Closed Bug 1850516 Opened 10 months ago Closed 4 months ago

Assertion failure: cx->isExceptionPending(), at js/src/shell/js.cpp:1434

Categories: Core :: JavaScript Engine, defect, P3
Tracking: RESOLVED DUPLICATE of bug 1883828
People: Reporter: lukas.bernhard, Unassigned
References: Blocks 2 open bugs
Details: Keywords: testcase

Steps to reproduce:

On git commit e7b8d13b7513b6fbd97d69e882d7faeed05309d0 the attached sample asserts in the js-shell when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js

// Shell-only builtins: saveStack, bindToAsyncStack and quit exist in the
// js shell, not in browsers or Node.
function f2() {
    function f4() {
        // Sloppy-mode call, so `this` is the global object; quit() stops the
        // shell without leaving a pending exception on the context.
        this.quit();
    }
    f4();
}

// Getter for Symbol.toPrimitive on the Uint8Array constructor itself: it runs
// whenever Uint8Array is converted to a primitive (e.g. by ToString).
Object.defineProperty(Uint8Array, Symbol.toPrimitive, { get: f2 });
const o18 = {
    "stack": saveStack(),
    "cause": Uint8Array   // stringified by BoundToAsyncStack (frame #0 below)
};
const v15 = new Proxy(() => Uint8Array, {});
const t23 = bindToAsyncStack(v15, o18);
t23();   // converting the cause fires the getter, which calls quit()

#0  0x000055555780119a in BoundToAsyncStack (cx=0x7ffff662e100, argc=0, vp=0x7ffff54e3090)
    at js/src/shell/js.cpp:1434
#1  0x00005555579d7a8c in CallJSNative (cx=0x7ffff662e100, 
    native=0x555557800dc0 <BoundToAsyncStack(JSContext*, unsigned int, JS::Value*)>, reason=js::CallReason::Call, 
    args=...) at js/src/vm/Interpreter.cpp:486
#2  0x00005555579ae923 in js::InternalCallOrConstruct (cx=0x7ffff662e100, args=..., construct=js::NO_CONSTRUCT, 
    reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:580
#3  0x00005555579af0a9 in InternalCall (cx=0x7ffff662e100, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:647
#4  0x00005555579aeee3 in js::CallFromStack (cx=0x7ffff662e100, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:652
#5  0x00005555579bd598 in js::Interpret (cx=0x7ffff662e100, state=...)
    at js/src/vm/Interpreter.cpp:3395
#6  0x00005555579ae2ff in MaybeEnterInterpreterTrampoline (cx=0x7ffff662e100, state=...)
    at js/src/vm/Interpreter.cpp:400
#7  0x00005555579adfc1 in js::RunScript (cx=0x7ffff662e100, state=...)
    at js/src/vm/Interpreter.cpp:458
#8  0x00005555579b04f1 in js::ExecuteKernel (cx=0x7ffff662e100, script=..., envChainArg=..., evalInFrame=..., result=...)
    at js/src/vm/Interpreter.cpp:845
#9  0x00005555579b0864 in js::Execute (cx=0x7ffff662e100, script=..., envChain=..., rval=...)
    at js/src/vm/Interpreter.cpp:877
#10 0x0000555557b71fff in ExecuteScript (cx=0x7ffff662e100, envChain=..., script=..., rval=...)
    at js/src/vm/CompilationAndEvaluation.cpp:494
#11 0x0000555557b72125 in JS_ExecuteScript (cx=0x7ffff662e100, scriptArg=...)
    at js/src/vm/CompilationAndEvaluation.cpp:518
#12 0x00005555578075ff in RunFile (cx=0x7ffff662e100, 
    filename=0x7ffff5507050 "../gecko-fuzzilli/modifiedStuff/crash_2023_08_29.js", file=0x7ffff766ac40, 
    compileMethod=CompileUtf8::DontInflate, compileOnly=false, fullParse=false)
    at js/src/shell/js.cpp:1099
#13 0x0000555557806e9c in Process (cx=0x7ffff662e100, 
    filename=0x7ffff5507050 "../gecko-fuzzilli/modifiedStuff/crash_2023_08_29.js", forceTTY=false, kind=FileScript)
    at js/src/shell/js.cpp:1679
#14 0x00005555577dffa7 in ProcessArgs (cx=0x7ffff662e100, op=0x7fffffffdd50)
    at js/src/shell/js.cpp:10740
#15 0x00005555577ce973 in Shell (cx=0x7ffff662e100, op=0x7fffffffdd50)
    at js/src/shell/js.cpp:10964
#16 0x00005555577c9716 in main (argc=3, argv=0x7fffffffdfb8) at js/src/shell/js.cpp:11396
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Severity: -- → S3
Depends on: sm-runtime
Priority: -- → P3
Blocks: sm-runtime
No longer depends on: sm-runtime
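
The testcase above reaches the assertion because ToString on the `cause` option re-enters script: converting a function object to a primitive first reads Symbol.toPrimitive, and the testcase makes that read a getter that calls quit(), which returns to the native with no pending exception. The following is an added example, not code from the bug report, that shows the same re-entry path in portable JavaScript (runs under Node or any browser console), using a stand-in constructor `FakeTypedArray` so the real Uint8Array is left alone. In plain JS the only way for this conversion to fail is a catchable exception, which is exactly the invariant the shell's quit() breaks.

```javascript
// Added example (not from the bug report): ToString on a function object
// re-enters script through a Symbol.toPrimitive getter. FakeTypedArray and
// the recorded `calls` list are this example's own constructs.
function FakeTypedArray() {}

const calls = [];

// Same shape as the testcase: a *getter* for Symbol.toPrimitive on the
// constructor itself. It runs as soon as ToPrimitive looks the method up,
// before any conversion has happened.
Object.defineProperty(FakeTypedArray, Symbol.toPrimitive, {
  get() {
    calls.push("getter");
    // The conversion hook runs next, with the hint ToPrimitive was given.
    return function (hint) {
      calls.push(`hook:${hint}`);
      if (hint === "string") {
        // Standard JS: a failed conversion must surface as an exception.
        throw new Error("conversion aborted from script");
      }
      return 42;
    };
  },
  configurable: true,
});

// Mirrors what a native doing ToString(cause) observes: either a string, or
// a catchable exception. Returns the trace of script that ran along the way.
function toStringOfCause(cause) {
  try {
    return { ok: true, value: String(cause), calls: calls.splice(0) };
  } catch (e) {
    return { ok: false, error: e.message, calls: calls.splice(0) };
  }
}

// Same path with hint "number": the hook returns a value and ToNumber proceeds.
function numberOfCause(cause) {
  try {
    return { ok: true, value: Number(cause), calls: calls.splice(0) };
  } catch (e) {
    return { ok: false, error: e.message, calls: calls.splice(0) };
  }
}

console.log(toStringOfCause(FakeTypedArray));
console.log(numberOfCause(FakeTypedArray));
```

The point for a native author is that any ToString/ToNumber on a caller-supplied object is a call back into arbitrary script, so the code after it must assume the heap and the context state may have changed; the shell's quit() is the one failure of that conversion that carries no exception, and the assertion at js.cpp:1434 is what catches that case.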

This does not reproduce with the latest debug js shell from FTP (2015-10-21) but reproduces with m-c rev a5887514ddfb (Feb 2022).

I'm going to take a guess that, since bindToAsyncStack was added by :jimb in m-c rev 4ca86bbdc409 (bug 1438121, Mar 2018), he might be a good place to start.

Jim, any ideas what's going on here? (Please also see bug 1883828)

Flags: needinfo?(jimb)
See Also: → 1883828

Moving needinfo? to Jan, since I heard Jim is no longer working on JS stuff.

Flags: needinfo?(jimb) → needinfo?(jdemooij)

Looks like the same issue as bug 1883828 so duping forward.

Status: NEW → RESOLVED
Closed: 4 months ago
Duplicate of bug: 1883828
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
See Also: 1883828