received SIGSEGV on rejecting a promise

[ystskm]

• Version:
  v6.11.0
• Platform:
  Linux 4.4.0-79-generic Revert "path: resolve normalize drive letter to lower case" #100-Ubuntu SMP Wed May 17 19:58:14 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
  Intel(R) Xeon(R) CPU E5-2666 v3 @ 2.90GHz

I encountered the problem on my app.

Fact:
The sources (1) and (5) occurs SIGSEGV
But (2), (3), (4) hasn't the problem.

Option:
--max_old_space_size=1024 --expose-gc
and the process is forked process by forever.

(*) catch( ... ) part is written only in (1).
(1)

var when = Promise.resolve();
when = when.then(function() {
  return new Promise(function(rsl, rej) {
     rej('THROW ERROR');  // => SIGSEGV
  });
});
when['catch'](function(e){
  console.log(e);
});

(2)

var when = Promise.resolve();
when = when.then(function() {
  return new Promise(function(rsl, rej) {
     rsl();  // => OK
  });
});

(3)

var when = Promise.resolve();
when = when.then(function() {
  return new Promise(function(rsl, rej) {
     process.nextTick(rej);  // => OK
  });
});

(4)

var when = Promise.resolve();
when = when.then(function() {
  return new Promise(function(rsl, rej) {
     setImmediate(rej);  // => OK
  });
});

(5)

var when = Promise.resolve();
when = when.then(function() {
  return new Promise(function(rsl, rej) {
     throw 'THROW ERROR' // => SIGSEGV
  });
});

I wonder when this phenomena will reproduce in what condition.

[bnoordhuis]

I can't reproduce locally. Can you turn on core dump (ulimit -c unlimited) and check the backtrace (the bt command) in gdb? Does it happen for you with node 8?

[ystskm]

@bnoordhuis
Thx, that's a good idea!
Unfortunately, my app cannot running on v8.1.2 for the contextify module.

And I'm trying to get the backtrace without forever.

sudo gdb xxx/xxx/node 
(gdb) run xxx/xxx/start.js

Then the backtrace is found.

Thread 1 "node" received signal SIGSEGV, Segmentation fault.
0x000000000109a411 in node::PromiseRejectCallback(v8::PromiseRejectMessage) ()
(gdb) bt
#0  0x000000000109a411 in node::PromiseRejectCallback(v8::PromiseRejectMessage) ()
#1  0x0000000000d550cf in v8::internal::Isolate::ReportPromiseReject(v8::internal::Handle<v8::internal::JSObject>, v8::internal::Handle<v8::internal::Object>, v8::PromiseRejectEvent) ()
#2  0x0000000000eb6f79 in v8::internal::Runtime_PromiseRejectEvent(int, v8::internal::Object**, v8::internal::Isolate*) ()
#3  0x00003234f0c092a7 in ?? ()
#4  0x00003234f0c091e1 in ?? ()
#5  0x00003234f0c091e1 in ?? ()
#6  0x00007fffffffa4b0 in ?? ()
#7  0x0000000300000000 in ?? ()
#8  0x00007fffffffa510 in ?? ()
#9  0x00003234f132c385 in ?? ()
#10 0x000020c102904271 in ?? ()
#11 0x000031dd11950629 in ?? ()
#12 0x00002590b51f77c9 in ?? ()
#13 0x000020c102904271 in ?? ()
#14 0x0000088ec92189f1 in ?? ()
#15 0x0000088ec9217f61 in ?? ()
#16 0x00007fffffffa550 in ?? ()
#17 0x00003234f132c1f0 in ?? ()
#18 0x000031dd11950629 in ?? ()

Should get any more dump?
(Sorry for not familier with gdb dump)

[bnoordhuis]

Thanks, that's helpful. Can you paste the output of info registers and disassemble?

[ystskm]

okay!

(gdb) info registers
rax            0xb343411eaf1	12318839794417
rbx            0x7fffffffa168	140737488331112
rcx            0x7fffffff9f70	140737488330608
rdx            0x0	0
rsi            0xb3434104201	12318839685633
rdi            0x0	0
rbp            0x7fffffff9fb0	0x7fffffff9fb0
rsp            0x7fffffff9f70	0x7fffffff9f70
r8             0x1	1
r9             0x1e49320	31757088
r10            0x25	37
r11            0x36336dd04381	59594513597313
r12            0x1e372f0	31683312
r13            0x7fffffffa170	140737488331120
r14            0x1e75068	31936616
r15            0x1e75068	31936616
rip            0x109a411	0x109a411 <node::PromiseRejectCallback(v8::PromiseRejectMessage)+97>
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
---Type <return> to continue, or q <return> to quit---
fs             0x0	0
gs             0x0	0

