Closed Bug 1731434 Opened 3 years ago Closed 3 years ago

Assertion failure: maybecx->unwrappedException().isObject(), at js/src/vm/JSContext.cpp:335

Tracking

()

Status:

VERIFIED FIXED

Milestone:

94 Branch

Tracking Flags:

Tracking

Status

firefox-esr78

---

unaffected

firefox-esr91

---

unaffected

firefox92

---

unaffected

firefox93

---

unaffected

firefox94

---

fixed

People

(Reporter: decoder, Assigned: tcampbell)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,confirmed,bisected][fuzzblocker])

Attachments

(3 files)

Detailed Crash Information 3 years ago Christian Holler (:decoder) 4.04 KB, text/plain		Details
Testcase 3 years ago Christian Holler (:decoder) 72 bytes, text/plain		Details
Bug 1731434 - Fix handling of double-faults while throwing overrecursed 3 years ago Ted Campbell [:tcampbell] 48 bytes, text/x-phabricator-request		Details \| Review

Christian Holler (:decoder)

Reporter

Description

•

3 years ago

The following testcase crashes on mozilla-central revision 20210918-b01f4c5fd7b7 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

enableShellAllocationMetadataBuilder();
function a() {
    a();
}
new a;

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555556e90505 in js::ReportOverRecursed(JSContext*) ()
#1  0x0000555556fb8ab0 in CallJSAddPropertyOp(JSContext*, bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>), JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>) ()
#2  0x0000555556fa1e7b in bool AddOrChangeProperty<(IsAddOrChange)0>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::PropertyDescriptor>, js::PropertyResult*) ()
#3  0x0000555556fa0c44 in js::NativeDefineProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::PropertyDescriptor>, JS::ObjectOpResult&) ()
#4  0x0000555556f4b0c4 in js::DefineDataProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, unsigned int, JS::ObjectOpResult&) ()
#5  0x0000555556f2a2f4 in js::DefineDataProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, unsigned int) ()
#6  0x0000555556fd42eb in DefineDataPropertyById(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, unsigned int) ()
#7  0x0000555556fd4a7d in JS_DefinePropertyById(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JSObject*>, unsigned int) ()
#8  0x0000555557168193 in ShellAllocationMetadataBuilder::build(JSContext*, JS::Handle<JSObject*>, js::AutoEnterOOMUnsafeRegion&) const ()
#9  0x0000555556fe276c in JS::Realm::setNewObjectMetadata(JSContext*, JS::Handle<JSObject*>) ()
#10 0x0000555556bad7c4 in js::NativeObject::create(JSContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, js::gc::AllocSite*) ()
#11 0x0000555556f3d2df in NewObject(JSContext*, JSClass const*, JS::Handle<js::TaggedProto>, js::gc::AllocKind, js::NewObjectKind) ()
#12 0x0000555556ffaa6a in js::SavedFrame::create(JSContext*) ()
#13 0x0000555557003735 in js::SavedStacks::createFrameFromLookup(JSContext*, JS::Handle<js::SavedFrame::Lookup>) ()
#14 0x0000555557003475 in js::SavedStacks::getOrCreateSavedFrame(JSContext*, JS::Handle<js::SavedFrame::Lookup>) ()
#15 0x0000555557000819 in js::SavedStacks::insertFrames(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) ()
#16 0x0000555556fff7ba in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) ()
#17 0x0000555556d2bed5 in JS::CaptureCurrentStack(JSContext*, JS::MutableHandle<JSObject*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) ()
#18 0x0000555556d31c28 in js::ErrorToException(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*) ()
#19 0x0000555556e2b43f in js::ReportErrorNumberVA(JSContext*, js::IsWarning, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, js::ErrorArgumentsType, __va_list_tag*) ()
#20 0x0000555556d0d42f in JS_ReportErrorNumberASCII(JSContext*, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, ...) ()
#21 0x0000555556e90411 in js::ReportOverRecursed(JSContext*) ()
#22 0x000055555773604a in js::jit::CheckOverRecursed(JSContext*) ()
#23 0x00002ecd3a15aaed in ?? ()
#24 0x0000000000000000 in ?? ()
rax	0x5555557c624f	93824994796111
rbx	0x7ffff6019000	140737320685568
rcx	0x55555816ec90	93825038478480
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffdfc7a0	140737486243744
rsp	0x7fffffdfc790	140737486243728
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x7fffffdfcb38	140737486244664
r13	0xa805	43013
r14	0x555556c80a80	93825016531584
r15	0x7fffffdfcb50	140737486244688
rip	0x555556e90505 <js::ReportOverRecursed(JSContext*)+324>
=> 0x555556e90505 <_ZN2js18ReportOverRecursedEP9JSContext+324>:	movl   $0x14f,0x0
   0x555556e90510 <_ZN2js18ReportOverRecursedEP9JSContext+335>:	callq  0x555556b1218e <abort>

This is causing a massive influx of crashes (>700 since yesterday), marking as fuzzblocker.

