Closed
Bug 1290844
Opened 9 years ago
Closed 9 years ago
Crash [@ js::CompartmentChecker::fail] with Promise
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1294241
| Tracking | Status | |
|---|---|---|
| firefox50 | --- | affected |
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,ignore])
Crash Data
The following testcase crashes on mozilla-central revision e5859dfe0bcb (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):
let rejections = new Map();
function rejectionTracker(promise, state) {
rejections.set(promise, state);
}
setPromiseRejectionTrackerCallback(rejectionTracker);
var g = newGlobal();
typeof new g.Promise(function() {
while (stack.length > 0) {}
});
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0000000000abae60 in js::CompartmentChecker::fail (z2=<optimized out>, z1=<optimized out>) at js/src/jscntxtinlines.h:45
#0 0x0000000000abae60 in js::CompartmentChecker::fail (z2=<optimized out>, z1=<optimized out>) at js/src/jscntxtinlines.h:45
#1 js::CompartmentChecker::checkZone (z=<optimized out>, this=<optimized out>) at js/src/jscntxtinlines.h:67
#2 js::CompartmentChecker::check (str=<optimized out>, this=<synthetic pointer>) at js/src/jscntxtinlines.h:87
#3 js::CompartmentChecker::check (v=..., this=<synthetic pointer>) at js/src/jscntxtinlines.h:94
#4 js::assertSameCompartmentDebugOnly<JS::Value> (cx=<optimized out>, t1=...) at js/src/jscntxtinlines.h:168
#5 0x0000000000aa96a3 in Interpret (cx=0x7ffff6965000, state=...) at js/src/vm/Interpreter.cpp:3308
#6 0x0000000000ab0db5 in js::RunScript (cx=cx@entry=0x7ffff6965000, state=...) at js/src/vm/Interpreter.cpp:399
#7 0x0000000000ab10a8 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6965000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:471
#8 0x0000000000ab12f6 in InternalCall (cx=cx@entry=0x7ffff6965000, args=...) at js/src/vm/Interpreter.cpp:498
#9 0x0000000000ab144e in js::Call (cx=cx@entry=0x7ffff6965000, fval=..., fval@entry=..., thisv=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:517
#10 0x000000000044ccba in ForwardingPromiseRejectionTrackerCallback (cx=0x7ffff6965000, promise=..., state=PromiseRejectionHandlingState::Unhandled, data=<optimized out>) at js/src/shell/js.cpp:702
#11 0x0000000000c4b62a in js::PromiseObject::onSettled (this=<optimized out>, cx=cx@entry=0x7ffff6965000) at js/src/builtin/Promise.cpp:440
#12 0x0000000000b06780 in intrinsic_onPromiseSettled (cx=cx@entry=0x7ffff6965000, argc=<optimized out>, vp=0x7ffff305b240) at js/src/vm/SelfHosting.cpp:2257
#13 0x0000000000abaaa4 in js::CallJSNative (cx=cx@entry=0x7ffff6965000, native=0xb066f0 <intrinsic_onPromiseSettled(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:232
#14 0x0000000000ab0fa3 in js::InternalCallOrConstruct (cx=0x7ffff6965000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:453
#15 0x0000000000aa50ef in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:504
#16 Interpret (cx=0x7ffff6965000, state=...) at js/src/vm/Interpreter.cpp:2873
#17 0x0000000000ab0db5 in js::RunScript (cx=cx@entry=0x7ffff6965000, state=...) at js/src/vm/Interpreter.cpp:399
#18 0x0000000000ab10a8 in js::InternalCallOrConstruct (cx=0x7ffff6965000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:471
#19 0x0000000000aa50ef in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:504
#20 Interpret (cx=0x7ffff6965000, state=...) at js/src/vm/Interpreter.cpp:2873
#21 0x0000000000ab0db5 in js::RunScript (cx=cx@entry=0x7ffff6965000, state=...) at js/src/vm/Interpreter.cpp:399
#22 0x0000000000ab10a8 in js::InternalCallOrConstruct (cx=0x7ffff6965000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:471
#23 0x0000000000aa50ef in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:504
#24 Interpret (cx=0x7ffff6965000, state=...) at js/src/vm/Interpreter.cpp:2873
#25 0x0000000000ab0db5 in js::RunScript (cx=cx@entry=0x7ffff6965000, state=...) at js/src/vm/Interpreter.cpp:399
#26 0x0000000000ab10a8 in js::InternalCallOrConstruct (cx=0x7ffff6965000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:471
#27 0x0000000000ab12f6 in InternalCall (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:498
#28 0x0000000000ab144e in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:517
#29 0x0000000000c4ac02 in js::PromiseObject::create (cx=cx@entry=0x7ffff6965000, executor=..., executor@entry=..., proto=..., proto@entry=...) at js/src/builtin/Promise.cpp:201
#30 0x0000000000c4b0ac in js::PromiseConstructor (cx=cx@entry=0x7ffff6965000, argc=<optimized out>, vp=0x7fffffffc868) at js/src/builtin/Promise.cpp:375
#31 0x0000000000abaaa4 in js::CallJSNative (cx=cx@entry=0x7ffff6965000, native=native@entry=0xc4adb0 <js::PromiseConstructor(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:232
[...]
#52 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7515
rax 0x0 0
rbx 0x7ffff305b2e0 140737270624992
rcx 0x7ffff6c28a2d 140737333332525
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffa410 140737488331792
rsp 0x7fffffffa400 140737488331776
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fdc740 140737353992000
r10 0x58 88
r11 0x7ffff6b9f750 140737332770640
r12 0x7ffff6952800 140737330358272
r13 0x7ffff305b2e0 140737270624992
r14 0x1d4f1e0 30732768
r15 0x7fffffffaa90 140737488333456
rip 0xabae60 <js::assertSameCompartmentDebugOnly<JS::Value>(js::ExclusiveContext*, JS::Value const&)+192>
=> 0xabae60 <js::assertSameCompartmentDebugOnly<JS::Value>(js::ExclusiveContext*, JS::Value const&)+192>: movl $0x0,0x0
0xabae6b <js::assertSameCompartmentDebugOnly<JS::Value>(js::ExclusiveContext*, JS::Value const&)+203>: ud2
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
||
Comment 2•9 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/d4cf63e47ae9
user: Till Schneidereit
date: Thu Jul 21 00:44:16 2016 +0200
summary: Bug 911216 - Part 30: Enable SpiderMonkey Promise implementation. r=bz,efaust,bholley,Paolo,tromey,shu
This iteration took 225.386 seconds to run.
|
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
||
Comment 3•9 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 91a319101587).
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/9e7be56f14ea
user: Jon Coppeard
date: Mon Aug 15 11:17:34 2016 +0100
summary: Bug 1294241 - Fix compartment mismatch tracking promise rejections in the shell r=till
Till/Jon, is bug 1294241 a likely fix?
Flags: needinfo?(jcoppeard)
|
||
Comment 5•9 years ago
|
||
Yes indeed.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE
|
||
Updated•9 years ago
|
Flags: needinfo?(till)
You need to log in
before you can comment on or make changes to this bug.
Description
•