Closed Bug 1646317 Opened 5 years ago Closed 5 years ago

Assertion failure: errorObj->type() == JSEXN_AGGREGATEERR, at builtin/Promise.cpp:3896

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla79
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox77 --- unaffected
firefox78 --- unaffected
firefox79 --- verified

People

(Reporter: decoder, Assigned: jorendorff)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

Testcase
177 bytes, text/plain
Details
Bug 1646317 - Fix Assertion failure: errorObj->type() == JSEXN_AGGREGATEERR, at builtin/Promise.cpp:3896. r=jwalden.
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20200617-0e023da23571 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

Array.prototype[Symbol.iterator] = function*() {
  let rejected = Promise.reject(0);
  let p = Promise.any([rejected]);
}
new Set(Object.keys(this));
new Set(Object.keys(this));

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000555555be8610 in ThrowAggregateError(JSContext*, JS::Handle<PromiseCombinatorElements>, JS::Handle<JSObject*>) ()
#0  0x0000555555be8610 in ThrowAggregateError(JSContext*, JS::Handle<PromiseCombinatorElements>, JS::Handle<JSObject*>) ()
#1  0x0000555555be469e in PerformPromiseAny(JSContext*, PromiseForOfIterator&, JS::Handle<JSObject*>, JS::Handle<PromiseCapability>, JS::Handle<JS::Value>, bool*) ()
#2  0x0000555555be048c in CommonPromiseCombinator(JSContext*, JS::CallArgs&, CombinatorKind) ()
#3  0x0000555555bdfd00 in Promise_static_any(JSContext*, unsigned int, JS::Value*) ()
#4  0x00000ee71cbf98ef in ?? ()
#5  0x000021adc9da0380 in ?? ()
#6  0x00007fffffdff260 in ?? ()
#7  0x0000000000000000 in ?? ()
rax	0x55555705fd36	93825020591414
rbx	0x7ffff6027060	140737320743008
rcx	0x5555583e0980	93825041041792
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffdfeef0	140737486253808
rsp	0x7fffffdfede0	140737486253536
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f9bd40	140737353727296
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0x7fffffdfee50	140737486253648
r13	0x7ffff6027000	140737320742912
r14	0x7fffffdfee10	140737486253584
r15	0x7fffffdff098	140737486254232
rip	0x555555be8610 <ThrowAggregateError(JSContext*, JS::Handle<PromiseCombinatorElements>, JS::Handle<JSObject*>)+2480>
=> 0x555555be8610 <_ZL19ThrowAggregateErrorP9JSContextN2JS6HandleI25PromiseCombinatorElementsEENS2_IP8JSObjectEE+2480>:	movl   $0xf38,0x0
   0x555555be861b <_ZL19ThrowAggregateErrorP9JSContextN2JS6HandleI25PromiseCombinatorElementsEENS2_IP8JSObjectEE+2491>:	callq  0x555555849bbe <abort>
Attached file Testcase
Regressed by: 1641355
Has Regression Range: --- → yes
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200617093637-3155ffead6ae. The bug appears to have been introduced in the following build range: > Start: 4b8bb44f41c18fc9eb546967044d0c8de3850152 (20200615125004) > End: 320f586f954c44ab10de6a345dab14420c654c0c (20200615130303) > Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=4b8bb44f41c18fc9eb546967044d0c8de3850152&tochange=320f586f954c44ab10de6a345dab14420c654c0c

Set release status flags based on info from the regressing bug 1641355

status-firefox77: --- → unaffected
status-firefox78: --- → unaffected
status-firefox-esr68: --- → unaffected
Assignee: nobody → jorendorff
status-firefox-esr78: --- → unaffected
Pushed by jorendorff@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5ab9fb4a98c6 Fix Assertion failure: errorObj->type() == JSEXN_AGGREGATEERR, at builtin/Promise.cpp:3896. r=jwalden.

https://hg.mozilla.org/mozilla-central/rev/5ab9fb4a98c6

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox79: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
Status: RESOLVED → VERIFIED
status-firefox79: fixedverified
Keywords: bugmon
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200625094452-db74cdf9afe7. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: