Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h:294 with wasm

RESOLVED FIXED in Firefox 58

Status

()

defect
--
critical
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: decoder, Assigned: bbouvier)

Tracking

(Blocks 1 bug, 4 keywords)

Trunk
mozilla58
x86_64
Linux
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox-esr52 wontfix, firefox56 wontfix, firefox57 wontfix, firefox58 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(1 attachment)

Reporter

Description

2 years ago
The following testcase crashes on mozilla-central revision 4e6df5159df3 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

var desc = {
    element: "anyfunc",
};
var proxy = new Proxy({}, {
    has: true
});
Object.setPrototypeOf(desc, proxy);
let table = new WebAssembly.Table(desc);


Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x000000000055e6a1 in js::CallJSNative (cx=0x7ffff6948000, native=native@entry=0xe05770 <js::WasmTableObject::construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:294
#1  0x000000000055e7bb in js::CallJSNativeConstructor (cx=0x7ffff6948000, native=0xe05770 <js::WasmTableObject::construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:324
#2  0x0000000000554394 in InternalConstruct (cx=0x7ffff6948000, args=...) at js/src/vm/Interpreter.cpp:567
#3  0x000000000054e0fd in Interpret (cx=0x7ffff6948000, state=...) at js/src/vm/Interpreter.cpp:3053
#4  0x0000000000552965 in js::RunScript (cx=0x7ffff6948000, state=...) at js/src/vm/Interpreter.cpp:422
#5  0x0000000000555a3d in js::ExecuteKernel (cx=0x7ffff6948000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:705
#6  0x0000000000555f21 in js::Execute (cx=cx@entry=0x7ffff6948000, script=script@entry=..., envChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:738
#7  0x0000000000995521 in ExecuteScript (cx=0x7ffff6948000, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4703
#8  0x0000000000995738 in JS_ExecuteScript (cx=cx@entry=0x7ffff6948000, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4736
#9  0x0000000000434ed4 in RunFile (compileOnly=false, file=0x7ffff4351400, filename=<optimized out>, cx=0x7ffff6948000) at js/src/shell/js.cpp:695
#10 Process (cx=0x7ffff6948000, filename=<optimized out>, forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at js/src/shell/js.cpp:1048
#11 0x0000000000445eac in ProcessArgs (op=0x7fffffffda00, cx=0x7ffff6948000) at js/src/shell/js.cpp:8184
#12 Shell (envp=<optimized out>, op=0x7fffffffda00, cx=0x7ffff6948000) at js/src/shell/js.cpp:8556
#13 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:8962
rax	0x0	0
rbx	0x7ffff42730a0	140737289597088
rcx	0x7ffff6c282ad	140737333330605
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffcad0	140737488341712
rsp	0x7fffffffca80	140737488341632
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9e7a0	140737332766624
r12	0x7ffff6948000	140737330315264
r13	0xe05770	14702448
r14	0x7ffff42730b0	140737289597104
r15	0x1	1
rip	0x55e6a1 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+305>
=> 0x55e6a1 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+305>:	movl   $0x0,0x0
   0x55e6ac <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+316>:	ud2

Updated

2 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1

2 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/88a175eed324
user:        Luke Wagner
date:        Wed Sep 14 11:46:10 2016 -0500
summary:     Bug 1284156 - Baldr: add Table.prototype.grow (r=bbouvier)

This iteration took 227.585 seconds to run.

Comment 3

2 years ago
mozreview-review
Comment on attachment 8926503 [details]
Bug 1415591: Consider the result of HasProperty as a cx failure in wasm::GetLimits;

https://reviewboard.mozilla.org/r/197762/#review202950

Arg, this is some great fuzzing.  Thanks for the rapid fixes, Benjamin!
Attachment #8926503 - Flags: review?(luke) → review+
Assignee

Comment 4

2 years ago
Thanks for the quick reviews!
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED

Comment 5

2 years ago
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6b85d55a5c18
Consider the result of HasProperty as a cx failure in wasm::GetLimits; r=luke
Assignee

Comment 6

2 years ago
(wasm disabled by default on esr52)
Assignee

Comment 7

2 years ago
Comment on attachment 8926503 [details]
Bug 1415591: Consider the result of HasProperty as a cx failure in wasm::GetLimits;

Approval Request Comment
[Feature/Bug causing the regression]: Bug 1284156
[User impact if declined]: incorrect error reporting with wasm tables
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: no 
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: very very little
[Why is the change risky/not risky?]: very targeted fix
[String changes made/needed]: n/a

(only a correctness fix, not a security issue, not a way to trigger browser DOS)
Attachment #8926503 - Flags: approval-mozilla-beta?
Attachment #8926503 - Flags: approval-mozilla-beta? → approval-mozilla-beta-

Comment 9

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/6b85d55a5c18
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
You need to log in before you can comment on or make changes to this bug.