Bug 1402593
Opened 8 years ago
Closed 8 years ago
Crash [@ ??] with evalInCooperativeThread and Promise
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
Status: RESOLVED DUPLICATE of bug 1402596

| | Tracking | Status |
|---|---|---|
| firefox57 | --- | fix-optional |
People
(Reporter: decoder, Unassigned)
Details: 4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update,ignore]
The following testcase crashes on mozilla-central revision 2cd3752963fc (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off min.js):
evalInCooperativeThread(`
Promise.resolve().then(3);
`);
Backtrace:
received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff41ff700 (LWP 1850)]
0x0000000000000000 in ?? ()
#0 0x0000000000000000 in ?? ()
#1 0x00000000009cf010 in JSRuntime::enqueuePromiseJob (this=<optimized out>, cx=cx@entry=0x7ffff432e000, job=job@entry=..., promise=..., promise@entry=..., incumbentGlobal=...) at js/src/vm/Runtime.cpp:746
#2 0x00000000005a5c39 in EnqueuePromiseReactionJob (cx=cx@entry=0x7ffff432e000, reactionObj=..., reactionObj@entry=..., handlerArg_=..., handlerArg_@entry=..., targetState=<optimized out>) at js/src/builtin/Promise.cpp:764
#3 0x00000000005a6b34 in PerformPromiseThenWithReaction (cx=cx@entry=0x7ffff432e000, promise=promise@entry=..., reaction=reaction@entry=...) at js/src/builtin/Promise.cpp:3019
#4 0x00000000005a6e39 in PerformPromiseThen (cx=cx@entry=0x7ffff432e000, promise=..., promise@entry=..., onFulfilled_=..., onFulfilled_@entry=..., onRejected_=..., onRejected_@entry=..., resultPromise=..., resolve=..., reject=...) at js/src/builtin/Promise.cpp:2983
#5 0x00000000005a70e0 in js::OriginalPromiseThen (cx=cx@entry=0x7ffff432e000, promise=promise@entry=..., onFulfilled=..., onFulfilled@entry=..., onRejected=onRejected@entry=..., dependent=..., dependent@entry=..., createDependent=createDependent@entry=true) at js/src/builtin/Promise.cpp:2421
#6 0x00000000005a7411 in js::Promise_then (cx=0x7ffff432e000, argc=<optimized out>, vp=0x7ffff69c2090) at js/src/builtin/Promise.cpp:2945
#7 0x000000000052560e in js::CallJSNative (args=..., native=0x5a7170 <js::Promise_then(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff432e000) at js/src/jscntxtinlines.h:293
#8 js::InternalCallOrConstruct (cx=0x7ffff432e000, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:495
#9 0x0000000000517ee0 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:546
#10 Interpret (cx=0x7ffff432e000, state=...) at js/src/vm/Interpreter.cpp:3084
#11 0x00000000005252e6 in js::RunScript (cx=0x7ffff432e000, state=...) at js/src/vm/Interpreter.cpp:435
#12 0x0000000000527785 in js::ExecuteKernel (result=0x7ffff41fed90, evalInFrame=..., newTargetValue=..., envChainArg=..., script=..., cx=0x7ffff432e000) at js/src/vm/Interpreter.cpp:724
#13 js::Execute (cx=cx@entry=0x7ffff432e000, script=script@entry=..., envChainArg=..., rval=0x7ffff41fed90) at js/src/vm/Interpreter.cpp:757
#14 0x000000000080200a in ExecuteScript (cx=cx@entry=0x7ffff432e000, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x7ffff41fed90) at js/src/jsapi.cpp:4648
#15 0x0000000000809bab in JS_ExecuteScript (cx=cx@entry=0x7ffff432e000, scriptArg=scriptArg@entry=..., rval=rval@entry=...) at js/src/jsapi.cpp:4674
#16 0x000000000045de61 in WorkerMain (arg=0x7ffff432f080) at js/src/shell/js.cpp:3534
#17 0x0000000000462e4a in js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::callMain<0ul> (this=0x7ffff6916300) at js/src/threading/Thread.h:234
#18 js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::Start (aPack=0x7ffff6916300) at js/src/threading/Thread.h:227
#19 0x00007ffff7bc16fa in start_thread (arg=0x7ffff41ff700) at pthread_create.c:333
#20 0x00007ffff6c38b5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax 0x7ffff432e020 140737290362912
rbx 0x7ffff432e000 140737290362880
rcx 0x7ffff41fe020 140737289117728
rdx 0x7ffff41fdea0 140737289117344
rsi 0x7ffff41fdfe0 140737289117664
rdi 0x7ffff432e000 140737290362880
rbp 0x7ffff41fde90 140737289117328
rsp 0x7ffff41fde78 140737289117304
r8 0x0 0
r9 0x7ffff47006e0 140737294370528
r10 0x1b 27
r11 0x1b 27
r12 0x7ffff41fdfe0 140737289117664
r13 0x7ffff41fdeb0 140737289117360
r14 0x7ffff432e000 140737290362880
r15 0x0 0
rip 0x0 0
=> 0x0:
This blocks all fuzzing with evalInCooperativeThread.
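The backtrace is a call through a null function pointer: `rip` is 0x0 and the caller (frame #1) is `JSRuntime::enqueuePromiseJob`. Together with the regressor named in comment 1 (promise callbacks moved from JSRuntime to JSContext) and the fix found in comment 8 ("Init Promise job queue on cooperative threads (jsshell)", bug 1402596), this says the context the shell creates for a cooperative thread was running without the enqueue-promise-job hook that the main thread's context installs. The following is an added model of that failure mode and its fix, not SpiderMonkey or js shell code; every type and function name in it is hypothetical, and the engine-side null guard is an illustrative hardening, not part of the actual fix.

```cpp
// Added example (not SpiderMonkey or the js shell's own code): a model of the
// failure mode in this bug. The enqueue-promise-job callback lives on each
// context; a cooperative thread's context was created without installing it,
// so the first Promise.prototype.then on that thread called through a null
// function pointer (rip = 0x0 above). Names and structures are hypothetical.
#include <cstdio>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

using PromiseJob = std::function<void()>;

// Embedding-supplied hook, stored per context; the engine only calls it.
using EnqueuePromiseJobCallback = bool (*)(void* data, PromiseJob job);

struct Context {
    EnqueuePromiseJobCallback enqueueCallback = nullptr;  // null until installed
    void* callbackData = nullptr;
    std::vector<PromiseJob> jobQueue;                     // owned by the shell
};

// The shell's hook: push the job onto the queue it owns for this context.
static bool shellEnqueueJob(void* data, PromiseJob job) {
    auto* queue = static_cast<std::vector<PromiseJob>*>(data);
    queue->push_back(std::move(job));
    return true;
}

// Stand-in for the engine's "set enqueue promise job callback" setup call.
static void initPromiseJobQueue(Context& cx) {
    cx.enqueueCallback = shellEnqueueJob;
    cx.callbackData = &cx.jobQueue;
}

static std::unique_ptr<Context> createMainContext() {
    auto cx = std::make_unique<Context>();
    initPromiseJobQueue(*cx);       // the main thread always did this
    return cx;
}

// Before the fix: a cooperative thread's context never gets the hook.
static std::unique_ptr<Context> createCooperativeContextBuggy() {
    return std::make_unique<Context>();
}

// After the fix (bug 1402596): initialize the queue on every cooperative context.
static std::unique_ptr<Context> createCooperativeContextFixed() {
    auto cx = std::make_unique<Context>();
    initPromiseJobQueue(*cx);
    return cx;
}

// Engine side. Calling cx.enqueueCallback unconditionally is the jump to
// address 0 in the backtrace; the null check is an added guard that turns the
// missing initialization into a reportable failure instead of a crash.
static bool enqueuePromiseJob(Context& cx, PromiseJob job) {
    if (!cx.enqueueCallback)
        return false;
    return cx.enqueueCallback(cx.callbackData, std::move(job));
}

// Promise.resolve().then(3): the promise is already fulfilled and 3 is not
// callable, so a reaction job is enqueued straight away
// (EnqueuePromiseReactionJob in the backtrace). The job only counts that it ran.
static bool promiseThen(Context& cx, int* ranCount) {
    return enqueuePromiseJob(cx, [ranCount] { ++*ranCount; });
}

// Drain the queue, as the shell does once the script returns.
static void runJobs(Context& cx) {
    std::vector<PromiseJob> pending;
    pending.swap(cx.jobQueue);
    for (auto& job : pending) job();
}

// Run the testcase's then() on a context: -1 if the engine refused because the
// hook was missing, otherwise the number of reaction jobs that ran.
static int runTestcaseOn(Context& cx) {
    int ran = 0;
    if (!promiseThen(cx, &ran)) return -1;
    runJobs(cx);
    return ran;
}

int main() {
    std::printf("main thread:          %d\n", runTestcaseOn(*createMainContext()));
    std::printf("cooperative (buggy):  %d\n", runTestcaseOn(*createCooperativeContextBuggy()));
    std::printf("cooperative (fixed):  %d\n", runTestcaseOn(*createCooperativeContextFixed()));
    return 0;
}
```

Build with `g++ -std=c++14 model.cpp`. The buggy cooperative context reports -1 where the real shell dereferenced null; the point of the model is that the hook is per-context state, so every code path that creates a context (here, the cooperative-thread path) has to run the same initialization as the main thread.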
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
Comment 1•8 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/90fccc166e44
user: Bill McCloskey
date: Fri Apr 21 20:16:57 2017 -0700
summary: Bug 1359245 - Move JS engine promise callbacks from JSRuntime to JSContext (r=till)
This iteration took 226.125 seconds to run.
Comment 2•8 years ago
Bill, is bug 1359245 a likely regressor?
Blocks: 1359245
Flags: needinfo?(wmccloskey)
Comment 3•8 years ago
https://crash-stats.mozilla.com/search/?proto_signature=~enqueuePromiseJob&product=Firefox&date=%3E%3D2017-09-28T19%3A27%3A00.000Z&date=%3C2017-10-05T19%3A27%3A00.000Z&_sort=-date&_facets=signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-signature
Searches for enqueuePromiseJob, which may not be enough here (assuming we hit it at all in the field)
Comment 4•8 years ago
Till, do you know enough about Bill's patch to answer #2?
Flags: needinfo?(till)
Priority: -- → P2
Comment 5•8 years ago
Is this still a problem, Christian? My understanding is that Brian fixed something in bug 1402580 that might have fixed this.
Flags: needinfo?(wmccloskey) → needinfo?(choller)
Comment 6•8 years ago
(In reply to Bill McCloskey (:billm) from comment #5)
> Is this still a problem, Christian? My understanding is that Brian fixed
> something in bug 1402580 that might have fixed this.
Still reproduces for me.
Flags: needinfo?(choller) → needinfo?(wmccloskey)
Updated•8 years ago
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
Comment 7•8 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 196dadb2fe50).
Updated•8 years ago
Whiteboard: [fuzzblocker] [jsbugmon:update,ignore] → [fuzzblocker] [jsbugmon:update,bisectfix]
Updated•8 years ago
Flags: needinfo?(bhackett1024)
Updated•8 years ago
Whiteboard: [fuzzblocker] [jsbugmon:update,bisectfix] → [fuzzblocker] [jsbugmon:update,ignore]
Comment 8•8 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision dfb54d604158).
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/7dd785b2c201
user: Ted Campbell
date: Wed Oct 11 11:32:32 2017 -0400
summary: Bug 1402596 - Init Promise job queue on cooperative threads (jsshell) r=till
This iteration took 229.110 seconds to run.
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(wmccloskey)
Flags: needinfo?(till)
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE