Open Bug 1850516 Opened 1 year ago Updated 1 year ago

Assertion failure: cx->isExceptionPending(), at js/src/shell/js.cpp:1434

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

People

(Reporter: lukas.bernhard, Unassigned)

References

(Blocks 2 open bugs)

Details

Steps to reproduce:

On git commit e7b8d13b7513b6fbd97d69e882d7faeed05309d0 the attached sample asserts in the js-shell when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js

function f2() {
    function f4() {
        this.quit();
    }   
    f4();
}

Object.defineProperty(Uint8Array, Symbol.toPrimitive, { get: f2 }); 
const o18 = { 
    "stack": saveStack(),
    "cause": Uint8Array
};
const v15 = new Proxy(() => Uint8Array, {});
const t23 = bindToAsyncStack(v15, o18);
t23();

#0  0x000055555780119a in BoundToAsyncStack (cx=0x7ffff662e100, argc=0, vp=0x7ffff54e3090)
    at js/src/shell/js.cpp:1434
#1  0x00005555579d7a8c in CallJSNative (cx=0x7ffff662e100, 
    native=0x555557800dc0 <BoundToAsyncStack(JSContext*, unsigned int, JS::Value*)>, reason=js::CallReason::Call, 
    args=...) at js/src/vm/Interpreter.cpp:486
#2  0x00005555579ae923 in js::InternalCallOrConstruct (cx=0x7ffff662e100, args=..., construct=js::NO_CONSTRUCT, 
    reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:580
#3  0x00005555579af0a9 in InternalCall (cx=0x7ffff662e100, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:647
#4  0x00005555579aeee3 in js::CallFromStack (cx=0x7ffff662e100, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:652
#5  0x00005555579bd598 in js::Interpret (cx=0x7ffff662e100, state=...)
    at js/src/vm/Interpreter.cpp:3395
#6  0x00005555579ae2ff in MaybeEnterInterpreterTrampoline (cx=0x7ffff662e100, state=...)
    at js/src/vm/Interpreter.cpp:400
#7  0x00005555579adfc1 in js::RunScript (cx=0x7ffff662e100, state=...)
    at js/src/vm/Interpreter.cpp:458
#8  0x00005555579b04f1 in js::ExecuteKernel (cx=0x7ffff662e100, script=..., envChainArg=..., evalInFrame=..., result=...)
    at js/src/vm/Interpreter.cpp:845
#9  0x00005555579b0864 in js::Execute (cx=0x7ffff662e100, script=..., envChain=..., rval=...)
    at js/src/vm/Interpreter.cpp:877
#10 0x0000555557b71fff in ExecuteScript (cx=0x7ffff662e100, envChain=..., script=..., rval=...)
    at js/src/vm/CompilationAndEvaluation.cpp:494
#11 0x0000555557b72125 in JS_ExecuteScript (cx=0x7ffff662e100, scriptArg=...)
    at js/src/vm/CompilationAndEvaluation.cpp:518
#12 0x00005555578075ff in RunFile (cx=0x7ffff662e100, 
    filename=0x7ffff5507050 "../gecko-fuzzilli/modifiedStuff/crash_2023_08_29.js", file=0x7ffff766ac40, 
    compileMethod=CompileUtf8::DontInflate, compileOnly=false, fullParse=false)
    at js/src/shell/js.cpp:1099
#13 0x0000555557806e9c in Process (cx=0x7ffff662e100, 
    filename=0x7ffff5507050 "../gecko-fuzzilli/modifiedStuff/crash_2023_08_29.js", forceTTY=false, kind=FileScript)
    at js/src/shell/js.cpp:1679
#14 0x00005555577dffa7 in ProcessArgs (cx=0x7ffff662e100, op=0x7fffffffdd50)
    at js/src/shell/js.cpp:10740
#15 0x00005555577ce973 in Shell (cx=0x7ffff662e100, op=0x7fffffffdd50)
    at js/src/shell/js.cpp:10964
#16 0x00005555577c9716 in main (argc=3, argv=0x7fffffffdfb8) at js/src/shell/js.cpp:11396
Blocks: l11d-js-fuzzing
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Severity: -- → S3
Depends on: sm-runtime
Priority: -- → P3
Blocks: sm-runtime
No longer depends on: sm-runtime
You need to log in before you can comment on or make changes to this bug.