Closed Bug 1532602 Opened 1 year ago Closed 1 year ago

Assertion failure: state() == JS::PromiseState::Rejected, at js/src/builtin/Promise.h:124

Categories

(Core :: JavaScript Engine, defect, P1, critical)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
mozilla67
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- wontfix
firefox67 --- fixed

People

(Reporter: decoder, Assigned: arai)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: JS fuzzing bug [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision fd67a4332060 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

function newPromiseCapability() {
    var resolve, reject, promise = new Promise(function(meta , r2) {
        resolve = r1;   // r1 is undeclared: the executor throws a ReferenceError, so the promise is rejected
    });
    return {promise, resolve, reject};
}
var {promise, reject} = newPromiseCapability();
settlePromiseNow(promise);   // shell testing function: fulfills the already-rejected promise

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::PromiseObject::reason (this=0x1770b7500628) at js/src/builtin/Promise.h:124
#1  0x000055555582f09b in PrintUnhandledRejection (promise=..., cx=<optimized out>) at js/src/shell/js.cpp:10231
#2  ReportUnhandledRejections (cx=<optimized out>) at js/src/shell/js.cpp:10320
#3  Shell (envp=<optimized out>, op=0x7fffffffd990, cx=<optimized out>) at js/src/shell/js.cpp:10399
#4  main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:10966
rip	0x55555586a3b1 <js::PromiseObject::reason()+145>
=> 0x55555586a3b1 <js::PromiseObject::reason()+145>:	movl   $0x0,0x0
   0x55555586a3bc <js::PromiseObject::reason()+156>:	ud2

Steven, could you please have someone look into this for the 67 soft freeze (Mar 11)?

Flags: needinfo?(sdetar)

Neha, the fix for this bug will make Fx67

Flags: needinfo?(sdetar)
Whiteboard: [jsbugmon:update,bisect] → JS fuzzing bug [jsbugmon:update,bisect]

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/c9f108854caa
user: Tooru Fujisawa
date: Tue Jan 08 02:34:57 2019 +0000
summary: Bug 1517868 - Report unhandled rejections in JS shell. r=jorendorff

Arai-san, is bug 1517868 a likely regressor?

Blocks: 1517868
Flags: needinfo?(arai.unmht)

This is shell-only, and also possible only with a testing function (that is also available in the browser, but requires chrome priv).
The issue is that settlePromiseNow can fulfill a promise that is already rejected, which breaks the assumption about the rejection tracking.
We should reject calling settlePromiseNow on a resolved promise.

Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Whiteboard: JS fuzzing bug [jsbugmon:update,bisect] → JS fuzzing bug [jsbugmon:update]
Flags: needinfo?(arai.unmht)
Priority: -- → P1
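As an added illustration (not code from this bug or from SpiderMonkey), a small JavaScript model of the state machine the comment above describes: a promise record with the three PromiseState values, a reason() accessor that enforces the state() == Rejected invariant from the assertion, an unhandled-rejection set like the one ReportUnhandledRejections walks, and settlePromiseNow in its original shape beside the fixed one that throws on an already-settled promise. Names other than those quoted from the bug (ModelPromise, runScenario, the two settle variants) are assumptions.

```javascript
// Model of the promise state machine behind bug 1532602 (added example, not
// SpiderMonkey source). PromiseState mirrors the enum named in the assertion.
const PromiseState = Object.freeze({ Pending: 0, Fulfilled: 1, Rejected: 2 });
// Shell-side bookkeeping: promises rejected with no handler attached, which
// ReportUnhandledRejections walks at exit and calls reason() on.
const unhandledRejections = new Set();

class ModelPromise {
  constructor() { this.state = PromiseState.Pending; this.value = undefined; }
  reject(reason) {
    if (this.state !== PromiseState.Pending) return; // standard reject(): one-shot
    this.state = PromiseState.Rejected;
    this.value = reason;
    unhandledRejections.add(this);
  }
  // Mirrors PromiseObject::reason(): only valid on a rejected promise.
  reason() {
    if (this.state !== PromiseState.Rejected) {
      throw new Error("Assertion failure: state() == JS::PromiseState::Rejected");
    }
    return this.value;
  }
}

// Original testing function: fulfils without checking the current state, so a
// promise still listed as an unhandled rejection can become Fulfilled.
function settlePromiseNowBuggy(p, value) {
  p.state = PromiseState.Fulfilled;
  p.value = value;
}

// Fixed behaviour: settling an already-settled promise is an error.
function settlePromiseNowFixed(p, value) {
  if (p.state !== PromiseState.Pending) {
    throw new TypeError("settlePromiseNow called on an already-resolved promise");
  }
  p.state = PromiseState.Fulfilled;
  p.value = value;
}

// Runs the shape of the fuzzer testcase: reject (the executor threw), then
// settle, then report. Returns "assert", "settle-refused" or "ok".
function runScenario(settle) {
  unhandledRejections.clear();
  const p = new ModelPromise();
  p.reject(new ReferenceError("r1 is not defined")); // what the executor did
  try { settle(p, "fulfilled"); } catch (e) { return "settle-refused"; }
  try { for (const q of unhandledRejections) q.reason(); } catch (e) { return "assert"; }
  return "ok";
}
```

With the original settle the tracked promise reaches the reporting pass in the Fulfilled state and reason() trips the invariant; with the fixed settle the call itself is refused, as the landed patch does.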

Comment 2 is a typo. Steve meant to say this fix will not make FF67 (although ... it could, I guess; but it shouldn't be tracked for FF67).

Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/6c08bfd19a36
Throw error when settlePromiseNow is called on already-resolved promise. r=jorendorff
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67