Closed
Bug 1364348
Opened 7 years ago
Closed 7 years ago
Assertion failure: !GetShellContext(cx)->quitting, at js/src/shell/js.cpp:806
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla55
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox53 | --- | unaffected |
| firefox54 | --- | unaffected |
| firefox55 | --- | fixed |
People
(Reporter: gkw, Assigned: till)
References
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
|
12.51 KB,
text/plain
|
Details | |
|
1.34 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 8a7d0b15595f (build with --enable-debug --enable-more-deterministic --without-intl-api, run with --fuzzing-safe --no-threads --no-baseline --no-ion):
// jsfunfuzz-generated
function d() {
quit();
}
(function () {
// Adapted from randomly chosen test: js/src/jit-test/tests/gc/bug-1218900.js
Function.prototype.toString = function () {
this();
}
getBacktrace({
thisprops: true
})
})()
Backtrace:
#0 DrainJobQueue (cx=0x7fce64675000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:806
#1 0x0000000000535edf in js::CallJSNative (cx=cx@entry=0x7fce64675000, native=0x4418f0 <DrainJobQueue(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
#2 0x000000000052ac43 in js::InternalCallOrConstruct (cx=0x7fce64675000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470
#3 0x000000000051d704 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:521
#4 Interpret (cx=0x7fce64675000, state=...) at js/src/vm/Interpreter.cpp:3025
/snip
For detailed crash information, see attachment.
|
Reporter | |
Comment 1•7 years ago
|
||
|
|
Reporter | |
Comment 2•7 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/a56ac3aa583c user: Till Schneidereit date: Wed May 10 16:16:27 2017 +0200 summary: Bug 1357958 - Move the JS shell's Promise job handling into the engine to be used as a default implementation. r=jandem Till, is bug 1357958 a likely regressor?
Blocks: 1357958
Flags: needinfo?(till)
|
Assignee | |
Comment 3•7 years ago
|
||
I hadn't realized that there are situations in which additional JS is executed after quit() was called.
Assignee: nobody → till
Status: NEW → ASSIGNED
Flags: needinfo?(till)
Attachment #8867254 -
Flags: review?(jdemooij)
|
||
Updated•7 years ago
|
Attachment #8867254 -
Flags: review?(jdemooij) → review+
Pushed by tschneidereit@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/59b80bc77946 Throw instead of failing an assert if drainJobQueue is called after quit. r=jandem
|
||
Comment 5•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/59b80bc77946
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
|
|
||
Updated•7 years ago
|
status-firefox53:
--- → unaffected
status-firefox54:
--- → unaffected
status-firefox-esr52:
--- → unaffected
You need to log in
before you can comment on or make changes to this bug.
Description
•