Closed
Bug 1766670
Opened 2 years ago
Closed 2 years ago
Assertion failure: !aArgument.IsUncatchableException() (Doesn't make sense to convert uncatchable exception to a JS value!), at /dom/bindings/ToJSValue.cpp:55
Categories
(Core :: Performance, defect)
Tracking
()
People
(Reporter: jkratzer, Assigned: sefeng)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 139c89a60b72 (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 139c89a60b72 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: !aArgument.IsUncatchableException() (Doesn't make sense to convert uncatchable exception to a JS value!), at /dom/bindings/ToJSValue.cpp:55
==1443836==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f27a5d82a8f bp 0x7f27987972c0 sp 0x7f27987972b0 T1444007)
==1443836==The signal is caused by a WRITE memory access.
==1443836==Hint: address points to the zero page.
#0 0x7f27a5d82a8f in mozilla::dom::ToJSValue(JSContext*, mozilla::ErrorResult&&, JS::MutableHandle<JS::Value>) /dom/bindings/ToJSValue.cpp:53:3
#1 0x7f27a2f1530a in void mozilla::dom::Promise::MaybeSomething<mozilla::ErrorResult>(mozilla::ErrorResult&&, void (mozilla::dom::Promise::*)(JSContext*, JS::Handle<JS::Value>)) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise.h:364:10
#2 0x7f27a7a030cb in MaybeReject /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise.h:105:5
#3 0x7f27a7a030cb in mozilla::dom::WebTask::Run() /dom/webscheduling/WebTaskScheduler.cpp:114:17
#4 0x7f27a7a05121 in mozilla::dom::WebTaskWorkerRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /dom/webscheduling/WebTaskSchedulerWorker.cpp:31:13
#5 0x7f27a75b1c13 in mozilla::dom::WorkerRunnable::Run() /dom/workers/WorkerRunnable.cpp:377:12
#6 0x7f27a2e0b447 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1174:16
#7 0x7f27a2e1176d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
#8 0x7f27a75a0964 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /dom/workers/WorkerPrivate.cpp:3134:7
#9 0x7f27a7580195 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /dom/workers/RuntimeService.cpp:2020:42
#10 0x7f27a2e0b447 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1174:16
#11 0x7f27a2e1176d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
#12 0x7f27a39b333b in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
#13 0x7f27a38d0dd7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
#14 0x7f27a38d0ce2 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
#15 0x7f27a38d0ce2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
#16 0x7f27a2e06936 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:378:10
#17 0x7f27b89a22e7 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
#18 0x7f27b9714608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8
#19 0x7f27b92db162 in __clone /build/glibc-sMfBJT/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/bindings/ToJSValue.cpp:53:3 in mozilla::dom::ToJSValue(JSContext*, mozilla::ErrorResult&&, JS::MutableHandle<JS::Value>)
==1443836==ABORTING
|
Reporter | |
Comment 1•2 years ago
|
||
|
||
Comment 2•2 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220427213431-23768574eb6d.
The bug appears to have been introduced in the following build range:
Start: 11ecf2c5eb7b2e2c6461676ec28178ec5d2417e0 (20220421191935)
End: a440fb0e93f1f3b65c8b310466892aec98b14bf2 (20220421192030)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=11ecf2c5eb7b2e2c6461676ec28178ec5d2417e0&tochange=a440fb0e93f1f3b65c8b310466892aec98b14bf2
Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
||
Comment 3•2 years ago
|
||
The fuzzers are hitting this issue quite frequently.
status-firefox101:
--- → affected
status-firefox102:
--- → affected
Flags: needinfo?(sefeng)
Regressed by: 1734997
|
|
||
Comment 4•2 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/Uck4neowL6c6q9-pt_nNSQ/index.html
|
||
Updated•2 years ago
|
Has Regression Range: --- → yes
|
|
||
Comment 5•2 years ago
|
||
Set release status flags based on info from the regressing bug 1734997
status-firefox100:
--- → unaffected
status-firefox-esr91:
--- → unaffected
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
Assignee | |
Comment 6•2 years ago
|
||
Nightly only feature, changing the flag accordingly.
|
|
||
Updated•2 years ago
|
|
|
Reporter | |
Updated•2 years ago
|
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][fuzzblocker]
|
|
Assignee | |
Comment 7•2 years ago
|
||
|
||
Updated•2 years ago
|
Assignee: nobody → sefeng
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•2 years ago
|
Flags: needinfo?(sefeng)
Pushed by sefeng@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a455f3c8c176 Avoid rejecting uncatchable exception in WebTask::Run r=smaug
|
||
Comment 9•2 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch
|
|
||
Comment 10•2 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220809035717-8e1a65ad0c4d.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Status: RESOLVED → VERIFIED
Keywords: bugmon
You need to log in
before you can comment on or make changes to this bug.
Description
•