Bug 1314482 (Closed): Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h:242
Opened 8 years ago, closed 8 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED, target milestone mozilla52
People: Reporter: gkw, Assigned: lth
Keywords: assertion, bugmon, testcase; Whiteboard: [jsbugmon:update]
Attachments (3 files):
- 28.71 KB, text/plain
- 1.33 KB, patch; arai: review+; gchang: approval-mozilla-aurora+
- 1.31 KB, patch; gchang: approval-mozilla-aurora+
The following testcase crashes on mozilla-central revision 3e73fd638e68 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):
// jsfunfuzz-generated
options("werror");
// Adapted from randomly chosen testcase: js/src/tests/js1_8_5/extensions/sharedtypedarray.js
x = new SharedArrayBuffer("4096");
serialize(x, [x]);
Backtrace:
0 js-dbg-64-dm-clang-darwin-3e73fd638e68 0x000000010a2b35ef js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 271 (jscntxtinlines.h:242)
1 js-dbg-64-dm-clang-darwin-3e73fd638e68 0x000000010a2b320f js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 527 (Interpreter.cpp:446)
2 js-dbg-64-dm-clang-darwin-3e73fd638e68 0x000000010a2aae07 Interpret(JSContext*, js::RunState&) + 35495 (Interpreter.cpp:2922)
3 js-dbg-64-dm-clang-darwin-3e73fd638e68 0x000000010a2a218b js::RunScript(JSContext*, js::RunState&) + 443 (Interpreter.cpp:404)
4 js-dbg-64-dm-clang-darwin-3e73fd638e68 0x000000010a2b4952 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) + 850 (Interpreter.cpp:685)
/snip
For detailed crash information, see attachment.
Reporter, Comment 1•8 years ago
Reporter, Comment 2•8 years ago
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/87a03a7398fc
user: Lars T Hansen
date: Mon Oct 24 14:22:47 2016 +0200
summary: Bug 1302036 - Make structured clone accept argument that controls serialization of some data types. r=sfink
Lars, is bug 1302036 a likely regressor?
Blocks: 1302036
Flags: needinfo?(lhansen)
Assignee, Comment 3•8 years ago
Yeah, my bug. When a SharedArrayBuffer is included in the transfer list, the setup for StructuredClone prints a warning (in JSStructuredCloneWriter::parseTransferable), like so:
JS_ReportErrorFlagsAndNumberASCII(cx, JSREPORT_WARNING, GetErrorMessage, nullptr, JSMSG_SC_SAB_TRANSFER);
Then it continues execution. But the above call sets the exception flag which is why we're seeing it being set later. My mistake was assuming that JSREPORT_WARNING would not have that effect. Silly me.
Assignee: nobody → lhansen
Flags: needinfo?(lhansen)
Assignee, Comment 4•8 years ago
If the error reporter returns false, then propagate that value.
(Memo to self: need Aurora uplift for this.)
Attachment #8806649 -
Flags: review?(arai.unmht)
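The failure explained in comments 3 and 4, as an added C++ model that is not SpiderMonkey code: Context, reportWarning, parseTransferableBuggy/parseTransferableFixed and serializeWithTransfer are constructed stand-ins for the engine context, JS_ReportErrorFlagsAndNumberASCII, JSStructuredCloneWriter::parseTransferable and the serialize() call, and it assumes that under options("werror") the warning is reported as an error, which sets the exception flag and makes the reporter return false.

```cpp
#include <string>
#include <vector>

// Stand-in for the engine context: tracks whether an exception is pending and
// whether warnings are promoted to errors (the testcase's options("werror")).
struct Context {
    bool werror = false;
    bool exceptionPending = false;
    std::vector<std::string> log;
};

// Stand-in for JS_ReportErrorFlagsAndNumberASCII(cx, JSREPORT_WARNING, ...).
// Assumption modelled here: under werror the warning becomes an error, the
// exception flag is set, and the reporter returns false.
bool reportWarning(Context& cx, const std::string& msg) {
    cx.log.push_back(msg);
    if (cx.werror) {
        cx.exceptionPending = true;
        return false;
    }
    return true;
}

// Buggy shape of parseTransferable: the reporter's result is dropped and
// execution continues with an exception already pending.
bool parseTransferableBuggy(Context& cx, bool hasSharedBuffer) {
    if (hasSharedBuffer)
        reportWarning(cx, "SharedArrayBuffer cannot be transferred");
    return true;
}

// Fixed shape (comment 4): heed the return value and propagate the failure.
bool parseTransferableFixed(Context& cx, bool hasSharedBuffer) {
    if (hasSharedBuffer && !reportWarning(cx, "SharedArrayBuffer cannot be transferred"))
        return false;
    return true;
}

enum Outcome { Ok, ErrorPropagated, AssertionWouldFire };

// Drives serialize(x, [x]) where x is a SharedArrayBuffer in the transfer list.
Outcome serializeWithTransfer(Context& cx, bool fixed) {
    bool ok = fixed ? parseTransferableFixed(cx, true)
                    : parseTransferableBuggy(cx, true);
    if (!ok)
        return ErrorPropagated;  // caller unwinds; the exception reaches the script
    // Next native call site: the engine asserts !cx->isExceptionPending() here.
    return cx.exceptionPending ? AssertionWouldFire : Ok;
}
```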
Updated•8 years ago
Attachment #8806649 -
Flags: review?(arai.unmht) → review+
Assignee, Comment 5•8 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/4135fed00f09d87196f3b1382285b900615faf17
Bug 1314482 - heed the return value from the error reporter. r=arai
Assignee, Comment 6•8 years ago
Comment on attachment 8806649 [details] [diff] [review]
bug1314482-warning.patch
Approval Request Comment
[Feature/regressing bug #]:
Introduced by change in bug 1302036, where new code does not properly check the value from the error reporter. See that bug for background etc.
[User impact if declined]:
Possible spuriously incorrect error reporting behavior; possible fuzzing failures and testing hardships.
[Describe test coverage new/current, TreeHerder]:
Found by fuzzing test, no test in tree to my knowledge.
[Risks and why]:
Low risks: this simply failed to follow the standard pattern for checking and propagating an error return.
[String/UUID change made/needed]:
None.
Attachment #8806649 -
Flags: approval-mozilla-aurora?
bugherder, Comment 7•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Updated•8 years ago
status-firefox51:
--- → affected
Comment 8•8 years ago
Comment on attachment 8806649 [details] [diff] [review]
bug1314482-warning.patch
Fix a fuzzing assertion error. Take it in 51 aurora.
Attachment #8806649 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 9•8 years ago
needs rebasing for aurora
grafting 372711:4135fed00f09 "Bug 1314482 - heed the return value from the error reporter. r=arai"
merging js/src/vm/StructuredClone.cpp
warning: conflicts while merging js/src/vm/StructuredClone.cpp! (edit, then use 'hg resolve --mark')
abort: unresolved conflicts, can't continue
(use 'hg resolve' and 'hg graft --continue')
Flags: needinfo?(lhansen)
Assignee, Comment 10•8 years ago
Approval Request Comment
Corrected for Aurora (change in error reporting API), see earlier Approval Request Comment.
Flags: needinfo?(lhansen)
Attachment #8807073 -
Flags: approval-mozilla-aurora?
Comment 11•8 years ago
(In reply to Lars T Hansen [:lth] from comment #10)
> Created attachment 8807073 [details] [diff] [review]
> bug1314482-warning-aurora.patch
>
> Approval Request Comment
>
> Corrected for Aurora (change in error reporting API), see earlier Approval
> Request Comment.
had aurora approval before so landing as https://hg.mozilla.org/releases/mozilla-aurora/rev/0ae3a7425ff1a1371b888313013be1c3bd5ddbdd
Updated•8 years ago
Attachment #8807073 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+