Closed Bug 1782496 Opened 2 years ago Closed 2 years ago

Assertion failure: module->status() != ModuleStatus::Linking && module->status() != ModuleStatus::Evaluating, at vm/Modules.cpp:1050

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
105 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox103 --- unaffected
firefox104 --- fixed
firefox105 --- verified

People

(Reporter: decoder, Assigned: jonco)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(3 files)

Detailed Crash Information
(deleted), text/plain
Details
Testcase
(deleted), text/plain
Details
Bug 1782496 - Handle uncatchable exceptions during module evaluation r?yulia
(deleted), text/x-phabricator-request
diannaS
: approval-mozilla-beta+
Details

The following testcase crashes on mozilla-central revision 20220801-4cf66fe9deb6 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

setInterruptCallback(function() {
    a();
})
function a() {
    import("javascript:null")
    interruptIf(true)
}
a();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555556f7c1c2 in js::ModuleLink(JSContext*, JS::Handle<js::ModuleObject*>) ()
#1  0x0000555556f7bebc in JS::ModuleLink(JSContext*, JS::Handle<JSObject*>) ()
#2  0x0000555556b8357f in js::shell::ModuleLoader::loadAndExecute(JSContext*, JS::Handle<JSString*>, JS::MutableHandle<JS::Value>) ()
#3  0x0000555556b860c0 in js::shell::ModuleLoader::tryDynamicImport(JSContext*, JS::Handle<JS::Value>, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#4  0x0000555556b85e7c in js::shell::ModuleLoader::doDynamicImport(JSContext*, JS::Handle<JS::Value>, JS::Handle<JSObject*>, JS::Handle<JSObject*>) ()
#5  0x0000555556b85a4b in js::shell::ModuleLoader::DynamicImportDelayFulfilled(JSContext*, unsigned int, JS::Value*) ()
#6  0x0000555556d38aa8 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#7  0x0000555556d381d8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#8  0x0000555556d39913 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#9  0x0000555556da525d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#10 0x000055555700cc47 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) ()
#11 0x0000555556d38aa8 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#12 0x0000555556d381d8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#13 0x0000555556d39913 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#14 0x0000555556e4595b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) ()
#15 0x0000555556f10e2c in js::InternalJobQueue::runJobs(JSContext*) ()
#16 0x0000555556f108c6 in js::RunJobs(JSContext*) ()
#17 0x0000555556bb75c8 in RunShellJobs(JSContext*) ()
#18 0x0000555556b97272 in Shell(JSContext*, js::cli::OptionParser*) ()
#19 0x0000555556b8f944 in main ()
rax	0x555555837649	93824995259977
rbx	0x7ffff602a100	140737320755456
rcx	0x555558295928	93825039685928
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffc110	140737488339216
rsp	0x7fffffffc090	140737488339088
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x7fffffffc1b0	140737488339376
r13	0x7fffffffc228	140737488339496
r14	0x7fffffffc170	140737488339312
r15	0x7fffffffc170	140737488339312
rip	0x555556f7c1c2 <js::ModuleLink(JSContext*, JS::Handle<js::ModuleObject*>)+562>
=> 0x555556f7c1c2 <_ZN2js10ModuleLinkEP9JSContextN2JS6HandleIPNS_12ModuleObjectEEE+562>:	movl   $0x41a,0x0
   0x555556f7c1cd <_ZN2js10ModuleLinkEP9JSContextN2JS6HandleIPNS_12ModuleObjectEEE+573>:	callq  0x555556c28070 <abort>
Attached file Detailed Crash Information (deleted) —
Attached file Testcase (deleted) —

This makes sure we still set the module state to evaluated when there's an
uncatchable exception. The module's error will be set to undefined, which is
not great but it will probably never be used in this case.

Assignee: nobody → jcoppeard
Status: NEW → ASSIGNED

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220801153341-bc1d41e88ae3.
The bug appears to have been introduced in the following build range:

Start: dbc1511287371ccf1ab171af71832ac1629f0342 (20220704181728)
End: 0cacfd0aec5df141fce767aef04cf6f4215fed76 (20220704184218)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=dbc1511287371ccf1ab171af71832ac1629f0342&tochange=0cacfd0aec5df141fce767aef04cf6f4215fed76

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9226460a36d8 Handle uncatchable exceptions during module evaluation r=yulia

Setting regressed_by field after analyzing regression range found by bugmon.

Regressed by: 1774454

Set release status flags based on info from the regressing bug 1774454

status-firefox103: --- → unaffected
status-firefox104: --- → affected
status-firefox-esr102: --- → unaffected
status-firefox-esr91: --- → unaffected

https://hg.mozilla.org/mozilla-central/rev/9226460a36d8

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox105: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220802160254-f788858ac268.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox105: fixedverified
Keywords: bugmon
Flags: in-testsuite+

Is there a user-facing impact here which would justify backport consideration?

Flags: needinfo?(jcoppeard)

Comment on attachment 9287967 [details]
Bug 1782496 - Handle uncatchable exceptions during module evaluation r?yulia

Beta/Release Uplift Approval Request

  • User impact if declined: Possible crash.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is a simple change, it's covered by tests and it's baked on central for 6 days.
  • String changes made/needed:
  • Is Android affected?: Yes
Flags: needinfo?(jcoppeard)
Attachment #9287967 - Flags: approval-mozilla-beta?

Comment on attachment 9287967 [details]
Bug 1782496 - Handle uncatchable exceptions during module evaluation r?yulia

Approved for 104.0b8

Attachment #9287967 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Regressions: 1802479
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: