Found while fuzzing m-c 20230211-b6bf621975fb (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip

Assertion failure: !aArgument.IsUncatchableException() (Doesn't make sense to convert uncatchable exception to a JS value!), at /builds/worker/checkouts/gecko/dom/bindings/ToJSValue.cpp:55

#0 0x7fde7d389f4f in mozilla::dom::ToJSValue(JSContext*, mozilla::ErrorResult&&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/dom/bindings/ToJSValue.cpp:53:3
#1 0x7fde7a216a4a in void mozilla::dom::Promise::MaybeSomething<mozilla::ErrorResult>(mozilla::ErrorResult&&, void (mozilla::dom::Promise::*)(JSContext*, JS::Handle<JS::Value>)) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise.h:423:10
#2 0x7fde7ef694b3 in MaybeReject /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise.h:116:5
#3 0x7fde7ef694b3 in mozilla::dom::Promise::CreateRejectedWithErrorResult(nsIGlobalObject*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/promise/Promise.cpp:1063:18
#4 0x7fde7efbe767 in PromisifyAlgorithm<(lambda at /builds/worker/checkouts/gecko/dom/streams/TransformerCallbackHelpers.cpp:94:7)> /builds/worker/checkouts/gecko/dom/streams/StreamUtils.h:39:12
#5 0x7fde7efbe767 in mozilla::dom::TransformerAlgorithmsWrapper::TransformCallback(JSContext*, JS::Handle<JS::Value>, mozilla::dom::TransformStreamDefaultController&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/TransformerCallbackHelpers.cpp:92:10
#6 0x7fde7efb86e5 in mozilla::dom::TransformStreamDefaultControllerPerformTransform(JSContext*, mozilla::dom::TransformStreamDefaultController*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/TransformStream.cpp:176:19
#7 0x7fde7efb39c1 in mozilla::dom::TransformStreamUnderlyingSinkAlgorithms::WriteCallback(JSContext*, JS::Handle<JS::Value>, mozilla::dom::WritableStreamDefaultController&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/TransformStream.cpp:303:12
#8 0x7fde7efca0c5 in WritableStreamDefaultControllerProcessWrite /builds/worker/checkouts/gecko/dom/streams/WritableStreamDefaultController.cpp:311:19
#9 0x7fde7efca0c5 in mozilla::dom::streams_abstract::WritableStreamDefaultControllerAdvanceQueueIfNeeded(JSContext*, mozilla::dom::WritableStreamDefaultController*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/WritableStreamDefaultController.cpp:429:3
#10 0x7fde7efca43f in mozilla::dom::streams_abstract::WritableStreamDefaultControllerWrite(JSContext*, mozilla::dom::WritableStreamDefaultController*, JS::Handle<JS::Value>, double, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/WritableStreamDefaultController.cpp:489:3
#11 0x7fde7efcbeb0 in mozilla::dom::streams_abstract::WritableStreamDefaultWriterWrite(JSContext*, mozilla::dom::WritableStreamDefaultWriter*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/WritableStreamDefaultWriter.cpp:334:3
#12 0x7fde7efa2f89 in mozilla::dom::PipeToPump::OnReadFulfilled(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/ReadableStreamPipeTo.cpp:605:7
#13 0x7fde7efaf785 in mozilla::dom::PipeToReadRequest::ChunkSteps(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/ReadableStreamPipeTo.cpp:637:17
#14 0x7fde7ef8ef76 in mozilla::dom::streams_abstract::ReadableStreamFulfillReadRequest(JSContext*, mozilla::dom::ReadableStream*, JS::Handle<JS::Value>, bool, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/ReadableStream.cpp:618:16
#15 0x7fde7ef907df in mozilla::dom::streams_abstract::ReadableByteStreamControllerEnqueue(JSContext*, mozilla::dom::ReadableByteStreamController*, JS::Handle<JSObject*>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/ReadableByteStreamController.cpp:901:7
#16 0x7fde7ef99a0d in mozilla::dom::ReadableStream::EnqueueNative(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/streams/ReadableStream.cpp:1245:3
#17 0x7fde7baeac3e in mozilla::dom::BodyStream::EnqueueChunkWithSizeIntoStream(JSContext*, mozilla::dom::ReadableStream*, unsigned long, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/BodyStream.cpp:416:12
#18 0x7fde7baeb0aa in mozilla::dom::BodyStream::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/checkouts/gecko/dom/base/BodyStream.cpp:467:3
#19 0x7fde7a072c91 in mozilla::NonBlockingAsyncInputStream::RunAsyncWaitCallback(mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable*, already_AddRefed<nsIInputStreamCallback>) /builds/worker/checkouts/gecko/xpcom/io/NonBlockingAsyncInputStream.cpp:383:13
#20 0x7fde7a071edf in mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable::Run() /builds/worker/checkouts/gecko/xpcom/io/NonBlockingAsyncInputStream.cpp:33:14
#21 0x7fde7eef5bd9 in mozilla::dom::(anonymous namespace)::ExternalRunnableWrapper::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:201:37
#22 0x7fde7eee7a0e in mozilla::dom::WorkerRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377:12
#23 0x7fde7a0f9622 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1233:16
#24 0x7fde7a0ff9ad in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#25 0x7fde7eed5d94 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3276:7
#26 0x7fde7eebcc4d in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2043:42
#27 0x7fde7a0f9622 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1233:16
#28 0x7fde7a0ff9ad in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#29 0x7fde7ad5378a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#30 0x7fde7ac73fc8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#31 0x7fde7ac73ed1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#32 0x7fde7ac73ed1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#33 0x7fde7a0f49c7 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
#34 0x7fde8d2e7c86 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#35 0x7fde8db90b42 in start_thread nptl/pthread_create.c:442:8
#36 0x7fde8dc229ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Verified bug as reproducible on mozilla-central 20230310043207-5e19883ea716.
The bug appears to have been introduced in the following build range:

