Closed
Bug 1794288
Opened 2 years ago
Closed 2 years ago
Assertion failure: !cx->isExceptionPending(), at vm/JSContext-inl.h:252
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
107 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox105 | --- | unaffected |
| firefox106 | --- | unaffected |
| firefox107 | --- | fixed |
People
(Reporter: gkw, Assigned: arai)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: regression, testcase)
Attachments
(1 file)
let x = '"";'
function g() {
Function.apply(null, arguments);
}
oomTest(function(){
function f() {};
f(g(x + "function h() { return; 0; };"));
})
(gdb) bt
#0 js::CheckForInterrupt (cx=0x7ffff6c2c800) at /home/skygentoo/trees/mozilla-central/js/src/vm/JSContext-inl.h:252
#1 0x0000555556cb578c in Interpret (cx=0x7ffff7c60a40 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6c2c800, state=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:2318
#2 0x0000555556cb43a8 in js::RunScript (cx=cx@entry=0x7ffff6c2c800, state=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:431
#3 0x0000555556cc6478 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6c2c800, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=reason@entry=4294946592) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:579
#4 0x0000555556cc712e in InternalCall (cx=0x7ffff7c60a40 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6c2c800, args=..., reason=1479529056, reason@entry=js::CallReason::Call) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:614
#5 0x0000555556cc7322 in js::Call (cx=0x7ffff6c2c800, fval=fval@entry=..., thisv=thisv@entry=..., args=..., rval=..., reason=reason@entry=js::CallReason::Call) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:646
#6 0x000055555778293f in js::jit::InvokeFunction (cx=0x7ffff7c60a40 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6c2c800, obj=obj@entry=..., constructing=<optimized out>, ignoresReturnValue=false, argc=argc@entry=1, argv=argv@entry=0x7fffffffb130, rval=...) at /home/skygentoo/trees/mozilla-central/js/src/jit/VMFunctions.cpp:525
#7 0x0000555557782e17 in js::jit::InvokeFromInterpreterStub (cx=0x7ffff6c2c800, frame=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/jit/VMFunctions.cpp:549
#8 0x0000303dfbaa29b0 in ?? ()
#9 0x0000007000000012 in ?? ()
#10 0x00007fffffffb108 in ?? ()
#11 0x00007fffffffb140 in ?? ()
#12 0x00000000000000fc in ?? ()
#13 0x00007fffffffb150 in ?? ()
#14 0x0000303dfbad08bb in ?? ()
#15 0x0000000000000022 in ?? ()
#16 0x000013fa3ad019e8 in ?? ()
#17 0xfff9800000000000 in ?? ()
#18 0xfff9800000000000 in ?? ()
#19 0x00007fffffffb1d0 in ?? ()
#20 0x00007ffff6ac80d0 in ?? ()
#21 0x00007fffffffb1d0 in ?? ()
#22 0x0000303dfbac6e76 in ?? ()
#23 0x0000000000000001 in ?? ()
#24 0xfff9800000000000 in ?? ()
#25 0xfff9800000000000 in ?? ()
#26 0xfffe13fa3ad019e8 in ?? ()
#27 0xfffe13fa3ad019e8 in ?? ()
#28 0x000016876ef660b0 in ?? ()
#29 0x00007ffff6c3b4a4 in ?? ()
#30 0x00007ffff6b7bd20 in ?? ()
#31 0x000016876ef3f038 in ?? ()
#32 0x00007ffff6b7bce0 in ?? ()
#33 0x00007fffffffb600 in ?? ()
#34 0x00007ffff6c2c800 in ?? ()
#35 0x0000006800000002 in ?? ()
#36 0x000055555727bc71 in js::CheckContextLocal::check (this=0x7ffff6c3b4a4) at /home/skygentoo/trees/mozilla-central/js/src/threading/ProtectedData.cpp:62
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb)
Regression range, see the changeset related to bug 1786494:
328ec7d3e3ba0b8fd25100ac900ef1452be91f71 - bad
5210028e71376a2fbfde05d6b380d46c32f1f185 - crashes on startup
86a890c4b6fa9c4fbeb59fcc5a1d07ec4908a370 - crashes on startup
ca77d788facb35eefd631d09130ee6418f2c6288 - crashes on startup
d8a24b7bd7d8bc2a07378c6873e258b7293f5737 - crashes on startup
dd22e38e5474858d632da65954503838ff34dd9f - crashes on startup
c0fbf5e9476b488009e3c1131bc993e164b6550e - good
Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh /home/skygentoo/trees/mozilla-central/js/src/configure --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests, tested on m-c rev 81578db6bf89.
Setting s-s just-in-case again. Arai-san, is bug 1786494 a likely regressor?
Flags: sec-bounty?
Flags: needinfo?(arai.unmht)
|
||
Comment 1•2 years ago
|
||
Set release status flags based on info from the regressing bug 1786494
status-firefox105:
--- → unaffected
status-firefox106:
--- → unaffected
status-firefox-esr102:
--- → unaffected
|
||
Updated•2 years ago
|
Group: core-security → javascript-core-security
|
Assignee | |
Comment 2•2 years ago
|
||
Thank you!
Yes, this is caused by bug 1786494 patch.
The details are the following:
- A warning is thrown for
0;afterreturn;in the function - OOM happens during reporting warning
- the OOM sets the
OffThreadFrontendErrors.outOfMemoryflag, and pending exception is set to JSContext - error during reporting warning is ignored, and that results in inconsistency
Then, I cannot think of this results in security sensitive issue.
The pending exception will be caught by other unrelated place that checks cx->isExceptionPending(), and it will be treated as OOM immediately before that check.
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Flags: needinfo?(arai.unmht)
|
|
Assignee | |
Comment 3•2 years ago
|
||
|
||
Updated•2 years ago
|
Group: javascript-core-security
Flags: sec-bounty?
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
Attachment #9297928 -
Attachment description: Bug 1794288 - Ignore OOM during reporting warning. r?bthrall! → Bug 1794288 - Handle OOM during reporting warning. r?bthrall!
Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/c093d03ce4f0
Handle OOM during reporting warning. r=bthrall
|
||
Comment 6•2 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 107 Branch
|
Reporter | |
Updated•11 months ago
|
Blocks: gkw-js-fuzzing
You need to log in
before you can comment on or make changes to this bug.
Description
•