Closed Bug 1545369 Opened 5 years ago Closed 5 years ago

Crash [@ JSObject::getClass] involving async/await

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox67 --- unaffected
firefox68 --- fixed

People

(Reporter: gkw, Assigned: jonco)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

Detailed Crash Information
4.17 KB, text/plain
Details
Bug 1545369 - Check for OOM in shell ReportUnhandledRejections function r=pbone?
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 02b89c29412b (build with --enable-debug, run with --fuzzing-safe --no-threads --no-baseline --no-ion --no-cgc):

// jsfunfuzz-generated
async function f(x) {
    await await x;
};
for (let i = 0; i < 7; ++i) {
    for (let j = 0; j < 89; ++j) {
        f();
    }
}
// Adapted from randomly chosen test: js/src/jit-test/tests/parser/bug-1263355-14.js
gcparam("maxBytes", gcparam("gcBytes"));

Backtrace:

#0 JSObject::getClass (this=0x0) at js/src/vm/JSObject.h:106
#1 JSObject::is<js::ArrayObject> (this=0x0) at js/src/vm/JSObject.h:508
#2 JSObject::as<js::ArrayObject> (this=0x0) at js/src/vm/JSObject.h:513
#3 ReportUnhandledRejections (cx=<optimized out>) at js/src/shell/js.cpp:10667
/snip

For detailed crash information, see attachment.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/c6317f06ed07
user: Jon Coppeard
date: Mon Apr 01 18:38:26 2019 +0100
summary: Bug 1505622 - Skip last ditch GC and fail the allocation if we already did last ditch GC within the last minute r=sfink

Jon, is bug 1505622 a likely regressor?

Flags: needinfo?(jcoppeard)
Regressed by: 1505622
Summary: Crash [@ JSObject::getClass] → Crash [@ JSObject::getClass] involving async/await

This was caused by a missing error check in the shell.

Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)

Add an error check in ReportUnhandledRejections function.

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d06933631a6e
Check for OOM in shell ReportUnhandledRejections function r=pbone

https://hg.mozilla.org/mozilla-central/rev/d06933631a6e

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox68: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: