Closed Bug 1341358 Opened 7 years ago Closed 7 years ago

Crash [@ ??] or Assertion failure: cx->runtime()->getIncumbentGlobalCallback (Must set a callback using JS_SetGetIncumbentGlobalCallback before using Promises), at vm/Runtime.cpp:636

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla54
Tracking Status
firefox52 --- unaffected
firefox53 --- unaffected
firefox54 --- fixed

People

(Reporter: decoder, Assigned: bhackett1024)

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision d84beb192e57 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe):

evalInCooperativeThread("var x = 3");
let PromiseCtor = Promise;
let promises = [];
let p = new PromiseCtor(function(res_, rej_) {});
promises.push(p);
let allPromise = getWaitForAllPromise(promises);


Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
#0  0x0000000000000000 in ?? ()
#1  0x00000000007f4cd1 in js::GetObjectFromIncumbentGlobal (cx=cx@entry=0x7ffff6948800, obj=obj@entry=...) at js/src/jsobj.cpp:2010
#2  0x000000000055619d in PerformPromiseThen (cx=cx@entry=0x7ffff6948800, promise=..., promise@entry=..., onFulfilled_=..., onFulfilled_@entry=..., onRejected_=..., onRejected_@entry=..., resultPromise=..., resultPromise@entry=..., resolve=..., resolve@entry=..., reject=...) at js/src/builtin/Promise.cpp:2260
#3  0x0000000000556d6e in js::GetWaitForAllPromise (cx=cx@entry=0x7ffff6948800, promises=...) at js/src/builtin/Promise.cpp:1521
#4  0x0000000000778b15 in JS::GetWaitForAllPromise (cx=cx@entry=0x7ffff6948800, promises=...) at js/src/jsapi.cpp:5010
#5  0x0000000000733127 in GetWaitForAllPromise (cx=0x7ffff6948800, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1578
#6  0x00000000004d932f in js::CallJSNative (args=..., native=<optimized out>, cx=0x7ffff6948800) at js/src/jscntxtinlines.h:281
[...]
#19 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:8320
rax	0x0	0
rbx	0x7ffff6948800	140737330317312
rcx	0x7ffff077d220	140737227772448
rdx	0x1b77180	28799360
rsi	0x7ffff6948800	140737330317312
rdi	0x7ffff6948800	140737330317312
rbp	0x7fffffffd410	140737488344080
rsp	0x7fffffffd398	140737488343960
r8	0x7fffffffd560	140737488344416
r9	0xdf7268	14643816
r10	0x7ffff06005f0	140737226212848
r11	0x0	0
r12	0x7ffff6948820	140737330317344
r13	0x7fffffffd460	140737488344160
r14	0x7ffff6948800	140737330317312
r15	0xdf7268	14643816
rip	0x0	0
=> 0x0:
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/fad2e60d7843
user:        Brian Hackett
date:        Fri Feb 17 05:13:11 2017 -0700
summary:     Bug 1337968 - Add API and shell harness for cooperative multithreading, r=jandem.

This iteration took 229.698 seconds to run.
Attached patch patchSplinter Review
Runtime-wide callbacks shouldn't be cleared when destroying a cooperative context in the shell harness.
Assignee: nobody → bhackett1024
Attachment #8839686 - Flags: review?(jdemooij)
Comment on attachment 8839686 [details] [diff] [review]
patch

Review of attachment 8839686 [details] [diff] [review]:
-----------------------------------------------------------------

We use the same condition when we set these callbacks, so this makes sense.
Attachment #8839686 - Flags: review?(jdemooij) → review+
Pushed by bhackett@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c6a89afa0c6b
Don't accidentally clear the incumbent global callback when finishing a cooperative thread, r=jandem.
https://hg.mozilla.org/mozilla-central/rev/c6a89afa0c6b
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
You need to log in before you can comment on or make changes to this bug.