Closed Bug 1733899 Opened 4 months ago Closed 4 months ago

Assertion failure: !JS_IsExceptionPending(cx_), at /js/src/vm/JSContext.cpp:1276

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
95 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- unaffected
firefox92 --- unaffected
firefox93 --- unaffected
firefox94 --- wontfix
firefox95 --- verified

People

(Reporter: decoder, Assigned: iain)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20211003-37fd65de7f23 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

a = {}
a[Symbol.iterator] = function() {
    return {
        next() {
            return {
                // `this` is the iterator object: an object-valued `done`,
                // so checking it takes the ToBoolean slow path (ToBooleanSlow
                // -> EmulatesUndefined in the backtrace below)
                done: this
            }
        }
    }
}
// The default parameter is destructured from `a`; the inner `[]` pattern
// throws, and `done` is checked again while that exception is pending
function b([[]] = a) {}
b();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555556e8eef1 in js::AutoUnsafeCallWithABI::AutoUnsafeCallWithABI(js::UnsafeABIStrictness) ()
#1  0x0000555556c6d2fd in js::EmulatesUndefined(JSObject*) ()
#2  0x0000555556c6d210 in js::ToBooleanSlow(JS::Handle<JS::Value>) ()
#3  0x0000555556c22588 in Interpret(JSContext*, js::RunState&) ()
#4  0x0000555556c0fa51 in js::RunScript(JSContext*, js::RunState&) ()
[...]
#12 0x0000555556a7b07e in main ()
rax	0x555555821e77	93824995171959
rbx	0x7ffff6019000	140737320685568
rcx	0x5555581555e0	93825038374368
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffc070	140737488339056
rsp	0x7fffffffc050	140737488339024
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x7ffff4a5a0d8	140737297883352
r13	0x7ffff6019000	140737320685568
r14	0x0	0
r15	0x7fffffffc080	140737488339072
rip	0x555556e8eef1 <js::AutoUnsafeCallWithABI::AutoUnsafeCallWithABI(js::UnsafeABIStrictness)+273>
=> 0x555556e8eef1 <_ZN2js21AutoUnsafeCallWithABIC2ENS_19UnsafeABIStrictnessE+273>:	movl   $0x4fc,0x0
   0x555556e8eefc <_ZN2js21AutoUnsafeCallWithABIC2ENS_19UnsafeABIStrictnessE+284>:	callq  0x555556b11bfe <abort>
Attached file Testcase
Regressed by: 1730426
Has Regression Range: --- → yes

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211004095342-06e67beeafc2.
The bug appears to have been introduced in the following build range:

Start: df8d93b9934294a67af0a05ea50070ce8e5fd8e6 (20210915171826)
End: ed6ca0884441cc361b1c2d01a7cb6c44ee7b8848 (20210915173940)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=df8d93b9934294a67af0a05ea50070ce8e5fd8e6&tochange=ed6ca0884441cc361b1c2d01a7cb6c44ee7b8848

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

In bug 1730426, Ted refactored exception handling so that we didn't run the RInstruction interpreter with a pending exception, which let us remove some cases where callWithABI allowed pending exceptions. However, it turns out that this particular case is also reachable with a pending exception via a ToBoolean call in ProcessTryNotes.

Assignee: nobody → iireland
Status: NEW → ASSIGNED
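The comment above describes the engine re-evaluating ToBoolean on the iterator's `done` value while an exception is already pending. The reason that check happens during unwinding is the iterator protocol itself: when a destructuring pattern throws, the engine must decide whether to call the iterator's `return()`, and it may only do so if `done` was falsy. The script below, an added example that is not part of the bug report, demonstrates that rule from plain JavaScript. The `done` values fed in, the `makeIterable` helper and the `destructureNested` function are all constructed for this illustration; an object-valued `done` mirrors the crash testcase, where `done` is the iterator object.

```javascript
// Added example, not from the bug report. Shows why the engine must coerce
// `done` to a boolean while unwinding from a destructuring failure:
// if `done` is truthy the iterator is finished and `return()` must NOT be
// called; if `done` is falsy and the pattern then throws, IteratorClose
// calls `return()`. All inputs here are constructed for the demonstration.

function makeIterable(doneValue, log) {
  return {
    [Symbol.iterator]() {
      return {
        next() {
          log.push("next");
          // value is left undefined so the nested `[]` pattern always throws
          return { done: doneValue, value: undefined };
        },
        return() {
          // Only reached through IteratorClose, i.e. when `done` was falsy
          log.push("return");
          return { done: true };
        },
      };
    },
  };
}

// Destructure [[]] from the iterable, exactly the shape used by the
// testcase's default parameter, and report which iterator methods ran.
function destructureNested(doneValue) {
  const log = [];
  let error = null;
  try {
    const [[]] = makeIterable(doneValue, log);
  } catch (e) {
    error = e;
  }
  return {
    calls: log.join(","),
    errorName: error === null ? null : error.name,
  };
}

// Object-valued `done` (truthy, as in the crash testcase): TypeError from the
// inner pattern, and the iterator is treated as finished, so no return().
console.log(destructureNested({}));
// `done: false`: the same TypeError, but now IteratorClose calls return().
console.log(destructureNested(false));
```

Both runs throw the same `TypeError` from the inner `[]` pattern; the only difference is whether `return()` is invoked, and that decision depends on coercing `done`, which is why the engine's error-handling path ends up in ToBoolean with an exception still pending.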
Pushed by iireland@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/eae74695e6b6
Allow EmulatesUndefined to be called during error handling r=mgaudet
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 95 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20211005035232-19fe4f009214.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

Is there a user-facing impact for this bug which would make us want to consider backporting the fix to Beta or can this ride the 95 train to release? Please nominate for Beta approval if you think it should be uplifted.

Flags: needinfo?(iireland)

There is no user-facing impact for this bug; the fix just relaxes an over-zealous assertion. It should ride the trains.

Flags: needinfo?(iireland)