1577613 - Assertion failure: !IsSettledMaybeWrappedPromise(promise), at js/src/builtin/Promise.cpp:836

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 23824765c6aa (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

let g14 = function*() {}
async function* fn() {
  for await ([...x88] of [g14()]) {}
}
let promise = fn().next();
settlePromiseNow(promise);

Backtrace:

received signal SIGSEGV, Segmentation fault.
ResolvePromiseInternal (cx=<optimized out>, promise=promise@entry=..., resolutionVal=resolutionVal@entry=...) at js/src/builtin/Promise.cpp:836
#0  ResolvePromiseInternal (cx=<optimized out>, promise=promise@entry=..., resolutionVal=resolutionVal@entry=...) at js/src/builtin/Promise.cpp:836
#1  0x0000555555989fc1 in AsyncGeneratorResumeNext (cx=<optimized out>, cx@entry=0x7ffff5f23000, generator=..., kind=<optimized out>, kind@entry=ResumeNextKind::Resolve, valueOrException_=..., done=<optimized out>) at js/src/builtin/Promise.cpp:4335
#2  0x000055555598ad46 in js::AsyncGeneratorResolve (cx=cx@entry=0x7ffff5f23000, asyncGenObj=..., asyncGenObj@entry=..., value=..., value@entry=..., done=<optimized out>) at js/src/builtin/Promise.cpp:4243
#3  0x00005555559cf4c3 in AsyncGeneratorReturned (value=..., asyncGenObj=..., cx=<optimized out>) at js/src/vm/AsyncIteration.cpp:306
#4  js::AsyncGeneratorResume (cx=<optimized out>, asyncGenObj=..., completionKind=completionKind@entry=js::CompletionKind::Normal, argument=...) at js/src/vm/AsyncIteration.cpp:392
#5  0x00005555559cf6cf in js::AsyncGeneratorAwaitedFulfilled (cx=<optimized out>, asyncGenObj=..., asyncGenObj@entry=..., value=..., value@entry=...) at js/src/vm/AsyncIteration.cpp:30
#6  0x000055555598b80d in AsyncGeneratorPromiseReactionJob (reaction=..., cx=<optimized out>) at js/src/builtin/Promise.cpp:1522
#7  PromiseReactionJob (cx=<optimized out>, cx@entry=0x7ffff5f23000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Promise.cpp:1658
#8  0x00005555558f195f in CallJSNative (cx=0x7ffff5f23000, native=native@entry=0x55555598ad70 <PromiseReactionJob(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:447
[...]
#16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11363
rax	0x555557d1f140	93825033957696
rbx	0x7fffffffcea0	140737488342688
rcx	0x555556c80870	93825016531056
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffcd40	140737488342336
rsp	0x7fffffffcb30	140737488341808
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7fffffffcec0	140737488342720
r13	0x7ffff5f23000	140737319677952
r14	0x7fffffffccf0	140737488342256
r15	0x7fffffffceb0	140737488342704
rip	0x55555597b909 <ResolvePromiseInternal(JSContext*, JS::HandleObject, JS::HandleValue)+1257>
=> 0x55555597b909 <ResolvePromiseInternal(JSContext*, JS::HandleObject, JS::HandleValue)+1257>:	movl   $0x0,0x0
   0x55555597b914 <ResolvePromiseInternal(JSContext*, JS::HandleObject, JS::HandleValue)+1268>:	ud2

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a91dd87054d3
user:        Tooru Fujisawa
date:        Fri Aug 04 13:04:31 2017 +0900
summary:     Bug 1379525 - Part 1: Await on the value before yielding or returning inside async generator. r=shu,till

This iteration took 276.548 seconds to run.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Arai-san, is bug 1379525 a likely regressor?

Comment 3

[Tooru Fujisawa [:arai]]

The testcase uses settlePromiseNow that doesn't happen in wild.
async functions' and generators' implementation uses assumption about the promises created there are not resolved outside of their logic,
and the testcase breaks it for async generator.

so, the issue here is how to avoid this kind of crash in fuzzing, while keeping using settlePromiseNow in some other useful cases.

we already check async function's case here
https://searchfox.org/mozilla-central/rev/9415ecf29ba1acbef9381335e0ecde5916ca4073/js/src/builtin/TestingFunctions.cpp#2373-2377

we might be able to add yet another check for async generator's promise.

Comment 4

[Tooru Fujisawa [:arai]]

Attachment: Bug 1577613 - Throw when resolving/rejecting promises returned by async generator method. r?jorendorff

Comment 5

[Pulsebot]

Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/1e3d82eefca7
Throw when resolving/rejecting promises returned by async generator method. r=jorendorff

Comment 6

[Oana Pop-Rus]

https://hg.mozilla.org/mozilla-central/rev/1e3d82eefca7

Comment 7

[Ryan VanderMeulen [:RyanVM]]

Is there a user impact which justifies backport consideration here or can this fix ride Fx71 to release?

Comment 8

[Tooru Fujisawa [:arai]]

this is shell-only issue (or chrome-priv only if we consider Cu.getJSTestingFunctions),
so the affected case is mostly fuzzing.
redirecting to :decoder.

Comment 9

[Christian Holler (:decoder)]

Shell-only so no backport required.