Closed Bug 1771858 Opened 2 years ago Closed 2 years ago

Crash [@ js::AsyncModuleExecutionFulfilled] or Assertion failure: cx->isExceptionPending(), at builtin/ModuleObject.cpp:2271

Categories: Core :: JavaScript Engine, defect, P3
Platform: x86_64 Linux

Tracking

Status: VERIFIED FIXED
Target Milestone: 104 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- wontfix
firefox101 --- wontfix
firefox102 --- wontfix
firefox103 --- wontfix
firefox104 --- verified

People

Reporter: decoder, Assigned: dminor

References

Blocks 1 open bug, Regression

Details

4 keywords, Whiteboard: [bugmon:update,bisected,confirmed]

Attachments

3 files

The following testcase crashes on mozilla-central revision 20220531-e6db23e10c7b (opt build, run with --fuzzing-safe --ion-offthread-compile=off):

// Evaluate a top-level-await module; its completion is delivered later
// from a promise reaction job (see PromiseReactionJob in the backtrace).
b = parseModule("await 10");
b.declarationInstantiation();
b.evaluation();
// Shell interrupt callback. It returns undefined rather than true, so the
// shell aborts the interrupted operation without setting a pending
// exception; it also re-arms the interrupt by calling c() again.
setInterruptCallback(function() {
  c();
});
function c() {
  interruptIf(true);  // request an interrupt at the next interrupt check
}
c();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x000055555575c0d8 in js::AsyncModuleExecutionFulfilled(JSContext*, JS::Handle<js::ModuleObject*>) ()
#1  0x000055555575bf1b in js::AsyncModuleExecutionFulfilledHandler(JSContext*, unsigned int, JS::Value*) ()
#2  0x0000555555cb01d0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#3  0x00005555560a8925 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) ()
#4  0x0000555555cb01d0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#5  0x0000555555ce61a5 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) ()
#6  0x000055555578efa1 in js::InternalJobQueue::runJobs(JSContext*) ()
#7  0x0000555555fe1137 in RunShellJobs(JSContext*) ()
#8  0x0000555555fd31c9 in main ()
rax	0x0	0
rbx	0x7fffffffc690	140737488340624
rcx	0x7fffffffc628	140737488340520
rdx	0x7fffffffc578	140737488340344
rsi	0x0	0
rdi	0xfff8800000000000	-2111062325329920
rbp	0x7fffffffc670	140737488340592
rsp	0x7fffffffc5d0	140737488340432
r8	0x0	0
r9	0x1	1
r10	0x26b	619
r11	0xfff9800000000000	-1829587348619264
r12	0xfff9800000000000	-1829587348619264
r13	0x7ffff6022300	140737320723200
r14	0x7fffffffc620	140737488340512
r15	0x7ffff6022318	140737320723224
rip	0x55555575c0d8 <js::AsyncModuleExecutionFulfilled(JSContext*, JS::Handle<js::ModuleObject*>)+344>
=> 0x55555575c0d8 <_ZN2js29AsyncModuleExecutionFulfilledEP9JSContextN2JS6HandleIPNS_12ModuleObjectEEE+344>:	mov    0x10(%rax),%rax
   0x55555575c0dc <_ZN2js29AsyncModuleExecutionFulfilledEP9JSContextN2JS6HandleIPNS_12ModuleObjectEEE+348>:	mov    -0x4(%rax),%edx

This could be the same bug as 1771090, but the assert is different, it crashes, and there is no OOM involved from what I can see. Though the interrupt could have a similar effect.

Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220531040928-e6db23e10c7b.
The bug appears to have been introduced in the following build range:

Start: fef56f826d6496a73b1235abb1aaeae6dbb27f13 (20210817125524)
End: 0242c80e23928675d6c9d2748c9fe90df80b0aaa (20210817131624)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=fef56f826d6496a73b1235abb1aaeae6dbb27f13&tochange=0242c80e23928675d6c9d2748c9fe90df80b0aaa

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Regressed by: 1725621

At first glance, I think this is similar to Bug 1771090, but not the exact same problem.

Assignee: nobody → dminor
Priority: -- → P3
Has Regression Range: --- → yes

In AsyncModuleExecutionFulfilled, it's possible that the call to GatherAsyncParentCompletions
will fail if we are interrupted. The current code assumes that this is only reachable as a
result of an OOM. This changes the assertion to an if statement to handle being interrupted.

Status: NEW → ASSIGNED
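
A model of the failure mode described in the patch summary above, added here as an illustration; it is not SpiderMonkey code and not the patch from this bug. Context, Module, gatherParentCompletions and the two handler functions are hypothetical stand-ins. The only behaviour carried over from the bug is that a failed GatherAsyncParentCompletions may leave no exception pending when the cause is an interrupt rather than OOM, so the caller has to branch on that instead of asserting it cannot happen.

```cpp
// Added example (not SpiderMonkey code): a small model of the failure mode in
// this bug. Context, Module, gatherParentCompletions and the two "fulfilled"
// handlers are hypothetical stand-ins for the engine's internals.
#include <cassert>
#include <functional>
#include <vector>

// Analogue of JSContext: a failure can leave an exception pending (OOM) or
// not (an interrupt whose callback returned false, which is uncatchable).
struct Context {
  bool exceptionPending = false;
  bool interruptRequested = false;
  std::function<bool(Context&)> interruptCallback;  // false => abort, no exception

  bool checkInterrupt() {
    if (!interruptRequested) return true;
    interruptRequested = false;
    return !interruptCallback || interruptCallback(*this);
  }
  void reportOutOfMemory() { exceptionPending = true; }
  bool takePendingException() {  // models getPendingException + clearPendingException
    if (!exceptionPending) return false;
    exceptionPending = false;
    return true;
  }
};

struct Module {
  std::vector<Module*> asyncParents;
  bool rejected = false;
  bool fulfilled = false;
};

enum class Failure { None, OutOfMemory, Interrupt };

// Stand-in for GatherAsyncParentCompletions: collects the async parents and
// can fail either way. 'inject' exists only to drive the example.
static bool gatherParentCompletions(Context& cx, Module& m,
                                    std::vector<Module*>& out, Failure inject) {
  if (inject == Failure::Interrupt) cx.interruptRequested = true;
  if (!cx.checkInterrupt()) return false;  // interrupted: nothing is pending
  if (inject == Failure::OutOfMemory) { cx.reportOutOfMemory(); return false; }
  out = m.asyncParents;
  return true;
}

enum class Outcome { Fulfilled, RejectedWithException, Aborted, UsedMissingException };

// Before the fix: failure is assumed to mean OOM, so the handler reaches for
// a pending exception that, after an interrupt, does not exist. A debug build
// asserts; an opt build carries on with an invalid value.
static Outcome fulfilledAssumingOOM(Context& cx, Module& m, Failure inject) {
  std::vector<Module*> parents;
  if (!gatherParentCompletions(cx, m, parents, inject)) {
    // MOZ_ASSERT(cx->isExceptionPending()) would fire here under an interrupt.
    if (!cx.takePendingException()) return Outcome::UsedMissingException;
    m.rejected = true;
    return Outcome::RejectedWithException;
  }
  for (Module* p : parents) p->fulfilled = true;
  m.fulfilled = true;
  return Outcome::Fulfilled;
}

// After the fix: the assertion becomes a branch. An OOM still rejects the
// module with its exception; an interrupt unwinds without touching one.
static Outcome fulfilledHandlingInterrupt(Context& cx, Module& m, Failure inject) {
  std::vector<Module*> parents;
  if (!gatherParentCompletions(cx, m, parents, inject)) {
    if (cx.exceptionPending) {
      cx.takePendingException();
      m.rejected = true;
      return Outcome::RejectedWithException;
    }
    return Outcome::Aborted;  // uncatchable interrupt: just propagate failure
  }
  for (Module* p : parents) p->fulfilled = true;
  m.fulfilled = true;
  return Outcome::Fulfilled;
}

// Mirrors the testcase's interrupt callback, which never returns true.
static Context makeContext() {
  Context cx;
  cx.interruptCallback = [](Context&) { return false; };
  return cx;
}
```

Running the interrupt path through both handlers is the whole point: the OOM path behaves identically before and after, while the interrupt path turns a reach for a nonexistent exception into a plain early return.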
Pushed by dminor@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3280722e69ed
Handle interrupt in AsyncModuleExecutionFulfilled; r=jonco

The problem is with the new test added here. I'm not sure why, I'll try to reproduce it locally.

Flags: needinfo?(dminor)

The test needs to run in debug, otherwise the error condition does not occur, and we end up with an infinite recursion.

If an overrecursion is expected, you could add // |jit-test| error: InternalError as the first line of the test file.

Set release status flags based on info from the regressing bug 1725621

There's an r+ patch which didn't land and no activity in this bug for 2 weeks.
:dminor, could you have a look please?
If you still have some work to do, you can add an action "Plan Changes" in Phabricator.
For more information, please visit the auto_nag documentation.

Flags: needinfo?(jcoppeard)
Flags: needinfo?(dminor)

I still need to figure out why the test doesn't have a consistent result on different platforms, for some platforms it's overrecursion, for others it terminates with a signal.

Flags: needinfo?(jcoppeard)
Flags: needinfo?(dminor)

Setting 103 to Won't Fix, but :dminor are you planning on fixing this for 104?

Flags: needinfo?(dminor)

Yes, sorry for the delay. I'll look at this today.

Flags: needinfo?(dminor)
Pushed by dminor@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b30d65d0e2ee
Handle interrupt in AsyncModuleExecutionFulfilled; r=jonco
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 104 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220706094022-fc7fbf3a78e0.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon