1545354 - Assertion failure: promise->state() == JS::PromiseState::Pending, at builtin/Promise.cpp:1117

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

The upcoming testcase crashes on mozilla-central revision 02b89c29412b (build with PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig AR=ar 'CXX="clang++ -m32 -msse2 -mfpmath=sse"' 'CC="clang -m32 -msse2 -mfpmath=sse"' sh ./configure --target=i686-pc-linux --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests --disable-cranelift, run with --fuzzing-safe --no-threads):

Backtrace:

#0 ResolvePromise (cx=<optimized out>, promise=..., valueOrReason=..., state=<optimized out>)
at /home/ubuntu/trees/mozilla-central/js/src/builtin/Promise.cpp:1117
#1 0x576114d4 in RejectPromiseInternal (cx=<optimized out>, promise=..., reason=...)
at /home/ubuntu/trees/mozilla-central/js/src/builtin/Promise.cpp:1161
#2 js::AsyncFunctionThrown (cx=0xf6c2a800, resultPromise=..., reason=...) at /home/ubuntu/trees/mozilla-central/js/src/builtin/Promise.cpp:3873
#3 0x5766e9ab in AsyncFunctionResume (cx=0x586c11f4 <gMozCrashReason>, generator=..., kind=<optimized out>, valueOrReason=...)
at /home/ubuntu/trees/mozilla-central/js/src/vm/AsyncFunction.cpp:126
#4 0x5766e314 in js::AsyncFunctionAwaitedFulfilled (cx=0xf6c2a800, generator=..., value=...)
at /home/ubuntu/trees/mozilla-central/js/src/vm/AsyncFunction.cpp:145
#5 0x5762cce9 in AsyncFunctionPromiseReactionJob (cx=0x56642f13, reaction=...) at /home/ubuntu/trees/mozilla-central/js/src/builtin/Promise.cpp:1496
/snip

For detailed crash information, see attachment.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/2e36a4f4d996
user: André Bargull
date: Thu Apr 11 12:22:43 2019 +0000
summary: Bug 1539694 - Part 2: Implement Promise.allSettled stage 3 proposal. r=jorendorff

Andre, is bug 1539694 a likely regressor?

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: w365-reduced.js

Please remember to point regressionTestsRoot at the top of the file to your m-c repository, ideally at m-c rev 02b89c29412b.

The testcase should crash after ~5 seconds.

Comment 2

[André Bargull [:anba]]

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #0)

Andre, is bug 1539694 a likely regressor?

No, it was probably just found by autobisectjs because it added a new property to Promise and by that changed the OOM conditions under which this assertion is hit. The correct regressor is bug 1532265.

Simplified test case, run with: for i in {1..100}; do echo "i=${i}"; $MOZJS /tmp/test.js ${i}; done

ignoreUnhandledRejections();

var oomAt = 60;
if (scriptArgs.length) oomAt = scriptArgs[0]|0;

async function f(p) {
    await p;
}

var p = Promise.reject();

var o = f(p);

var a = [];
for (var i = 0; i < 10; ++i) a.push(o.then());

oomAtAllocation(oomAt);

drainJobQueue();

Comment 3

[André Bargull [:anba]]

Attachment: Bug 1545354: Don't try to reject an already resolved async function promise on OOM. r=arai!

Comment 4

[André Bargull [:anba]]

Try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=2099c81632ad3b31cf763ec0240642835d5780a0

Comment 5

[Pulsebot]

Pushed by csabou@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a296a09b1ad1
Don't try to reject an already resolved async function promise on OOM. r=arai

Comment 6

[Cristian Brindusan [:cbrindusan]]

https://hg.mozilla.org/mozilla-central/rev/a296a09b1ad1