Closed Bug 1287401 Opened 4 years ago Closed 4 years ago

Assertion failure: cx->compartment() == lazy->functionNonDelazifying()->compartment(), at js/src/frontend/BytecodeCompiler.cpp:813 or Crash/Assert with compartment mismatch involving Promise

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla50
Tracking Status
firefox47 --- unaffected
firefox48 --- unaffected
firefox49 --- unaffected
firefox50 --- fixed

People

(Reporter: decoder, Assigned: till)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update,ignore])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 711963e8daa3 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe):

lfGlobal = newGlobal();                            // second global, i.e. a second compartment
function rejectionTracker() {}                     // callback owned by the main global; compiled lazily on first call
setPromiseRejectionTrackerCallback(rejectionTracker);
offThreadCompileScript(`new Promise(val=>push)`);  // executor throws (push is unbound), so the promise is rejected
lfGlobal.runOffThreadScript();                     // runs in lfGlobal's compartment; the rejection fires the tracker from there
Backtrace:

 received signal SIGSEGV, Segmentation fault.
#0  0x0000000000cb5b00 in js::frontend::CompileLazyFunction (cx=cx@entry=0x7ffff6965000, lazy=lazy@entry=..., chars=0x7ffff304f262 u"() {}\nsetPromiseRejectionTrackerCallback(rejectionTracker);\noffThreadCompileScript(`new Promise(val=>push)`);\nlfGlobal.runOffThreadScript();\n", length=5) at js/src/frontend/BytecodeCompiler.cpp:813
#1  0x00000000008f9a0d in JSFunction::createScriptForLazilyInterpretedFunction (cx=0x7ffff6965000, fun=fun@entry=...) at js/src/jsfun.cpp:1514
#2  0x0000000000462114 in JSFunction::getOrCreateScript (this=<optimized out>, cx=<optimized out>) at js/src/jsfun.h:422
#3  0x0000000000aa27a6 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6965000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:456
#4  0x0000000000aa2a86 in InternalCall (cx=cx@entry=0x7ffff6965000, args=...) at js/src/vm/Interpreter.cpp:498
#5  0x0000000000aa2bde in js::Call (cx=cx@entry=0x7ffff6965000, fval=..., fval@entry=..., thisv=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:517
#6  0x000000000044c5af in ForwardingPromiseRejectionTrackerCallback (cx=0x7ffff6965000, promise=..., state=PromiseRejectionHandlingState::Unhandled, data=<optimized out>) at js/src/shell/js.cpp:700
#7  0x0000000000c3a0aa in js::PromiseObject::onSettled (this=<optimized out>, cx=cx@entry=0x7ffff6965000) at js/src/builtin/Promise.cpp:440
#8  0x0000000000af5900 in intrinsic_onPromiseSettled (cx=cx@entry=0x7ffff6965000, argc=<optimized out>, vp=0x7ffff30592c8) at js/src/vm/SelfHosting.cpp:2257
#9  0x0000000000aa7424 in js::CallJSNative (cx=cx@entry=0x7ffff6965000, native=0xaf5870 <intrinsic_onPromiseSettled(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:232
#10 0x0000000000aa2733 in js::InternalCallOrConstruct (cx=0x7ffff6965000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:453
#11 0x0000000000a966df in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:504
#12 Interpret (cx=0x7ffff6965000, state=...) at js/src/vm/Interpreter.cpp:2873
#13 0x0000000000aa2545 in js::RunScript (cx=cx@entry=0x7ffff6965000, state=...) at js/src/vm/Interpreter.cpp:399
#14 0x0000000000aa2838 in js::InternalCallOrConstruct (cx=0x7ffff6965000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:471
#15 0x0000000000a966df in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:504
#16 Interpret (cx=0x7ffff6965000, state=...) at js/src/vm/Interpreter.cpp:2873
#17 0x0000000000aa2545 in js::RunScript (cx=cx@entry=0x7ffff6965000, state=...) at js/src/vm/Interpreter.cpp:399
#18 0x0000000000aa2838 in js::InternalCallOrConstruct (cx=0x7ffff6965000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:471
#19 0x0000000000a966df in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:504
#20 Interpret (cx=0x7ffff6965000, state=...) at js/src/vm/Interpreter.cpp:2873
#21 0x0000000000aa2545 in js::RunScript (cx=cx@entry=0x7ffff6965000, state=...) at js/src/vm/Interpreter.cpp:399
#22 0x0000000000aa2838 in js::InternalCallOrConstruct (cx=0x7ffff6965000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:471
#23 0x0000000000aa2a86 in InternalCall (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:498
#24 0x0000000000aa2bde in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:517
#25 0x0000000000c39712 in js::PromiseObject::create (cx=cx@entry=0x7ffff6965000, executor=..., executor@entry=..., proto=..., proto@entry=...) at js/src/builtin/Promise.cpp:201
#26 0x0000000000c39b8c in js::PromiseConstructor (cx=cx@entry=0x7ffff6965000, argc=<optimized out>, vp=0x7ffff3059118) at js/src/builtin/Promise.cpp:375
#27 0x0000000000aa7424 in js::CallJSNative (cx=cx@entry=0x7ffff6965000, native=native@entry=0xc39890 <js::PromiseConstructor(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:232
#28 0x0000000000aaacdf in js::CallJSNativeConstructor (cx=cx@entry=0x7ffff6965000, native=0xc39890 <js::PromiseConstructor(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:265
#29 0x0000000000aa3d76 in InternalConstruct (cx=0x7ffff6965000, args=...) at js/src/vm/Interpreter.cpp:544
#30 0x0000000000a9e023 in Interpret (cx=0x7ffff6965000, state=...) at js/src/vm/Interpreter.cpp:2865
#31 0x0000000000aa2545 in js::RunScript (cx=cx@entry=0x7ffff6965000, state=...) at js/src/vm/Interpreter.cpp:399
#32 0x0000000000aa544b in js::ExecuteKernel (cx=cx@entry=0x7ffff6965000, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffffffc8f8) at js/src/vm/Interpreter.cpp:679
#33 0x0000000000aa5a28 in js::Execute (cx=cx@entry=0x7ffff6965000, script=..., script@entry=..., scopeChainArg=..., rval=rval@entry=0x7fffffffc8f8) at js/src/vm/Interpreter.cpp:712
#34 0x00000000008b2bdd in ExecuteScript (cx=cx@entry=0x7ffff6965000, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x7fffffffc8f8) at js/src/jsapi.cpp:4326
#35 0x00000000008b2df9 in JS_ExecuteScript (cx=cx@entry=0x7ffff6965000, scriptArg=scriptArg@entry=..., rval=rval@entry=...) at js/src/jsapi.cpp:4352
#36 0x0000000000446aff in runOffThreadScript (cx=cx@entry=0x7ffff6965000, argc=<optimized out>, vp=0x7fffffffc8f8) at js/src/shell/js.cpp:3945
#37 0x0000000000aa7424 in js::CallJSNative (cx=cx@entry=0x7ffff6965000, native=0x4469c0 <runOffThreadScript(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:232
[...]
#58 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7519
Summary: Assertion failure: cx->compartment() == lazy->functionNonDelazifying()->compartment(), at js/src/frontend/BytecodeCompiler.cpp:813 with Promise → Assertion failure: cx->compartment() == lazy->functionNonDelazifying()->compartment(), at js/src/frontend/BytecodeCompiler.cpp:813 or Crash/Assert with compartment mismatch involving Promise
This is probably responsible for various crashes involving Promise, marking as fuzzblocker.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][fuzzblocker]
Flags: needinfo?(till)
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a80fdfc128b0
user:        Till Schneidereit
date:        Sat Jul 16 15:05:12 2016 +0200
summary:     Bug 911216 - Part 30: Enable SpiderMonkey Promise implementation. r=bz,efaust,bholley,Paolo,tromey,shu

This iteration took 224.808 seconds to run.
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision fe6985c6e616).
This was probably fixed by the backout of Promises on m-c (rev fe6985c6e616 and 69a9474a3206).
Assignee: nobody → till
Status: NEW → ASSIGNED
Flags: needinfo?(till)
Attachment #8772362 - Flags: review?(jdemooij)
Attachment #8772362 - Flags: review?(jdemooij) → review+
Keywords: checkin-needed
OS: Linux → All
Hardware: x86_64 → All
Pushed by cbook@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/6b5a1893be91
Enter the callback's compartment before running it in the JS shell's ForwardingPromiseRejectionTrackerCallback. r=jandem
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/6b5a1893be91
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
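The fix landed above enters the callback's compartment before calling it. The following is an added, self-contained C++ model of that invariant and fix pattern; it is not SpiderMonkey code, and the types (Compartment, Context, Function, AutoCompartment) are stand-ins for the engine's JSCompartment, JSContext, JSFunction and JSAutoCompartment, invented here for illustration.

```cpp
// Added model of the compartment invariant behind the assertion in
// BytecodeCompiler.cpp:813, and of the fix pattern. Not SpiderMonkey code.
#include <functional>
#include <stdexcept>
#include <string>

struct Compartment { std::string name; };          // stand-in for JSCompartment
struct Context { Compartment* current; };           // stand-in for JSContext: one current compartment
struct Function {                                   // stand-in for JSFunction
    Compartment* owner;                             // the compartment the function was created in
    std::function<void()> body;
};

// Models the check that delazification asserts: the context must already be
// in the function's own compartment when the function is run.
void callFunction(Context& cx, Function& fn) {
    if (cx.current != fn.owner)
        throw std::logic_error("compartment mismatch: cx in " + cx.current->name +
                               ", function owned by " + fn.owner->name);
    fn.body();
}

// RAII guard modelled on JSAutoCompartment: enter on construction, restore on
// destruction (also when the call throws).
struct AutoCompartment {
    Context& cx; Compartment* saved;
    AutoCompartment(Context& c, Compartment* target) : cx(c), saved(c.current) { cx.current = target; }
    ~AutoCompartment() { cx.current = saved; }
};

// Unfixed shape: the tracker (owned by the main global) is invoked while cx is
// still in the off-thread script's global. Returns false on the mismatch.
bool trackerCallUnfixed(Context& cx, Function& tracker) {
    try { callFunction(cx, tracker); return true; }
    catch (const std::logic_error&) { return false; }
}

// Fixed shape: enter the callback's compartment for the duration of the call.
bool trackerCallFixed(Context& cx, Function& tracker) {
    AutoCompartment ac(cx, tracker.owner);
    return trackerCallUnfixed(cx, tracker);
}

// Reproduces the testcase's shape: cx sits in lfGlobal's compartment when a
// tracker owned by the main global fires. Returns how many times the tracker
// ran, or -1 if cx's compartment was not restored afterwards.
int runScenario(bool fixed) {
    Compartment mainGlobal{"main"}, lfGlobal{"lfGlobal"};
    Context cx{&lfGlobal};
    int ran = 0;
    Function tracker{&mainGlobal, [&]{ ++ran; }};
    bool ok = fixed ? trackerCallFixed(cx, tracker) : trackerCallUnfixed(cx, tracker);
    if (cx.current != &lfGlobal) return -1;
    return ok ? ran : 0;
}
```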