Closed Bug 1519612 Opened 9 months ago Closed 9 months ago

Assertion failure: !cx->isExceptionPending(), at js/src/vm/JSContext-inl.h:288 with Promise.reject

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla66
Tracking Status
firefox-esr60 --- unaffected
firefox64 --- unaffected
firefox65 --- unaffected
firefox66 --- fixed

People

(Reporter: gkw, Assigned: arai)

References

(Blocks 2 open bugs)

Details

(4 keywords, Whiteboard: [jsbugmon:])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 3aec75953c28 (build with --enable-debug, run with --fuzzing-safe --no-threads --no-baseline --no-ion -D):

// jsfunfuzz-generated
x = [""];
// Adapted from randomly chosen test: js/src/jit-test/tests/promise/unhandled-rejections-error.js
Promise.reject(
    {
        toSource() {
            throw "";
        }
    }
);

Backtrace:

#0 js::CheckForInterrupt (cx=0x7fae07918000) at js/src/vm/JSContext-inl.h:288
#1 0x000055d1d55591b9 in array_toSource (cx=0x7fae07918000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Array.cpp:1207
#2 0x000055d1d5501950 in CallJSNative (cx=0x7fae07918000, native=0x55d1d5558e60 <array_toSource(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:444
#3 0x000055d1d54f1f4d in js::InternalCallOrConstruct (cx=0x7fae07918000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:536
#4 0x000055d1d54f2abd in js::Call (cx=0x7fae08abc680 <_IO_2_1_stderr_>, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:607
#5 0x000055d1d56b00bf in js::Call (cx=0x7fae07918000, fval=..., thisObj=<optimized out>, rval=...) at js/src/vm/Interpreter.h:91
/snip

For detailed crash information, see attachment.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/c9f108854caa
user: Tooru Fujisawa
date: Tue Jan 08 02:34:57 2019 +0000
summary: Bug 1517868 - Report unhandled rejections in JS shell. r=jorendorff

Arai-san, is bug 1517868 a likely regressor?

Blocks: 1517868
Flags: needinfo?(arai.unmht)

yes, thanks.

Flags: needinfo?(arai.unmht)
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/d915d432405f
Handle exception while reporting unhandled rejections. r=jorendorff
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66

Should we land the testcase from this still?

Flags: needinfo?(arai.unmht)
Flags: in-testsuite?

this is shell-only and needs special command-line flag for js shell,
so this cannot be tested on current automation,
and IMO test for this isn't much important.

Flags: needinfo?(arai.unmht)
Flags: in-testsuite? → in-testsuite-
You need to log in before you can comment on or make changes to this bug.