Assertion failure: cx->isExceptionPending() || cx->isPropagatingForcedReturn() || cx->hadUncatchableException(), at vm/Interpreter.cpp:440
Categories
(Core :: JavaScript Engine, defect, P3)
Tracking

Release | Tracking | Status
---|---|---
firefox-esr128 | --- | unaffected
firefox132 | --- | unaffected
firefox133 | --- | wontfix
firefox134 | --- | fixed
People
(Reporter: gkw, Assigned: jandem)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, reporter-external, testcase)
Attachments
(2 files)
class C {};
oomTest(function() { readline(C); });
439 MOZ_ASSERT(cx->isExceptionPending() || cx->isPropagatingForcedReturn() ||
(gdb) bt
#0 AssertExceptionResult (cx=cx@entry=0x7ffff6f36200) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:439
#1 0x00005555572e6fcf in CallJSNative (cx=cx@entry=0x7ffff6f36200, native=<optimized out>, reason=reason@entry=js::CallReason::Call, args=...) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:533
#2 0x00005555572bef72 in js::InternalCallOrConstruct (cx=0x7ffff6f36200, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:624
#3 0x00005555572bfca8 in InternalCall (cx=<optimized out>, args=..., reason=1490897008) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:691
#4 0x00005555572cee85 in js::CallFromStack (cx=0x7ffff7a1ca60 <_IO_stdfile_2_lock>, args=..., reason=<optimized out>) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:696
#5 js::Interpret (cx=0x7ffff6f36200, state=...) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:3326
/snip
I'm going to guess that this is related to bug 1921780 again.
Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev b584d7d6324f.
Setting s-s just in case. Jan, did bug 1921780 likely expose the issue?
Comment 1 • 4 months ago
Set release status flags based on info from the regressing bug 1921780
Comment 2 • 4 months ago
The issue is that the readline JS shell function uses JS_malloc, and JS_malloc and JS_realloc don't report OOM because they use the cx->maybe_* allocation functions. Maybe we should change that because it's different from how other JSAPI functions work.
This bug isn't security-sensitive.
Updated • 4 months ago

Comment 3 • 4 months ago
:willyelm could this be triaged for severity? (pinging as triage owner)
Next week is the final week of beta for Fx133. Is there any user-facing impact of this?
Comment 4 • 4 months ago
This only affects shell functions. There is no user-facing impact.
Updated • 4 months ago

Comment 5 • 3 months ago
Use MakeScopeExit to free the buffer automatically before returning. Also add missing OOM-reporting. At some point we should consider changing these JSAPI functions to report OOM, but for now this just fixes readline to unblock fuzzing.

No test case because readline is hard to test with a jit-test.
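As an added illustration of the invariant behind the assertion and of the fix described in comments 2 and 5, the following is a self-contained C++ model. It is not SpiderMonkey code: Context, maybe_malloc, ReportOutOfMemory, the ScopeExit guard and the readline_* functions are constructed stand-ins. It places a native that fails through a non-reporting allocator without leaving an exception pending beside a version that reports OOM on every failure path and frees its buffer via a scope-exit guard, and checks both under simulated OOM.

```cpp
// Constructed model of "a native that returns false must leave an exception
// pending". Not SpiderMonkey code; all names below are assumptions.
#include <cassert>
#include <cstdlib>
#include <cstring>
#include <string>
#include <utility>

struct Context {
    bool exceptionPending = false;
    int failAfterAllocs = -1;  // -1: never fail; n: the (n+1)th allocation returns nullptr
    int allocs = 0;
    int liveBuffers = 0;       // outstanding buffers, to detect leaks on early return
};

// Model of a cx->maybe_* allocator: returns nullptr on (simulated) OOM and
// reports nothing on the context, which is the behaviour comment 2 describes.
void* maybe_malloc(Context* cx, size_t n) {
    bool fail = cx->failAfterAllocs >= 0 && cx->allocs >= cx->failAfterAllocs;
    cx->allocs++;
    if (fail) return nullptr;
    void* p = std::malloc(n);
    if (p) cx->liveBuffers++;
    return p;
}

void free_buf(Context* cx, void* p) { if (p) { cx->liveBuffers--; std::free(p); } }

// Model of reporting OOM: the only thing that makes the failure visible to the caller.
void ReportOutOfMemory(Context* cx) { cx->exceptionPending = true; }

// Minimal scope-exit guard in the spirit of mozilla::MakeScopeExit (stand-in).
template <typename F> struct ScopeExit {
    F f; bool active = true;
    explicit ScopeExit(F fn) : f(std::move(fn)) {}
    ~ScopeExit() { if (active) f(); }
    void release() { active = false; }
};
template <typename F> ScopeExit<F> MakeScopeExit(F f) { return ScopeExit<F>(std::move(f)); }

// "Before": fails through the non-reporting allocator, returns false with no
// pending exception, and leaks the first buffer if the second allocation fails.
bool readline_before(Context* cx, const char* line, std::string* out) {
    size_t len = std::strlen(line);
    char* buf = static_cast<char*>(maybe_malloc(cx, len + 1));
    if (!buf) return false;                                          // no report
    std::memcpy(buf, line, len + 1);
    char* grown = static_cast<char*>(maybe_malloc(cx, 2 * len + 1)); // models a realloc growth step
    if (!grown) return false;                                        // leaks buf, no report
    std::memcpy(grown, buf, len + 1);
    free_buf(cx, buf);
    *out = grown;
    free_buf(cx, grown);
    return true;
}

// "After": every false return is preceded by ReportOutOfMemory, and the guard
// frees buf on every exit path, as the fix in comment 5 describes.
bool readline_after(Context* cx, const char* line, std::string* out) {
    size_t len = std::strlen(line);
    char* buf = static_cast<char*>(maybe_malloc(cx, len + 1));
    if (!buf) { ReportOutOfMemory(cx); return false; }
    auto freeBuf = MakeScopeExit([&] { free_buf(cx, buf); });
    std::memcpy(buf, line, len + 1);
    char* grown = static_cast<char*>(maybe_malloc(cx, 2 * len + 1));
    if (!grown) { ReportOutOfMemory(cx); return false; }             // buf freed by guard
    std::memcpy(grown, buf, len + 1);
    *out = grown;
    free_buf(cx, grown);
    return true;
}

// Model of the check the assertion performs after a native returns.
bool NativeResultOk(const Context& cx, bool ok) { return ok || cx.exceptionPending; }

struct Outcome { bool invariantHeld; bool noLeak; bool ok; };

// Runs a native with allocation number `failAt` forced to fail (-1: none) on a
// constructed input line and reports whether the invariant held and nothing leaked.
template <typename Native>
Outcome RunWithOom(Native native, int failAt) {
    Context cx; cx.failAfterAllocs = failAt;
    std::string out;
    bool ok = native(&cx, "constructed input line", &out);
    return {NativeResultOk(cx, ok), cx.liveBuffers == 0, ok};
}
```

RunWithOom(readline_before, 0) and RunWithOom(readline_before, 1) reproduce the shape of the reported failure: the native returns false with no exception pending, and the second case also leaks the first buffer. The readline_after variant holds the invariant at every injected failure point and leaks nothing.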
Updated • 3 months ago

Updated • 3 months ago

Comment 7 • 3 months ago
bugherder

Updated • 3 months ago