1764117 - Assertion failure: false (JS_GetPendingException(aCx, aValue)), at /dom/bindings/ToJSValue.cpp:57

Status: VERIFIED FIXED

(Core :: DOM: Streams, defect, P3)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev 87b37ed2950d (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 87b37ed2950d --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip --repeat 10 --relaunch 1 --no-harness

Assertion failure: false (JS_GetPendingException(aCx, aValue)), at /dom/bindings/ToJSValue.cpp:57

    =================================================================
    ==3607875==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fc489948dc7 bp 0x7fc46fc99ed0 sp 0x7fc46fc99ec0 T21)
    ==3607875==The signal is caused by a WRITE memory access.
    ==3607875==Hint: address points to the zero page.
        #0 0x7fc489948dc7 in mozilla::dom::ToJSValue(JSContext*, mozilla::ErrorResult&&, JS::MutableHandle<JS::Value>) /dom/bindings/ToJSValue.cpp:57:3
        #1 0x7fc48cc4a696 in mozilla::dom::PipeToPump::Read(JSContext*) /dom/streams/ReadableStreamPipeTo.cpp:709:15
        #2 0x7fc48cc4a337 in mozilla::dom::PipeToPump::Start(JSContext*, mozilla::dom::AbortSignal*) /dom/streams/ReadableStreamPipeTo.cpp:333:3
        #3 0x7fc48cc37169 in mozilla::dom::ReadableStreamPipeTo(mozilla::dom::ReadableStream*, mozilla::dom::WritableStream*, bool, bool, bool, mozilla::dom::AbortSignal*, mozilla::ErrorResult&) /dom/streams/ReadableStreamPipeTo.cpp:951:9
        #4 0x7fc48cc38dfa in mozilla::dom::ReadableStream::PipeTo(mozilla::dom::WritableStream&, mozilla::dom::StreamPipeOptions const&, mozilla::ErrorResult&) /dom/streams/ReadableStream.cpp:813:10
        #5 0x7fc4888ec973 in pipeTo /builds/worker/workspace/obj-build/dom/bindings/ReadableStreamBinding.cpp:678:60
        #6 0x7fc4888ec973 in mozilla::dom::ReadableStream_Binding::pipeTo_promiseWrapper(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/ReadableStreamBinding.cpp:692:13
        #7 0x7fc489916a3a in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3270:13
        #8 0x7fc4938d2e74 in CallJSNative /js/src/vm/Interpreter.cpp:420:13
        #9 0x7fc4938d2e74 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:507:12
        #10 0x7fc4938bf5bb in CallFromStack /js/src/vm/Interpreter.cpp:571:10
        #11 0x7fc4938bf5bb in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3293:16
        #12 0x7fc4938a46b1 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:389:13
        #13 0x7fc4938d2faf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:539:13
        #14 0x7fc4938d4b9b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:584:8
        #15 0x7fc4923aa737 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1588:10
        #16 0x7fc491fed109 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:152:8
        #17 0x7fc4922b390a in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:1949:12
        #18 0x7fc4922b390a in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2012:12
        #19 0x7fc4938d2e74 in CallJSNative /js/src/vm/Interpreter.cpp:420:13
        #20 0x7fc4938d2e74 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:507:12
        #21 0x7fc4938d4b9b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:584:8
        #22 0x7fc49202541d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #23 0x7fc48870c90c in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:35:8
        #24 0x7fc484764837 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:89:12
        #25 0x7fc484764837 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:102:12
        #26 0x7fc484764837 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:213:18
        #27 0x7fc484743a87 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:674:17
        #28 0x7fc484744a6f in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /xpcom/base/CycleCollectedJSContext.cpp:463:3
        #29 0x7fc484988b88 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1224:24
        #30 0x7fc48499273c in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #31 0x7fc48c4d1dd0 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /dom/workers/WorkerPrivate.cpp:3133:7
        #32 0x7fc48c497724 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /dom/workers/RuntimeService.cpp:2162:42
        #33 0x7fc484988e6b in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1181:16
        #34 0x7fc48499273c in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #35 0x7fc4860a2be1 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
        #36 0x7fc485f1b321 in RunInternal /ipc/chromium/src/base/message_loop.cc:380:10
        #37 0x7fc485f1b321 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #38 0x7fc485f1b321 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #39 0x7fc484980a89 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:385:10
        #40 0x7fc4a7a3702e in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #41 0x7fc4a9b4e608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8
        #42 0x7fc4a9715162 in __clone /build/glibc-sMfBJT/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /dom/bindings/ToJSValue.cpp:57:3 in mozilla::dom::ToJSValue(JSContext*, mozilla::ErrorResult&&, JS::MutableHandle<JS::Value>)
    Thread T21 (DOM Worker) created by T0 (Isolated Web Co) here:
        #0 0x55c9ec12223c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
        #1 0x7fc4a7a270b4 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14
        #2 0x7fc4a7a1835e in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12
        #3 0x7fc484983da5 in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:611:18
        #4 0x7fc48c4f8e62 in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /dom/workers/WorkerThread.cpp:102:7
        #5 0x7fc48c477758 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /dom/workers/RuntimeService.cpp:1321:14
        #6 0x7fc48c476677 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /dom/workers/RuntimeService.cpp:1188:19
        #7 0x7fc48c4cc244 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /dom/workers/WorkerPrivate.cpp:2528:24
        #8 0x7fc48c481a1d in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /dom/workers/Worker.cpp:44:41
        #9 0x7fc489187b3c in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1105:52
        #10 0x7fc4938d5745 in CallJSNative /js/src/vm/Interpreter.cpp:420:13
        #11 0x7fc4938d5745 in CallJSNativeConstructor /js/src/vm/Interpreter.cpp:436:8
        #12 0x7fc4938d5745 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /js/src/vm/Interpreter.cpp:631:10
        #13 0x7fc4938bf56c in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3283:16
        #14 0x7fc4938a46b1 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:389:13
        #15 0x7fc4938d2faf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:539:13
        #16 0x7fc4938d4b9b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:584:8
        #17 0x7fc49202541d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #18 0x7fc489536b69 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
        #19 0x7fc48a2e2004 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
        #20 0x7fc48a2e1ac0 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1310:43
        #21 0x7fc48a2e316c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1507:17
        #22 0x7fc48a2d0b5e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:348:17
        #23 0x7fc48a2cf36d in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:550:16
        #24 0x7fc48a2d365d in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1119:11
        #25 0x7fc48a2d9429 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
        #26 0x7fc487d8d234 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/base/nsINode.cpp:1354:17
        #27 0x7fc4876b4877 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /dom/base/nsContentUtils.cpp:4332:28
        #28 0x7fc4876b453e in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /dom/base/nsContentUtils.cpp:4302:10
        #29 0x7fc4879ed576 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:7909:3
        #30 0x7fc487ae19ad in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
        #31 0x7fc487ae19ad in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
        #32 0x7fc487ae19ad in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
        #33 0x7fc48495505f in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:140:20
        #34 0x7fc4849a1db2 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:467:16
        #35 0x7fc48496812d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:780:26
        #36 0x7fc484965628 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:612:15
        #37 0x7fc484965d59 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:390:36
        #38 0x7fc4849ae751 in operator() /xpcom/threads/TaskController.cpp:124:37
        #39 0x7fc4849ae751 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #40 0x7fc484988637 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1187:16
        #41 0x7fc48499273c in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #42 0x7fc4860a12ef in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #43 0x7fc485f1b321 in RunInternal /ipc/chromium/src/base/message_loop.cc:380:10
        #44 0x7fc485f1b321 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #45 0x7fc485f1b321 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #46 0x7fc48cd931d7 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #47 0x7fc491bd064f in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:870:20
        #48 0x7fc485f1b321 in RunInternal /ipc/chromium/src/base/message_loop.cc:380:10
        #49 0x7fc485f1b321 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #50 0x7fc485f1b321 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #51 0x7fc491bcf873 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:729:34
        #52 0x55c9ec16c47d in content_process_main(mozilla::Bootstrap*, int, char**) /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #53 0x55c9ec16c8b0 in main /browser/app/nsBrowserApp.cpp:327:18
        #54 0x7fc4a961a0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    ==3607875==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Matthew Gaudet (he/him) [:mgaudet]]

