Closed Bug 1263884 Opened 9 years ago Closed 9 years ago

Assertion failure: !cx->isExceptionPending(), at js/src/builtin/TestingFunctions.cpp:1316 with OOM

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla48
Tracking Flags:
Tracking Status
firefox48 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

OOM_VERBOSE=1 stack from m-c rev 8630367f5e3f
(deleted), text/plain
Details
bug1263884-shape-table-oom
(deleted), patch
jandem
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision 29d5a4175c8b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --baseline-eager --ion-offthread-compile=off): oomTest(function() { eval(` var argObj = function () { return arguments }() for (var p in argObj); delete argObj.callee; `); }); Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x0000000000bdaff0 in OOMTest (cx=0x7ffff6908800, argc=<optimized out>, vp=0x7fffffffcbb8) at js/src/builtin/TestingFunctions.cpp:1316 #0 0x0000000000bdaff0 in OOMTest (cx=0x7ffff6908800, argc=<optimized out>, vp=0x7fffffffcbb8) at js/src/builtin/TestingFunctions.cpp:1316 #1 0x0000000000a908c2 in js::CallJSNative (cx=0x7ffff6908800, native=0xbda990 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235 #2 0x0000000000a8cdc7 in js::Invoke (cx=cx@entry=0x7ffff6908800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:476 #3 0x00000000006172f1 in js::jit::DoCallFallback (cx=0x7ffff6908800, frame=0x7fffffffcc08, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffcbb8, res=...) at js/src/jit/BaselineIC.cpp:6115 #4 0x00007ffff7ff1a1f in ?? () [...] #30 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x8c9 2249 rcx 0x7ffff6ca588d 140737333844109 rdx 0x0 0 rsi 0x7ffff6f7a9d0 140737336814032 rdi 0x7ffff6f791c0 140737336807872 rbp 0x7fffffffc6e0 140737488340704 rsp 0x7fffffffc610 140737488340496 r8 0x7ffff7fdf7c0 140737354004416 r9 0x6372732f736a2f6c 7165916604736876396 r10 0x7fffffffc3d0 140737488339920 r11 0x7ffff6c27ee0 140737333329632 r12 0x1c041c0 29376960 r13 0x1c7df78 29876088 r14 0x2b71fd 2847229 r15 0x7ffff6908800 140737330055168 rip 0xbdaff0 <OOMTest(JSContext*, unsigned int, JS::Value*)+1632> => 0xbdaff0 <OOMTest(JSContext*, unsigned int, JS::Value*)+1632>: movl $0x524,0x0 0xbdaffb <OOMTest(JSContext*, unsigned int, JS::Value*)+1643>: callq 0x4ab6f0 <abort()>
Since js::DeletePropertyJit is on the stack, setting needinfo? from Jan and Jon as a start.
Flags: needinfo?(jdemooij)
Flags: needinfo?(jcoppeard)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attached patch bug1263884-shape-table-oom (deleted) — Splinter Review
Make ShapeTable::change not report OOM and report in the caller where it's required.
Flags: needinfo?(jdemooij)
Attachment #8741812 - Flags: review?(jdemooij)
Comment on attachment 8741812 [details] [diff] [review] bug1263884-shape-table-oom Review of attachment 8741812 [details] [diff] [review]: ----------------------------------------------------------------- LGTM.
Attachment #8741812 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/77279d5587f2
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox48: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: