Closed Bug 1530345 Opened 8 months ago Closed 7 months ago

Assertion failure: cx->jobQueue->empty(), at js/src/builtin/Promise.cpp:5182 with Debugger

Core :: JavaScript Engine, defect, critical
Platform: x86_64 Linux
Priority: Not set
Status: RESOLVED WORKSFORME
Tracking Status: firefox67 --- affected
Reporter: decoder, Unassigned
References: Blocks 1 open bug
Details: 4 keywords, Whiteboard: [jsbugmon:update,ignore]

The following testcase crashes on mozilla-central revision 6924dd16f7b1 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

// Debuggee global in its own compartment, observed by a Debugger instance.
var g = newGlobal({ newCompartment: true });
var dbg = new Debugger;
var gDO = dbg.addDebuggee(g);
// Enqueues a promise reaction job from inside a debugger hook.
function exercise(name) {
  Promise.resolve(42).then(v => {});
}
dbg.onDebuggerStatement = function (frame) {
  // onStep throws (this.bar is undefined), which routes to uncaughtExceptionHook.
  frame.onStep = function () {
    this.bar.a ^ this;
  };
  dbg.uncaughtExceptionHook = function (ex) {
    exercise('uncaught');
  };
};
g.eval("debugger;");

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  JS::AutoDebuggerJobQueueInterruption::~AutoDebuggerJobQueueInterruption (this=0x7fffffffb120, __in_chrg=<optimized out>) at js/src/builtin/Promise.cpp:5182
#1  0x0000555555a3d584 in js::Debugger::onSingleStep (cx=<optimized out>, vp=...) at js/src/vm/Debugger.cpp:2296
#2  0x00005555558e4bd8 in Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:1887
#3  0x00005555558e7996 in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:420
#4  0x00005555558eaf1d in js::ExecuteKernel (cx=<optimized out>, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=0x7fffffffc5e0) at js/src/vm/Interpreter.cpp:779
#5  0x0000555555924319 in EvalKernel (cx=<optimized out>, cx@entry=0x7ffff5f17000, v=..., evalType=evalType@entry=INDIRECT_EVAL, caller=..., env=..., pc=pc@entry=0x0, vp=...) at js/src/builtin/Eval.cpp:325
#6  0x0000555555924b35 in js::IndirectEval (cx=cx@entry=0x7ffff5f17000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Eval.cpp:423
#7  0x00005555558f6269 in CallJSNative (cx=0x7ffff5f17000, native=0x555555924a80 <js::IndirectEval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:440
#8  0x00005555558e7f57 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:532
#9  0x00005555558e867d in InternalCall (cx=cx@entry=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:587
#10 0x00005555558e8810 in js::Call (cx=cx@entry=0x7ffff5f17000, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:603
#11 0x0000555555e6d3f2 in js::ForwardingProxyHandler::call (this=<optimized out>, cx=0x7ffff5f17000, proxy=..., args=...) at js/src/proxy/Wrapper.cpp:162
#12 0x0000555555e57593 in js::CrossCompartmentWrapper::call (this=0x555557be8920 <js::CrossCompartmentWrapper::singleton>, cx=<optimized out>, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:238
#13 0x0000555555e63d55 in js::Proxy::call (cx=0x7ffff5f17000, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:501
#14 0x00005555558e8446 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:506
#15 0x00005555558e867d in InternalCall (cx=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:587
#16 0x00005555558da989 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:591
#17 Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:3051
#18 0x00005555558e7996 in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:420
[...]
#27 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:10970
rax	0x555557c31280	93825032983168
rbx	0x7fffffffb120	140737488335136
rcx	0x555556b24b70	93825015106416
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffb0a0	140737488335008
rsp	0x7fffffffb090	140737488334992
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7ffff5f17000	140737319628800
r13	0x1	1
r14	0x7fffffffb1b0	140737488335280
r15	0x7fffffffb170	140737488335216
rip	0x5555559495d9 <JS::AutoDebuggerJobQueueInterruption::~AutoDebuggerJobQueueInterruption()+185>
=> 0x5555559495d9 <JS::AutoDebuggerJobQueueInterruption::~AutoDebuggerJobQueueInterruption()+185>:	movl   $0x0,0x0
   0x5555559495e4 <JS::AutoDebuggerJobQueueInterruption::~AutoDebuggerJobQueueInterruption()+196>:	ud2

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/3ae9f2b94f97
user: Jim Blandy
date: Tue Feb 12 08:10:54 2019 +0000
summary: Bug 1145201: Use AutoDebuggerJobQueueInterruption in Debugger. r=jorendorff

Jim, is bug 1145201 a likely regressor?

Blocks: 1145201
Flags: needinfo?(jimb)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 98d4803bb2de).

Christian, can you please confirm if this is no longer reproducible (per comment 2) and we should close it appropriately?

Flags: needinfo?(choller)
Flags: needinfo?(choller)
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,bisectfix]
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision ab709310d23f).
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b84fd1d91da2
user:        André Bargull
date:        Tue Feb 26 08:08:36 2019 -0800
summary:     Bug 1530324 - Part 6: Add JSOP_ASYNCRESOLVE to fulfill/reject an async function promise. r=arai

This iteration took 517.054 seconds to run.

Andre, is bug 1530324 a likely fix?

Flags: needinfo?(jimb) → needinfo?(andrebargull)

Probably it's the same issue I've faced in bug 1530324, where some internal state of the shell's promise queue wasn't properly saved and restored in AutoDebuggerJobQueueInterruption. From bug 1530324 comment #7:

This uncovered an existing bug in js::InternalJobQueue::SavedQueue, where the js::InternalJobQueue::draining_ state wasn't properly reset. A regression test for this bug was added at "js/src/jit-test/tests/debug/save-queue-resets-draining.js" (fails on current tip).

Flags: needinfo?(andrebargull)

Gary, should this bug be closed since this testcase doesn’t reproduce anymore?

Flags: needinfo?(nth10sd)

No, someone has got to figure out the next steps. Jim, any thoughts?

Flags: needinfo?(nth10sd) → needinfo?(jimb)

André's changes in Bug 1530324 would reasonably have fixed this bug - in particular, expanding js::InternalJobQueue::SavedQueue to also save and restore InternalJobQueue::draining_, as done here:

https://hg.mozilla.org/mozilla-central/diff/b84fd1d91da2/js/src/vm/JSContext.cpp#l1.47

So I think this bug is fine to close.

Status: NEW → RESOLVED
Closed: 7 months ago
Flags: needinfo?(jimb)
Resolution: --- → WORKSFORME
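The save/restore pattern discussed in the comments above (a SavedQueue that swaps the job queue out while a debugger hook runs, and a destructor that checks the queue is empty again) can be modelled in a few lines. The following is an added example written for this page, not SpiderMonkey's code: the JobQueue, SavedQueue, runDebuggerHookInterruption and simulate names are assumptions, and the `fixed` flag switches between a SavedQueue that leaves the draining flag untouched (the defect the comments describe) and one that saves it and resets it for the fresh queue.

```cpp
// Added example modelling the bug class; not SpiderMonkey's code.
#include <cassert>
#include <cstdio>
#include <deque>
#include <functional>
#include <utility>

// Minimal internal job queue with a "draining" flag, as an embedding's
// promise job queue typically has. Re-entrant runJobs() calls are no-ops.
struct JobQueue {
    std::deque<std::function<void()>> jobs;
    bool draining = false;  // true while runJobs() is consuming the queue

    bool empty() const { return jobs.empty(); }
    void enqueue(std::function<void()> job) { jobs.push_back(std::move(job)); }

    void runJobs() {
        if (draining) return;  // already being drained further up the stack
        draining = true;
        while (!jobs.empty()) {
            auto job = std::move(jobs.front());
            jobs.pop_front();
            job();
        }
        draining = false;
    }
};

// Swaps the queue out so a debugger hook runs against an empty queue, and
// restores the saved state when the hook is done. `fixed` selects whether
// the draining flag is part of the saved state (the fix) or forgotten (bug).
struct SavedQueue {
    JobQueue& queue;
    std::deque<std::function<void()>> savedJobs;
    bool savedDraining;

    SavedQueue(JobQueue& q, bool fixed) : queue(q), savedDraining(q.draining) {
        savedJobs.swap(queue.jobs);
        if (fixed) queue.draining = false;  // a fresh queue is not mid-drain
    }
    ~SavedQueue() {
        queue.jobs.swap(savedJobs);   // any job left behind here is lost
        queue.draining = savedDraining;
    }
};

// Models the interruption scope: run the hook, drain what it enqueued, and
// report whether the queue was empty at exit (the invariant the real
// destructor asserts with cx->jobQueue->empty()).
bool runDebuggerHookInterruption(JobQueue& queue, bool fixed,
                                 const std::function<void()>& hook) {
    SavedQueue saved(queue, fixed);
    hook();           // e.g. Promise.resolve(42).then(...) from the hook
    queue.runJobs();  // must drain the hook's jobs before restoring
    return queue.empty();
}

struct Outcome {
    bool queueEmptyAtExit;  // would the assertion have held?
    bool innerJobRan;       // did the hook's promise job ever run?
};

// Shape of the testcase: a hook fires while the embedding is already
// draining its queue, and the hook itself enqueues a promise job.
Outcome simulate(bool fixed) {
    JobQueue queue;
    Outcome out{false, false};
    queue.enqueue([&] {
        out.queueEmptyAtExit = runDebuggerHookInterruption(queue, fixed, [&] {
            queue.enqueue([&] { out.innerJobRan = true; });
        });
    });
    queue.runJobs();  // outer drain: draining == true when the hook runs
    return out;
}

int main() {
    Outcome bug = simulate(false), fix = simulate(true);
    std::printf("buggy SavedQueue: empty=%d innerRan=%d\n",
                bug.queueEmptyAtExit, bug.innerJobRan);
    std::printf("fixed SavedQueue: empty=%d innerRan=%d\n",
                fix.queueEmptyAtExit, fix.innerJobRan);
    return 0;
}
```

With the stale draining flag the inner runJobs() returns immediately, the hook's job stays queued, the emptiness invariant fails, and the job is silently dropped on restore; saving and resetting the flag lets the hook's jobs drain and the outer drain resume as before.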