Closed Bug 1115246 Opened 10 years ago Closed 10 years ago

Assertion failure: !cx->isExceptionPending(), at jscntxtinlines.h

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla37
Tracking Flags:
Tracking Status
firefox37 --- affected

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:testComment=4])

Attachments

(2 files)

stack
(deleted), text/plain
Details
patch
(deleted), patch
jandem
: review+
Details | Diff | Splinter Review
var x = Object.toString() function z() { if (/x/) {} }; // Randomly chosen test: js/src/tests/ecma/GlobalObject/15.1-1-n.js // -- reduced away -- // Randomly chosen test: js/src/jit-test/tests/basic/testBug756919.js try { eval(` gcparam("maxBytes", gcparam("gcBytes") + 1); function f() { var y = ""; function g() {} f(); eval(); } f(); `) } catch (e) {}; // Randomly chosen test: js/src/jit-test/tests/basic/testMultipleArgumentsObjects.js try { load("a.js"); } catch (e) {} // Randomly chosen test: js/src/jit-test/tests/self-hosting/alternate-static-and-instance-array-extras.js // -- reduced away -- // Randomly chosen test: js/src/jit-test/tests/closures/incr-exit-3.js // -- reduced away -- and a.js is: function g() { x = arguments; function f(e, which) { var args = [x, arguments] return args[which][0] } m = [0, 0, 1] for (i = 0; i < 3; i++) { m[i] = f("f", m[i]) } return m.toString() } assertEq(g(), ",,f") asserts js debug shell on m-c changeset b17e7747d3fb with --fuzzing-safe --no-threads --no-ion at Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h. Debug configure options: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests This was found by combining random js tests together with jsfunfuzz, the specific file(s) is/are: http://hg.mozilla.org/mozilla-central/file/b17e7747d3fb/js/src/tests/ecma/GlobalObject/15.1-1-n.js http://hg.mozilla.org/mozilla-central/file/b17e7747d3fb/js/src/jit-test/tests/basic/testBug756919.js http://hg.mozilla.org/mozilla-central/file/b17e7747d3fb/js/src/jit-test/tests/basic/testMultipleArgumentsObjects.js http://hg.mozilla.org/mozilla-central/file/b17e7747d3fb/js/src/jit-test/tests/self-hosting/alternate-static-and-instance-array-extras.js http://hg.mozilla.org/mozilla-central/file/b17e7747d3fb/js/src/jit-test/tests/closures/incr-exit-3.js autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/9605a571ca8a user: Brian Hackett date: Tue Aug 19 22:25:37 2014 -0800 summary: Bug 934450 - Allow objects to have copy on write elements, r=billm,jandem. Brian, not sure if bug 934450 is the actual regressor here. Thoughts?
Flags: needinfo?(bhackett1024)
Attached file stack (deleted) —
(lldb) bt 5 * thread #1: tid = 0x98eab, 0x00000001006311ce js-dbg-opt-64-dm-nsprBuild-darwin-b17e7747d3fb`js::Invoke(cx=<unavailable>, args=<unavailable>, construct=<unavailable>) + 1262 at Interpreter.cpp:471, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0) * frame #0: 0x00000001006311ce js-dbg-opt-64-dm-nsprBuild-darwin-b17e7747d3fb`js::Invoke(cx=<unavailable>, args=<unavailable>, construct=<unavailable>) + 1262 at Interpreter.cpp:471 frame #1: 0x000000010064dfe0 js-dbg-opt-64-dm-nsprBuild-darwin-b17e7747d3fb`Interpret(cx=<unavailable>, state=<unavailable>) + 43632 at Interpreter.cpp:2561 frame #2: 0x0000000100643549 js-dbg-opt-64-dm-nsprBuild-darwin-b17e7747d3fb`js::RunScript(cx=0x0000000101b149e0, state=0x00007fff5fbff178) + 345 at Interpreter.cpp:452 frame #3: 0x000000010062c66d js-dbg-opt-64-dm-nsprBuild-darwin-b17e7747d3fb`js::ExecuteKernel(cx=0x0000000101b149e0, scopeChainArg=0x0000000101e5d060, thisv=<unavailable>, type=<unavailable>, result=<unavailable>, script=<unavailable>, evalInFrame=<unavailable>) + 925 at Interpreter.cpp:661 frame #4: 0x00000001006562c1 js-dbg-opt-64-dm-nsprBuild-darwin-b17e7747d3fb`js::Execute(cx=0x0000000101b149e0, scopeChainArg=<unavailable>, rval=0x0000000000000000, script=<unavailable>) + 433 at Interpreter.cpp:697 (lldb)
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
var x = Object.toString() function z() { if (/x/) {} }; // Randomly chosen test: js/src/tests/ecma/GlobalObject/15.1-1-n.js // -- reduced away -- // Randomly chosen test: js/src/jit-test/tests/basic/testBug756919.js try { eval(` gcparam("maxBytes", gcparam("gcBytes") + 1); function f() { var y = ""; function g() {} f(); eval(); } f(); `) } catch (e) {}; // Randomly chosen test: js/src/jit-test/tests/basic/testMultipleArgumentsObjects.js evaluate(` function g() { x = arguments; function f(e, which) { var args = [x, arguments]; return args[which][0] } m = [0, 0, 1]; for (i = 0; i < 3; i++) { m[i] = f("f", m[i]) } return m.toString() } assertEq(g(), ",,f") `, { compileAndGo: true }) // Randomly chosen test: js/src/jit-test/tests/self-hosting/alternate-static-and-instance-array-extras.js // -- reduced away -- // Randomly chosen test: js/src/jit-test/tests/closures/incr-exit-3.js // -- reduced away -- asserts js debug shell on m-c changeset b17e7747d3fb with --fuzzing-safe --no-threads --no-ion at Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h. This now has the load function removed. Thanks to :decoder for his help.
Whiteboard: [jsbugmon:] → [jsbugmon:update,testComment=4]
Whiteboard: [jsbugmon:update,testComment=4] → [jsbugmon:testComment=4]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Attached patch patch (deleted) — Splinter Review
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8541856 - Flags: review?(jdemooij)
Attachment #8541856 - Flags: review?(jdemooij) → review+
Helped to land this: https://hg.mozilla.org/integration/mozilla-inbound/rev/9878f361d7f7
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla37
Flags: in-testsuite?
Over IRC: 16:39 glandium: gkw, KWierso|sheriffduty: fwiw, that build error means that running xpcshell with MOZ_STARTUP_CACHE doesn't work properly 16:39 gkw: glandium: I see. Thanks!
https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=9878f361d7f7 has other failures. Oops.
Flags: needinfo?(bhackett1024)
Target Milestone: mozilla37 → ---
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #11) > https://treeherder.mozilla.org/#/jobs?repo=mozilla- > inbound&revision=9878f361d7f7 > > has other failures. Oops. More precisely, it broke everything bug Cpp unit tests.
(In reply to Mike Hommey [:glandium] (out from Dec 31 to Jan 5 incl.) from comment #12) > More precisely, it broke everything bug Cpp unit tests. s/everything bug/everything but/
Hmm, getConstantValue would also return false if it wasn't allowed to convert nested objects. This patch fixes this case by returning a magic value in such cases, so the return value is used consistently. https://hg.mozilla.org/integration/mozilla-inbound/rev/60bccc6ddd08
Flags: needinfo?(bhackett1024)
https://hg.mozilla.org/mozilla-central/rev/60bccc6ddd08
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Summary: Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h → Assertion failure: !cx->isExceptionPending(), at jscntxtinlines.h
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: