Closed Bug 1370875 Opened 8 years ago Closed 8 years ago

Assertion failure: !done(), at js/src/vm/Stack.h:1843 with Promise and inIon

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla56
Tracking Status:
firefox-esr52 --- wontfix
firefox54 --- wontfix
firefox55 --- wontfix
firefox56 --- fixed

People

Reporter: decoder, Assigned: shu

Details

5 keywords, Whiteboard: [jsbugmon:update]

Attachments

1 file

The following testcase crashes on mozilla-central revision 5801aa478de1 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):

    Promise.resolve().then(inIon);

Backtrace:

    received signal SIGSEGV, Segmentation fault.
    0x0000000000867858 in js::FrameIter::isJit (this=<optimized out>) at js/src/vm/Stack.h:1843
    #0  0x0000000000867858 in js::FrameIter::isJit (this=<optimized out>) at js/src/vm/Stack.h:1843
    #1  js::FrameIter::isIon (this=<optimized out>) at js/src/vm/Stack.h:2145
    #2  testingFunc_inIon (cx=0x7ffff6924000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:2161
    #3  0x00000000005402df in js::CallJSNative (cx=cx@entry=0x7ffff6924000, native=0x8675f0 <testingFunc_inIon(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
    #4  0x00000000005351d3 in js::InternalCallOrConstruct (cx=0x7ffff6924000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470
    #5  0x00000000005355e8 in InternalCall (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:515
    #6  0x000000000053571d in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:534
    #7  0x00000000005b87e3 in PromiseReactionJob (cx=0x7ffff6924000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Promise.cpp:1001
    #8  0x00000000005402df in js::CallJSNative (cx=cx@entry=0x7ffff6924000, native=0x5b7de0 <PromiseReactionJob(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
    #9  0x00000000005351d3 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6924000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470
    #10 0x00000000005355e8 in InternalCall (cx=cx@entry=0x7ffff6924000, args=...) at js/src/vm/Interpreter.cpp:515
    #11 0x000000000053571d in js::Call (cx=cx@entry=0x7ffff6924000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:534
    #12 0x0000000000925db0 in JS::Call (cx=cx@entry=0x7ffff6924000, thisv=..., thisv@entry=..., fval=..., fval@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2891
    #13 0x000000000096bbe3 in JS::Call (rval=..., args=..., funObj=..., thisv=..., cx=0x7ffff6924000) at js/src/jsapi.h:3448
    #14 js::RunJobs (cx=cx@entry=0x7ffff6924000) at js/src/jscntxt.cpp:1253
    #15 0x000000000043bcc9 in Shell (envp=<optimized out>, op=0x7fffffffda30, cx=0x7ffff6924000) at js/src/shell/js.cpp:8125
    #16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:8511

    rax 0x0            0                 rbx 0x7fffffffcc10 140737488342032
    rcx 0x7ffff6c28a2d 140737333332525   rdx 0x0            0
    rsi 0x7ffff6ef7770 140737336276848   rdi 0x7ffff6ef6540 140737336272192
    rbp 0x7fffffffd0a0 140737488343200   rsp 0x7fffffffcbd0 140737488341968
    r8  0x7ffff6ef7770 140737336276848   r9  0x7ffff7fe4740 140737354024768
    r10 0x58           88                r11 0x7ffff6b9f750 140737332770640
    r12 0x7ffff6924000 140737330167808   r13 0x7fffffffd3a0 140737488343968
    r14 0x1            1                 r15 0x7fffffffd3a8 140737488343976
    rip 0x867858 <testingFunc_inIon(JSContext*, unsigned int, JS::Value*)+616>
    => 0x867858 <testingFunc_inIon(JSContext*, unsigned int, JS::Value*)+616>: movl $0x0,0x0
       0x867863 <testingFunc_inIon(JSContext*, unsigned int, JS::Value*)+627>: ud2
Flags: needinfo?(nicolas.b.pierron)
Attachment #8880973 - Flags: review?(nicolas.b.pierron)
Assignee: nobody → shu
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

    The first bad revision is:
    changeset: https://hg.mozilla.org/mozilla-central/rev/d4cf63e47ae9
    user:      Till Schneidereit
    date:      Thu Jul 21 00:44:16 2016 +0200
    summary:   Bug 911216 - Part 30: Enable SpiderMonkey Promise implementation. r=bz,efaust,bholley,Paolo,tromey,shu

This iteration took 224.683 seconds to run.
Comment on attachment 8880973 [details] [diff] [review]
Return false in inIon if there are no JS frames on stack.

Review of attachment 8880973 [details] [diff] [review]:

Thanks :)
Attachment #8880973 - Flags: review?(nicolas.b.pierron) → review+
Flags: needinfo?(nicolas.b.pierron)
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/967aac2f682f
Return false in inIon if there are no JS frames on stack. (r=nbp)
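To see why a promise reaction can reach inIon with no JS frame on the stack, and what the landed fix changes, here is a toy C++ model of the bug (added example, not SpiderMonkey code; FrameKind, g_frames, g_jobs, callWithFrame and thenFromScriptAndRunJobs are hypothetical stand-ins for the engine's frame stack, job queue and FrameIter).

```cpp
// Toy model of the Bug 1370875 crash and fix (added illustration, not SpiderMonkey code;
// the stack, job queue and FrameIter are hypothetical stand-ins).
#include <cassert>
#include <queue>
#include <vector>
enum class FrameKind { Interpreter, Ion };
static std::vector<FrameKind> g_frames;  // live JS frames, innermost last
static std::queue<bool (*)()> g_jobs;    // pending promise reaction jobs

// As in the real iterator, isIon() is only valid while !done().
struct FrameIter {
    bool done() const { return g_frames.empty(); }
    bool isIon() const {
        assert(!done());  // the assertion that fired at Stack.h:1843
        return g_frames.back() == FrameKind::Ion;
    }
};

// Pre-fix shape of testingFunc_inIon: assumes a calling script frame exists.
bool inIonUnchecked() {
    FrameIter iter;
    return iter.isIon();  // asserts when no JS frame is on the stack
}

// Post-fix shape: answer false when there is no JS frame to inspect.
bool inIonFixed() {
    FrameIter iter;
    if (iter.done()) return false;
    return iter.isIon();
}

// Call fn while one frame of kind k is live (the normal, script-initiated case).
bool callWithFrame(FrameKind k, bool (*fn)()) {
    g_frames.push_back(k);
    bool r = fn();
    g_frames.pop_back();
    return r;
}

// Models Promise.resolve().then(cb) in a top-level script: the reaction is only queued,
// the script frame is popped, then RunJobs drains the queue, so cb sees no JS frame.
bool thenFromScriptAndRunJobs(bool (*cb)()) {
    g_frames.push_back(FrameKind::Interpreter);
    g_jobs.push(cb);
    g_frames.pop_back();
    bool result = false;
    while (!g_jobs.empty()) { result = g_jobs.front()(); g_jobs.pop(); }
    return result;
}
```

Running thenFromScriptAndRunJobs(inIonUnchecked) trips the assertion exactly as in the report, while the checked version simply reports false from the job.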
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56