Closed Bug 1924279 Opened 4 months ago Closed 4 months ago

Assertion failure: cx->isExceptionPending() || cx->isPropagatingForcedReturn() || cx->hadUncatchableException(), at vm/Interpreter.cpp:439

Categories

(Core :: JavaScript Engine, defect, P1)

Tracking

RESOLVED FIXED
133 Branch
Tracking Status
firefox-esr128 --- unaffected
firefox131 --- unaffected
firefox132 --- unaffected
firefox133 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(2 files)

Attached file debug stack
new Float32Array();
Reflect.construct(Float32Array, []);
oomTest(function() {
  selectforgc(new Float32Array());
});
(gdb) bt
#0  AssertExceptionResult (cx=cx@entry=0x7ffff6f36200) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:438
#1  0x00005555572cb21f in CallJSNative (cx=cx@entry=0x7ffff6f36200, native=<optimized out>, reason=reason@entry=js::CallReason::Call, args=...) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:532
#2  0x00005555572a3512 in js::InternalCallOrConstruct (cx=0x7ffff6f36200, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:623
#3  0x00005555572a4248 in InternalCall (cx=<optimized out>, args=..., reason=1490788512) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:690
#4  0x00005555572b345e in js::CallFromStack (cx=0x7ffff7a1ca60 <_IO_stdfile_2_lock>, args=..., reason=<optimized out>) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:695
#5  js::Interpret (cx=0x7ffff6f36200, state=...) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:3520
/snip
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/de8b96102f94
user:        Jan de Mooij
date:        Tue Oct 01 11:02:38 2024 +0000
summary:     Bug 1921780 - Improve exception handling assertions in the JS shell. r=arai

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev ef3ce232d62d.

Setting s-s just in case. Jan, is bug 1921780 a likely regressor?

Flags: sec-bounty?
Flags: needinfo?(jdemooij)

Likely just missing a ReportOutOfMemory call here: https://searchfox.org/mozilla-central/rev/d0c13bb2a9c3a9ab6f5eb5a23230161928b079d9/js/src/builtin/TestingFunctions.cpp#2681

This isn't security sensitive.
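An added example, not SpiderMonkey's own code, that models the contract the assertion in Interpreter.cpp enforces: a native returning false must already have a pending error. FakeContext, Allocator and the two selectforgc-style functions are assumed stand-ins; the buggy one mirrors the missing ReportOutOfMemory call, the fixed one the pushed fix.

```cpp
// Minimal stand-in for JSContext: only the "error pending?" state that the
// assertion in Interpreter.cpp inspects (assumed shape, not the real API).
struct FakeContext {
  bool exceptionPending = false;
  // Stand-in for ReportOutOfMemory(cx): records the OOM as a pending error.
  void reportOutOfMemory() { exceptionPending = true; }
  bool isExceptionPending() const { return exceptionPending; }
};

// Stand-in for an allocation that oomTest can make fail once.
struct Allocator {
  bool failNext = false;
  bool tryAllocate() { bool ok = !failNext; failNext = false; return ok; }
};

// JSNative-style signature: true on success, false after reporting an error.
using Native = bool (*)(FakeContext*, Allocator&);

// Pre-fix shape: returns false on OOM without reporting it.
bool selectforgcBuggy(FakeContext* cx, Allocator& alloc) {
  if (!alloc.tryAllocate()) return false;  // missing ReportOutOfMemory
  return true;
}

// Fixed shape: report the OOM, then return false.
bool selectforgcFixed(FakeContext* cx, Allocator& alloc) {
  if (!alloc.tryAllocate()) {
    cx->reportOutOfMemory();
    return false;
  }
  return true;
}

// Stand-in for AssertExceptionResult: a false return needs a pending error.
bool exceptionResultConsistent(const FakeContext* cx, bool ok) {
  return ok || cx->isExceptionPending();
}

// Call a native with or without an injected OOM; true if the contract held.
bool callUnderOOM(Native native, bool injectOOM) {
  FakeContext cx;
  Allocator alloc;
  alloc.failNext = injectOOM;
  bool ok = native(&cx, alloc);
  return exceptionResultConsistent(&cx, ok);
}
```

Only the injected-OOM path through the buggy native trips the check, which is why the testcase needs oomTest to reach it.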

Set release status flags based on info from the regressing bug 1921780

Group: core-security → javascript-core-security
Group: javascript-core-security

This bug was introduced 12 years ago but we're now catching this with new assertions.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED

The bug goes back to bug 742570 from 2012.

I'm glad our new exception handling assertions are catching this.

Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f56a5945a2f0 Add missing ReportOutOfMemory call to selectforgc testing function. r=jonco
Severity: -- → S3
Priority: -- → P1
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 133 Branch
Flags: sec-bounty? → sec-bounty-