Closed Bug 1633360 Opened 5 years ago Closed 5 years ago

Assertion failure: !cx->isExceptionPending(), at js/src/jsexn.cpp:479 with async function

Categories

(Core :: JavaScript Engine, defect, P2)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
mozilla77
Tracking Status
firefox-esr68 --- unaffected
firefox75 --- unaffected
firefox76 --- unaffected
firefox77 --- verified

People

(Reporter: decoder, Assigned: evilpies)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20200426-df251f2e0320 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --more-compartments):

var z18 = newGlobal();
// In a second global, leave an async function's rejection unhandled.
z18.eval(`
  var p = (async function() { throw 'some reason' })()
`);
// Recursive async function: each call throws the promise of the next call as its reason.
var p90 = (async function f81() {
  throw f81(100);
})();

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000555555a6427a in js::ErrorReport::init(JSContext*, JS::Handle<JS::Value>, js::ErrorReport::SniffingBehavior, JS::Handle<JSObject*>) ()
#0  0x0000555555a6427a in js::ErrorReport::init(JSContext*, JS::Handle<JS::Value>, js::ErrorReport::SniffingBehavior, JS::Handle<JSObject*>) ()
#1  0x000055555578829e in js::shell::AutoReportException::~AutoReportException() ()
#2  0x000055555578f269 in ForwardingPromiseRejectionTrackerCallback(JSContext*, bool, JS::Handle<JSObject*>, JS::PromiseRejectionHandlingState, void*) ()
#3  0x0000555555b860a0 in js::PromiseObject::onSettled(JSContext*, JS::Handle<js::PromiseObject*>) ()
#4  0x0000555555b85a06 in ResolvePromise(JSContext*, JS::Handle<js::PromiseObject*>, JS::Handle<JS::Value>, JS::PromiseState) ()
#5  0x0000555555ae2aaa in js::AsyncFunctionResolve(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, JS::Handle<JS::Value>, js::AsyncFunctionResolveKind) ()
#6  0x0000328627331f1d in ?? ()
[...]
#23 0x0000000000000000 in ?? ()
rip	0x555555a6427a <js::ErrorReport::init(JSContext*, JS::Handle<JS::Value>, js::ErrorReport::SniffingBehavior, JS::Handle<JSObject*>)+5626>
=> 0x555555a6427a <_ZN2js11ErrorReport4initEP9JSContextN2JS6HandleINS3_5ValueEEENS0_16SniffingBehaviorENS4_IP8JSObjectEE+5626>:	movl   $0x1df,0x0
   0x555555a64285 <_ZN2js11ErrorReport4initEP9JSContextN2JS6HandleINS3_5ValueEEENS0_16SniffingBehaviorENS4_IP8JSObjectEE+5637>:	callq  0x555555818636 <abort>
Attached file Testcase
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200428100141-a99c73301874. The bug appears to have been introduced in the following build range:
> Start: 93bdbca5399c12b3eec5f03bbc323e00f7ef3a51 (20200409131623)
> End: b6fd7b67139a9915b286a6827bc12741847ee1d7 (20200410025909)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=93bdbca5399c12b3eec5f03bbc323e00f7ef3a51&tochange=b6fd7b67139a9915b286a6827bc12741847ee1d7

Tom, could this be related at all to any of the recent changes you made around exception handling?

Flags: needinfo?(evilpies)

Yeah. We are not clearing the pending exception after StealPendingExceptionStack in js::shell::AutoReportException::~AutoReportException. This code is shell-only.

Assignee: nobody → evilpies
Flags: needinfo?(evilpies)
Priority: -- → P2
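A simplified model of the invariant the comment above describes, added here as an example; it is not SpiderMonkey or shell code. Context, stealPendingExceptionStack, errorReportInit and reportPendingException are stand-ins for JSContext, StealPendingExceptionStack, ErrorReport::init and the AutoReportException destructor, and "OOM" is simulated by a flag rather than a real allocation failure.

```cpp
#include <optional>
#include <string>

// Stand-in for JSContext (assumption: not SpiderMonkey's real type).
struct Context {
    std::optional<std::string> pending;  // the pending exception, if any
    bool simulateOOM = false;            // force the steal step to fail
    bool isExceptionPending() const { return pending.has_value(); }
    void clearPendingException() { pending.reset(); }
};

// Model of StealPendingExceptionStack: on success the exception moves out of
// the context; on (simulated) OOM it returns false and stays pending.
static bool stealPendingExceptionStack(Context& cx, std::string* out) {
    if (cx.simulateOOM) return false;
    *out = *cx.pending;
    cx.pending.reset();
    return true;
}

// Model of the precondition checked in ErrorReport::init: reporting must not
// start while another exception is still pending. false == assertion fires.
static bool errorReportInit(const Context& cx) {
    return !cx.isExceptionPending();
}

// Destructor logic of the shell's AutoReportException in both variants.
// Returns true when the report ran without violating the invariant.
static bool reportPendingException(Context& cx, bool fixed) {
    if (!cx.isExceptionPending()) return true;
    std::string exn;
    if (!stealPendingExceptionStack(cx, &exn)) {
        // Buggy variant: goes on to report with the exception still pending.
        if (!fixed) return errorReportInit(cx);
        // Fixed variant: a failed steal clears the pending exception first.
        cx.clearPendingException();
    }
    return errorReportInit(cx);
}

// One scenario: a pending exception, optional OOM on steal, buggy or fixed path.
bool scenario(bool oom, bool fixed) {
    Context cx;
    cx.pending = "some reason";
    cx.simulateOOM = oom;
    return reportPendingException(cx, fixed);
}
```

scenario(true, false) reproduces the failing case: the steal fails, nothing clears the exception, and the report step starts with it still pending.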
Pushed by evilpies@gmail.com: https://hg.mozilla.org/integration/autoland/rev/b366b7e6d4ea Handle OOM in StealPendingException. r=sfink
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla77
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200518152416-a627b6676824. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.