Closed
Bug 1317460
Opened 8 years ago
Closed 8 years ago
Assertion failure: throwing, at js/src/jscntxt.cpp:911
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla53
Tracking | Status | |
---|---|---|
firefox-esr45 | --- | unaffected |
firefox50 | --- | unaffected |
firefox51 | --- | unaffected |
firefox52 | + | fixed |
firefox53 | --- | fixed |
People
(Reporter: gkw, Assigned: arai)
References
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
29.52 KB,
text/plain
|
Details | |
1.42 KB,
patch
|
till
:
review+
jcristau
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 71fd23fa0803 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):
g = newGlobal();
g.parent = this;
g.eval("(" + function() {
Debugger(parent).onExceptionUnwind = function() 0;
} + ")()");
async function f() {
t;
}
f();
Backtrace:
0 js-dbg-64-dm-clang-darwin-71fd23fa0803 0x0000000108f06eaa JSContext::getPendingException(JS::MutableHandle<JS::Value>) + 282 (jscntxt.cpp:911)
1 js-dbg-64-dm-clang-darwin-71fd23fa0803 0x000000010917e7ae js::GetAndClearException(JSContext*, JS::MutableHandle<JS::Value>) + 14 (Interpreter.cpp:4431)
2 js-dbg-64-dm-clang-darwin-71fd23fa0803 0x0000000108b027af js::AsyncFunctionThrown(JSContext*, JS::Handle<js::PromiseObject*>) + 111 (Promise.cpp:2138)
3 js-dbg-64-dm-clang-darwin-71fd23fa0803 0x000000010904b214 AsyncFunctionResume(JSContext*, JS::Handle<js::PromiseObject*>, JS::Handle<JS::Value>, ResumeKind, JS::Handle<JS::Value>) + 404 (AsyncFunction.cpp:165)
/snip
For detailed crash information, see attachment.
Reporter | ||
Comment 1•8 years ago
|
||
Reporter | ||
Comment 2•8 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/9ced693a9b87
user: Tooru Fujisawa
date: Wed Nov 09 03:27:49 2016 +0900
summary: Bug 1314055 - Part 1: Port async/await implementation from self-hosted JS to C++. r=till
Arai-san, is bug 1314055 a likely regressor?
Blocks: 1314055
Flags: needinfo?(arai.unmht)
Assignee | ||
Comment 3•8 years ago
|
||
Yes, thanks :)
I needed the same code as AbruptRejectPromise, to detect the case that no pending exception.
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Flags: needinfo?(arai.unmht)
Attachment #8810610 -
Flags: review?(till)
Comment 4•8 years ago
|
||
Comment on attachment 8810610 [details] [diff] [review]
Detect uncatchable exception in AsyncFunctionThrown.
Review of attachment 8810610 [details] [diff] [review]:
-----------------------------------------------------------------
Sorry, I should've caught this.
Attachment #8810610 -
Flags: review?(till) → review+
Assignee | ||
Comment 5•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/be0a409b178acc10fc89b0d528c78a03755d89e4
Bug 1317460 - Detect uncatchable exception in AsyncFunctionThrown. r=till
Comment 6•8 years ago
|
||
bugherder |
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Assignee | ||
Comment 7•8 years ago
|
||
Comment on attachment 8810610 [details] [diff] [review]
Detect uncatchable exception in AsyncFunctionThrown.
Approval Request Comment
> [Feature/regressing bug #]
Bug 1314055
> [User impact if declined]
Possible crash while using debugger
> [Describe test coverage new/current, TreeHerder]
Tested on m-c
> [Risks and why]
Low, it falls back to normal failure path, instead of crashing.
> [String/UUID change made/needed]
None
Attachment #8810610 -
Flags: approval-mozilla-aurora?
Assignee | ||
Updated•8 years ago
|
status-firefox50:
--- → unaffected
status-firefox51:
--- → unaffected
status-firefox52:
--- → affected
status-firefox-esr45:
--- → unaffected
tracking-firefox52:
--- → ?
Comment 8•8 years ago
|
||
Comment on attachment 8810610 [details] [diff] [review]
Detect uncatchable exception in AsyncFunctionThrown.
Fix recent regression, take in aurora
Attachment #8810610 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 9•8 years ago
|
||
bugherder uplift |
Updated•8 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•