1885680 - Assertion failure: status == JS::ExceptionStatus::Throwing, at vm/JSContext.cpp:329

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[lukas.bernhard]

Steps to reproduce:

On git commit 04f7743d94691fa24212fb43099f9d84c3bfc890 the attached sample asserts in the js-shell when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js

const v1 = newGlobal();
v1.enableShellAllocationMetadataBuilder();
function f3() {
    const v5 = v1.load;
    v5.toString = f3; 
    return v5(v5);
}
f3();

#0  0x0000555557da4f73 in JSContext::onOverRecursed (this=0x7ffff7639100)
    at js/src/vm/JSContext.cpp:329
#1  0x0000555557da4ffa in js::ReportOverRecursed (maybecx=0x7ffff7639100)
    at js/src/vm/JSContext.cpp:343
#2  0x0000555557ab5739 in js::AutoCheckRecursionLimit::check (this=0x7fffffdfc54f,
    cx=0x7ffff7639100)
    at obj-x86_64-pc-linux-gnu/dist/include/js/friend/StackLimits.h:223
#3  0x0000555557e88e9c in CallJSAddPropertyOp (cx=0x7ffff7639100,
    op=0x555557b088a0 <array_addProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>)>, obj=..., id=..., v=...)
    at js/src/vm/NativeObject.cpp:1213
#4  0x0000555557e7d2dc in CallAddPropertyHook (cx=0x7ffff7639100, obj=..., id=..., value=...)
    at js/src/vm/NativeObject.cpp:1227
#5  0x0000555557e7f3d6 in AddOrChangeProperty<(IsAddOrChange)0> (cx=0x7ffff7639100, obj=...,
    id=..., desc=..., existing=0x0) at js/src/vm/NativeObject.cpp:1438
#6  0x0000555557e7dc3d in js::NativeDefineProperty (cx=0x7ffff7639100, obj=..., id=..., desc_=...,
    result=...) at js/src/vm/NativeObject.cpp:1695
#7  0x0000555557dc2a00 in js::DefineDataProperty (cx=0x7ffff7639100, obj=..., id=..., value=...,
    attrs=0, result=...) at js/src/vm/JSObject.cpp:2087
#8  0x0000555557db3cf2 in js::DefineDataProperty (cx=0x7ffff7639100, obj=..., id=..., value=...,
    attrs=0) at js/src/vm/JSObject.cpp:2107
#9  0x0000555557dc3ab7 in DefineFunctionFromSpec (cx=0x7ffff7639100, obj=...,
    fs=0x555559c51470 <array_methods>) at js/src/vm/JSObject.cpp:2265
#10 0x0000555557dc3820 in js::DefineFunctions (cx=0x7ffff7639100, obj=...,
    fs=0x555559c51470 <array_methods>) at js/src/vm/JSObject.cpp:2271
#11 0x0000555557f623f8 in JS_DefineFunctions (cx=0x7ffff7639100, obj=...,
    fs=0x555559c51470 <array_methods>)
    at js/src/vm/PropertyAndElement.cpp:954
#12 0x0000555557d1bd1e in js::GlobalObject::resolveConstructor (cx=0x7ffff7639100, global=...,
    key=JSProto_Array, mode=js::GlobalObject::IfClassIsDisabled::Throw)
    at js/src/vm/GlobalObject.cpp:394
#13 0x0000555557931557 in js::GlobalObject::ensureConstructor (cx=0x7ffff7639100, global=...,
    key=JSProto_Array) at js/src/vm/GlobalObject.h:344
#14 0x0000555557b2b317 in js::GlobalObject::getOrCreateArrayPrototype (cx=0x7ffff7639100,
    global=...) at js/src/vm/GlobalObject.h:521
#15 0x0000555557aeff5c in js::GlobalObject::createArrayShapeWithDefaultProto (cx=0x7ffff7639100)
    at js/src/builtin/Array.cpp:5074
#16 0x0000555557b39d6a in js::GlobalObject::getArrayShapeWithDefaultProto (cx=0x7ffff7639100)
    at js/src/vm/GlobalObject.h:1073
#17 0x0000555557af043d in NewArray<0u> (cx=0x7ffff7639100, length=0, newKind=js::GenericObject, 
    site=0x0) at js/src/builtin/Array.cpp:5093
#18 0x0000555557af03dd in js::NewDenseEmptyArray (cx=0x7ffff7639100)
    at js/src/builtin/Array.cpp:5193
#19 0x00005555581b854c in ShellAllocationMetadataBuilder::build (
    this=0x555559c65740 <ShellAllocationMetadataBuilder::metadataBuilder>, cx=0x7ffff7639100, 
    oomUnsafe=...) at js/src/builtin/TestingFunctions.cpp:4825
#20 0x0000555557f65c35 in JS::Realm::setNewObjectMetadata (this=0x7ffff5780300, cx=0x7ffff7639100, 
    obj=...) at js/src/vm/Realm.cpp:381
#21 0x0000555557a6c14f in js::SetNewObjectMetadata<js::NativeObject> (cx=0x7ffff7639100, 
    obj=0x808f843e1e8) at js/src/vm/JSObject-inl.h:199
#22 0x0000555557a73783 in js::NativeObject::create (cx=0x7ffff7639100, 
