Closed Bug 991074 Opened 10 years ago Closed 10 years ago

Assertion failure: JS_IsExceptionPending(cx), at ./EventListenerBinding.cpp:24

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
Linux
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla31

People

(Reporter: smaug, Assigned: smaug)

References

Details

Attachments

(2 files)

Load the test case for https://bugzilla.mozilla.org/show_bug.cgi?id=717488

Haven't yet looked at the code to see whether there is something security sensitive.

#0  0x00000034dc4bc98d in nanosleep () from /lib64/libc.so.6
#1  0x00000034dc4bc824 in sleep () from /lib64/libc.so.6
#2  0x00007fcc1960eefd in ah_crap_handler (signum=11) at /home/smaug/mozilla/hg/push-m-i/toolkit/xre/nsSigHandlers.cpp:88
#3  0x00007fcc1961d471 in nsProfileLock::FatalSignalHandler (signo=11, info=0x7fff31ddefb0, context=0x7fff31ddee80) at /home/smaug/mozilla/hg/push-m-i/profile/dirserviceprovider/src/nsProfileLock.cpp:185
#4  0x00007fcc1a6d909f in AsmJSFaultHandler (signum=11, info=0x7fff31ddefb0, context=0x7fff31ddee80) at /home/smaug/mozilla/hg/push-m-i/js/src/jit/AsmJSSignalHandlers.cpp:970
#5  <signal handler called>
#6  mozilla::dom::EventListener::HandleEvent (this=0x7fcbf869bdc0, cx=0x7fcc1ddf18c0, aThisVal=..., event=..., aRv=...) at ./EventListenerBinding.cpp:24
#7  0x00007fcc17ec555d in mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*> (this=0x7fcbf869bdc0, thisObjPtr=@0x7fff31ddf8f0: 0x7fcbfab55080, event=..., aRv=..., 
    aExceptionHandling=mozilla::dom::CallbackObject::eReportExceptions) at ../../dist/include/mozilla/dom/EventListenerBinding.h:53
#8  0x00007fcc17ebd436 in mozilla::EventListenerManager::HandleEventSubType (this=0x7fcbfab51840, aListener=0x7fcbfdf72638, aDOMEvent=0x7fcbe9d95d60, aCurrentTarget=0x7fcbfab55080)
    at /home/smaug/mozilla/hg/push-m-i/dom/events/EventListenerManager.cpp:952
#9  0x00007fcc17ebd796 in mozilla::EventListenerManager::HandleEventInternal (this=0x7fcbfab51840, aPresContext=0x0, aEvent=0x7fcbebc37640, aDOMEvent=0x7fff31ddfc88, aCurrentTarget=0x7fcbfab55080, 
    aEventStatus=0x7fff31ddfc90) at /home/smaug/mozilla/hg/push-m-i/dom/events/EventListenerManager.cpp:1016
#10 0x00007fcc17ed6299 in mozilla::EventListenerManager::HandleEvent (this=0x7fcbfab51840, aPresContext=0x0, aEvent=0x7fcbebc37640, aDOMEvent=0x7fff31ddfc88, aCurrentTarget=0x7fcbfab55080, 
    aEventStatus=0x7fff31ddfc90) at ../../dist/include/mozilla/EventListenerManager.h:327
#11 0x00007fcc17ec3f1f in mozilla::EventTargetChainItem::HandleEvent (this=0x7fcbf105b170, aVisitor=..., aCd=...) at /home/smaug/mozilla/hg/push-m-i/dom/events/EventDispatcher.cpp:196
#12 0x00007fcc17eb761b in mozilla::EventTargetChainItem::HandleEventTargetChain (aChain=..., aVisitor=..., aCallback=0x0, aCd=...) at /home/smaug/mozilla/hg/push-m-i/dom/events/EventDispatcher.cpp:265
#13 0x00007fcc17eb8f65 in mozilla::EventDispatcher::Dispatch (aTarget=0x7fcbebc28000, aPresContext=0x0, aEvent=0x7fcbebc37640, aDOMEvent=0x7fcbe9d95d60, aEventStatus=0x0, aCallback=0x0, aTargets=0x0)
    at /home/smaug/mozilla/hg/push-m-i/dom/events/EventDispatcher.cpp:597
#14 0x00007fcc17e9e678 in mozilla::EventDispatcher::DispatchDOMEvent (aTarget=0x7fcbebc28000, aEvent=0x0, aDOMEvent=0x7fcbe9d95d60, aPresContext=0x0, aEventStatus=0x0)
    at /home/smaug/mozilla/hg/push-m-i/dom/events/EventDispatcher.cpp:661
#15 0x00007fcc182cf121 in nsDocument::DispatchPageTransition (this=0x7fcbf89ed800, aDispatchTarget=0x7fcbebc28000, aType=..., aPersisted=false)
    at /home/smaug/mozilla/hg/push-m-i/content/base/src/nsDocument.cpp:8710
#16 0x00007fcc182cf4a6 in nsDocument::OnPageShow (this=0x7fcbf89ed800, aPersisted=false, aDispatchStartTarget=0x0) at /home/smaug/mozilla/hg/push-m-i/content/base/src/nsDocument.cpp:8778
#17 0x00007fcc18c8e43b in nsDocumentViewer::LoadComplete (this=0x7fcbe9d90bd0, aStatus=NS_OK) at /home/smaug/mozilla/hg/push-m-i/layout/base/nsDocumentViewer.cpp:1022
#18 0x00007fcc19326bb9 in nsDocShell::EndPageLoad (this=0x7fcbeb9a5400, aProgress=0x7fcbeb9a5428, aChannel=0x7fcbe9d909c0, aStatus=NS_OK) at /home/smaug/mozilla/hg/push-m-i/docshell/base/nsDocShell.cpp:6984
#19 0x00007fcc193250c4 in nsDocShell::OnStateChange (this=0x7fcbeb9a5400, aProgress=0x7fcbeb9a5428, aRequest=0x7fcbe9d909c0, aStateFlags=131088, aStatus=NS_OK)
    at /home/smaug/mozilla/hg/push-m-i/docshell/base/nsDocShell.cpp:6775
#20 0x00007fcc193254c5 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) (this=0x7fcbeb9a5560, aProgress=0x7fcbeb9a5428, aRequest=0x7fcbe9d909c0, 
    aStateFlags=131088, aStatus=NS_OK) at /home/smaug/mozilla/hg/push-m-i/docshell/base/nsDocShell.cpp:6781
#21 0x00007fcc16d9508a in nsDocLoader::DoFireOnStateChange (this=0x7fcbeb9a5400, aProgress=0x7fcbeb9a5428, aRequest=0x7fcbe9d909c0, aStateFlags=@0x7fff31de0d44: 131088, aStatus=NS_OK)
    at /home/smaug/mozilla/hg/push-m-i/uriloader/base/nsDocLoader.cpp:1329
#22 0x00007fcc16d94a9e in nsDocLoader::doStopDocumentLoad (this=0x7fcbeb9a5400, request=0x7fcbe9d909c0, aStatus=NS_OK) at /home/smaug/mozilla/hg/push-m-i/uriloader/base/nsDocLoader.cpp:863
#23 0x00007fcc16d9379b in nsDocLoader::DocLoaderIsEmpty (this=0x7fcbeb9a5400, aFlushLayout=true) at /home/smaug/mozilla/hg/push-m-i/uriloader/base/nsDocLoader.cpp:753
#24 0x00007fcc16d94579 in nsDocLoader::OnStopRequest (this=0x7fcbeb9a5400, aRequest=0x7fcbf7449280, aCtxt=0x0, aStatus=NS_OK) at /home/smaug/mozilla/hg/push-m-i/uriloader/base/nsDocLoader.cpp:637
#25 0x00007fcc16d948ed in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) (this=0x7fcbeb9a5408, aRequest=0x7fcbf7449280, aCtxt=0x0, aStatus=NS_OK)
    at Unified_cpp_uriloader_base0.cpp:640
#26 0x00007fcc1613d874 in nsLoadGroup::RemoveRequest (this=0x7fcbefd0a400, request=0x7fcbf7449280, ctxt=0x0, aStatus=NS_OK) at /home/smaug/mozilla/hg/push-m-i/netwerk/base/src/nsLoadGroup.cpp:689
#27 0x00007fcc182cee3a in nsDocument::DoUnblockOnload (this=0x7fcbf89ed800) at /home/smaug/mozilla/hg/push-m-i/content/base/src/nsDocument.cpp:8670
#28 0x00007fcc182cebf3 in nsDocument::UnblockOnload (this=0x7fcbf89ed800, aFireSync=true) at /home/smaug/mozilla/hg/push-m-i/content/base/src/nsDocument.cpp:8598
#29 0x00007fcc182be7b7 in nsDocument::DispatchContentLoadedEvents (this=0x7fcbf89ed800) at /home/smaug/mozilla/hg/push-m-i/content/base/src/nsDocument.cpp:4913
#30 0x00007fcc182f4548 in nsRunnableMethodImpl<void (nsDocument::*)(), void, true>::Run (this=0x7fcbf0d9ec40) at ../../../dist/include/nsThreadUtils.h:383
#31 0x00007fcc16025162 in nsThread::ProcessNextEvent (this=0x7fcc1dd16d40, mayWait=true, result=0x7fff31de16be) at /home/smaug/mozilla/hg/push-m-i/xpcom/threads/nsThread.cpp:694
#32 0x00007fcc15f1b168 in NS_ProcessNextEvent (thread=0x7fcc1dd16d40, mayWait=true) at /home/smaug/mozilla/hg/push-m-i/xpcom/glue/nsThreadUtils.cpp:263
#33 0x00007fcc184a16e1 in nsXMLHttpRequest::Send (this=0x7fcbeb9aa800, aVariant=0x0, aBody=...) at /home/smaug/mozilla/hg/push-m-i/content/base/src/nsXMLHttpRequest.cpp:2912

This is lovely.  The testcase purposefully gets us close to the recursion limit, then runs some code.  So we end up hitting the recursion limit again, with this stack:

#0  js_ReportOverRecursed (maybecx=0x10068dc60) at jscntxt.cpp:433
#1  0x0000000102bda319 in js::CallJSPropertyOp (cx=0x10068dc60, op=0x1054b8500 <mozilla::dom::PageTransitionEventBinding::_addProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>)>, receiver={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x7fff5f525eb8}, id={<js::HandleBase<jsid>> = {<No data fields>}, ptr = 0x7fff5f5250d8}, vp={<js::MutableHandleBase<JS::Value>> = {<js::MutableValueOperations<JS::MutableHandle<JS::Value> >> = {<js::ValueOperations<JS::MutableHandle<JS::Value> >> = {<No data fields>}, <No data fields>}, <No data fields>}, ptr = 0x7fff5f525108}) at jscntxtinlines.h:307
#2  0x0000000102b3faea in CallAddPropertyHook (cxArg=0x10068dc60, clasp=0x109b11360, obj={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x7fff5f525eb8}, shape={<js::HandleBase<js::Shape *>> = {<No data fields>}, ptr = 0x7fff5f525328}, nominal={<js::HandleBase<JS::Value>> = {<js::ValueOperations<JS::Handle<JS::Value> >> = {<No data fields>}, <No data fields>}, ptr = 0x102e07050}) at jsobj.cpp:3584
#3  0x0000000102b3f681 in DefinePropertyOrElement (cx=0x10068dc60, obj={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x7fff5f525eb8}, id={<js::HandleBase<jsid>> = {<No data fields>}, ptr = 0x7fff5f525bf0}, getter=0x122e22940, setter=0x102a63600 <JS_StrictPropertyStub(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, bool, JS::MutableHandle<JS::Value>)>, attrs=85, flags=0, value={<js::HandleBase<JS::Value>> = {<js::ValueOperations<JS::Handle<JS::Value> >> = {<No data fields>}, <No data fields>}, ptr = 0x102e07050}, callSetterAfterwards=false, setterIsStrict=false) at jsobj.cpp:3776
#4  0x0000000102b37eb0 in js::DefineNativeProperty (cx=0x10068dc60, obj={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x7fff5f525eb8}, id={<js::HandleBase<jsid>> = {<No data fields>}, ptr = 0x7fff5f525bf0}, value={<js::HandleBase<JS::Value>> = {<js::ValueOperations<JS::Handle<JS::Value> >> = {<No data fields>}, <No data fields>}, ptr = 0x102e07050}, getter=0x122e22940, setter=0x102a63600 <JS_StrictPropertyStub(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, bool, JS::MutableHandle<JS::Value>)>, attrs=85, flags=0, defineHow=0) at jsobj.cpp:3861
#5  0x0000000102b3e37b in js::baseops::DefineGeneric (cx=0x10068dc60, obj={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x7fff5f525eb8}, id={<js::HandleBase<jsid>> = {<No data fields>}, ptr = 0x7fff5f525bf0}, value={<js::HandleBase<JS::Value>> = {<js::ValueOperations<JS::Handle<JS::Value> >> = {<No data fields>}, <No data fields>}, ptr = 0x102e07050}, getter=0x122e22940, setter=0, attrs=85) at jsobj.cpp:3482
#6  0x0000000102b3e522 in JSObject::defineGeneric (cx=0x10068dc60, obj={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x7fff5f525eb8}, id={<js::HandleBase<jsid>> = {<No data fields>}, ptr = 0x7fff5f525bf0}, value={<js::HandleBase<JS::Value>> = {<js::ValueOperations<JS::Handle<JS::Value> >> = {<No data fields>}, <No data fields>}, ptr = 0x102e07050}, getter=0x122e22940, setter=0, attrs=85) at jsobj.cpp:3497
#7  0x0000000102a6bca3 in DefinePropertyById (cx=0x10068dc60, obj={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x7fff5f525eb8}, id={<js::HandleBase<jsid>> = {<No data fields>}, ptr = 0x7fff5f525bf0}, value={<js::HandleBase<JS::Value>> = {<js::ValueOperations<JS::Handle<JS::Value> >> = {<No data fields>}, <No data fields>}, ptr = 0x102e07050}, get=@0x109b172d0, set=@0x109b172e0, attrs=85, flags=0) at jsapi.cpp:2968
#8  0x0000000102a6c525 in DefineProperty (cx=0x10068dc60, obj={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x7fff5f525eb8}, name=0x1088264c6 "isTrusted", value={<js::HandleBase<JS::Value>> = {<js::ValueOperations<JS::Handle<JS::Value> >> = {<No data fields>}, <No data fields>}, ptr = 0x102e07050}, getter=@0x109b172d0, setter=@0x109b172e0, attrs=77, flags=0) at jsapi.cpp:3017
#9  0x0000000102a6d2d5 in JS_DefineProperties (cx=0x10068dc60, obj={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x7fff5f525eb8}, ps=0x109b172c0) at jsapi.cpp:3177
#10 0x0000000105821bcd in mozilla::dom::Define (cx=0x10068dc60, obj={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x7fff5f525eb8}, spec=0x109b172c0) at BindingUtils.cpp:292
#11 0x0000000105823b42 in mozilla::dom::DefinePrefable<JSPropertySpec const> (cx=0x10068dc60, obj={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x7fff5f525eb8}, props=0x109dddf40) at BindingUtils.cpp:309
#12 0x000000010581380d in mozilla::dom::DefineUnforgeableAttributes (cx=0x10068dc60, obj={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x7fff5f525eb8}, props=0x109dddf40) at BindingUtils.cpp:321
#13 0x00000001054b8be3 in mozilla::dom::PageTransitionEventBinding::Wrap (aCx=0x10068dc60, aScope={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x120b96ce8}, aObject=0x10fb9beb0, aCache=0x10fb9beb8) at PageTransitionEventBinding.cpp:514
#14 0x00000001054eccf4 in mozilla::dom::PageTransitionEventBinding::Wrap<mozilla::dom::PageTransitionEvent> (aCx=0x10068dc60, aScope={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x120b96ce8}, aObject=0x10fb9beb0) at PageTransitionEventBinding.h:101
#15 0x00000001054ecc5d in mozilla::dom::PageTransitionEvent::WrapObject (this=0x10fb9beb0, aCx=0x10068dc60, aScope={<js::HandleBase<JSObject *>> = {<No data fields>}, ptr = 0x120b96ce8}) at GeneratedEventClasses.h:206

So basically while setting up the JS wrapper for the event and in particular while defining the "isTrusted" prop on the event the JS engine does a recursion check and it fails.  This does NOT set a pending exception because it's doing the silly JS_ReportErrorNumber thing that sets a pending exception only if JS_IsRunning (because it uses JS_ReportErrorNumber), and we're sadly not running yet.

So the assert is catching a real bug; sadly that bug is "SpiderMonkey's handling of exceptions sucks".  I think Bobby is working on that....

In the meantime, I suppose we could loosen up (read: remove) the assert.  The behavior will be kinda broken in the sense that our error reporting might be off, but we can live with that if we have to.

I don't think this is security-sensitive.
Group: dom-core-security
Attached patch less asserts
Attachment #8400845 - Flags: review?(bzbarsky)
Comment on attachment 8400845 [details] [diff] [review]
less asserts

I would much rather we left these as:

  MOZ_ASSERT(true && JS_IsExceptionPending(cx));

with a pointer to the bug to remove the "true" bit, which should depend on bug 981187.

r=me with that
Attachment #8400845 - Flags: review?(bzbarsky) → review+
I assume s/&&/||/
Depends on: 991271
> I assume s/&&/||/

Er, yes.  ;)
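The mechanism described in comment 1 (a failed call that leaves no pending exception because JS_ReportErrorNumber only throws when script is running) and the interim `true || JS_IsExceptionPending(cx)` form agreed in review, as an added model that is not Gecko or SpiderMonkey code. `FakeContext`, `ReportErrorNumber`, `CheckRecursionLimit`, `WrapEvent`, `HandleEvent`, `RunModel` and `kRecursionLimit` are hypothetical stand-ins for the real functions named in the thread; the tiny recursion limit is constructed so the model trips it:

```cpp
// Added illustration, not Gecko code: a minimal model of why the assertion
// at EventListenerBinding.cpp:24 fired. All names below are hypothetical
// stand-ins for the SpiderMonkey / DOM-binding functions named in the bug.
#include <cassert>
#include <cstdio>

// Stand-in for JSContext: tracks whether script is "running" (JS_IsRunning)
// and whether an exception is pending (JS_IsExceptionPending).
struct FakeContext {
  bool running = false;
  bool exceptionPending = false;
  int depth = 0;
};

constexpr int kRecursionLimit = 4;  // constructed: tiny limit for the model

// Models the JS_ReportErrorNumber behaviour described in comment 1: the
// error becomes a pending exception only while script is running; before
// that it is merely reported, and the caller sees no exception.
void ReportErrorNumber(FakeContext& cx, const char* msg) {
  if (cx.running) {
    cx.exceptionPending = true;
  } else {
    std::fprintf(stderr, "reported, not thrown: %s\n", msg);
  }
}

// Models the recursion check (js_ReportOverRecursed in the second stack).
bool CheckRecursionLimit(FakeContext& cx) {
  if (cx.depth >= kRecursionLimit) {
    ReportErrorNumber(cx, "too much recursion");
    return false;
  }
  return true;
}

// Models PageTransitionEventBinding::Wrap: defining "isTrusted" on the
// wrapper runs the recursion check and fails when the stack is too deep.
bool WrapEvent(FakeContext& cx) { return CheckRecursionLimit(cx); }

enum class Outcome { Ok, FailedWithException, FailedSilently };

// Models the generated EventListener::HandleEvent. A failure with no pending
// exception is the case the original MOZ_ASSERT(JS_IsExceptionPending(cx))
// caught; the interim MOZ_ASSERT(true || JS_IsExceptionPending(cx)) from the
// review simply never fires, which is why the error reporting may be off.
Outcome HandleEvent(FakeContext& cx) {
  if (!WrapEvent(cx)) {
    return cx.exceptionPending ? Outcome::FailedWithException
                               : Outcome::FailedSilently;
  }
  return Outcome::Ok;
}

// Drive the model at a given stack depth, with script running or not yet
// running (the testcase parks the stack near the limit before the event).
Outcome RunModel(bool scriptRunning, int depth) {
  FakeContext cx;
  cx.running = scriptRunning;
  cx.depth = depth;
  return HandleEvent(cx);
}

const char* Describe(Outcome o) {
  switch (o) {
    case Outcome::Ok: return "ok";
    case Outcome::FailedWithException: return "failed, exception pending";
    default: return "failed, NO pending exception (assert would fire)";
  }
}

int main() {
  std::printf("below limit, not running : %s\n", Describe(RunModel(false, 0)));
  std::printf("at limit, script running : %s\n",
              Describe(RunModel(true, kRecursionLimit)));
  std::printf("at limit, not running    : %s\n",
              Describe(RunModel(false, kRecursionLimit)));
  return 0;
}
```

The third case is the one from the bug: the wrap fails at the recursion limit while nothing is running yet, so the failure is reported but not thrown, and a caller that checks only for a pending exception has nothing to find.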
https://hg.mozilla.org/mozilla-central/rev/479bf4aa1f97
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla31
Component: DOM → DOM: Core & HTML
