1519322 - Assertion failure: deleted, at js/src/shell/js.cpp:1100 with Promise

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The following testcase crashes on mozilla-central revision 6317367156dd (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// jsfunfuzz-generated
z = newGlobal();
// Adapted from randomly chosen test: js/src/tests/test262/language/expressions/async-generator/named-yield-star-getiter-sync-returns-undefined-throw.js
evalcx("(async function() { l })()", z);
// jsfunfuzz-generated
Promise.prototype.then = z.Promise.prototype.then;
// Adapted from randomly chosen test: js/src/tests/test262/language/statements/async-generator/yield-star-next-not-callable-object-throw.js
async function* f() { n };
f().next().then();

Backtrace:

#0 TrackUnhandledRejections (cx=<optimized out>, state=JS::PromiseRejectionHandlingState::Handled, promise=...) at js/src/shell/js.cpp:1100
#1 ForwardingPromiseRejectionTrackerCallback (cx=0x7f636c718000, promise=..., state=JS::PromiseRejectionHandlingState::Handled, data=<optimized out>) at js/src/shell/js.cpp:1112
#2 0x000055944a096919 in PerformPromiseThenWithReaction (cx=0x7f636c718000, promise=..., reaction=...) at js/src/builtin/Promise.cpp:4274
#3 0x000055944a07bed3 in PerformPromiseThen (cx=0x7f636c718000, promise=..., onFulfilled_=..., onRejected_=..., resultCapability=...) at js/src/builtin/Promise.cpp:4212
#4 0x000055944a07dc68 in js::OriginalPromiseThen (cx=0x7f636c718000, promiseObj=..., onFulfilled=..., onRejected=..., dependent=..., createDependent=js::CreateDependentPromise::Always) at js/src/builtin/Promise.cpp:3393
#5 0x000055944a0825a4 in Promise_then_impl (cx=0x7f636c718000, promiseVal=..., onFulfilled=..., onRejected=..., rval=..., rvalUsed=<optimized out>) at js/src/builtin/Promise.cpp:4157
/snip

For detailed crash information, see attachment.

The assertion failure name is scary ("deleted") so setting s-s as a start.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: Detailed Crash Information

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/c9f108854caa
user: Tooru Fujisawa
date: Tue Jan 08 02:34:57 2019 +0000
summary: Bug 1517868 - Report unhandled rejections in JS shell. r=jorendorff

Arai-san, is bug 1517868 a likely regressor?

Comment 3

[Tooru Fujisawa [:arai]]

thanks.

this is shell-only and also not a security issue.
just that the JS shell doesn't track promise rejection properly.
(it doesn't wrap promise object on correct condition)

feel free to open.

I'll post patch shortly.

Comment 4

[Tooru Fujisawa [:arai]]

Attachment: Bug 1519322 - Wrap unhandled/handled promise properly in JS shell promise rejection tracker. r=jorendorff

Comment 5

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Opening up as per comment 3.

Comment 6

[Pulsebot]

Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/0279e3d8b2f1
Wrap unhandled/handled promise properly in JS shell promise rejection tracker. r=jorendorff

Comment 7

[Narcis Beleuzu [:NarcisB]]

https://hg.mozilla.org/mozilla-central/rev/0279e3d8b2f1