1930117 - Assertion failure: cx->isExceptionPending() || cx->isPropagatingForcedReturn() || cx->hadUncatchableException(), at vm/Interpreter.cpp:440

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: debug stack

var x = {};
function f(y, z) {
  if (!Object.hasOwn(x, y)) {
    m = undefined;
    if (z === 1) {
      m = { n: [] };
    }
    if (typeof z === "object" && Object.getOwnPropertyNames(z)[0] < 1) {
      m = new (function () {})();
      m.n = [0];
    }
    if (m == null) {
      return (function () {
        Object.defineProperty(x, 0, { __proto__: null, function() {} });
      })();
    }
    Object.defineProperty(x, y, { __proto__: null });
  }
  m.n[0];
}
f();
f();
f();
f();
f();
f();
f();
f("", 1);
f({}, [1]);
f();
for (
  let i = 4;
  (function () {
    f("3", 1);
    return i--;
  })();
) {}
oomTest(function () {
  Object.defineProperty();
});

(gdb) bt
#0  AssertExceptionResult (cx=cx@entry=0x7ffff6b36200) at /home/yksubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:439
#1  0x0000555557244ba5 in js::RunScript (cx=cx@entry=0x7ffff6b36200, state=...) at /home/yksubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:504
#2  0x0000555557245605 in js::InternalCallOrConstruct (cx=0x7ffff6b36200, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call) at /home/yksubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:660
#3  0x0000555557246458 in InternalCall (cx=<optimized out>, args=..., reason=1490442944, reason@entry=js::CallReason::Call) at /home/yksubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:695
#4  0x0000555557246649 in js::Call (cx=cx@entry=0x7ffff6b36200, fval=fval@entry=..., thisv=thisv@entry=..., args=..., rval=rval@entry=..., reason=reason@entry=js::CallReason::Call) at /home/yksubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:727
#5  0x00005555573ce053 in JS_CallFunction (cx=0x7ffff6b36200, obj=..., fun=..., args=..., rval=rval@entry=...) at /home/yksubu/trees/mozilla-central/js/src/vm/CallAndConstruct.cpp:74
/snip

I'm going to guess that this is related to bug 1921780 again.

Run with --fuzzing-safe --no-threads --fast-warmup --inlining-entry-threshold=8, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 3e6134136fe6.

Setting s-s just in case. Jan, did bug 1921780 likely expose the issue?

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1921780

Comment 2

[Jan de Mooij [:jandem]]

Thanks Gary. This is a missing ReportOutOfMemory call in ShapeListObject::create.

Comment 3

[Jan de Mooij [:jandem]]

Attachment: Bug 1930117 - Report OOM in ShapeListObject::create if registerObjectWithWeakPointers fails. r?jonco!

Comment 4

[Pulsebot]

Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/785316e29787
Report OOM in ShapeListObject::create if registerObjectWithWeakPointers fails. r=jonco

Comment 5

[agoloman]

https://hg.mozilla.org/mozilla-central/rev/785316e29787

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:jandem, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox133 to wontfix.

For more information, please visit BugBot documentation.