Closed Bug 1923408 Opened 4 months ago Closed 4 months ago

Assertion failure: cx->isExceptionPending() || cx->isPropagatingForcedReturn() || cx->hadUncatchableException(), at vm/Interpreter.cpp:439

Categories

(Core :: JavaScript Engine, defect)

Tracking


RESOLVED FIXED
133 Branch
Tracking Status
firefox-esr128 --- unaffected
firefox131 --- unaffected
firefox132 --- unaffected
firefox133 --- fixed

People

(Reporter: gkw, Assigned: arai)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(5 files)

Attached file debug stack
[99999999999999, 99999, -9999, 9999999999, -9999] < -999999999n;
oomTest(disassemble);
(gdb) bt
#0  AssertExceptionResult (cx=cx@entry=0x7ffff6f36200) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:438
#1  0x00005555572c850f in CallJSNative (cx=cx@entry=0x7ffff6f36200, native=<optimized out>, reason=reason@entry=js::CallReason::Call, args=...) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:532
#2  0x00005555572a0712 in js::InternalCallOrConstruct (cx=0x7ffff6f36200, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:623
#3  0x00005555572a1448 in InternalCall (cx=<optimized out>, args=..., reason=1490758960, reason@entry=js::CallReason::Call) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:690
#4  0x00005555572a1639 in js::Call (cx=cx@entry=0x7ffff6f36200, fval=fval@entry=..., thisv=thisv@entry=..., args=..., rval=rval@entry=..., reason=reason@entry=js::CallReason::Call) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:722
#5  0x0000555557426793 in JS_CallFunction (cx=0x7ffff6f36200, obj=..., fun=..., args=..., rval=rval@entry=...) at /home/i32g7900a/trees/mozilla-central/js/src/vm/CallAndConstruct.cpp:74
/snip
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/de8b96102f94
user:        Jan de Mooij
date:        Tue Oct 01 11:02:38 2024 +0000
summary:     Bug 1921780 - Improve exception handling assertions in the JS shell. r=arai

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 0546d4eb6429.

Setting s-s just in case. Jan, is bug 1921780 a likely regressor?

Flags: sec-bounty?
Flags: needinfo?(jdemooij)
Group: core-security → javascript-core-security

Set release status flags based on info from the regressing bug 1921780

Likely an exception handling bug in the disassemble testing function that's now caught by the assertions added in bug 1921780.

I'll take a look tomorrow.

arai, can you take this one? I think there's an exception handling issue under DisassembleToSprinter.

Flags: needinfo?(jdemooij) → needinfo?(arai.unmht)
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Flags: needinfo?(arai.unmht)

The OOM inside Sprinter shouldn't trigger an immediate error mode return, but
the OOM should be forwarded to the JSContext by the release method.

LCovRealm::lookupOrAdd's error mode immediately results in ReportOutOfMemory(cx)
in the consumer, and there's no need to note the OOM on the printer.

The "report" in the method name is misleading, as it suggests that it immediately reports OOM
to the JSContext.
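The invariant behind the assertion in Interpreter.cpp (a native that returns false must leave an exception pending) and the before/after shape of the fix described in the patch summaries, as an added stand-alone C++ sketch that is not SpiderMonkey code; Context, Sprinter, disassembleBuggy and disassembleFixed are hypothetical stand-ins with a byte limit in place of a real allocator:

```cpp
#include <string>

// Stand-in for JSContext: records whether an exception (here, OOM) is pending.
struct Context {
    bool exceptionPending = false;
    void reportOutOfMemory() { exceptionPending = true; }
};

// Stand-in for a Sprinter: buffers text and only notes OOM, never reports it.
class Sprinter {
    std::string buf_;
    bool oom_ = false;
    size_t limit_;  // constructed allocation limit, simulating a failed allocation
public:
    explicit Sprinter(size_t limit) : limit_(limit) {}
    void put(const std::string& s) {
        if (oom_) return;  // silently no-op after the first failure
        if (buf_.size() + s.size() > limit_) { oom_ = true; return; }
        buf_ += s;
    }
    bool hadOutOfMemory() const { return oom_; }
    // Forwards the deferred OOM to the context; returns the text, or "" on OOM.
    std::string release(Context& cx) {
        if (oom_) { cx.reportOutOfMemory(); return ""; }
        return buf_;
    }
};

// The part of AssertExceptionResult this sketch models: false => exception pending.
bool exceptionResultConsistent(const Context& cx, bool ok) {
    return ok || cx.exceptionPending;
}

// Buggy shape: early-return on printer OOM without telling the context, so the
// caller sees `false` with nothing pending and the assertion fires.
bool disassembleBuggy(Context& cx, size_t limit, std::string& out) {
    Sprinter sp(limit);
    sp.put("JSOp::Int32 1\n");
    if (sp.hadOutOfMemory()) return false;  // missing ReportOutOfMemory(cx)
    sp.put("JSOp::Return\n");
    if (sp.hadOutOfMemory()) return false;
    out = sp.release(cx);
    return true;
}

// Fixed shape: keep going (put() is a no-op after OOM) and let release() report.
bool disassembleFixed(Context& cx, size_t limit, std::string& out) {
    Sprinter sp(limit);
    sp.put("JSOp::Int32 1\n");
    sp.put("JSOp::Return\n");
    out = sp.release(cx);
    return !cx.exceptionPending;
}
```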

Did this turn out to have security impact? Looking at the patches, it doesn't look like it.

Flags: needinfo?(arai.unmht)

This has no security impact.

Flags: needinfo?(arai.unmht)
Group: javascript-core-security
Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/71c4abc6148a Part 1: Do not early-return on sprinter OOM in bytecode utils. r=nbp
https://hg.mozilla.org/integration/autoland/rev/77cd73366575 Part 2: Do not call reportOutOfMemory in LCovRealm::lookupOrAdd. r=nbp
https://hg.mozilla.org/integration/autoland/rev/6996e70d758f Part 3: Remove unused JSONPrinter::outOfMemory method. r=nbp
https://hg.mozilla.org/integration/autoland/rev/d3f37b22f7bd Part 4: Rename GenericPrinter::reportOutOfMemory to setPendingOutOfMemory to avoid misuse. r=nbp
Flags: sec-bounty? → sec-bounty-