Closed Bug 1343426 Opened 7 years ago Closed 7 years ago

Assertion failure: throwing, at js/src/jscntxt.cpp:1275 with Debugger and Promise

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla55
Tracking Status
firefox-esr52 --- fixed
firefox53 --- fixed
firefox54 --- fixed
firefox55 --- fixed

People

(Reporter: gkw, Assigned: till)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision e1135c6fdc9b (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/tests/test262/built-ins/Promise/prototype/then/resolve-pending-rejected-poisoned-then.js
poisonedThen = Object.defineProperty({}, 'then', {
    get: function() e
});
var p1 = new Promise(function(_, _reject) {
    reject = _reject;
});
p1.then(function() {}, function() {
    return poisonedThen;
});
reject();
// Adapted from randomly chosen test: js/src/jit-test/tests/auto-regress/bug1317460.js
g = newGlobal();
g.parent = this;
g.eval("(" + function() {
    Debugger(parent).onExceptionUnwind = function() {
        return 0;
    };
} + ")()");


Backtrace:

#0  0x000000000094f2d0 in JSContext::getPendingException (this=this@entry=0x7f72f4450000, rval=...) at js/src/jscntxt.cpp:1275
#1  0x000000000051f17f in js::GetAndClearException (cx=cx@entry=0x7f72f4450000, res=..., res@entry=...) at js/src/vm/Interpreter.cpp:4419
#2  0x00000000005d591e in ResolvePromiseInternal (cx=cx@entry=0x7f72f4450000, promise=promise@entry=..., resolutionVal=..., resolutionVal@entry=...) at js/src/builtin/Promise.cpp:367
#3  0x00000000005d617d in RunResolutionFunction (cx=0x7f72f4450000, resolutionFun=..., resolutionFun@entry=..., result=result@entry=..., mode=mode@entry=ResolveMode, promiseObj=promiseObj@entry=...) at js/src/builtin/Promise.cpp:1576
#4  0x00000000005d6809 in PromiseReactionJob (cx=0x7f72f4450000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Promise.cpp:917
/snip

For detailed crash information, see attachment.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/fe85f9809f82
user:        Luke Wagner
date:        Fri Feb 24 09:30:38 2017 -0600
summary:     Bug 1341749 - Drain job queue even after error (r=bbouvier)

Luke, is bug 1341749 a likely regressor?
Blocks: 1341749
Flags: needinfo?(luke)
Summary: Assertion failure: throwing, at js/src/jscntxt.cpp:1275 → Assertion failure: throwing, at js/src/jscntxt.cpp:1275 with Debugger and Promise
Locally, I seem to be able to reproduce this crash at the parent cset fe85f9809f82.  My impression here is that, before bug 1341749, there was a race to repro the crash and, after bug 1341749, the race goes away b/c we now drainJobQueue() even on the error path out of the shell.  I expect this is actually a pretty simple problem to diagnose for someone more familiar with the promise machinery.
Flags: needinfo?(luke)
Promise -> ni? from :till
Flags: needinfo?(till)
This is almost certainly a dupe of bug 1339999. Will close as such after testing tomorrow.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 23fe0b76a018).
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/caa3df341ea8
parent:      349667:f5e214144799
user:        Till Schneidereit
date:        Sat Mar 25 17:43:44 2017 -0700
summary:     Bug 1339999 - Properly handle OOM during exception throwing in all Promise code. r=arai

Indeed FIXED by bug 1339999.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(till)
Resolution: --- → FIXED
Assignee: nobody → till
Depends on: 1339999
Target Milestone: --- → mozilla55
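
Added example, not part of the bug report or of Mozilla's code: the language-level behaviour the testcase exercises, where a `then` getter that throws is converted into a promise rejection instead of an exception reaching the caller. Helper names are hypothetical, and the explicit `throw` stands in for the testcase's legacy SpiderMonkey expression closure `function() e` reading the undeclared `e`.

```javascript
// Added example (not from the bug report); helper names are hypothetical.
// Builds an object whose `then` getter throws, counting each access.
function makePoisonedThen(counter) {
  return Object.defineProperty({}, 'then', {
    get: function () {
      counter.calls++;
      // Stand-in for the testcase's read of the undeclared variable `e`.
      throw new ReferenceError('e is not defined');
    }
  });
}

// Turn a promise into a plain record of how it settled.
function settle(promise) {
  return promise.then(
    value => ({ state: 'fulfilled', value }),
    reason => ({ state: 'rejected', reason })
  );
}

// Case 1: resolve a promise directly with the poisoned object.
function resolveDirectly() {
  const counter = { calls: 0 };
  let resolve;
  const p = new Promise(r => { resolve = r; });
  let escaped = null;
  try {
    resolve(makePoisonedThen(counter)); // the getter runs synchronously here
  } catch (err) {
    escaped = err; // not reached: the throw becomes a rejection of p
  }
  return { calls: counter.calls, escaped, outcome: settle(p) };
}

// Case 2: the report's shape, a rejection handler that returns the poisoned object.
function resolveFromReaction() {
  const counter = { calls: 0 };
  let reject;
  const p1 = new Promise((_, r) => { reject = r; });
  const p2 = p1.then(function () {}, function () {
    return makePoisonedThen(counter);
  });
  reject();
  // The reaction job is only queued at this point, so the getter is untouched.
  return { callsBeforeJob: counter.calls, counter, outcome: settle(p2) };
}
```

Case 2 is the path in frames #2 to #4 of the backtrace: the reaction job runs the handler and then passes its return value to the resolution function of the derived promise.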