Without having yet done my own reproduction, I'd say by eyeball my informed guess is that the issue is here, where we attempt to process a JSException by calling into JSAPI while that exception is still pending on the JSContext

We need to instead ensure the exception has been removed from the JSContext before doing error handling.

Comment 3

[Matthew Gaudet (he/him) [:mgaudet]]

During my reproduction I actually got a different assertion:

!aArgument.IsUncatchableException() (Doesn't make sense to convert uncatchable exception to a JS value!)

Not much more detail than that yet tho.

Comment 4

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220411215938-872b574394a6.
The bug appears to have been introduced in the following build range:

Start: 0d1d9fa72512cf8da0bc8c0fdd63f3fb3ff0a468 (20220322200148)
End: 39b9b2ea812745fc89d98d71c5601758d83342e1 (20220322213301)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0d1d9fa72512cf8da0bc8c0fdd63f3fb3ff0a468&tochange=39b9b2ea812745fc89d98d71c5601758d83342e1

Comment 5

[Matthew Gaudet (he/him) [:mgaudet]]

Attachment: Bug 1764117 - Restructure Error Handling in PipeToPump::Read r?evilpie

Comment 6

[Pulsebot]

Pushed by mgaudet@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/17b8c4329525
Restructure Error Handling in PipeToPump::Read r=evilpie

Comment 7

[Cristina Cozmuta (:CrissCozmuta)]

https://hg.mozilla.org/mozilla-central/rev/17b8c4329525

Comment 8

[BugBot [:suhaib / :marco/ :calixte]]

:mgaudet, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Comment 9

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1759597

Comment 10

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220413094328-bc9d2af4c01e.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 11

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:mgaudet, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Comment 12

[Matthew Gaudet (he/him) [:mgaudet]]

Comment on attachment 9271965 [details]
Bug 1764117 - Restructure Error Handling in PipeToPump::Read r?evilpie

Beta/Release Uplift Approval Request

• User impact if declined: Potential tab or worker crashes; expected to be very low volume however.
• Is this code covered by automated tests?: No
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): Restructures error handling around a low frequency path; the new handling is more idiomatic as well as not subject to the failure the fuzz test was.
• String changes made/needed:

Comment 13

[Dianna Smith [:diannaS]]

Comment on attachment 9271965 [details]
Bug 1764117 - Restructure Error Handling in PipeToPump::Read r?evilpie

Approved for 100.0b8

Comment 14

[Dianna Smith [:diannaS]]

https://hg.mozilla.org/releases/mozilla-beta/rev/fc5c27a64d7b