Assertion failure: throwing, at js/src/vm/JSContext.cpp:1437 with setModuleResolveHook

RESOLVED FIXED in Firefox 65

Status

Type: defect
Priority: P2
Severity: critical
Status: RESOLVED FIXED
Reported: 6 months ago
Last updated: 5 months ago

People

(Reporter: decoder, Assigned: jorendorff)

Tracking

(Blocks 1 bug, 4 keywords)

Version: Trunk
Target Milestone: mozilla65
Platform: x86_64 Linux
Points: ---

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox63 unaffected, firefox64 unaffected, firefox65 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(1 attachment)

Reporter

Description

6 months ago
The following testcase crashes on mozilla-central revision ce39a152428a (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

setModuleResolveHook(function(module, specifier) {
    throw "Module '" + specifier + "' not found";
});
g = newGlobal();
g.parent = this;
g.eval("new Debugger(parent).onExceptionUnwind = function () { hits++; };");
let lfPromise = import("javascript: " + ``);


Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  JSContext::getPendingException (this=this@entry=0x7ffff5f18000, rval=...) at js/src/vm/JSContext.cpp:1437
#1  0x000055555589eb2f in js::GetAndClearException (cx=cx@entry=0x7ffff5f18000, res=..., res@entry=...) at js/src/vm/Interpreter.cpp:5129
#2  0x000055555594ffb9 in js::RejectPromiseWithPendingError (cx=0x7ffff5f18000, promise=promise@entry=...) at js/src/builtin/Promise.cpp:3412
#3  0x00005555559528af in js::FinishDynamicModuleImport (cx=<optimized out>, referencingPrivate=..., specifier=..., promiseArg=...) at js/src/builtin/ModuleObject.cpp:1888
#4  0x0000555555819420 in FinishDynamicModuleImport (cx=<optimized out>, cx@entry=0x7ffff5f18000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:4994
#5  0x00005555558c7af1 in CallJSNative (cx=0x7ffff5f18000, native=0x555555819270 <FinishDynamicModuleImport(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:468
#6  0x00005555558b92f7 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f18000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:560
#7  0x00005555558b99dd in InternalCall (cx=0x7ffff5f18000, args=...) at js/src/vm/Interpreter.cpp:614
#8  0x00005555558ab630 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:620
#9  Interpret (cx=0x7ffff5f18000, state=...) at js/src/vm/Interpreter.cpp:3494
#10 0x00005555558b8d05 in js::RunScript (cx=0x7ffff5f18000, state=...) at js/src/vm/Interpreter.cpp:447
#11 0x00005555558b93bf in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f18000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:587
#12 0x00005555558b99dd in InternalCall (cx=cx@entry=0x7ffff5f18000, args=...) at js/src/vm/Interpreter.cpp:614
#13 0x00005555558b9b70 in js::Call (cx=cx@entry=0x7ffff5f18000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:634
#14 0x000055555590e6db in js::Call (cx=0x7ffff5f18000, fval=..., thisv=..., arg0=..., rval=...) at js/src/vm/Interpreter.h:103
#15 0x00005555559586c6 in PromiseReactionJob (cx=<optimized out>, cx@entry=0x7ffff5f18000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Promise.cpp:1626
#16 0x00005555558c7af1 in CallJSNative (cx=0x7ffff5f18000, native=0x555555957e50 <PromiseReactionJob(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:468
[...]
#24 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11415
rax	0x555557b5b480	93825032107136
rbx	0x7ffff5f18000	140737319632896
rcx	0x555556a1eca3	93825014033571
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffc600	140737488340480
rsp	0x7fffffffc5d0	140737488340432
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x0	0
r11	0x0	0
r12	0x0	0
r13	0x7fffffffc640	140737488340544
r14	0x7fffffffc640	140737488340544
r15	0x7fffffffc7d0	140737488340944
rip	0x555555acc879 <JSContext::getPendingException(JS::MutableHandle<JS::Value>)+617>
=> 0x555555acc879 <JSContext::getPendingException(JS::MutableHandle<JS::Value>)+617>:	movl   $0x0,0x0
   0x555555acc884 <JSContext::getPendingException(JS::MutableHandle<JS::Value>)+628>:	ud2


This is a shell-only problem with setModuleResolveHook. I think Jon was mentioning that this function probably isn't fuzzing-safe anymore?

Updated

6 months ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1

6 months ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/41812db6caba
user:        Jon Coppeard
date:        Mon Oct 22 11:28:17 2018 +0100
summary:     Bug 1499140 - Support dynamic module import in the shell r=jandem

This iteration took 389.029 seconds to run.
Assignee

Updated

6 months ago
Priority: -- → P2
Assignee

Comment 2

6 months ago
The bug is that js::RejectPromiseWithPendingError assumes GetAndClearException is safe to call if we have an uncatchable error (i.e. there's no exception pending). It's not.
Assignee: nobody → jorendorff
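The failure mode described in Comment 2, as an added illustration that is not SpiderMonkey's code or the landed patch: a minimal, hypothetical model of an engine context in which an "uncatchable error" is an error state with no pending exception value. The engine's assertion in getPendingException is modelled as a thrown std::logic_error so that the unchecked (buggy) path and the checked (fixed) path can both be exercised. Names such as Context, Promise, rejectPromiseWithPendingErrorBuggy and rejectPromiseWithPendingErrorFixed are assumptions for this model; the fixed variant shows the shape of the check the bug calls for (test for a pending exception before reading it, and keep propagating the uncatchable error by returning false), not the exact upstream change.

```cpp
#include <iostream>
#include <optional>
#include <stdexcept>
#include <string>

// Hypothetical model of an engine context (not SpiderMonkey's JSContext).
// "failing" means an error is propagating; "exn" holds the pending exception
// value, if any. An uncatchable error is failing == true with no exn.
struct Context {
    bool failing = false;
    std::optional<std::string> exn;

    bool isExceptionPending() const { return exn.has_value(); }

    // Models the debug assertion from the backtrace: reading the pending
    // exception when none is pending is a contract violation.
    std::string getPendingException() const {
        if (!exn) throw std::logic_error("Assertion failure: no pending exception");
        return *exn;
    }

    void clearPendingException() { exn.reset(); }
    void setPendingException(const std::string& v) { failing = true; exn = v; }
    // An interrupt, OOM or similar: the engine unwinds without a value.
    void reportUncatchable() { failing = true; exn.reset(); }
};

struct Promise {
    enum State { Pending, Fulfilled, Rejected } state = Pending;
    std::string reason;
};

// Moves the pending exception off the context into `out`.
bool getAndClearException(Context& cx, std::string& out) {
    out = cx.getPendingException();   // trips the assertion if nothing is pending
    cx.clearPendingException();
    return true;
}

// Buggy variant: assumes a pending exception always exists, exactly the
// assumption Comment 2 identifies.
bool rejectPromiseWithPendingErrorBuggy(Context& cx, Promise& p) {
    std::string exn;
    if (!getAndClearException(cx, exn)) return false;
    p.state = Promise::Rejected;
    p.reason = exn;
    return true;
}

// Fixed variant: with no exception value there is nothing to hand to script,
// so reject with undefined and return false so the uncatchable error keeps
// propagating to the caller.
bool rejectPromiseWithPendingErrorFixed(Context& cx, Promise& p) {
    if (!cx.isExceptionPending()) {
        p.state = Promise::Rejected;
        p.reason = "undefined";
        return false;
    }
    std::string exn;
    if (!getAndClearException(cx, exn)) return false;
    p.state = Promise::Rejected;
    p.reason = exn;
    return true;
}

int main() {
    Context cx;
    Promise p;
    cx.reportUncatchable();
    try {
        rejectPromiseWithPendingErrorBuggy(cx, p);
    } catch (const std::logic_error& e) {
        std::cout << "buggy path: " << e.what() << "\n";
    }
    bool ok = rejectPromiseWithPendingErrorFixed(cx, p);
    std::cout << "fixed path returned " << (ok ? "true" : "false")
              << ", promise rejected with " << p.reason << "\n";
    return 0;
}
```

The distinction the fixed variant preserves is that a promise can still be rejected (so nothing is left pending forever) while the return value keeps signalling the uncatchable error, rather than converting it into an ordinary catchable rejection value.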

Comment 4

6 months ago
Pushed by jorendorff@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0b3de1c4a2ae
Handle uncatchable errors in RejectPromiseWithPendingError. r=jonco

Comment 5

6 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/0b3de1c4a2ae
Status: NEW → RESOLVED
Last Resolved: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65