Closed Bug 1512008 Opened 6 years ago Closed 6 years ago

Assertion failure: CheckedUnwrap(promiseObj)->is<PromiseObject>(), at js/src/jsapi.cpp:4054 with ReadableStream

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla65
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox63 --- unaffected
firefox64 --- unaffected
firefox65 --- fixed
firefox66 --- fixed

People

(Reporter: gkw, Assigned: jorendorff)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

Detailed Crash Information
9.06 KB, text/plain
Details
Bug 1512008 - Fix assertion failure with ReadableStream and Promise[Symbol.species]. r?arai
47 bytes, text/x-phabricator-request
Details | Review
The following testcase crashes on mozilla-central revision 47077594d943 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion): // Adapted from randomly chosen test: js/src/tests/non262/Promise/bug-1287334.js Object.defineProperty(Promise, Symbol.species, { value: function(g) { g(function() {}, function() {}) } }); // Adapted from randomly chosen test: js/src/tests/non262/ReadableStream/tee-start.js new ReadableStream(Object.e).tee(); Backtrace: #0 CallOriginalPromiseThenImpl (cx=0x7f8911e18000, promiseObj=..., onResolvedObj_=..., onRejectedObj_=..., resultObj=..., createDependent=js::CreateDependentPromise::Never) at js/src/jsapi.cpp:4054 #1 0x00005560fa7698f8 in JS::AddPromiseReactions (cx=0x7f8912f40680 <_IO_2_1_stderr_>, promiseObj=..., onResolvedObj=..., onRejectedObj=...) at js/src/jsapi.cpp:4079 #2 0x00005560fa5a91f3 in ReadableStreamControllerCallPullIfNeeded (cx=0x7f8911e18000, unwrappedController=...) at js/src/builtin/Stream.cpp:2773 #3 0x00005560fa5a79e8 in ControllerStartHandler (cx=0x7f8911e18000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Stream.cpp:2198 #4 0x00005560fa1c9365 in CallJSNative (cx=0x7f8911e18000, native=0x5560fa5a7810 <ControllerStartHandler(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:443 /snip For detailed crash information, see attachment.
autobisectjs shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/3db828b6494a user: Jason Orendorff date: Wed Oct 24 16:53:09 2018 +0000 summary: Bug 1501734 - Enable streams by default in the JS shell. r=tcampbell Jason, this is probably related to streams - bug 1501734 right?
Blocks: 1501734
Flags: needinfo?(jorendorff)
Assignee: nobody → jorendorff
Flags: needinfo?(jorendorff)
We need a CallOriginalPromiseThen variant that performs the type check in <https://tc39.github.io/ecma262/#sec-promise.prototype.then> step 2 rather than asserting it. There are already way too many variations on that theme, though. :-\
Blocks: streams-meta
Priority: -- → P1
Pushed by jorendorff@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/71253f35ac3c Fix assertion failure with ReadableStream and Promise[Symbol.species]. r=arai
Pushed by jorendorff@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c0c4ff2b0485 Fix assertion failure with ReadableStream and Promise[Symbol.species]. r=arai
https://hg.mozilla.org/mozilla-central/rev/c0c4ff2b0485
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox65: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: