1923389 - Assertion failure: cx->isExceptionPending() || cx->isPropagatingForcedReturn() || cx->hadUncatchableException(), at js/src/vm/Interpreter.cpp:439

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P3)

Description

[Nils Bars]

Steps to reproduce:

Version: 488d81581a9142d532bf814efa60564ff11599ca
Flags:

js --fuzzing-safe <test-case>

Test case:

a = principal = this
newGlobal(a).createMappedArrayBuffer(a)

Actual results:

Assertion failure: cx->isExceptionPending() || cx->isPropagatingForcedReturn() || cx->hadUncatchableException(), at js/src/vm/Interpreter.cpp:439
#0 0x557a3675a1a9 in AssertExceptionResult(JSContext*) js/src/vm/Interpreter.cpp:438:3
#1 0x557a3675b5cf in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) js/src/vm/Interpreter.cpp:532:5
#2 0x557a3675a7af in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) js/src/vm/Interpreter.cpp:623:12
#3 0x557a367729a4 in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) js/src/vm/Interpreter.cpp:695:10
#4 0x557a367729a4 in js::Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:3520:16
#5 0x557a367595e0 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:497:13
#6 0x557a3675e991 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:888:13
#7 0x557a3675f19c in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:921:10
#8 0x557a369aa479 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) js/src/vm/CompilationAndEvaluation.cpp:495:10
#9 0x557a369aa6f7 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) js/src/vm/CompilationAndEvaluation.cpp:519:10
#10 0x557a366c31be in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) js/src/shell/js.cpp:1316:10
#11 0x557a366c2525 in Process(JSContext*, char const*, bool, FileKind) js/src/shell/js.cpp
#12 0x557a3667d53e in ProcessArgs(JSContext*, js::cli::OptionParser*) js/src/shell/js.cpp:11417:10
#13 0x557a3667d53e in Shell(JSContext*, js::cli::OptionParser*) js/src/shell/js.cpp:11669:12
#14 0x557a366747bd in main js/src/shell/js.cpp:12226:12
#15 0x7fa32b430d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#16 0x7fa32b430e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#17 0x557a3663dda8 in _start (reproducebuild/dist/bin/js+0x1c3bda8) (BuildId: 62459495c6e31cf3b7e66d4f41a060e5)

Comment 1

[Matthew Gaudet (he/him) [:mgaudet]]

Suspect this is a small thing to fix from Bug 1921780 and likely not security sensitive.

Ni? self to take a peek in a bit.

Comment 2

[Matthew Gaudet (he/him) [:mgaudet]]

So what's happening here is that js::shell::ResolvePath is invoking DescribeScriptedCaller, which is returning false (indicating it can't find a scripted frame) -- side note: That API really needs to be redesigned.

I'm going to put together a putative patch, but it's definitely gently gross.

This is shell only though so un-hiding.

Comment 3

[Matthew Gaudet (he/him) [:mgaudet]]

Attachment: Bug 1923389 - Change error handling for ResolvePath w.r.t hidden frames r?sfink

Comment 4

[Pulsebot]

Pushed by mgaudet@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1cab9805167f
Change error handling for ResolvePath w.r.t hidden frames r=sfink

Comment 5

[Iulian Moraru]

https://hg.mozilla.org/mozilla-central/rev/1cab9805167f