Closed Bug 1932934 Opened 7 months ago Closed 7 months ago

Assertion failure: cx->isExceptionPending() || cx->isPropagatingForcedReturn() || cx->hadUncatchableException(), at vm/Interpreter.cpp:440

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
All
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
135 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox132 --- unaffected
firefox133 --- wontfix
firefox134 --- wontfix
firefox135 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(2 files)

debug stack
6.18 KB, text/plain
Details
Bug 1932934 - Fix some OOM bugs in the JSON modules code. r?jonco!
48 bytes, text/x-phabricator-request
Details | Review
Attached file debug stack 
oomTest(function () {
  parseModule("{}", "", "json");
});

(gdb) bt
#0  AssertExceptionResult (cx=cx@entry=0x7ffff6f36200) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:439
#1  0x0000555557287eef in CallJSNative (cx=cx@entry=0x7ffff6f36200, native=<optimized out>, reason=reason@entry=js::CallReason::Call, args=...) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:537
#2  0x000055555725e4a2 in js::InternalCallOrConstruct (cx=0x7ffff6f36200, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:628
#3  0x000055555725f1d8 in InternalCall (cx=<optimized out>, args=..., reason=1490636128) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:695
#4  0x000055555726fdbc in js::CallFromStack (cx=0x7ffff7a1ca60 <_IO_stdfile_2_lock>, args=..., reason=<optimized out>) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:700
#5  js::Interpret (cx=0x7ffff6f36200, state=...) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:3329
/snip

I'm going to guess that this is related to bug 1921780 again.

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev d50cbcf0ded7.

Setting s-s just in case. Jan, did bug 1921780 likely expose the issue?

Flags: sec-bounty?
Flags: needinfo?(jdemooij)
Group: core-security → javascript-core-security

Set release status flags based on info from the regressing bug 1921780

status-firefox132: --- → unaffected
status-firefox133: --- → affected
status-firefox-esr128: --- → unaffected

Various OOM bugs in the new JSON modules code.

(Results in either a nullptr dereference or it incorrectly throws an uncatchable exception that terminates execution. The latter is now caught by the assertions added in bug 1921780.)

Assignee: nobody → jdemooij
Group: javascript-core-security
Status: NEW → ASSIGNED
status-firefox133: affectedwontfix
status-firefox134: affectedwontfix

Drive-by change to use RootedVector<Value> for a stack-allocated vector because
it has some inline space and we append just one item.

Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e58c116fb1ab Fix some OOM bugs in the JSON modules code. r=jonco

https://hg.mozilla.org/mozilla-central/rev/e58c116fb1ab

Status: ASSIGNED → RESOLVED
Closed: 7 months ago
status-firefox135: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 135 Branch
Flags: sec-bounty? → sec-bounty-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: