Closed
Bug 1341358
Opened 7 years ago
Closed 7 years ago
Crash [@ ??] or Assertion failure: cx->runtime()->getIncumbentGlobalCallback (Must set a callback using JS_SetGetIncumbentGlobalCallback before using Promises), at vm/Runtime.cpp:636
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla54
| | Tracking | Status |
|---|---|---|
| firefox52 | --- | unaffected |
| firefox53 | --- | unaffected |
| firefox54 | --- | fixed |
People
(Reporter: decoder, Assigned: bhackett1024)
Details
(5 keywords, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
patch, 2.20 KB, jandem: review+
The following testcase crashes on mozilla-central revision d84beb192e57 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe):

    evalInCooperativeThread("var x = 3");
    let PromiseCtor = Promise;
    let promises = [];
    let p = new PromiseCtor(function(res_, rej_) {});
    promises.push(p);
    let allPromise = getWaitForAllPromise(promises);

Backtrace:

    received signal SIGSEGV, Segmentation fault.
    0x0000000000000000 in ?? ()
    #0 0x0000000000000000 in ?? ()
    #1 0x00000000007f4cd1 in js::GetObjectFromIncumbentGlobal (cx=cx@entry=0x7ffff6948800, obj=obj@entry=...) at js/src/jsobj.cpp:2010
    #2 0x000000000055619d in PerformPromiseThen (cx=cx@entry=0x7ffff6948800, promise=..., promise@entry=..., onFulfilled_=..., onFulfilled_@entry=..., onRejected_=..., onRejected_@entry=..., resultPromise=..., resultPromise@entry=..., resolve=..., resolve@entry=..., reject=...) at js/src/builtin/Promise.cpp:2260
    #3 0x0000000000556d6e in js::GetWaitForAllPromise (cx=cx@entry=0x7ffff6948800, promises=...) at js/src/builtin/Promise.cpp:1521
    #4 0x0000000000778b15 in JS::GetWaitForAllPromise (cx=cx@entry=0x7ffff6948800, promises=...) at js/src/jsapi.cpp:5010
    #5 0x0000000000733127 in GetWaitForAllPromise (cx=0x7ffff6948800, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1578
    #6 0x00000000004d932f in js::CallJSNative (args=..., native=<optimized out>, cx=0x7ffff6948800) at js/src/jscntxtinlines.h:281
    [...]
    #19 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:8320
    rax 0x0 0
    rbx 0x7ffff6948800 140737330317312
    rcx 0x7ffff077d220 140737227772448
    rdx 0x1b77180 28799360
    rsi 0x7ffff6948800 140737330317312
    rdi 0x7ffff6948800 140737330317312
    rbp 0x7fffffffd410 140737488344080
    rsp 0x7fffffffd398 140737488343960
    r8 0x7fffffffd560 140737488344416
    r9 0xdf7268 14643816
    r10 0x7ffff06005f0 140737226212848
    r11 0x0 0
    r12 0x7ffff6948820 140737330317344
    r13 0x7fffffffd460 140737488344160
    r14 0x7ffff6948800 140737330317312
    r15 0xdf7268 14643816
    rip 0x0 0
    => 0x0:
Updated•7 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•7 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/fad2e60d7843
user: Brian Hackett
date: Fri Feb 17 05:13:11 2017 -0700
summary: Bug 1337968 - Add API and shell harness for cooperative multithreading, r=jandem.

This iteration took 229.698 seconds to run.
Assignee
Comment 2•7 years ago
Runtime-wide callbacks shouldn't be cleared when destroying a cooperative context in the shell harness.
Assignee: nobody → bhackett1024
Attachment #8839686 - Flags: review?(jdemooij)
Comment 3•7 years ago
Comment on attachment 8839686: patch

Review of attachment 8839686:
-----------------------------------------------------------------
We use the same condition when we set these callbacks, so this makes sense.
Attachment #8839686 - Flags: review?(jdemooij) → review+
Pushed by bhackett@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c6a89afa0c6b
Don't accidentally clear the incumbent global callback when finishing a cooperative thread, r=jandem.
Comment 5•7 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/c6a89afa0c6b
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Updated•7 years ago
status-firefox52: --- → unaffected
status-firefox53: --- → unaffected
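
The failure mode described in comment 2, as an added example that is neither the patch attached to this bug nor SpiderMonkey code: a simplified C++ model showing teardown of a secondary context wiping a runtime-wide hook, next to a teardown guarded by the same condition as installation. Every name here (Runtime, Context, isMain, the destroyContext functions) is hypothetical, and it assumes the hook is installed only by the main context.

```cpp
// Simplified model of the bug class in this report. All names are hypothetical,
// not SpiderMonkey's real types or API.
#include <cstdio>

struct Runtime {
    int (*getIncumbentGlobal)() = nullptr;  // runtime-wide hook shared by all contexts
};
struct Context {
    Runtime* rt;
    bool isMain;  // assumption: only the main context installs runtime-wide hooks
};

static int shellIncumbentGlobal() { return 42; }  // constructed stand-in value

Context createContext(Runtime& rt, bool isMain) {
    if (isMain)  // installation is guarded by this condition
        rt.getIncumbentGlobal = shellIncumbentGlobal;
    return Context{&rt, isMain};
}

// Before: finishing any context clears the hook for the whole runtime.
void destroyContextBuggy(Context& cx) { cx.rt->getIncumbentGlobal = nullptr; }

// After: teardown uses the same condition that guarded installation.
void destroyContextFixed(Context& cx) {
    if (cx.isMain)
        cx.rt->getIncumbentGlobal = nullptr;
}

// Promise-style consumer of the hook. Returns -1 where the report shows the
// assertion failure or the call through address 0.
int performThen(const Context& cx) {
    if (!cx.rt->getIncumbentGlobal)
        return -1;
    return cx.rt->getIncumbentGlobal();
}

// Same shape as the testcase: start and finish a cooperative context, then
// use a promise from the main context.
int runScenario(bool fixed) {
    Runtime rt;
    Context mainCx = createContext(rt, true);
    Context coop = createContext(rt, false);
    if (fixed) destroyContextFixed(coop); else destroyContextBuggy(coop);
    return performThen(mainCx);
}

int main() {
    std::printf("buggy=%d fixed=%d\n", runScenario(false), runScenario(true));
}
```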