Closed Bug 1539782 Opened 5 years ago Closed 5 years ago

Assertion failure: !IsSettledMaybeWrappedPromise(promise), at js/src/builtin/Promise.cpp:830 with Debugger

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla68

Tracking Flags:

Tracking

Status

firefox-esr60

---

unaffected

firefox66

---

unaffected

firefox67

---

wontfix

firefox68

---

fixed

People

(Reporter: decoder, Assigned: anba)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

Bug 1539782: Don't attempt to resolve an already settled promise in the debugger. r=arai! 5 years ago André Bargull [:anba] 47 bytes, text/x-phabricator-request		Details \| Review

Christian Holler (:decoder)

Reporter

Description

•

5 years ago

The following testcase crashes on mozilla-central revision 7f816aa10a20 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

let g = newGlobal({newCompartment: true});
g.eval(`
  async function f() {
    debugger;
  }
`);
let dbg = Debugger(g);
dbg.onDebuggerStatement = frame => {
  frame.onPop = eval;
};
g.f();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  ResolvePromiseInternal (cx=<optimized out>, promise=..., resolutionVal=...) at js/src/builtin/Promise.cpp:830
#1  0x0000555555970949 in js::AsyncFunctionReturned (cx=<optimized out>, resultPromise=..., value=...) at js/src/builtin/Promise.cpp:3555
#2  0x00005555559ad4c5 in js::AsyncFunctionResolve (cx=0x7ffff5f17000, generator=..., generator@entry=..., valueOrReason=..., resolveKind=resolveKind@entry=js::AsyncFunctionResolveKind::Fulfill) at js/src/vm/AsyncFunction.cpp:162
#3  0x0000555555a310a0 in AdjustGeneratorResumptionValue (vp=..., resumeMode=@0x7fffffffb7ec: js::ResumeMode::Return, frame=..., cx=<optimized out>) at js/src/vm/Debugger.cpp:1649
#4  js::Debugger::leaveDebugger (this=this@entry=0x7ffff5f6f800, ar=..., frame=..., frame@entry=..., maybeThisv=..., callHook=callHook@entry=js::Debugger::CallUncaughtExceptionHook::Yes, resumeMode=<optimized out>, vp=...) at js/src/vm/Debugger.cpp:1784
#5  0x0000555555a36563 in js::Debugger::processParsedHandlerResult (this=this@entry=0x7ffff5f6f800, ar=..., frame=..., pc=pc@entry=0x7ffff4dec775 "\314\006\032", success=success@entry=true, resumeMode=js::ResumeMode::Return, vp=...) at js/src/vm/Debugger.cpp:1808
#6  0x0000555555a3af3f in js::Debugger::slowPathOnLeaveFrame (cx=<optimized out>, cx@entry=0x7ffff5f17000, frame=..., pc=pc@entry=0x7ffff4dec775 "\314\006\032", frameOk=frameOk@entry=true) at js/src/vm/Debugger.cpp:1072
#7  0x00005555558eaaf3 in js::Debugger::onLeaveFrame (cx=0x7ffff5f17000, frame=..., pc=0x7ffff4dec775 "\314\006\032", ok=true) at js/src/vm/Debugger-inl.h:30
#8  0x00005555558da9b2 in Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:4397
#9  0x00005555558e13b6 in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:422
#10 0x00005555558e1c3f in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:562
#11 0x00005555558e208d in InternalCall (cx=cx@entry=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:589
#12 0x00005555558e2220 in js::Call (cx=cx@entry=0x7ffff5f17000, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:605
#13 0x0000555555e57422 in js::ForwardingProxyHandler::call (this=<optimized out>, cx=0x7ffff5f17000, proxy=..., args=...) at js/src/proxy/Wrapper.cpp:162
#14 0x0000555555e42193 in js::CrossCompartmentWrapper::call (this=0x555557bdbc60 <js::CrossCompartmentWrapper::singleton>, cx=<optimized out>, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:238
#15 0x0000555555e4e755 in js::Proxy::call (cx=0x7ffff5f17000, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:503
#16 0x00005555558e1e56 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:508
#17 0x00005555558e208d in InternalCall (cx=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:589
#18 0x00005555558d3921 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:593
#19 Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:3075
#20 0x00005555558e13b6 in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:422
[...]
#29 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11265
rax	0x555557c23240	93825032925760
rbx	0x555556b1c790	93825015072656
rcx	0x7ffff6c1c2dd	140737333281501
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffb770	140737488336752
rsp	0x7fffffffb560	140737488336224
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7fffffffbb00	140737488337664
r13	0x7ffff5f17000	140737319628800
r14	0x7fffffffb720	140737488336672
r15	0x7fffffffbbe0	140737488337888
rip	0x555555970209 <ResolvePromiseInternal(JSContext*, JS::HandleObject, JS::HandleValue)+1305>
=> 0x555555970209 <ResolvePromiseInternal(JSContext*, JS::HandleObject, JS::HandleValue)+1305>:	movl   $0x0,0x0
   0x555555970214 <ResolvePromiseInternal(JSContext*, JS::HandleObject, JS::HandleValue)+1316>:	ud2

Fuzzing Team

Updated

•

5 years ago

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Fuzzing Team

Comment 1

•

5 years ago

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b84fd1d91da2
user:        André Bargull
date:        Tue Feb 26 08:08:36 2019 -0800
summary:     Bug 1530324 - Part 6: Add JSOP_ASYNCRESOLVE to fulfill/reject an async function promise. r=arai

This iteration took 1.538 seconds to run.

André Bargull [:anba]

Assignee

Updated

•

5 years ago

Assignee: nobody → andrebargull

Status: NEW → ASSIGNED

Jason Orendorff [:jorendorff]

Updated

•

5 years ago

Priority: -- → P1

André Bargull [:anba]

Assignee

Comment 2

•

5 years ago

Attached file Bug 1539782: Don't attempt to resolve an already settled promise in the debugger. r=arai! — Details

André Bargull [:anba]

Assignee

Comment 3

•

5 years ago

Try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=6dac73f065c71b4ef21481c32b5dcd3e9a976ef9

Keywords: checkin-needed

Pulsebot

Comment 4

•

5 years ago

Pushed by cbrindusan@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4c40f8f355e3
Don't attempt to resolve an already settled promise in the debugger. r=arai

Keywords: checkin-needed

Cristian Brindusan [:cbrindusan]

Comment 5

•

5 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/4c40f8f355e3

Status: ASSIGNED → RESOLVED

Closed: 5 years ago

status-firefox68: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla68

Ryan VanderMeulen [:RyanVM]

Updated

•

5 years ago

status-firefox66: --- → unaffected

status-firefox67: --- → wontfix

status-firefox-esr60: --- → unaffected

Flags: in-testsuite+

Regressed by: 1530324

BugBot [:suhaib / :marco/ :calixte]

Updated

•

2 years ago

Has Regression Range: --- → yes

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Assertion failure: !IsSettledMaybeWrappedPromise(promise), at js/src/builtin/Promise.cpp:830 with Debugger

Categories

(Core :: JavaScript Engine, defect, P1)

Tracking

()

People

(Reporter: decoder, Assigned: anba)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Comment 1

Updated

Updated

Comment 2

Comment 3

Comment 4

Comment 5

Updated

Updated

Attachment

General

Description

File Name

Content Type