Open
Bug 1926446
Opened 3 days ago
Updated 6 hours ago
Assertion failure: cx->isExceptionPending() || cx->isPropagatingForcedReturn() || cx->hadUncatchableException(), at vm/Interpreter.cpp:440
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
ASSIGNED
| Tracking | Status | |
|---|---|---|
| firefox-esr128 | --- | unaffected |
| firefox131 | --- | unaffected |
| firefox132 | --- | unaffected |
| firefox133 | --- | affected |
People
(Reporter: gkw, Assigned: jandem)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, reporter-external, testcase)
Attachments
(2 files)
streamCacheEntry(new ArrayBuffer()).getBuffer.apply(0, [0]);
439 MOZ_ASSERT(cx->isExceptionPending() || cx->isPropagatingForcedReturn() ||
(gdb) bt
#0 AssertExceptionResult (cx=cx@entry=0x7ffff6b39a00) at /home/yksubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:439
#1 0x00005555572df6cf in CallJSNative (cx=cx@entry=0x7ffff6b39a00, native=<optimized out>, reason=reason@entry=js::CallReason::FunCall, args=...) at /home/yksubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:533
#2 0x00005555572b7672 in js::InternalCallOrConstruct (cx=0x7ffff6b39a00, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::FunCall) at /home/yksubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:624
#3 0x00005555572b83a8 in InternalCall (cx=<optimized out>, args=..., reason=1490834688, reason@entry=js::CallReason::FunCall) at /home/yksubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:691
#4 0x00005555572b8599 in js::Call (cx=cx@entry=0x7ffff6b39a00, fval=fval@entry=..., thisv=..., args=..., rval=..., reason=reason@entry=js::CallReason::FunCall) at /home/yksubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:723
#5 0x0000555557537fb5 in js::fun_apply (cx=cx@entry=0x7ffff6b39a00, argc=<optimized out>, vp=<optimized out>) at /home/yksubu/trees/mozilla-central/js/src/vm/JSFunction.cpp:1104
#6 0x00005555572df665 in CallJSNative (cx=cx@entry=0x7ffff6b39a00, native=0x555557537ba0 <js::fun_apply(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Call, args=...) at /home/yksubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:528
#7 0x00005555572b7672 in js::InternalCallOrConstruct (cx=0x7ffff6b39a00, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call) at /home/yksubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:624
/snip
I'm going to guess that this is related to bug 1921780 again.
Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev c71b36339200.
Setting s-s just in case. Jan, did bug 1921780 likely expose the issue?
Flags: sec-bounty?
Flags: needinfo?(jdemooij)
|
||
Updated•3 days ago
|
Group: core-security → javascript-core-security
|
||
Comment 1•3 days ago
|
||
Set release status flags based on info from the regressing bug 1921780
status-firefox131:
--- → unaffected
status-firefox132:
--- → unaffected
status-firefox-esr128:
--- → unaffected
|
Assignee | |
Comment 2•7 hours ago
|
||
Just a problem with a testing function.
Group: javascript-core-security
|
|
Assignee | |
Comment 3•7 hours ago
|
||
|
||
Updated•7 hours ago
|
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•7 hours ago
|
Flags: needinfo?(jdemooij)
|
||
Updated•6 hours ago
|
Severity: -- → S4
Priority: -- → P1
You need to log in
before you can comment on or make changes to this bug.
Description
•