Christian Holler (:decoder)

Reporter

Comment 1

•

3 years ago

Attached file Detailed Crash Information — Details

Christian Holler (:decoder)

Reporter

Comment 2

•

3 years ago

Attached file Testcase — Details

Christian Holler (:decoder)

Reporter

Updated

•

3 years ago

Flags: needinfo?(jdemooij)

Jan de Mooij [:jandem]

Comment 3

•

3 years ago

This is likely from bug 1730426. I don't have time to investigate now but I can look at this tomorrow if Ted doesn't beat me to it.

Flags: needinfo?(jdemooij) → needinfo?(tcampbell)

Ted Campbell [:tcampbell]

Assignee

Updated

•

3 years ago

Assignee: nobody → tcampbell

Flags: needinfo?(tcampbell)

Ted Campbell [:tcampbell]

Assignee

Comment 4

•

3 years ago

Attached file Bug 1731434 - Fix handling of double-faults while throwing overrecursed — Details

The JSContext::generatingError re-entrancy check can generate uncatchable
exceptions while throwing errors. Fix ReportOverRecursed to reflect this.

Pulsebot

Comment 5

•

3 years ago

Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9adcbf4e1bd9
Fix handling of double-faults while throwing overrecursed r=arai

Sandor Molnar[:smolnar]

Comment 6

•

3 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/9adcbf4e1bd9

Status: NEW → RESOLVED

Closed: 3 years ago

status-firefox94: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → 94 Branch

Bugmon [:jkratzer for issues]

Comment 7

•

3 years ago

Bugmon Analysis
Bug marked as FIXED but still reproduces on mozilla-central 20210918213140-9adcbf4e1bd9.

Status: RESOLVED → REOPENED

status-firefox94: fixed → affected

Resolution: FIXED → ---

Whiteboard: [bugmon:update,bisect][fuzzblocker] → [bugmon:update,bisect,confirmed][fuzzblocker]

Bugmon [:jkratzer for issues]

Comment 8

•

3 years ago

Bugmon Analysis
Failed to bisect testcase (Testcase reproduces on start build!):

Start: a5cdfde00f159276453541049a8cbb5f7043ae2a (20200921213612)
End: b01f4c5fd7b7dde4083076217f0b0440e49db35e (20210918094657)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=False, fuzzing=False, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:update,bisect,confirmed][fuzzblocker] → [bugmon:update,confirmed,bisected][fuzzblocker]

Ted Campbell [:tcampbell]

Assignee

Comment 9

•

3 years ago

Jason, can you help determine if this is actually still happening? The changes that I landed change the crash from an assertion failure into a MOZ_CRASH([unhandleable oom]) which the reasonable answer for this AllocationMetadataBuilder API (that is only used in shell testing or controlled devtools cases).

Flags: needinfo?(jkratzer)

Jason Kratzer [:jkratzer]

Comment 10

•

3 years ago

Ted, I can confirm that it returns [unhandleable oom] using m-c rev b01f4c5fd7b7. Unfortunately, Bugmon doesn't differentiate between regular crashes and unhadleable oom. Though, adding this is on the roadmap. I'll try and implement it later today.

Flags: needinfo?(jkratzer)

Jason Kratzer [:jkratzer]

Updated

•

3 years ago

Status: REOPENED → RESOLVED

Closed: 3 years ago → 3 years ago

Resolution: --- → FIXED

Bugmon [:jkratzer for issues]

Comment 11

•

3 years ago

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210918213140-9adcbf4e1bd9.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED

Keywords: bugmon

Ryan VanderMeulen [:RyanVM]

Updated

•

3 years ago

status-firefox92: --- → unaffected

status-firefox93: affected → unaffected

status-firefox94: affected → fixed

status-firefox-esr78: --- → unaffected

status-firefox-esr91: --- → unaffected

Flags: in-testsuite+

BugBot [:suhaib / :marco/ :calixte]

Comment 12

•

2 years ago

:tcampbell, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(tcampbell)

Marco Castelluccio [:marco]

Comment 13

•

2 years ago

Sorry, bug in the bot.

Flags: needinfo?(tcampbell)

You need to log in before you can comment on or make changes to this bug.