Closed
Bug 812747
Opened 12 years ago
Closed 11 years ago
"Assertion failure: !cx->isExceptionPending()" with Proxy
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| firefox19 | - | --- |
People
(Reporter: jruderman, Unassigned)
References
Details
(Keywords: assertion, testcase, Whiteboard: [fuzzblocker:isExceptionPending])
Attachments
(3 files)
Assertion failure: !cx->isExceptionPending(), at js/src/jsinterp.cpp:3804 I'm guessing this is a JavaScript Engine bug (despite DOM stuff in the testcase) because the stack is js/src/ from #17 up.
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [fuzzblocker:isExceptionPending]
|
|
Reporter | |
Comment 1•12 years ago
|
||
|
||
Updated•12 years ago
|
tracking-firefox19:
--- → ?
|
||
Comment 2•12 years ago
|
||
Yeah, IsDuckTypedErrorObject didn't realize that HasProperty can call back into JS now.
tracking-firefox19:
? → ---
|
|
||
Updated•12 years ago
|
tracking-firefox19:
--- → ?
|
||
Comment 3•12 years ago
|
||
Why HasProperty asserts while GetProperty doesn't?
|
|
||
Comment 4•12 years ago
|
||
Because the proxy in the test case only has a 'has' trap that throws.
|
|
||
Comment 5•12 years ago
|
||
'has' trap is not a essence. Even Proxy is not essential because this testcase crashes at js_ReportUncaughtException.
|
||
Comment 6•12 years ago
|
||
What user impact does this bug have? Was this testcase reduced from a popular website? Or do we expect it to affect websites?
|
|
||
Comment 7•12 years ago
|
||
Cannot reproduce on release builds because this is an assertion failure.
|
|
Reporter | |
Comment 8•12 years ago
|
||
This testcase was reduced from something the fuzzer dreamed up.
|
|
||
Comment 9•12 years ago
|
||
In release builds the failure would manifest by random calls from JS silently terminating the JS execution without actually throwing an exception the web page can catch.
|
|
||
Comment 10•12 years ago
|
||
I thought js_ReportUncaughtException will be called only when the web page didn't catch the exception. Is it wrong?
|
|
Reporter | |
Comment 11•12 years ago
|
||
"random" in what way?
|
|
||
Comment 12•12 years ago
|
||
"random" in the sense that it's impossible for the page author to predict which call will fail. Basically, the first one after someone doesn't report (via returning false) a pending exception...
> I thought js_ReportUncaughtException will be called only when the web page didn't catch
> the exception. Is it wrong?
That's probably right; the problems start when an exception is pending but never thrown because a false return is swallowed.|
|
||
Comment 13•12 years ago
|
||
(In reply to Boris Zbarsky (:bz) from comment #12) > > I thought js_ReportUncaughtException will be called only when the web page didn't catch > > the exception. Is it wrong? > > That's probably right; the problems start when an exception is pending but > never thrown because a false return is swallowed. Even if the exception is thrown, it will not be visible from the Web page anyway. So I think this bug will not affect websites. Could you write a Web-visible STR?
|
|
||
Comment 14•12 years ago
|
||
I haven't looked into the code carefully enough. Does it currently guarantee that if it set an exception on the JSContext it will return false? If not, then it's definitely web-visible.
|
|
||
Comment 15•12 years ago
|
||
Not enough known user impact to warrant tracking for release. We'd accept a low-risk uplift, however.
|
|
Reporter | |
Comment 16•11 years ago
|
||
WFM on mozilla-central
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•