Closed
Bug 1930808
Opened 3 months ago
Closed 3 months ago
Assertion failure: cx->isExceptionPending() || cx->isPropagatingForcedReturn() || cx->hadUncatchableException(), at vm/Interpreter.cpp:440
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
RESOLVED FIXED
134 Branch

Branch | Tracking | Status
---|---|---
firefox-esr128 | --- | unaffected
firefox132 | --- | unaffected
firefox133 | --- | wontfix
firefox134 | --- | fixed
People
(Reporter: gkw, Assigned: jandem)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, reporter-external, testcase)
Attachments
(2 files)
```js
new WebAssembly.Tag({ parameters: [] });
oomTest(function () {
new WebAssembly.Tag({ parameters: [] });
});
```
```
439 MOZ_ASSERT(cx->isExceptionPending() || cx->isPropagatingForcedReturn() ||
(gdb) bt
#0 AssertExceptionResult (cx=cx@entry=0x7ffff6f36200) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:439
#1 0x000055555727067f in CallJSNative (cx=cx@entry=0x7ffff6f36200, native=native@entry=0x555558705a00 <js::WasmTagObject::construct(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Call, args=...) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:537
#2 0x000055555727a32d in CallJSNativeConstructor (cx=cx@entry=0x7ffff6f36200, native=0x555558705a00 <js::WasmTagObject::construct(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:550
#3 0x0000555557249fb2 in InternalConstruct (cx=cx@entry=0x7ffff6f36200, args=..., reason=reason@entry=js::CallReason::Call) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:756
#4 0x000055555725852f in js::ConstructFromStack (cx=0x7ffff6f36200, args=..., reason=<optimized out>) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:803
#5 js::Interpret (cx=0x7ffff6f36200, state=...) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:3314
/snip
```
I'm going to guess that this is related to bug 1921780 again.
Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev aef84d293121.
Setting s-s just in case. Jan, did bug 1921780 likely expose the issue?
Flags: sec-bounty?
Flags: needinfo?(jdemooij)
Comment 1•3 months ago
Set release status flags based on info from the regressing bug 1921780
status-firefox132: --- → unaffected
status-firefox133: --- → affected
status-firefox-esr128: --- → unaffected
Updated•3 months ago
Group: core-security → javascript-core-security
Comment 2•3 months ago
A few minor OOM bugs.
Group: javascript-core-security
Flags: needinfo?(jdemooij)
Comment 3•3 months ago
Updated•3 months ago
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Updated•3 months ago
Severity: -- → S3
Priority: -- → P1
Updated•3 months ago
Severity: S3 → S4
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/432337e20786
Add some ReportOutOfMemory calls to WasmTagObject::construct. r=rhunt
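As an added illustration (not SpiderMonkey's own code, and no part of this bug's patch), the C++ model below re-creates the contract that the failing assertion enforces: a native that returns false must leave an exception pending on the context, so when a fallible allocation fails the native has to report out-of-memory before bailing out. A buggy shape and the fixed shape are driven through an oomTest-style failure injector. All names here (Context, tryNew, failAt, the two constructTag* functions) are constructed stand-ins.

```cpp
#include <memory>
#include <vector>

// Minimal stand-in for JSContext's exception state plus an oomTest-style
// failure injector: the allocation numbered `failAt` (0-based) fails.
struct Context {
  bool exceptionPending = false;
  int failAt = -1;  // -1 = never fail
  void reportOutOfMemory() { exceptionPending = true; }
  template <class T> T* tryNew() {  // fallible allocation
    if (failAt == 0) return nullptr;
    if (failAt > 0) --failAt;
    return new T();
  }
};

struct TagType { std::vector<int> params; };
using TagNative = bool (*)(Context*, std::unique_ptr<TagType>*);

// Buggy shape: returns false after a failed allocation without reporting,
// which is exactly the state the assertion in this bug catches.
bool constructTagBuggy(Context* cx, std::unique_ptr<TagType>* out) {
  TagType* t = cx->tryNew<TagType>();
  if (!t) return false;  // defect: no exception pending
  out->reset(t);
  return true;
}

// Fixed shape, the pattern of the landed patch: report OOM before failing.
bool constructTagFixed(Context* cx, std::unique_ptr<TagType>* out) {
  TagType* t = cx->tryNew<TagType>();
  if (!t) { cx->reportOutOfMemory(); return false; }
  out->reset(t);
  return true;
}

// Drives `native` with the failure injected at every allocation in turn and
// applies the AssertExceptionResult rule: a false return must leave an
// exception pending. Returns true only if the rule held at every point.
bool oomTestHoldsContract(TagNative native, int maxAllocs) {
  for (int n = 0; n <= maxAllocs; ++n) {
    Context cx;
    cx.failAt = n;
    std::unique_ptr<TagType> obj;
    bool ok = native(&cx, &obj);
    if (!ok && !cx.exceptionPending) return false;
  }
  return true;
}
```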
Updated•3 months ago
Comment 5•3 months ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 134 Branch
Comment 6•3 months ago
The patch landed in nightly and beta is affected.
:jandem, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox133 to wontfix.
For more information, please visit BugBot documentation.
Flags: needinfo?(jdemooij)
Updated•3 months ago
Flags: needinfo?(jdemooij)
Updated•3 months ago
Flags: sec-bounty? → sec-bounty-