Closed Bug 1934367 Opened 3 months ago Closed 2 months ago

Assertion failure: state_ == State::Iteration, at frontend/UsingEmitter.cpp:1080

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
135 Branch
Tracking Flags:
Tracking Status
firefox-esr128 --- unaffected
firefox133 --- unaffected
firefox134 --- disabled
firefox135 --- fixed

People

(Reporter: decoder, Assigned: debadree333)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(3 files)

Detailed Crash Information
2.70 KB, text/plain
Details
Testcase
37 bytes, text/plain
Details
Bug 1934367 - Move ForOfDisposalEmitter allocation into ForOfLoopControl. r?arai
48 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20241129-1d6f0bc3f416 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --enable-explicit-resource-management test.js):

for (using a of b)
    for (c of []);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x5ec7abb6 in js::frontend::ForOfDisposalEmitter::emitEnd() ()
#1  0x5ebbff72 in js::frontend::ForOfLoopControl::emitEndCodeNeedingIteratorClose(js::frontend::BytecodeEmitter*) ()
#2  0x5ebbfcd3 in js::frontend::ForOfEmitter::emitEnd(unsigned int) ()
#3  0x5eb943f9 in js::frontend::BytecodeEmitter::emitForOf(js::frontend::ForNode*, js::frontend::EmitterScope const*) ()
#4  0x5eb923d7 in js::frontend::BytecodeEmitter::emitLexicalScope(js::frontend::LexicalScopeNode*) ()
#5  0x5eb8141e in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) ()
#6  0x5eb97dfb in js::frontend::BytecodeEmitter::emitStatementList(js::frontend::ListNode*) ()
#7  0x5eb81286 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) ()
#8  0x5eb84efd in js::frontend::BytecodeEmitter::emitScript(js::frontend::ParseNode*) ()
#9  0x5ebae624 in ScriptCompiler<mozilla::Utf8Unit>::compile(JSContext*, js::frontend::SharedContext*) ()
#10 0x5ebadfb9 in bool CompileGlobalScriptToStencilAndMaybeInstantiate<mozilla::Utf8Unit>(JSContext*, js::FrontendContext*, js::LifoAlloc&, js::frontend::CompilationInput&, js::frontend::ScopeBindingCache*, JS::SourceText<mozilla::Utf8Unit>&, js::ScopeKind, mozilla::Vector<js::frontend::ExtraBindingInfo, 0u, js::SystemAllocPolicy>*, mozilla::Variant<RefPtr<js::frontend::CompilationStencil>, js::frontend::CompilationGCOutput*>&) ()
#11 0x5eb73188 in js::frontend::CompileGlobalScript(JSContext*, js::FrontendContext*, JS::ReadOnlyCompileOptions const&, JS::SourceText<mozilla::Utf8Unit>&, js::ScopeKind) ()
#12 0x5e4fd7c8 in JSScript* CompileSourceBuffer<mozilla::Utf8Unit>(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceText<mozilla::Utf8Unit>&) ()
#13 0x5e4fdddc in JS::CompileUtf8File(JSContext*, JS::ReadOnlyCompileOptions const&, _IO_FILE*) ()
#14 0x5e27f89a in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) ()
#15 0x5e27eef5 in Process(JSContext*, char const*, bool, FileKind) ()
#16 0x5e219c62 in Shell(JSContext*, js::cli::OptionParser*) ()
#17 0x5e21040a in main ()
eax	0x5cc38933	1556318515
ebx	0x5fc45d3c	1606704444
ecx	0x5fc4bc7c	1606728828
edx	0xe998c9a8	-375862872
esi	0xffc10e34	-4125132
edi	0xffc10c90	-4125552
ebp	0xffc10b78	4290841464
esp	0xffc10b50	4290841424
eip	0x5ec7abb6 <js::frontend::ForOfDisposalEmitter::emitEnd()+294>
=> 0x5ec7abb6 <_ZN2js8frontend20ForOfDisposalEmitter7emitEndEv+294>:	movl   $0x438,0x0
   0x5ec7abc0 <_ZN2js8frontend20ForOfDisposalEmitter7emitEndEv+304>:	call   0x5e2a4df0 <abort>
Attached file Testcase

Verified bug as reproducible on mozilla-central 20241201095257-4df19decbcec.
The bug appears to have been introduced in the following build range:

Start: c1acf137ed794e8b553c1f40512d21090d1a9b7c (20241114072145)
End: e299ddd844812c1cd97440fd74eb94e0736fbbe9 (20241114100954)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c1acf137ed794e8b553c1f40512d21090d1a9b7c&tochange=e299ddd844812c1cd97440fd74eb94e0736fbbe9

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

This is another explicit resource management bug. Debadree, please take a look at this one too.

Flags: needinfo?(debadree333)
Regressed by: 1927195

on it aswell!

Flags: needinfo?(debadree333)

Set release status flags based on info from the regressing bug 1927195

status-firefox133: --- → unaffected
status-firefox134: --- → affected
status-firefox-esr128: --- → unaffected
Blocks: 1569081
Severity: -- → S3
Priority: -- → P3
Assignee: nobody → debadree333
Attachment #9442336 - Attachment description: Bug 1934367 - check if using decls are present before emitting disposals in for-of loops. r?arai → Bug 1934367 - Move ForOfDisposalEmitter allocation into ForOfLoopControl. r?arai
Pushed by arai_a@mac.com: https://hg.mozilla.org/integration/autoland/rev/b38314ae3fa4 Move ForOfDisposalEmitter allocation into ForOfLoopControl. r=arai

https://hg.mozilla.org/mozilla-central/rev/b38314ae3fa4

Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 135 Branch

Verified bug as fixed on rev mozilla-central 20241210093052-b16c09f16ef5.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
status-firefox135: disabledfixed
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: