Closed
Bug 1415591
Opened 7 years ago
Closed 7 years ago
Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h:294 with wasm
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla58
People
(Reporter: decoder, Assigned: bbouvier)
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
59 bytes,
text/x-review-board-request
|
luke
:
review+
jcristau
:
approval-mozilla-beta-
|
Details |
The following testcase crashes on mozilla-central revision 4e6df5159df3 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off): var desc = { element: "anyfunc", }; var proxy = new Proxy({}, { has: true }); Object.setPrototypeOf(desc, proxy); let table = new WebAssembly.Table(desc); Backtrace: received signal SIGSEGV, Segmentation fault. #0 0x000000000055e6a1 in js::CallJSNative (cx=0x7ffff6948000, native=native@entry=0xe05770 <js::WasmTableObject::construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:294 #1 0x000000000055e7bb in js::CallJSNativeConstructor (cx=0x7ffff6948000, native=0xe05770 <js::WasmTableObject::construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:324 #2 0x0000000000554394 in InternalConstruct (cx=0x7ffff6948000, args=...) at js/src/vm/Interpreter.cpp:567 #3 0x000000000054e0fd in Interpret (cx=0x7ffff6948000, state=...) at js/src/vm/Interpreter.cpp:3053 #4 0x0000000000552965 in js::RunScript (cx=0x7ffff6948000, state=...) at js/src/vm/Interpreter.cpp:422 #5 0x0000000000555a3d in js::ExecuteKernel (cx=0x7ffff6948000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:705 #6 0x0000000000555f21 in js::Execute (cx=cx@entry=0x7ffff6948000, script=script@entry=..., envChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:738 #7 0x0000000000995521 in ExecuteScript (cx=0x7ffff6948000, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4703 #8 0x0000000000995738 in JS_ExecuteScript (cx=cx@entry=0x7ffff6948000, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4736 #9 0x0000000000434ed4 in RunFile (compileOnly=false, file=0x7ffff4351400, filename=<optimized out>, cx=0x7ffff6948000) at js/src/shell/js.cpp:695 #10 Process (cx=0x7ffff6948000, filename=<optimized out>, forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at js/src/shell/js.cpp:1048 #11 0x0000000000445eac in ProcessArgs (op=0x7fffffffda00, cx=0x7ffff6948000) at js/src/shell/js.cpp:8184 #12 Shell (envp=<optimized out>, op=0x7fffffffda00, cx=0x7ffff6948000) at js/src/shell/js.cpp:8556 #13 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:8962 rax 0x0 0 rbx 0x7ffff42730a0 140737289597088 rcx 0x7ffff6c282ad 140737333330605 rdx 0x0 0 rsi 0x7ffff6ef7770 140737336276848 rdi 0x7ffff6ef6540 140737336272192 rbp 0x7fffffffcad0 140737488341712 rsp 0x7fffffffca80 140737488341632 r8 0x7ffff6ef7770 140737336276848 r9 0x7ffff7fe4740 140737354024768 r10 0x58 88 r11 0x7ffff6b9e7a0 140737332766624 r12 0x7ffff6948000 140737330315264 r13 0xe05770 14702448 r14 0x7ffff42730b0 140737289597104 r15 0x1 1 rip 0x55e6a1 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+305> => 0x55e6a1 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+305>: movl $0x0,0x0 0x55e6ac <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+316>: ud2
Updated•7 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•7 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/88a175eed324 user: Luke Wagner date: Wed Sep 14 11:46:10 2016 -0500 summary: Bug 1284156 - Baldr: add Table.prototype.grow (r=bbouvier) This iteration took 227.585 seconds to run.
Comment hidden (mozreview-request) |
Comment 3•7 years ago
|
||
mozreview-review |
Comment on attachment 8926503 [details] Bug 1415591: Consider the result of HasProperty as a cx failure in wasm::GetLimits; https://reviewboard.mozilla.org/r/197762/#review202950 Arg, this is some great fuzzing. Thanks for the rapid fixes, Benjamin!
Attachment #8926503 -
Flags: review?(luke) → review+
Assignee | ||
Comment 4•7 years ago
|
||
Thanks for the quick reviews!
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Pushed by bbouvier@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6b85d55a5c18 Consider the result of HasProperty as a cx failure in wasm::GetLimits; r=luke
Assignee | ||
Comment 6•7 years ago
|
||
(wasm disabled by default on esr52)
status-firefox56:
--- → affected
status-firefox57:
--- → affected
status-firefox-esr52:
--- → fix-optional
Assignee | ||
Comment 7•7 years ago
|
||
Comment on attachment 8926503 [details] Bug 1415591: Consider the result of HasProperty as a cx failure in wasm::GetLimits; Approval Request Comment [Feature/Bug causing the regression]: Bug 1284156 [User impact if declined]: incorrect error reporting with wasm tables [Is this code covered by automated tests?]: yes [Has the fix been verified in Nightly?]: yes [Needs manual test from QE? If yes, steps to reproduce]: no [List of other uplifts needed for the feature/fix]: none [Is the change risky?]: very very little [Why is the change risky/not risky?]: very targeted fix [String changes made/needed]: n/a (only a correctness fix, not a security issue, not a way to trigger browser DOS)
Attachment #8926503 -
Flags: approval-mozilla-beta?
Comment 8•7 years ago
|
||
Too late for 57.
Updated•7 years ago
|
Attachment #8926503 -
Flags: approval-mozilla-beta? → approval-mozilla-beta-
Comment 9•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/6b85d55a5c18
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
You need to log in
before you can comment on or make changes to this bug.
Description
•