Crash [@ js::frontend::EmitterScope::prepareForForOfIteratorCloseOnThrow()]
Categories: Core :: JavaScript Engine, defect
Tracking:
Branch | Tracking | Status
---|---|---
firefox-esr128 | --- | unaffected
firefox133 | --- | unaffected
firefox134 | --- | disabled
firefox135 | --- | fixed
People: Reporter: decoder, Assigned: debadree333
References: Regression
Details: 4 keywords, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker]
Attachments: 3 files
The following testcase crashes on mozilla-central revision 20241204-70cf5d90c346 (opt build, run with --fuzzing-safe --ion-offthread-compile=off --enable-explicit-resource-management test.js):
{
using a
for (b of c);
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000b93cb763c844 in js::frontend::EmitterScope::prepareForForOfIteratorCloseOnThrow() ()
#1 0x0000b93cb7688ce4 in js::frontend::ForOfEmitter::emitEnd(unsigned int) ()
#2 0x0000b93cb763bac4 in js::frontend::BytecodeEmitter::emitForOf(js::frontend::ForNode*, js::frontend::EmitterScope const*) ()
#3 0x0000b93cb7621a60 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) ()
#4 0x0000b93cb761e314 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) ()
#5 0x0000b93cb762fd84 in js::frontend::BytecodeEmitter::emitLexicalScope(js::frontend::LexicalScopeNode*) ()
#6 0x0000b93cb761e2f0 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) ()
#7 0x0000b93cb761e314 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) ()
#8 0x0000b93cb761d06c in js::frontend::BytecodeEmitter::emitScript(js::frontend::ParseNode*) ()
#9 0x0000b93cb75dd368 in bool CompileGlobalScriptToStencilAndMaybeInstantiate<mozilla::Utf8Unit>(JSContext*, js::FrontendContext*, js::LifoAlloc&, js::frontend::CompilationInput&, js::frontend::ScopeBindingCache*, JS::SourceText<mozilla::Utf8Unit>&, js::ScopeKind, mozilla::Vector<js::frontend::ExtraBindingInfo, 0ul, js::SystemAllocPolicy>*, mozilla::Variant<RefPtr<js::frontend::CompilationStencil>, js::frontend::CompilationGCOutput*>&) ()
#10 0x0000b93cb7cb82a0 in js::frontend::CompileGlobalScript(JSContext*, js::FrontendContext*, JS::ReadOnlyCompileOptions const&, JS::SourceText<mozilla::Utf8Unit>&, js::ScopeKind) ()
#11 0x0000b93cb7aa65f0 in JSScript* CompileSourceBuffer<mozilla::Utf8Unit>(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceText<mozilla::Utf8Unit>&) [clone .llvm.16757164880143669552] ()
#12 0x0000b93cb7aa69bc in JS::CompileUtf8File(JSContext*, JS::ReadOnlyCompileOptions const&, _IO_FILE*) ()
#13 0x0000b93cb79cf65c in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) ()
#14 0x0000b93cb79cf310 in Process(JSContext*, char const*, bool, FileKind) ()
#15 0x0000b93cb757cbf8 in main ()
x0 0xf170cc00 281474732444672
x1 0xaf 175
x2 0xf170c308 281474732442376
x3 0x0 0
x4 0x20010062 536936546
x5 0x17f 383
x6 0x0 0
x7 0x1 1
x8 0x0 0
x9 0x3b9 953
x10 0xb6fee1ee 203670419333614
x11 0x8 8
x12 0x8 8
x13 0x1 1
x14 0xffffffff 4294967295
x15 0x1 1
x16 0x0 0
x17 0x52dd4352 269875660276562
x18 0xf170d758 281474732447576
x19 0xf170c1e0 281474732442080
x20 0x1c 28
x21 0xf170e8d0 281474732452048
x22 0x57bbf110 269875741978896
x23 0x0 0
x24 0x0 0
x25 0x0 0
x26 0xf170e8d8 281474732452056
x27 0xf170e8a0 281474732452000
x28 0xf170dc10 281474732448784
x29 0xf170c140 281474732441920
x30 0xb7688ce4 203670426258660
sp 0xf170c140 281474732441920
pc 0xb93cb763c844 <js::frontend::EmitterScope::prepareForForOfIteratorCloseOnThrow()+68>
cpsr [ EL=0 BTYPE=0 SSBS N ]
fpcsr void
fpcr [ RMode=0 ]
=> 0xb93cb763c844 <_ZN2js8frontend12EmitterScope35prepareForForOfIteratorCloseOnThrowEv+68>: str w9, [x8]
0xb93cb763c848 <_ZN2js8frontend12EmitterScope35prepareForForOfIteratorCloseOnThrowEv+72>: bl 0xb93cb79db66c <abort>
Happens very frequently. I think this started after landing one of the previous fixes for the using feature.
Comment 1•2 months ago (Reporter)
Comment 2•2 months ago (Reporter)
Comment 3•2 months ago (Reporter)
Would be good to prioritize this one as it is very easy to hit, therefore creating more crashes in fuzzing than other issues. Thanks!
Comment 4•2 months ago (Assignee)
Oh no! Looking at it at the earliest, thank you!
Comment 5•2 months ago
Verified bug as reproducible on mozilla-central 20241204215713-9a8cc59e9dab.
The bug appears to have been introduced in the following build range:
Start: c1acf137ed794e8b553c1f40512d21090d1a9b7c (20241114072145)
End: e299ddd844812c1cd97440fd74eb94e0736fbbe9 (20241114100954)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c1acf137ed794e8b553c1f40512d21090d1a9b7c&tochange=e299ddd844812c1cd97440fd74eb94e0736fbbe9
Comment 6•2 months ago
Based on comment #5, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.
:debadree333, if possible, could you fill the Regressed by field and investigate this regression?
For more information, please visit BugBot documentation.
Comment 7•2 months ago
Set release status flags based on info from the regressing bug 1927195
Comment 8•2 months ago (Assignee)
Comment 10•2 months ago (bugherder)
Comment 11•2 months ago
Verified bug as fixed on rev mozilla-central 20241206092831-34cbc79fe32c.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.