Assertion failure: !cx->isExceptionPending(), at vm/Interpreter.cpp:423
Categories
(Core :: JavaScript Engine, defect, P3)
Tracking
()
People
(Reporter: decoder, Assigned: dminor)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(4 files)
The following testcase crashes on mozilla-central revision 20220524-e4be78ca2e65 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):
asyncFunc1("geval0\n await ''")
async function asyncFunc1(lfVarx) {
lfMod = parseModule(lfVarx);
lfMod.declarationInstantiation();
await lfMod.evaluation();
}
oomAfterAllocations(1);
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0000555556cee5a4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#0 0x0000555556cee5a4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#1 0x0000555556ced961 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#2 0x0000555556cef193 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#3 0x0000555556d6a38d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#4 0x0000555556fca973 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) ()
#5 0x0000555556cee2e1 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#13 0x0000555556b476b2 in main ()
rax 0x5555557de8d9 93824994896089
rbx 0x7fffffffc468 140737488340072
rcx 0x5555581e7668 93825038972520
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffc330 140737488339760
rsp 0x7fffffffc2c0 140737488339648
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99840 140737353717824
r10 0x0 0
r11 0x0 0
r12 0x7ffff6007400 140737320612864
r13 0x3ea68793f030 68884960112688
r14 0x7ffff602a200 140737320755712
r15 0x1d14c101 487899393
rip 0x555556cee5a4 <CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)+1204>
=> 0x555556cee5a4 <_Z12CallJSNativeP9JSContextPFbS0_jPN2JS5ValueEEN2js10CallReasonERKNS1_8CallArgsE+1204>: movl $0x1a7,0x0
0x555556cee5af <_Z12CallJSNativeP9JSContextPFbS0_jPN2JS5ValueEEN2js10CallReasonERKNS1_8CallArgsE+1215>: callq 0x555556bde458 <abort>
|
Reporter | |
Comment 1•2 years ago
|
||
|
|
Reporter | |
Comment 2•2 years ago
|
||
|
||
Comment 3•2 years ago
|
||
Exceptions from ModuleObject::topLevelCapabilityReject are ignored in AsyncModuleExecutionRejected.
|
||
Comment 4•2 years ago
|
||
Set release status flags based on info from the regressing bug 1519100
|
|
||
Comment 5•2 years ago
|
||
:yulia, since you are the author of the regressor, bug 1519100, could you take a look?
For more information, please visit auto_nag documentation.
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
||
Comment 6•2 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220525150600-41271d27d65a.
The bug appears to have been introduced in the following build range:
Start: fef56f826d6496a73b1235abb1aaeae6dbb27f13 (20210817125524)
End: 0242c80e23928675d6c9d2748c9fe90df80b0aaa (20210817131624)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=fef56f826d6496a73b1235abb1aaeae6dbb27f13&tochange=0242c80e23928675d6c9d2748c9fe90df80b0aaa
|
Assignee | |
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 7•2 years ago
|
||
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 8•2 years ago
|
||
Depends on D147783
Pushed by dminor@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b2c7010f6d28 Check return values from ModuleObject::topLevelCapabilityResolve/Reject; r=jonco https://hg.mozilla.org/integration/autoland/rev/c4455abaf1f1 clang-tidy fixes; r=jonco
|
|
Assignee | |
Updated•2 years ago
|
|
||
Comment 10•2 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/b2c7010f6d28
https://hg.mozilla.org/mozilla-central/rev/c4455abaf1f1
|
|
||
Comment 11•2 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220601213138-08038e535f58.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
||
Comment 12•2 years ago
|
||
The patch landed in nightly and beta is affected.
:dminor, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
Description
•