Closed Bug 1966657 Opened 5 months ago Closed 5 months ago

Assertion failure: !JS_IsExceptionPending(cx_), at vm/JSContext.h:1112 and various other similar asserts

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
140 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox138 --- unaffected
firefox139 --- unaffected
firefox140 --- verified

People

(Reporter: decoder, Assigned: yulia)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker])

Attachments

(3 files, 1 obsolete file)

The following testcase crashes on mozilla-central revision 20250515-907a3d528f5e (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

evalInWorker(`
  a = {
    then() {
      b
    }
  }
  Promise.any([a])
  c
`)

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555557268afa in js::LookupNameNoGC(JSContext*, js::PropertyName*, JSObject*, js::NativeObject**, js::PropertyResult*) ()
#1  0x000055555706dbd6 in bool js::GetEnvironmentName<(js::GetNameMode)0>(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) ()
#2  0x0000555557053771 in js::Interpret(JSContext*, js::RunState&) ()
#3  0x000055555703f112 in js::RunScript(JSContext*, js::RunState&) ()
#4  0x000055555703fbe6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#5  0x000055555704115c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#6  0x0000555557341ab1 in PromiseResolveThenableJob(JSContext*, unsigned int, JS::Value*) ()
#7  0x00005555570404b5 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#8  0x000055555703fbc0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#9  0x000055555704115c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#10 0x000055555716c70c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) ()
#11 0x000055555723fac5 in js::InternalJobQueue::runJobs(JSContext*) ()
#12 0x000055555723f334 in js::RunJobs(JSContext*) ()
#13 0x0000555556eea748 in RunShellJobs(JSContext*) ()
#14 0x0000555556f142f5 in WorkerMain(mozilla::UniquePtr<WorkerInput, JS::DeletePolicy<WorkerInput> >) ()
#15 0x0000555556f1489a in js::detail::ThreadTrampoline<void (&)(mozilla::UniquePtr<WorkerInput, JS::DeletePolicy<WorkerInput> >), mozilla::UniquePtr<WorkerInput, JS::DeletePolicy<WorkerInput> > >::Start(void*) ()
#16 0x0000555556f6cedd in set_alt_signal_stack_and_start(PthreadCreateParams*) ()
#17 0x00007ffff7bfa609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#18 0x00007ffff7b1f353 in clone () from /lib/x86_64-linux-gnu/libc.so.6

I am seeing a massive amount of these asserts, in all sorts of places, all with "isExceptionPending" in some way. Marking as fuzzblocker.

Attached file Testcase
Attachment #9487988 - Attachment filename: s.undefined → test.js

Verified bug as reproducible on mozilla-central 20250515084440-907a3d528f5e.
The bug appears to have been introduced in the following build range:

Start: c542d5f7eb5f9679132aca26973e1c44b9df9fca (20250513094746)
End: 51eb71b80c66cb6ed436ad34b425fb4dfd4339cf (20250513100724)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c542d5f7eb5f9679132aca26973e1c44b9df9fca&tochange=51eb71b80c66cb6ed436ad34b425fb4dfd4339cf

Whiteboard: [bugmon:update,bisect][fuzzblocker] → [bugmon:update,bisected,confirmed][fuzzblocker]

I'm going to guess that it was probably this patch.

Or part 14 when RunShellJobs was added after JS_ExecuteScript in WorkerMain, even when JS_ExecuteScript returned false.
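As an added illustration (not SpiderMonkey code), a toy C++ model of the WorkerMain ordering described above: `Context`, `executeScript`, `runJobs` and the two `workerMain` variants are constructed stand-ins for JSContext, JS_ExecuteScript, RunShellJobs and the promise job queue, assumed here only for the example. It shows why draining the job queue after a failed script trips the "no exception pending" invariant, and why gating on the return value avoids it.

```cpp
// Added example: a constructed model of the shell worker's driver loop.
// None of these types or functions are the real SpiderMonkey API.
#include <functional>
#include <vector>

struct Context {
  bool exceptionPending = false;                    // stands in for JS_IsExceptionPending(cx)
  std::vector<std::function<void(Context&)>> jobs;  // stands in for the promise job queue
  bool invariantViolated = false;                   // set where a debug build would assert
};

// Engine operations that may throw require no exception to be pending on entry;
// this mirrors the !JS_IsExceptionPending(cx_) assertion from the bug title.
static void requireNoPendingException(Context& cx) {
  if (cx.exceptionPending) cx.invariantViolated = true;
}

// Models the testcase: Promise.any([a]) enqueues a thenable job, then the
// unresolved `c` throws, so the script "returns false" with an exception pending.
static bool executeScript(Context& cx) {
  cx.jobs.push_back([](Context& c) {
    requireNoPendingException(c);  // the job's then() looks up `b`; lookup checks first
    c.exceptionPending = true;     // `b` is also unresolved, so the lookup would throw
  });
  cx.exceptionPending = true;      // ReferenceError for `c`
  return false;
}

static void runJobs(Context& cx) {
  for (auto& job : cx.jobs) job(cx);
  cx.jobs.clear();
}

// Regressed ordering: jobs run regardless of the script's result.
// Returns true only if no invariant was violated.
static bool workerMainBuggy(Context& cx) {
  executeScript(cx);  // return value ignored
  runJobs(cx);
  return !cx.invariantViolated;
}

// Fixed ordering (as in the landed patch): drain the queue only on success.
static bool workerMainFixed(Context& cx) {
  bool ok = executeScript(cx);
  if (ok) runJobs(cx);
  return !cx.invariantViolated;
}
```

In the fixed variant the ReferenceError stays pending for the caller to report and the job stays queued; the thenable's job is never entered with a stale exception.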

:yulia, since you are the author of the regressor, bug 1467846, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(ystartsev)
Assignee: nobody → ystartsev
Status: NEW → ASSIGNED
Flags: needinfo?(ystartsev)
Severity: -- → S3
Priority: -- → P1
Pushed by ystartsev@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0cf73230aa69 Only run shell jobs if JS_ExecuteScript returns true; r=iain
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 140 Branch

Verified bug as fixed on rev mozilla-central 20250522154927-814af0869083.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Attachment #9488323 - Attachment is obsolete: true
Duplicate of this bug: 1971067