(gdb) disassemble
Dump of assembler code for function _ZN4node21PromiseRejectCallbackEN2v820PromiseRejectMessageE:
   0x000000000109a3b0 <+0>:	push   %rbp
   0x000000000109a3b1 <+1>:	mov    %rsp,%rbp
   0x000000000109a3b4 <+4>:	push   %r14
   0x000000000109a3b6 <+6>:	push   %r13
   0x000000000109a3b8 <+8>:	push   %r12
   0x000000000109a3ba <+10>:	push   %rbx
   0x000000000109a3bb <+11>:	sub    $0x20,%rsp
   0x000000000109a3bf <+15>:	mov    0x10(%rbp),%r13
   0x000000000109a3c3 <+19>:	mov    %r13,%rdi
   0x000000000109a3c6 <+22>:	callq  0x97c3e0 <_ZN2v86Object10GetIsolateEv>
   0x000000000109a3cb <+27>:	mov    0x18(%rbp),%esi
   0x000000000109a3ce <+30>:	mov    %rax,%r12
   0x000000000109a3d1 <+33>:	mov    %rax,%rdi
   0x000000000109a3d4 <+36>:	mov    0x20(%rbp),%rbx
   0x000000000109a3d8 <+40>:	callq  0x981c70 <_ZN2v87Integer3NewEPNS_7IsolateEi>
   0x000000000109a3dd <+45>:	mov    %r12,%rdi
   0x000000000109a3e0 <+48>:	mov    %rax,%r14
   0x000000000109a3e3 <+51>:	add    $0x60,%r12
   0x000000000109a3e7 <+55>:	callq  0x981df0 <_ZN2v87Isolate17GetCurrentContextEv>
   0x000000000109a3ec <+60>:	mov    (%rax),%rax
   0x000000000109a3ef <+63>:	test   %rbx,%rbx
   0x000000000109a3f2 <+66>:	lea    -0x40(%rbp),%rcx
---Type <return> to continue, or q <return> to quit---
   0x000000000109a3f6 <+70>:	cmove  %r12,%rbx
   0x000000000109a3fa <+74>:	mov    %r14,-0x40(%rbp)
   0x000000000109a3fe <+78>:	mov    %r13,-0x38(%rbp)
   0x000000000109a402 <+82>:	mov    %rbx,-0x30(%rbp)
   0x000000000109a406 <+86>:	mov    0x37(%rax),%rax
   0x000000000109a40a <+90>:	mov    0x10f(%rax),%rdx
=> 0x000000000109a411 <+97>:	mov    0x8a8(%rdx),%rdi
   0x000000000109a418 <+104>:	mov    0x8a0(%rdx),%rsi
   0x000000000109a41f <+111>:	mov    $0x3,%edx
   0x000000000109a424 <+116>:	callq  0x9832e0 <_ZN2v88Function4CallENS_5LocalINS_5ValueEEEiPS3_>
   0x000000000109a429 <+121>:	add    $0x20,%rsp
   0x000000000109a42d <+125>:	pop    %rbx
   0x000000000109a42e <+126>:	pop    %r12
   0x000000000109a430 <+128>:	pop    %r13
   0x000000000109a432 <+130>:	pop    %r14
   0x000000000109a434 <+132>:	pop    %rbp
   0x000000000109a435 <+133>:	retq   
End of assembler dump.

[bnoordhuis]

Let me guess, those examples you posted are running inside a contextify context?

[ystskm]

In fact, these codes are running on JSDOM.
Oh, that's a good hint!
I found the suspcious Segmentation fault!

(1-1) jsdom@3.1.1(my use)

var jsdom = require('jsdom').jsdom;
jsdom.env('<p>JSDOM!</p>', [],(er, win) => {
  Promise.resolve().then(() => new Promise( (rsl, rej) => rej('ERROR') )['catch']((e){ 
    console.log(e); // => output "ERROR" string
  });
});

(1-2) jsdom@3.1.1(my use)

jsdom.env('<p>JSDOM!</p>', [],(er, win) => {
  win.Proimse = global.Promise;
  with(win) {
    new Promise( (rsl, rej) => rej('ERROR') )['catch']( (e)=> console.log(e) );
     // => Segmentation fault: 11
  }
});

(2-1) jsdom@6.5.1(checking module)

  // => output "ERROR" string

(2-2) jsdom@6.5.1(checking module)

   // => NO Segmentation but output nothing 

Should think is contextify bug?
I know the logic is running on Node v0.12.10. with using es6-promise module.

[bnoordhuis]

Yes, it's a contextify issue. Contexts created by node have a pointer to node's execution environment but contextify's contexts don't. The segfault you get is node trying to look up that pointer. Unfortunately, there is no way for node to check if a context has that pointer or not.

FWIW, you shouldn't need contextify with node 8 (and neither with node 6, I think), the built-in vm module should be able to do everything contextify does.

In fact, I thought jsdom was already using vm. Perhaps you are using an old version?

[ystskm]

I understand the reason!
You are correct that the jsdom seems to be a little bit old for the new version of node.
I'll try to upgrade jsdom module. Thank you very much!

ADDITIONAL:
If you know, let me know why the error is not occured when with setImmediate.