
|
||
Comment 10•3 years ago
|
||
|
|
||
Comment 11•3 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220611213147-effe6ef55974.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Comment 12•3 years ago
|
||
Set release status flags based on info from the regressing bug 1770366
|
||
Updated•3 years ago
|
Description
•