Crash [@ js::AsyncModuleExecutionFulfilled] or Assertion failure: cx->isExceptionPending(), at builtin/ModuleObject.cpp:2271
Categories
(Core :: JavaScript Engine, defect, P3)
Tracking
()
People
(Reporter: decoder, Assigned: dminor)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])
Crash Data
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20220531-e6db23e10c7b (opt build, run with --fuzzing-safe --ion-offthread-compile=off):
// Top-level await makes this an async module; its evaluation finishes in a promise
// job, which is where AsyncModuleExecutionFulfilled runs (see the backtrace below).
b = parseModule("await 10");
b.declarationInstantiation();
b.evaluation();
// Shell builtins: setInterruptCallback installs the function the shell runs when an
// interrupt is serviced, and interruptIf(true) requests one. The callback requests
// another interrupt, so servicing it re-enters c() again.
setInterruptCallback(function() {
  c();
});
function c() {
  interruptIf(true);
}
c();
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x000055555575c0d8 in js::AsyncModuleExecutionFulfilled(JSContext*, JS::Handle<js::ModuleObject*>) ()
#1 0x000055555575bf1b in js::AsyncModuleExecutionFulfilledHandler(JSContext*, unsigned int, JS::Value*) ()
#2 0x0000555555cb01d0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#3 0x00005555560a8925 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) ()
#4 0x0000555555cb01d0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#5 0x0000555555ce61a5 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) ()
#6 0x000055555578efa1 in js::InternalJobQueue::runJobs(JSContext*) ()
#7 0x0000555555fe1137 in RunShellJobs(JSContext*) ()
#8 0x0000555555fd31c9 in main ()
rax 0x0 0
rbx 0x7fffffffc690 140737488340624
rcx 0x7fffffffc628 140737488340520
rdx 0x7fffffffc578 140737488340344
rsi 0x0 0
rdi 0xfff8800000000000 -2111062325329920
rbp 0x7fffffffc670 140737488340592
rsp 0x7fffffffc5d0 140737488340432
r8 0x0 0
r9 0x1 1
r10 0x26b 619
r11 0xfff9800000000000 -1829587348619264
r12 0xfff9800000000000 -1829587348619264
r13 0x7ffff6022300 140737320723200
r14 0x7fffffffc620 140737488340512
r15 0x7ffff6022318 140737320723224
rip 0x55555575c0d8 <js::AsyncModuleExecutionFulfilled(JSContext*, JS::Handle<js::ModuleObject*>)+344>
=> 0x55555575c0d8 <_ZN2js29AsyncModuleExecutionFulfilledEP9JSContextN2JS6HandleIPNS_12ModuleObjectEEE+344>: mov 0x10(%rax),%rax
0x55555575c0dc <_ZN2js29AsyncModuleExecutionFulfilledEP9JSContextN2JS6HandleIPNS_12ModuleObjectEEE+348>: mov -0x4(%rax),%edx
This could be the same bug as 1771090, but the assert is different, it crashes, and there is no OOM involved from what I can see. Though the interrupt could have a similar effect.
Reporter
Comment 1•2 years ago
Reporter
Comment 2•2 years ago
Comment 3•2 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220531040928-e6db23e10c7b.
The bug appears to have been introduced in the following build range:
Start: fef56f826d6496a73b1235abb1aaeae6dbb27f13 (20210817125524)
End: 0242c80e23928675d6c9d2748c9fe90df80b0aaa (20210817131624)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=fef56f826d6496a73b1235abb1aaeae6dbb27f13&tochange=0242c80e23928675d6c9d2748c9fe90df80b0aaa
Assignee
Comment 4•2 years ago
At first glance, I think this is similar to Bug 1771090, but not the exact same problem.
Updated•2 years ago
Assignee
Comment 5•2 years ago
In AsyncModuleExecutionFulfilled, it's possible that the call to GatherAsyncParentCompletions
will fail if we are interrupted. The current code assumes that this is only reachable as a
result of an OOM. This changes the assertion to an if statement to handle being interrupted.
Assignee
Updated•2 years ago
Comment 7•2 years ago
Backed out for SM build bustages
Failure log: https://treeherder.mozilla.org/logviewer?job_id=379975992&repo=autoland&lineNumber=42328
Jit failures: https://treeherder.mozilla.org/logviewer?job_id=379978071&repo=autoland&lineNumber=36896
Backout: https://hg.mozilla.org/integration/autoland/rev/43e366d7cbfd0e053721c2dc147a275c3759d6ac
Assignee
Comment 8•2 years ago
The problem is with the new test added here. I'm not sure why, I'll try to reproduce it locally.
Assignee
Comment 9•2 years ago
The test needs to run in debug, otherwise the error condition does not occur, and we end up with an infinite recursion.
Comment 10•2 years ago
If an overrecursion is expected, you could add // |jit-test| error: InternalError
as the first line of the test file.
Comment 11•2 years ago
Set release status flags based on info from the regressing bug 1725621
Updated•2 years ago
Comment 12•2 years ago
There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:dminor, could you have a look please?
If you still have some work to do, you can add an action "Plan Changes" in Phabricator.
For more information, please visit auto_nag documentation.
Assignee
Comment 13•2 years ago
I still need to figure out why the test doesn't have a consistent result on different platforms, for some platforms it's overrecursion, for others it terminates with a signal.
Comment 14•2 years ago
Setting 103 to Won't Fix, but :dminor are you planning on fixing this for 104?
Assignee
Comment 15•2 years ago
Yes, sorry for the delay. I'll look at this today.
Comment 16•2 years ago
Comment 17•2 years ago
bugherder
Comment 18•2 years ago
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220706094022-fc7fbf3a78e0.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Updated•2 years ago