Closed Bug 1314482 Opened 3 years ago Closed 3 years ago

Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h:242

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla52
Tracking Status
firefox51 --- fixed
firefox52 --- fixed

People

(Reporter: gkw, Assigned: lth)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, jsbugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 3e73fd638e68 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// jsfunfuzz-generated
options("werror");
// Adapted from randomly chosen testcase: js/src/tests/js1_8_5/extensions/sharedtypedarray.js
x = new SharedArrayBuffer("4096");
serialize(x, [x]);


Backtrace:

0   js-dbg-64-dm-clang-darwin-3e73fd638e68	0x000000010a2b35ef js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 271 (jscntxtinlines.h:242)
1   js-dbg-64-dm-clang-darwin-3e73fd638e68	0x000000010a2b320f js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 527 (Interpreter.cpp:446)
2   js-dbg-64-dm-clang-darwin-3e73fd638e68	0x000000010a2aae07 Interpret(JSContext*, js::RunState&) + 35495 (Interpreter.cpp:2922)
3   js-dbg-64-dm-clang-darwin-3e73fd638e68	0x000000010a2a218b js::RunScript(JSContext*, js::RunState&) + 443 (Interpreter.cpp:404)
4   js-dbg-64-dm-clang-darwin-3e73fd638e68	0x000000010a2b4952 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) + 850 (Interpreter.cpp:685)
/snip

For detailed crash information, see attachment.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/87a03a7398fc
user:        Lars T Hansen
date:        Mon Oct 24 14:22:47 2016 +0200
summary:     Bug 1302036 - Make structured clone accept argument that controls serialization of some data types. r=sfink

Lars, is bug 1302036 a likely regressor?
Blocks: 1302036
Flags: needinfo?(lhansen)
Yeah, my bug.  When a SharedArrayBuffer is included in the transfer list, the setup for StructuredClone prints a warning (in JSStructuredCloneWriter::parseTransferable), like so:

JS_ReportErrorFlagsAndNumberASCII(cx, JSREPORT_WARNING, GetErrorMessage, nullptr, JSMSG_SC_SAB_TRANSFER);

Then it continues execution.  But the above call sets the exception flag, which is why we're seeing it being set later.  My mistake was assuming that JSREPORT_WARNING would not have that effect.  Silly me.
Assignee: nobody → lhansen
Flags: needinfo?(lhansen)
If the error reporter returns false, then propagate that value.

(Memo to self: need Aurora uplift for this.)
Attachment #8806649 - Flags: review?(arai.unmht)
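The failure mode described in the two comments above (a warning reporter whose false return signals that the warning became an error, and a caller that ignored it) as a small self-contained C++ model, added here as an illustration. It is not SpiderMonkey code; Context, reportWarning and the parseTransferable* functions are stand-ins for the engine's cx, JS_ReportErrorFlagsAndNumberASCII and JSStructuredCloneWriter::parseTransferable.

```cpp
// Added illustration, not SpiderMonkey code: names below are assumptions.
#include <cassert>
#include <string>

struct Context {
    bool werror = false;            // models options("werror") from the testcase
    bool exceptionPending = false;  // models cx->isExceptionPending()
    bool isExceptionPending() const { return exceptionPending; }
};

// Models JS_ReportErrorFlagsAndNumberASCII(cx, JSREPORT_WARNING, ...):
// under werror the warning is promoted to an error, so the pending-exception
// flag is set and the call returns false. Otherwise it returns true.
bool reportWarning(Context& cx, const std::string& /*msg*/) {
    if (cx.werror) {
        cx.exceptionPending = true;
        return false;
    }
    return true;
}

// Buggy shape: the return value is dropped and execution simply continues,
// so the caller reports success while an exception is already pending.
bool parseTransferableBuggy(Context& cx, bool hasSharedBuffer) {
    if (hasSharedBuffer)
        reportWarning(cx, "SharedArrayBuffer cannot be transferred");
    return true;
}

// Fixed shape: heed the reporter's return value and propagate the failure.
bool parseTransferableFixed(Context& cx, bool hasSharedBuffer) {
    if (hasSharedBuffer && !reportWarning(cx, "SharedArrayBuffer cannot be transferred"))
        return false;
    return true;
}

// Models the invariant behind the CallJSNative assertion: a successful return
// must not leave an exception pending, and a failed return must leave one.
// Runs `parse` on a context with or without werror and reports whether the
// invariant held.
bool invariantHolds(bool (*parse)(Context&, bool), bool werror) {
    Context cx;
    cx.werror = werror;
    bool ok = parse(cx, /*hasSharedBuffer=*/true);
    return ok != cx.isExceptionPending();
}
```

With werror off both versions behave identically; only the werror path exposes the dropped return value.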
Attachment #8806649 - Flags: review?(arai.unmht) → review+
Comment on attachment 8806649 [details] [diff] [review]
bug1314482-warning.patch

Approval Request Comment

[Feature/regressing bug #]:
Introduced by change in bug 1302036, where new code does not properly check the value from the error reporter.  See that bug for background etc.

[User impact if declined]:
Possible spuriously incorrect error reporting behavior; possible fuzzing failures and testing hardships.

[Describe test coverage new/current, TreeHerder]:
Found by fuzzing test, no test in tree to my knowledge.

[Risks and why]: 
Low risks: this simply failed to follow the standard pattern for checking and propagating an error return.

[String/UUID change made/needed]:
None.
Attachment #8806649 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/4135fed00f09
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Comment on attachment 8806649 [details] [diff] [review]
bug1314482-warning.patch

Fix a fuzzing assertion error. Take it in 51 aurora.
Attachment #8806649 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
needs rebasing for aurora

grafting 372711:4135fed00f09 "Bug 1314482 - heed the return value from the error reporter.  r=arai"
merging js/src/vm/StructuredClone.cpp
warning: conflicts while merging js/src/vm/StructuredClone.cpp! (edit, then use 'hg resolve --mark')
abort: unresolved conflicts, can't continue
(use 'hg resolve' and 'hg graft --continue')
Flags: needinfo?(lhansen)
Approval Request Comment

Corrected for Aurora (change in error reporting API), see earlier Approval Request Comment.
Flags: needinfo?(lhansen)
Attachment #8807073 - Flags: approval-mozilla-aurora?
(In reply to Lars T Hansen [:lth] from comment #10)
> Created attachment 8807073 [details] [diff] [review]
> bug1314482-warning-aurora.patch
> 
> Approval Request Comment
> 
> Corrected for Aurora (change in error reporting API), see earlier Approval
> Request Comment.

Had aurora approval before, so landing as https://hg.mozilla.org/releases/mozilla-aurora/rev/0ae3a7425ff1a1371b888313013be1c3bd5ddbdd
Attachment #8807073 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+