Closed Bug 1922620 Opened 5 months ago Closed 5 months ago

Assertion failure: cx->isExceptionPending() || cx->isPropagatingForcedReturn() || cx->hadUncatchableException(), at js/src/vm/Interpreter.cpp:440

(Core :: JavaScript Engine, defect)

RESOLVED FIXED
133 Branch
Tracking Status
firefox133 --- fixed

People

(Reporter: sm-bugs, Assigned: jandem)


Steps to reproduce:

Version: 7e0ae4372c52b8183d1178132dd6493edb576738

Command line:

js --fuzzing-safe <test-case>

Test case:

try {
  for (; (() => {
         function a() {
           function b() { return a }
           c = b()
           try {
             disnative(b)
           } catch {
             async function d() {}
             d().finally(c)
           }
         } a()
       })();)
    ;
} catch {
}

Actual results:

This was initially observed as Assertion failure: IsGCThingValidAfterMovingGC(t), at js/src/gc/Marking-inl.h:230, but the test case now raises the following error:

Assertion failure: cx->isExceptionPending() || cx->isPropagatingForcedReturn() || cx->hadUncatchableException(), at js/src/vm/Interpreter.cpp:440
    #0 0x559e6754914e in AssertExceptionResult(JSContext*) /js/src/vm/Interpreter.cpp:438:3
    #1 0x559e6754a56f in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:533:5
    #2 0x559e6754974f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:624:12
    #3 0x559e68404d93 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /js/src/jit/BaselineIC.cpp:1677:10
    #4 0x676780abd5e  (<unknown module>)
Blocks: 1903968
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Version: Firefox 130 → Trunk
Summary: Assertion failure: IsGCThingValidAfterMovingGC(t), at js/src/gc/Marking-inl.h:230 → Assertion failure: cx->isExceptionPending() || cx->isPropagatingForcedReturn() || cx->hadUncatchableException(), at js/src/vm/Interpreter.cpp:440
Group: core-security → javascript-core-security

The new assertion was added in bug 1921780 and should be harmless. Could be an issue with the disnative shell function.

The GC assertion is probably more serious though. Did you see that with the test case here or with a different test?

I'll take a look next week.

Flags: needinfo?(jdemooij)

This test case triggered the GC assertion during fuzzing, but this was probably due to the GC state from previous test cases.

This is a problem with the disnative shell function that's now caught by the assertions added in bug 1921780 \o/. Setting "Depends On" because "Regressed By" feels wrong since it's not really a regression.

Assignee: nobody → jdemooij
Group: javascript-core-security
Status: NEW → ASSIGNED
Depends on: 1921780
Flags: needinfo?(jdemooij)
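The invariant the new assertion enforces, as an added plain C++ model (not SpiderMonkey code and not the actual disnative patch): a JSNative that returns false must leave the context in one of the three states named in the assertion, otherwise AssertExceptionResult fires in the caller. The Context struct, the two native stand-ins and their argument check are constructed for this illustration only.

```cpp
#include <cassert>
#include <string>

// Constructed stand-in for JSContext: only the three states checked by
// AssertExceptionResult are modelled (assumption, not the real JSContext).
struct Context {
  bool hasPendingException = false;
  std::string pendingMessage;
  bool propagatingForcedReturn = false;
  bool uncatchableException = false;

  bool isExceptionPending() const { return hasPendingException; }
  bool isPropagatingForcedReturn() const { return propagatingForcedReturn; }
  bool hadUncatchableException() const { return uncatchableException; }
  void reportError(const std::string& msg) {
    hasPendingException = true;
    pendingMessage = msg;
  }
};

// Shape of a JSNative callback: returning false signals failure.
using Native = bool (*)(Context& cx, int argc);

// The defect pattern described in the bug: bail out with false without
// reporting anything, so the interpreter sees failure but no exception.
bool buggyNative(Context& cx, int argc) {
  (void)cx;
  if (argc < 1) return false;  // nothing reported: contract violated
  return true;
}

// The corrected pattern: every false return is preceded by a reported error.
bool fixedNative(Context& cx, int argc) {
  if (argc < 1) {
    cx.reportError("argument must be a function");  // hypothetical message
    return false;
  }
  return true;
}

// Mirrors the check after CallJSNative: a false return is only legal when
// one of the three states is set. Returns true if the contract held, false
// where the assertion at Interpreter.cpp:440 would fire.
bool callNativeCheckingContract(Context& cx, Native fn, int argc) {
  if (fn(cx, argc)) return true;
  return cx.isExceptionPending() || cx.isPropagatingForcedReturn() ||
         cx.hadUncatchableException();
}

// Convenience wrapper: run one native on a fresh context and report the verdict.
bool contractHeld(Native fn, int argc) {
  Context cx;
  return callNativeCheckingContract(cx, fn, argc);
}
```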
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/600475b93fe9 Fix disnative testing function to not return false without reporting an exception. r=arai
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 133 Branch
Regressions: 1924062