    kind=js::gc::AllocKind::OBJECT8_BACKGROUND, heap=js::gc::Heap::Tenured, shape=..., site=0x0)
    at js/src/vm/NativeObject-inl.h:517
#23 0x0000555557db9ea7 in NewObject (cx=0x7ffff7639100, 
    clasp=0x555559c5aef0 <js::ErrorObject::classes>, proto=...,
    kind=js::gc::AllocKind::OBJECT8_BACKGROUND, newKind=js::GenericObject, objFlags=...)
    at js/src/vm/JSObject.cpp:769
#24 0x0000555557db9ac0 in js::NewObjectWithGivenTaggedProto (cx=0x7ffff7639100,
    clasp=0x555559c5aef0 <js::ErrorObject::classes>, proto=...,
    allocKind=js::gc::AllocKind::OBJECT8, newKind=js::GenericObject, objFlags=...)
    at js/src/vm/JSObject.cpp:781
#25 0x0000555557953175 in js::NewObjectWithGivenTaggedProto<(js::NewObjectKind)0> (
    cx=0x7ffff7639100, clasp=0x555559c5aef0 <js::ErrorObject::classes>, proto=..., objFlags=...)
    at js/src/vm/JSObject-inl.h:370
#26 0x0000555557d10c2a in js::NewObjectWithGivenProto (cx=0x7ffff7639100,
    clasp=0x555559c5aef0 <js::ErrorObject::classes>, proto=...)
    at js/src/vm/JSObject-inl.h:396
#27 0x0000555557d02e8d in js::ErrorObject::create (cx=0x7ffff7639100, errorType=JSEXN_ERR,
    stack=..., fileName=..., sourceId=2, lineNumber=6, columnNumber=..., report=..., message=...,
    cause=..., protoArg=...) at js/src/vm/ErrorObject.cpp:549
#28 0x00005555582eaa03 in js::ErrorToException (cx=0x7ffff7639100, reportp=0x7fffffdfdf80,
    callback=0x5555578a8cc0 <js::shell::my_GetErrorMessage(void*, unsigned int)>, userRef=0x0)
    at js/src/jsexn.cpp:356
#29 0x0000555557d06fb9 in ReportError (cx=0x7ffff7639100, reportp=0x7fffffdfdf80,
    callback=0x5555578a8cc0 <js::shell::my_GetErrorMessage(void*, unsigned int)>, userRef=0x0)
    at js/src/vm/ErrorReporting.cpp:173
#30 0x0000555557d06cd0 in js::ReportErrorNumberVA (cx=0x7ffff7639100, isWarning=js::IsWarning::No,
    callback=0x5555578a8cc0 <js::shell::my_GetErrorMessage(void*, unsigned int)>, userRef=0x0,
    errorNumber=10, argumentsType=js::ArgumentsAreASCII, ap=0x7fffffdfe100)
    at js/src/vm/ErrorReporting.cpp:487
#31 0x00005555582aeaf5 in JS_ReportErrorNumberASCIIVA (cx=0x7ffff7639100,
    errorCallback=0x5555578a8cc0 <js::shell::my_GetErrorMessage(void*, unsigned int)>,
    userRef=0x0, errorNumber=10, ap=0x7fffffdfe100)
    at js/src/jsapi.cpp:3781
#32 0x000055555829b7eb in JS_ReportErrorNumberASCII (cx=0x7ffff7639100,
    errorCallback=0x5555578a8cc0 <js::shell::my_GetErrorMessage(void*, unsigned int)>,
    userRef=0x0, errorNumber=10) at js/src/jsapi.cpp:3771
#33 0x00005555578dd59c in LoadScript (cx=0x7ffff7639100, argc=1, vp=0x7fffffdfe300,
    scriptRelative=false) at js/src/shell/js.cpp:2197
#34 0x00005555578c5775 in Load (cx=0x7ffff7639100, argc=1, vp=0x7fffffdfe300)
    at js/src/shell/js.cpp:2234
#35 0x000019c2fe869dfa in ?? ()
#36 0x0000000000000000 in ?? ()

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

This does not reproduce with the latest debug js shell from FTP (2015-10-21) but reproduces with m-c rev a5887514ddfb (Feb 2022) as Assertion failure: maybecx->status == JS::ExceptionStatus::Throwing, at vm/JSContext.cpp:335.

I'm going to take a guess - enableShellAllocationMetadataBuilder seemed to have been added around or before 2015, and since :jimb no longer works on this area, I'll set a needinfo? on Arai-san and Jan to take a look.

Comment 2

[Tooru Fujisawa [:arai]]

This is over-recursion while reporting over-recursion, due to the metadata builder callback for the error object for the first over-recursion.
We should disable the allocation metadata builder when reporting over-recursion.

Comment 3

[Tooru Fujisawa [:arai]]

Attachment: Bug 1885680 - Suppress AllocationMetadataBuilder when throwing over-recursion. r?jandem!

Comment 4

[Pulsebot]

Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/e3903928d166
Suppress AllocationMetadataBuilder when throwing over-recursion. r=jandem

Comment 5

[Narcis Beleuzu [:NarcisB]]

https://hg.mozilla.org/mozilla-central/rev/e3903928d166