1375436 - Assertion failure: throwing, at js/src/jscntxt.cpp:1466 with Debugger and async

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision e49151136658 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):

var g = newGlobal();
var dbg = new Debugger(g);
function test(type, provocation) {
    dbg.onEnterFrame = function handleFirstFrame(f) {
        assertEq(f.eval(provocation), null);
    };
    assertEq(typeof g.eval('eval'), 'function');
}
g.eval("async function f() { await 3; }");
test('call', 'f();');



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x000000000096f180 in JSContext::getPendingException (this=this@entry=0x7ffff6924000, rval=...) at js/src/jscntxt.cpp:1466
#0  0x000000000096f180 in JSContext::getPendingException (this=this@entry=0x7ffff6924000, rval=...) at js/src/jscntxt.cpp:1466
#1  0x000000000051f45f in js::GetAndClearException (cx=cx@entry=0x7ffff6924000, res=..., res@entry=...) at js/src/vm/Interpreter.cpp:4529
#2  0x0000000000a7e4bb in WrappedAsyncFunction (cx=0x7ffff6924000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/AsyncFunction.cpp:100
#3  0x000000000054167f in js::CallJSNative (cx=cx@entry=0x7ffff6924000, native=0xa7de70 <WrappedAsyncFunction(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
#4  0x0000000000537083 in js::InternalCallOrConstruct (cx=0x7ffff6924000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470
#5  0x00000000005296fc in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:521
#6  Interpret (cx=0x7ffff6924000, state=...) at js/src/vm/Interpreter.cpp:3067
#7  0x0000000000536c32 in js::RunScript (cx=0x7ffff6924000, state=...) at js/src/vm/Interpreter.cpp:410
#8  0x00000000005398b9 in js::ExecuteKernel (cx=cx@entry=0x7ffff6924000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=result@entry=0x7fffffe026f0) at js/src/vm/Interpreter.cpp:699
#9  0x0000000000b2826e in EvaluateInEnv (rval=..., lineno=<optimized out>, filename=<optimized out>, pc=<optimized out>, frame=..., env=..., cx=0x7ffff6924000, chars=...) at js/src/vm/Debugger.cpp:8175
#10 DebuggerGenericEval (cx=cx@entry=0x7ffff6924000, bindings=..., bindings@entry=..., options=..., status=@0x7fffffe02f7c: 3980621395, value=..., dbg=0x7ffff6939800, envArg=..., iter=0x7fffffe02a80, chars=...) at js/src/vm/Debugger.cpp:8262
#11 0x0000000000b28f6d in js::DebuggerFrame::eval (cx=cx@entry=0x7ffff6924000, frame=..., frame@entry=..., chars=..., bindings=..., bindings@entry=..., options=..., status=@0x7fffffe02f7c: 3980621395, value=value@entry=...) at js/src/vm/Debugger.cpp:8286
#12 0x0000000000b29209 in js::DebuggerFrame::evalMethod (cx=0x7ffff6924000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:8942
[...]
#16 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff6924000	140737330167808
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffe019e0	140737486264800
rsp	0x7fffffe019a0	140737486264736
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x0	0
r11	0x0	0
r12	0x7fffffe01b20	140737486265120
r13	0x7fffffe01b20	140737486265120
r14	0x7fffffe01bc0	140737486265280
r15	0x7fffffe01b10	140737486265104
rip	0x96f180 <JSContext::getPendingException(JS::MutableHandle<JS::Value>)+240>
=> 0x96f180 <JSContext::getPendingException(JS::MutableHandle<JS::Value>)+240>:	movl   $0x0,0x0
   0x96f18b <JSContext::getPendingException(JS::MutableHandle<JS::Value>)+251>:	ud2

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/9ced693a9b87
user:        Tooru Fujisawa
date:        Wed Nov 09 03:27:49 2016 +0900
summary:     Bug 1314055 - Part 1: Port async/await implementation from self-hosted JS to C++. r=till

This iteration took 249.033 seconds to run.

Comment 2

[Jan de Mooij [:jandem]]

NI arai based on comment 1 :)

Comment 3

[Tooru Fujisawa [:arai]]

Attachment: Do not reject promise for unhandlable exception in Async Function.

Forgot to handle unhandlable exception case in WrappedAsyncFunction.

changed it to just return false if there's no exception pending after running function body and it failed.
the testcase is not stored because it runs forever.
I'll try to figure out if there's any simpler testcase.

Comment 4

[Till Schneidereit [:till]]

Comment on attachment 8881147 [details] [diff] [review]
Do not reject promise for unhandlable exception in Async Function.

Review of attachment 8881147 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry, didn't see this while traveling.

Comment 5

[Tooru Fujisawa [:arai]]

I'll look for testcase later.

Comment 6

[Tooru Fujisawa [:arai]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/bc7cfe0be797acecdb98638d1961977b538ccc74
Bug 1375436 - Do not reject promise for unhandlable exception in Async Function. r=till

Comment 7

[Pulsebot]

Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/bc7cfe0be797
Do not reject promise for unhandlable exception in Async Function. r=till

Comment 8

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/bc7cfe0be797

Comment 9

[Fuzzing Team]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 211d4dd61025).