Start: 279b2c645e5304b99b27cce3a5e8e4efa2f1ae4c (20221217021211)
End: 4f78238d4673be434f4eeff99eb515f31baf6630 (20221217164420)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=279b2c645e5304b99b27cce3a5e8e4efa2f1ae4c&tochange=4f78238d4673be434f4eeff99eb515f31baf6630

I don't think the range in comment #1 has any patch that can affect desktop behavior as all of the them are about backouts, test changes, etc.

Based on comment #1, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:saschanaz, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit auto_nag documentation.

The problem has been there since TextEncoderStream (and TransformerAlgorithmsWrapper) is implemented.

Set release status flags based on info from the regressing bug 1486949

https://hg.mozilla.org/mozilla-central/rev/703562db4aa2

The patch landed in nightly and beta is affected.
:saschanaz, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox112 to wontfix.

For more information, please visit auto_nag documentation.

Comment on attachment 9323178 [details]
Bug 1821563 - Do not create a promise from an uncatchable exception r=smaug,mgaudet

Beta/Release Uplift Approval Request

• User impact if declined: A crash may happen when a worker is terminated while using text encoder.
• Is this code covered by automated tests?: Yes
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): This allows uncatchable exceptions to be propagated from TextEncodingStream via ErrorResult, just as it traditionally has been.
• String changes made/needed:
• Is Android affected?: Yes

Unable to reproduce bug 1821563 using build mozilla-central 20230211094336-b6bf621975fb. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Hey Jason, can the bot be retriggered by the testcase in https://hg.mozilla.org/mozilla-central/rev/703562db4aa2 ? That one should be more stable to repro.

Edit: of course only if it's any worth to do that.

Verified bug as fixed on rev mozilla-central 20230316092607-7954e1671be3.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Thanks!

Comment on attachment 9323178 [details]
Bug 1821563 - Do not create a promise from an uncatchable exception r=smaug,mgaudet

Approved for 112.0b4

https://hg.mozilla.org/releases/mozilla-beta/rev/e4d945ff95b3