Bug 1208994 - Assertion failure: !cx->isExceptionPending(), at js/src/jsfriendapi.cpp:709 with OOM
Status: RESOLVED FIXED (opened 9 years ago, closed 9 years ago)
Categories: Core :: JavaScript Engine, defect
Target Milestone: mozilla44
| | Tracking | Status |
|---|---|---|
| firefox44 | --- | fixed |
People: Reporter: decoder, Assigned: jonco
References: Blocks 1 open bug
Details: Keywords: assertion, regression, testcase; Whiteboard: [jsbugmon:update]
Attachments (1 file): (deleted), patch; terrence: review+
The following testcase crashes on mozilla-central revision 6256ec9113c1 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --ion-extra-checks --ion-check-range-analysis):
function oomTest(f) {
    var i = 1;
    do {
        try {
            oomAtAllocation(i);
            f();
        } catch (e) {
            more = resetOOMFailure();
        }
        i++;
    } while(more);
}
evaluate(`
oomTest(() => getBacktrace({args: oomTest[load+1], locals: true, thisprops: true}));
`);
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000b6e4e6 in FormatFrame (showThisProps=true, showLocals=true, showArgs=false, num=0, buf=0x0, iter=..., cx=0x7ffff6907000) at js/src/jsfriendapi.cpp:709
#0 0x0000000000b6e4e6 in FormatFrame (showThisProps=true, showLocals=true, showArgs=false, num=0, buf=0x0, iter=..., cx=0x7ffff6907000) at js/src/jsfriendapi.cpp:709
#1 JS::FormatStackDump (cx=cx@entry=0x7ffff6907000, buf=buf@entry=0x0, showArgs=false, showLocals=true, showThisProps=true) at js/src/jsfriendapi.cpp:908
#2 0x00000000005ffd4e in GetBacktrace (cx=0x7ffff6907000, argc=<optimized out>, vp=0x7ffff47fc270) at js/src/builtin/TestingFunctions.cpp:2058
#3 0x0000000000705f32 in js::CallJSNative (cx=0x7ffff6907000, native=0x5ffd00 <GetBacktrace(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#4 0x00000000006fb163 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:768
#5 0x00000000006ece29 in Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:3072
#6 0x00000000006fa95b in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:709
#7 0x00000000006fb23f in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:786
#8 0x00000000006ece29 in Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:3072
#9 0x00000000006fa95b in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:709
#10 0x00000000007009d4 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907000, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=<optimized out>, evalInFrame=evalInFrame@entry=..., result=result@entry=0x7ffff47fc0a8) at js/src/vm/Interpreter.cpp:983
#11 0x0000000000700d29 in js::Execute (cx=cx@entry=0x7ffff6907000, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x7ffff47fc0a8) at js/src/vm/Interpreter.cpp:1018
#12 0x0000000000b650db in ExecuteScript (cx=cx@entry=0x7ffff6907000, scope=..., script=..., rval=0x7ffff47fc0a8) at js/src/jsapi.cpp:4379
#13 0x0000000000b651cf in JS_ExecuteScript (cx=cx@entry=0x7ffff6907000, scriptArg=..., scriptArg@entry=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:4404
#14 0x0000000000487150 in Evaluate (cx=0x7ffff6907000, argc=<optimized out>, vp=0x7ffff47fc0a8) at js/src/shell/js.cpp:1239
#15 0x0000000000705f32 in js::CallJSNative (cx=0x7ffff6907000, native=0x486b60 <Evaluate(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#16 0x00000000006fb163 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:768
#17 0x00000000006ece29 in Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:3072
#18 0x00000000006fa95b in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:709
#19 0x00000000007009d4 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907000, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=<optimized out>, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:983
#20 0x0000000000700d29 in js::Execute (cx=cx@entry=0x7ffff6907000, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:1018
#21 0x0000000000b650db in ExecuteScript (cx=cx@entry=0x7ffff6907000, scope=..., script=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4379
#22 0x0000000000b651fb in JS_ExecuteScript (cx=cx@entry=0x7ffff6907000, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4410
#23 0x00000000004288cb in RunFile (compileOnly=false, file=0x7ffff699ac00, filename=0x7fffffffdffb "min.js", cx=0x7ffff6907000) at js/src/shell/js.cpp:462
#24 Process (cx=cx@entry=0x7ffff6907000, filename=0x7fffffffdffb "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:580
#25 0x0000000000477324 in ProcessArgs (op=0x7fffffffda30, cx=0x7ffff6907000) at js/src/shell/js.cpp:5863
#26 Shell (envp=<optimized out>, op=0x7fffffffda30, cx=0x7ffff6907000) at js/src/shell/js.cpp:6161
#27 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6517
rax 0x0 0
rbx 0x0 0
rcx 0x7ffff6ca53cd 140737333842893
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffb4e0 140737488336096
rsp 0x7fffffffad00 140737488334080
r8 0x7ffff7fe0780 140737354008448
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffaac0 140737488333504
r11 0x7ffff6c27960 140737333328224
r12 0x7fffffffb520 140737488336160
r13 0x7fffffffaf50 140737488334672
r14 0x7ffff6907000 140737330049024
r15 0x7fffffffafe0 140737488334816
rip 0xb6e4e6 <JS::FormatStackDump(JSContext*, char*, bool, bool, bool)+4678>
=> 0xb6e4e6 <JS::FormatStackDump(JSContext*, char*, bool, bool, bool)+4678>: movl $0x2c5,0x0
0xb6e4f1 <JS::FormatStackDump(JSContext*, char*, bool, bool, bool)+4689>: callq 0x4974e0 <abort()>
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•9 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/a9f12b317316
user: Jon Coppeard
date: Wed Jul 01 18:53:04 2015 +0100
summary: Bug 1155618 - Don't retry memory allocation if we're simulating OOM r=terrence
This iteration took 195.111 seconds to run.
Comment 2•9 years ago (Assignee)
This is another instance of the problem where functions templated with AllowGC value NoGC are expected not only not to GC but also to not throw an exception if they fail.
Assignee: nobody → jcoppeard
Attachment #8666774 - Flags: review?(terrence)
Updated•9 years ago
Attachment #8666774 - Flags: review?(terrence) → review+
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
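The contract described in Comment 2, as an added example that is not part of the bug report and is not SpiderMonkey code: a simplified C++ model in which every name (Context, allocFlawed, allocChecked, dumpLeavesNoException, countViolations) is hypothetical. It sweeps the failing allocation index the way the oomTest testcase does and counts the runs that end with an exception still pending.

```cpp
// Added illustration: a simplified model, not SpiderMonkey source.
// Every name below is hypothetical.
#include <cstddef>
#include <cstdlib>

enum AllowGC { NoGC, CanGC };

struct Context {
    bool exceptionPending = false;
    std::size_t allocCount = 0;
    std::size_t failAt = 0;  // fail the Nth allocation, like oomAtAllocation(N)
    bool simulatedOOM() { return ++allocCount == failAt; }
};

// Flawed shape: reports OOM on the context even when instantiated with NoGC.
template <AllowGC allowGC>
void* allocFlawed(Context& cx, std::size_t n) {
    if (cx.simulatedOOM()) { cx.exceptionPending = true; return nullptr; }
    return std::malloc(n);
}

// Contract-respecting shape: NoGC fails silently, only CanGC reports.
template <AllowGC allowGC>
void* allocChecked(Context& cx, std::size_t n) {
    if (cx.simulatedOOM()) {
        if (allowGC == CanGC) cx.exceptionPending = true;
        return nullptr;
    }
    return std::malloc(n);
}

// Best-effort caller (think of a stack dumper): it uses the NoGC path, skips
// whatever it cannot allocate, and must finish with no exception pending.
template <void* (*Alloc)(Context&, std::size_t)>
bool dumpLeavesNoException(Context& cx) {
    for (int part = 0; part < 3; ++part) std::free(Alloc(cx, 64));
    return !cx.exceptionPending;
}

// oomTest-style sweep: fail allocation 1, 2, ... until a run sees no failure.
template <void* (*Alloc)(Context&, std::size_t)>
int countViolations() {
    int violations = 0;
    for (std::size_t i = 1;; ++i) {
        Context cx;
        cx.failAt = i;
        if (!dumpLeavesNoException<Alloc>(cx)) ++violations;
        if (cx.allocCount < i) return violations;  // OOM point never reached
    }
}
```

In a debug build the `!cx.exceptionPending` check is what an assertion such as `!cx->isExceptionPending()` enforces, so each counted violation corresponds to one allocation index at which the sweep would abort.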