Open Bug 1706141 Opened 3 years ago Updated 11 months ago

Assertion failure: mMightHaveUnreportedJSException (Why didn't you tell us you planned to throw a JS exception?), at /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:650

Categories

(Core :: DOM: Web Payments, defect, P3)

Tracking Status
firefox89 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 8e850fd29a95 (built with --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following command:

$ pip install grizzly-framework
$ python3 -m grizzly.replay --xvfb ~/builds/mc-debug/firefox ./testcase.html
Assertion failure: mMightHaveUnreportedJSException (Why didn't you tell us you planned to throw a JS exception?), at /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:650

    #0 0x7fb8e0a77186 in mozilla::binding_danger::TErrorResult<mozilla::binding_danger::AssertAndSuppressCleanupPolicy>::StealExceptionFromJSContext(JSContext*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:649:3
    #1 0x7fb8e1f6f233 in mozilla::dom::PaymentRequest::ResolvedCallback(JSContext*, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/dom/payments/PaymentRequest.cpp:1119:12
    #2 0x7fb8e1d9e4a3 in mozilla::dom::(anonymous namespace)::PromiseNativeHandlerShim::ResolvedCallback(JSContext*, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/dom/promise/Promise.cpp:385:12
    #3 0x7fb8e1d9eaf5 in mozilla::dom::NativeHandlerCallback(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/promise/Promise.cpp:338:29
    #4 0x7fb8e3ae20d0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:437:13
    #5 0x7fb8e3ae183c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:522:12
    #6 0x7fb8e3ae3049 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:582:10
    #7 0x7fb8e3ae326f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:599:8
    #8 0x7fb8e3b76d21 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.h:106:10
    #9 0x7fb8e3d0c3a8 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:1905:10
    #10 0x7fb8e3ae20d0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:437:13
    #11 0x7fb8e3ae183c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:522:12
    #12 0x7fb8e3ae3049 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:582:10
    #13 0x7fb8e3ae326f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:599:8
    #14 0x7fb8e406a0cb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2830:10
    #15 0x7fb8dfdb7fd0 in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:31:8
    #16 0x7fb8dd9e441c in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:89:12
    #17 0x7fb8dd9e37b3 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:102:12
    #18 0x7fb8dd9e37b3 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:212:18
    #19 0x7fb8dd9cfd47 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:647:17
    #20 0x7fb8e0e33f6f in LeaveMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:233:7
    #21 0x7fb8e0e33f6f in ~nsAutoMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:383:13
    #22 0x7fb8e0e33f6f in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1112:3
    #23 0x7fb8e0e34b90 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1301:17
    #24 0x7fb8e0e29e95 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:390:5
    #25 0x7fb8e0e29e95 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:354:17
    #26 0x7fb8e0e29443 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:556:16
    #27 0x7fb8e0e2c041 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1099:11
    #28 0x7fb8e0e2ebd6 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
    #29 0x7fb8df855893 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1331:17
    #30 0x7fb8df569faa in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4183:28
    #31 0x7fb8df569e36 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4153:10
    #32 0x7fb8df6d0993 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7672:3
    #33 0x7fb8df7436c6 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
    #34 0x7fb8df7436c6 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
    #35 0x7fb8df7436c6 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
    #36 0x7fb8ddacc032 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:143:20
    #37 0x7fb8ddaf7463 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:473:16
    #38 0x7fb8ddad4d09 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:757:26
    #39 0x7fb8ddad3c74 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:612:15
    #40 0x7fb8ddad3e03 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:396:36
    #41 0x7fb8ddafad86 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:135:37
    #42 0x7fb8ddafad86 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #43 0x7fb8ddae6b10 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
    #44 0x7fb8ddaed7ba in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #45 0x7fb8de427676 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #46 0x7fb8de392553 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #47 0x7fb8de39246d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #48 0x7fb8de39246d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #49 0x7fb8e21345f8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #50 0x7fb8e39adea3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:906:20
    #51 0x7fb8de42855c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #52 0x7fb8de392553 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #53 0x7fb8de39246d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #54 0x7fb8de39246d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #55 0x7fb8e39ada7f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:34
    #56 0x55fa7c3630d6 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #57 0x55fa7c3630d6 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
    #58 0x7fb8f2b7d0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210419221626-e2fb29057e4c.
The bug appears to have been introduced in the following build range:

Start: 5b033d5d6e6d1dcab03863b56c14cfaaf06ce7b3 (20210408024041)
End: f02d7172dafc11f018ac917ba5bc4dc6dd72d79d (20210408030858)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5b033d5d6e6d1dcab03863b56c14cfaaf06ce7b3&tochange=f02d7172dafc11f018ac917ba5bc4dc6dd72d79d

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

So the problem is that the code at https://searchfox.org/mozilla-central/rev/b6f52976b562008c9d9ceeda22907e1eda506c8e/dom/payments/PaymentRequest.cpp#1115-1122 needs to call result.MightThrowJSException() prior to attempting to initialize the dictionary, because the dictionary can be angry about the contents we try to initialize it with. The assertion in question only happens on debug builds, but given the lack of coverage for the file, we really want the fuzzing coverage.

Severity: -- → S3
Priority: -- → P3
No longer blocks: domino
Depends on: domino
Blocks: domino
No longer depends on: domino
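The contract described in the comment above, as an added, self-contained model that is not Gecko code: a stand-in for ErrorResult keeps the same mMightHaveUnreportedJSException flag that BindingUtils.cpp asserts on, and a stand-in dictionary Init() throws on the JSContext when its input is malformed. The names FakeJSContext, ModelErrorResult, DictInit and ResolvedCallbackModel are hypothetical; the only thing taken from the page is the rule that MightThrowJSException() must precede any call that can leave an exception pending on the context. Instead of aborting, the model records the violation so both the buggy and the fixed ordering can be run side by side.

```cpp
// Added example (not Gecko code): a minimal model of the ErrorResult contract
// behind the "Why didn't you tell us you planned to throw a JS exception?"
// assertion. All types here are simplified stand-ins.
#include <cassert>
#include <iostream>
#include <optional>
#include <string>

// Stand-in for JSContext: holds at most one pending exception message.
struct FakeJSContext {
    std::optional<std::string> pending;
    void Throw(std::string msg) { pending = std::move(msg); }
};

enum class Outcome { Ok, ExceptionCaptured, ContractViolated };

// Stand-in for mozilla::ErrorResult, keeping only the flag the assertion checks.
class ModelErrorResult {
public:
    // The announcement the comment says PaymentRequest::ResolvedCallback lacks.
    void MightThrowJSException() { mMightHaveUnreportedJSException = true; }

    // Models StealExceptionFromJSContext: legal only after the announcement.
    // Real debug Gecko asserts here; the model records the violation instead
    // and leaves the exception pending on the context, i.e. unreported.
    Outcome StealExceptionFromJSContext(FakeJSContext& cx) {
        if (!mMightHaveUnreportedJSException) {
            return Outcome::ContractViolated;
        }
        if (!cx.pending) {
            return Outcome::Ok;  // nothing was actually thrown
        }
        mStolen = std::move(cx.pending);
        cx.pending.reset();
        mMightHaveUnreportedJSException = false;  // exception is now owned here
        return Outcome::ExceptionCaptured;
    }

    const std::optional<std::string>& Stolen() const { return mStolen; }

private:
    bool mMightHaveUnreportedJSException = false;
    std::optional<std::string> mStolen;
};

// Stand-in for a WebIDL dictionary Init(): rejects an empty value by throwing
// a TypeError on the context and returning false, as a binding would.
bool DictInit(FakeJSContext& cx, const std::string& value) {
    if (value.empty()) {
        cx.Throw("TypeError: missing required dictionary member");
        return false;
    }
    return true;
}

// Shape of the resolved-callback path. `announce` selects the buggy ordering
// (false, as on the page) or the fixed one (true, MightThrowJSException first).
Outcome ResolvedCallbackModel(FakeJSContext& cx, const std::string& value,
                              bool announce) {
    ModelErrorResult rv;
    if (announce) {
        rv.MightThrowJSException();
    }
    if (!DictInit(cx, value)) {
        return rv.StealExceptionFromJSContext(cx);
    }
    return Outcome::Ok;
}

int main() {
    FakeJSContext buggy, fixed;
    // Malformed input makes Init() throw; only the announced path captures it.
    std::cout << "buggy ordering violated contract: "
              << (ResolvedCallbackModel(buggy, "", false) == Outcome::ContractViolated)
              << ", exception still pending: " << buggy.pending.has_value() << "\n";
    std::cout << "fixed ordering captured exception: "
              << (ResolvedCallbackModel(fixed, "", true) == Outcome::ExceptionCaptured)
              << ", exception still pending: " << fixed.pending.has_value() << "\n";
    return 0;
}
```

Note that with well-formed input both orderings return Ok, which is why the missing call survives ordinary use and only a fuzzer that feeds the dictionary something it rejects trips the debug assertion.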

Testcase crashes using the initial build (mozilla-central 20220528091325-c7f47d9896aa) but not with tip (mozilla-central 20230526215433-fc6056442a0f).

The bug appears to have been fixed in the following build range:

Start: 3e4914be9f30f747091ed2a4bccbd8a56e40a0e6 (20230526172426)
End: fc6056442a0fa16146259cb730d4e34a16656952 (20230526194457)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3e4914be9f30f747091ed2a4bccbd8a56e40a0e6&tochange=fc6056442a0fa16146259cb730d4e34a16656952

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(jkratzer)
Keywords: bugmon

I cannot reproduce this issue locally anymore. However, when I run the testcase, the browser exits without a crash or assertion even though there is nothing in the testcase that should cause it to do that. I don't see anything in the bisection range that would indicate why this is happening.

Flags: needinfo?(jkratzer)