Closed Bug 1900930 Opened 1 year ago Closed 1 year ago

Assertion failure: mMightHaveUnreportedJSException (Why didn't you tell us you planned to throw a JS exception?), at /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:661

Categories

(Core :: DOM: Bindings (WebIDL), defect, P2)

Tracking
RESOLVED FIXED
131 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- wontfix
firefox127 --- wontfix
firefox128 --- wontfix
firefox129 --- wontfix
firefox130 --- wontfix
firefox131 --- fixed

People

(Reporter: tsmith, Assigned: peterv)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase)

Attachments

(7 files)

Attached file testcase.html

Found while fuzzing m-c 20240405-68ef8d3216be (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d  --cpu x86 --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

This has been reported by fuzzers running 32-bit and 64-bit builds; it is much more common on 32-bit builds. I have only been able to reproduce the issue with a 32-bit build.

Assertion failure: mMightHaveUnreportedJSException (Why didn't you tell us you planned to throw a JS exception?), at /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:661

#0 0xe80a592e in mozilla::binding_danger::TErrorResult<mozilla::binding_danger::JustSuppressCleanupPolicy>::StealExceptionFromJSContext(JSContext*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:660:3
#1 0xe82377ac in CreateCommon /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TypedArray.h:783:11
#2 0xe82377ac in Create /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TypedArray.h:741:12
#3 0xe82377ac in mozilla::dom::ImageData::Constructor(mozilla::dom::GlobalObject const&, unsigned int, unsigned int, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/canvas/ImageData.cpp:62:7
#4 0xe72b6c22 in mozilla::dom::ImageData_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/./ImageDataBinding.cpp:368:59
#5 0xe80afc45 in mozilla::dom::InterfaceObjectJSNative(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:763:10
#6 0xeb93b693 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:481:13
#7 0xeb9668a7 in CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:497:8
#8 0xeb93cb67 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:703:14
#9 0xeb94a6d2 in ConstructFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:750:10
#10 0xeb94a6d2 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3175:16
#11 0xeb93ac28 in MaybeEnterInterpreterTrampoline(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:10
#12 0xeb93a783 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:453:13
#13 0xeb93b161 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:607:13
#14 0xeb93c279 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:642:10
#15 0xeb93c472 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:674:8
#16 0xeba48dd3 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:119:10
#17 0xe7e23b3b in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventListenerBinding.cpp:62:8
#18 0xe86d2c61 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#19 0xe86d27de in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1330:43
#20 0xe86d393e in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1653:12
#21 0xe86d315f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1550:35
#22 0xe86c6eea in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:365:17
#23 0xe86c6659 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:606:16
#24 0xe86c8ff6 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1221:11
#25 0xeaafc6df in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1030:7
#26 0xeaf9cf47 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6245:13
#27 0xeaf9c37f in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5638:7
#28 0xeaf9dfe9 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#29 0xe5b4faa6 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1356:3
#30 0xe5b4f197 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:962:14
#31 0xe5b4d661 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:784:9
#32 0xe5b4e711 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:667:5
#33 0xeafd4620 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13721:23
#34 0xeafd47ab in non-virtual thunk to nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#35 0xe4d9e326 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:632:22
#36 0xe4d9f471 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:536:10
#37 0xe6d8f972 in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11728:18
#38 0xe6d59d06 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11666:9
#39 0xe6d760b6 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8152:3
#40 0xe6e325c5 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
#41 0xe6e325c5 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-i686-linux-gnu/usr/lib/gcc/i586-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#42 0xe6e325c5 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-i686-linux-gnu/usr/lib/gcc/i586-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#43 0xe6e325c5 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-i686-linux-gnu/usr/lib/gcc/i586-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#44 0xe6e325c5 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-i686-linux-gnu/usr/lib/gcc/i586-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#45 0xe6e325c5 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
#46 0xe6e325c5 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
#47 0xe4b6bd85 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:580:16
#48 0xe4b61618 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26
#49 0xe4b5fc9f in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:730:15
#50 0xe4b60182 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36
#51 0xe4b6f6ec in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:234:37
#52 0xe4b6f6ec in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#53 0xe4b84721 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
#54 0xe4b8bb1a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#55 0xe584b2f3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#56 0xe575e3be in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#57 0xe575e2ba in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#58 0xe575e2ba in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#59 0xea691b86 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#60 0xea74d528 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
#61 0xeb7244e4 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
#62 0xe584c360 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#63 0xe575e3be in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#64 0xe575e2ba in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#65 0xe575e2ba in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#66 0xeb723d4e in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
#67 0xeb732d21 in mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:71:12
#68 0x5e60aecc in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#69 0x5e60aecc in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:378:18
#70 0xf4821518  (/lib/i386-linux-gnu/libc.so.6+0x21518) (BuildId: 559bcd138c06a98975421c680491f5666816aef2)
#71 0xf48215f2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x215f2) (BuildId: 559bcd138c06a98975421c680491f5666816aef2)
#72 0x5e5dc030 in _start (/home/user/workspace/browsers/linux32-m-c-20240605162721-fuzzing-debug/firefox-bin+0x5c030) (BuildId: e3d21bc5284467d658ee5182ec0eeadb9653f851)
Flags: in-testsuite?

The severity field is not set for this bug.
:lsalzman, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(lsalzman)
Severity: -- → S4
Flags: needinfo?(lsalzman)
Severity: S4 → --
Component: Graphics: Canvas2D → DOM: Bindings (WebIDL)
Keywords: regression
Regressed by: CVE-2023-6866

Set release status flags based on info from the regressing bug 1849037

:peterv, since you are the author of the regressor, bug 1849037, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(peterv)

ENSURE_SUCCESS_VOID is problematic, because it's unclear if the ErrorResult is
passed in from a caller, and so we don't know if exceptions would have to be
suppressed or not.

Assignee: nobody → peterv
Status: NEW → ASSIGNED

Making ENSURE_SUCCESS return the result of StealNSResult() ensures that
exceptions in the ErrorResult are dealt with. We can then signal that through
WouldReportJSException.

Using TypedArrayCreator avoids use of ErrorResult completely (and the need to
call MightThrowJSException/WouldReportJSException).

TypedArray::Create will put exceptions on the ErrorResult, so signal that we're
dealing with them in various callsites.

Slightly simpler (and avoids calling WouldReportJSException).
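
The bookkeeping the commit messages above rely on (a JS exception may only be stored on an ErrorResult that has been announced with MightThrowJSException(), and whoever consumes the error must balance that with WouldReportJSException()) is easier to see in a small model. What follows is an added example, not Gecko code and not taken from this bug's patches: ModelErrorResult, Violations, CreateBeforeFix/CreateAfterFix, EnsureSuccess and the nsresult constants are assumptions written to make the contract observable, and violations are counted instead of asserting so the three scenarios can be compared. The page does not say which ErrorResult.h check the first landing tripped in xpcshell, so the destructor-time checks here are a modeled stand-in, not that assertion.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>

// Added example: simplified model of the ErrorResult contract discussed in this
// bug. NOT Gecko's ErrorResult. Method names mirror the ones in the bug; the
// bodies, constants and helpers are assumptions. Contract violations are
// counted instead of MOZ_ASSERT-crashing so scenarios can be compared.

constexpr uint32_t NS_OK = 0;
constexpr uint32_t NS_ERROR_DOM_JS_EXCEPTION = 0x80530000;  // assumed value

struct Violations {
  int unannouncedJsException = 0;  // the assertion in this bug's title
  int unbalancedMightThrow = 0;    // MightThrowJSException() never balanced
  int leakedError = 0;             // error still pending at destruction
  int Total() const { return unannouncedJsException + unbalancedMightThrow + leakedError; }
};

class ModelErrorResult {
 public:
  explicit ModelErrorResult(Violations& v) : mViolations(v) {}
  ModelErrorResult(const ModelErrorResult&) = delete;
  ModelErrorResult& operator=(const ModelErrorResult&) = delete;
  ~ModelErrorResult() {
    // Modeled destructor-time checks (stand-in for checks in ErrorResult.h).
    if (mMightHaveUnreportedJSException) mViolations.unbalancedMightThrow++;
    if (mPending) mViolations.leakedError++;
  }

  // Announce that a JS exception may be stored here and is not yet reported.
  void MightThrowJSException() { mMightHaveUnreportedJSException = true; }
  // Whoever consumed the error signals that it has been (or will be) reported.
  void WouldReportJSException() { mMightHaveUnreportedJSException = false; }

  // Modeled on StealExceptionFromJSContext: moving the engine's pending
  // exception onto the result is only allowed after MightThrowJSException().
  void StealExceptionFromJSContext(const std::string& jsException) {
    if (!mMightHaveUnreportedJSException) mViolations.unannouncedJsException++;
    mPending = Pending{NS_ERROR_DOM_JS_EXCEPTION, jsException};
  }
  bool Failed() const { return mPending.has_value(); }
  // Consume the error; NS_OK if nothing was pending.
  uint32_t StealNSResult() {
    uint32_t rv = mPending ? mPending->rv : NS_OK;
    mPending.reset();
    return rv;
  }

 private:
  struct Pending { uint32_t rv; std::string jsException; };
  Violations& mViolations;
  bool mMightHaveUnreportedJSException = false;
  std::optional<Pending> mPending;
};

// Stand-ins for TypedArray::Create failing (the engine set a pending
// exception) and moving it onto the ErrorResult. Both always fail here.
void CreateBeforeFix(ModelErrorResult& aRv) {
  aRv.StealExceptionFromJSContext("RangeError: invalid array length");
}
void CreateAfterFix(ModelErrorResult& aRv) {
  aRv.MightThrowJSException();  // what the last patch adds in CreateCommon
  aRv.StealExceptionFromJSContext("RangeError: invalid array length");
}

// Model of the fixed ENSURE_SUCCESS: consume the error and signal that it is
// dealt with, so the destructor sees a balanced announcement.
uint32_t EnsureSuccess(ModelErrorResult& aRv) {
  uint32_t rv = aRv.StealNSResult();
  aRv.WouldReportJSException();
  return rv;
}

// What the fuzzer hit: the exception lands on a result nobody announced.
uint32_t ConstructorBeforeFix(Violations& v) {
  ModelErrorResult rv(v);
  CreateBeforeFix(rv);
  return rv.Failed() ? rv.StealNSResult() : NS_OK;
}
// Callee announces, caller consumes and balances: no violations.
uint32_t ConstructorAfterFix(Violations& v) {
  ModelErrorResult rv(v);
  CreateAfterFix(rv);
  return rv.Failed() ? EnsureSuccess(rv) : NS_OK;
}
// Callee announces but the caller only steals the nsresult: the destructor
// check catches the missing WouldReportJSException().
uint32_t ConstructorForgetsToBalance(Violations& v) {
  ModelErrorResult rv(v);
  CreateAfterFix(rv);
  return rv.Failed() ? rv.StealNSResult() : NS_OK;
}

int CountViolations(uint32_t (*scenario)(Violations&)) {
  Violations v;
  scenario(v);  // the result is destroyed here, running the destructor checks
  return v.Total();
}
uint32_t ReturnedResult(uint32_t (*scenario)(Violations&)) {
  Violations v;
  return scenario(v);
}

int main() {
  std::printf("before fix: %d violation(s)\n", CountViolations(ConstructorBeforeFix));
  std::printf("after fix: %d violation(s)\n", CountViolations(ConstructorAfterFix));
  std::printf("unbalanced: %d violation(s)\n", CountViolations(ConstructorForgetsToBalance));
  return 0;
}
```

The point of the model is that the announcement and the balancing live in different functions: the callee that may store a JS exception has to announce, and the code that consumes the error (here EnsureSuccess, standing in for the reworked ENSURE_SUCCESS) has to balance it, which is why a helper that returned early without knowing who owned the ErrorResult could not get this right.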

Flags: needinfo?(peterv)
Severity: -- → S3
Priority: -- → P2
Duplicate of this bug: 1900927

There are some r+ patches which didn't land and no activity in this bug for 2 weeks.
:peterv, could you have a look please?
If you still have some work to do, you can add an action "Plan Changes" in Phabricator.
For more information, please visit BugBot documentation.

Flags: needinfo?(rob)
Flags: needinfo?(peterv)
Flags: needinfo?(rob)
Pushed by pvanderbeken@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2d3f52edb98a Remove ENSURE_SUCCESS_VOID. r=dom-core,edgar
https://hg.mozilla.org/integration/autoland/rev/c89109c12d59 Make ENSURE_SUCCESS call WouldReportJSException. r=dom-core,win-reviewers,emilio,gstoll,edgar
https://hg.mozilla.org/integration/autoland/rev/23ab72aa4589 Make nsProfiler use TypedArrayCreator. r=dom-core,profiler-reviewers,farre,canaltinova
https://hg.mozilla.org/integration/autoland/rev/36695bae43ed Add WouldReportJSException() calls. r=dom-core,farre
https://hg.mozilla.org/integration/autoland/rev/638842494167 Use IgnoreErrors() from ArrayBuffer::Create in StreamFilter::FireEvent. r=dom-core,extension-reviewers,robwu,farre
https://hg.mozilla.org/integration/autoland/rev/5234a13894b2 Call MightThrowJSException() in TypedArray::CreateCommon. r=dom-core,farre

Backed out for causing xpcshell assertion failures in ErrorResult.h.

Pushed by pvanderbeken@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1b303850645e Remove ENSURE_SUCCESS_VOID. r=dom-core,edgar
https://hg.mozilla.org/integration/autoland/rev/1f2b38777dcb Make ENSURE_SUCCESS call WouldReportJSException. r=dom-core,win-reviewers,emilio,gstoll,edgar
https://hg.mozilla.org/integration/autoland/rev/fd3d40b3182d Make nsProfiler use TypedArrayCreator. r=dom-core,profiler-reviewers,farre,canaltinova
https://hg.mozilla.org/integration/autoland/rev/86fc4b9e58c5 Add WouldReportJSException() calls. r=dom-core,farre,necko-reviewers,kershaw

Since nightly and release are affected, beta will likely be affected too.
For more information, please visit BugBot documentation.

The patch landed in nightly and beta is affected.
:peterv, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox130 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(peterv)
Flags: needinfo?(peterv)
Pushed by pvanderbeken@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e24c76cd43c7 Use IgnoreErrors() from ArrayBuffer::Create in StreamFilter::FireEvent. r=dom-core,extension-reviewers,robwu,farre
https://hg.mozilla.org/integration/autoland/rev/6b1f845b8955 Call MightThrowJSException() in TypedArray::CreateCommon. r=dom-core,farre