Closed Bug 1225078 Opened 9 years ago Closed 9 years ago

Assertion failure: cx->isExceptionPending(), at js/src/builtin/TestingFunctions.cpp:1169

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1219905
Tracking Flags:
Tracking Status
firefox45 --- affected

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,bisect])

The following testcase crashes on mozilla-central revision a8ed7dd831d1 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks --baseline-eager --ion-check-range-analysis --ion-eager): var g = newGlobal(); oomTest(() => quit(g)); Backtrace: Program terminated with signal SIGSEGV, Segmentation fault. #0 0x00000000007e91db in OOMTest (cx=0x7f33a0e06c00, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1169 #1 0x00000000009f3d32 in js::CallJSNative (cx=0x7f33a0e06c00, native=0x7e8e60 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235 #2 0x00000000009f0937 in js::Invoke (cx=cx@entry=0x7f33a0e06c00, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:394 #3 0x00000000009f1932 in js::Invoke (cx=cx@entry=0x7f33a0e06c00, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffa55672f8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:446 #4 0x0000000000c3b9bb in js::jit::DoCallFallback (cx=0x7f33a0e06c00, frame=0x7fffa5567338, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffa55672e8, res=...) at js/src/jit/BaselineIC.cpp:8748 #5 0x00007f33a2369f2f in ?? () [...] #26 0xfffc7f339df7cf40 in ?? () #27 0x00000000004c8a1a in malloc_mutex_unlock (mutex=0x8) at memory/mozjemalloc/jemalloc.c:1685 #28 arena_dalloc (ptr=<optimized out>, offset=<optimized out>) at memory/mozjemalloc/jemalloc.c:4720 Backtrace stopped: previous frame identical to this frame (corrupt stack?) rax 0x0 0 rbx 0x213 531 rcx 0x7f33a11bd88d 139859723016333 rdx 0x0 0 rsi 0x7f33a14929d0 139859725986256 rdi 0x7f33a14911c0 139859725980096 rbp 0x7fffa5566c80 140735967292544 rsp 0x7fffa5566ba0 140735967292320 r8 0x7f33a2502780 139859743221632 r9 0x6372732f736a2f6c 7165916604736876396 r10 0x7f33a148ebe0 139859725970400 r11 0x0 0 r12 0x7fffa5566c30 140735967292464 r13 0x3a991 240017 r14 0x7f33a0e06c00 139859719121920 r15 0x1b8901c 28872732 rip 0x7e91db <OOMTest(JSContext*, unsigned int, JS::Value*)+891> => 0x7e91db <OOMTest(JSContext*, unsigned int, JS::Value*)+891>: movl $0x491,0x0 0x7e91e6 <OOMTest(JSContext*, unsigned int, JS::Value*)+902>: callq 0x4aa760 <abort()>
No longer reproduces, fixed by bug 1219905.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.