Closed
Bug 1296661
Opened 8 years ago
Closed 8 years ago
Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h:238 with OOM
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
mozilla52
People
(Reporter: decoder, Assigned: jonco)
References
(Blocks 2 open bugs)
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:])
Attachments (1 file)
patch (deleted): n.nethercote: review+; gchang: approval-mozilla-aurora+
The following testcase crashes on mozilla-central revision 0502bd9e025e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

lfLogBuffer = `
{ }
opts = new Proxy({loc: false}, {})
(Reflect.parse("0", opts))
`.split('\n')
lfCodeBuffer = ""
while (true) {
  line = lfLogBuffer.shift()
  loadFile(lfCodeBuffer)
  lfCodeBuffer += line + "\n"
}
function loadFile(lfVarx) oomTest(function() { eval(lfVarx) })

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000ac41b7 in js::CallJSNative (cx=0x7ffff692d000, native=0xc3af60 <reflect_parse(JSContext*, uint32_t, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:238
#0 0x0000000000ac41b7 in js::CallJSNative (cx=0x7ffff692d000, native=0xc3af60 <reflect_parse(JSContext*, uint32_t, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:238
#1 0x0000000000abafa5 in js::InternalCallOrConstruct (cx=0x7ffff692d000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:453
#2 0x0000000000ab0f0d in CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:504
#3 Interpret (cx=0x7ffff692d000, state=...) at js/src/vm/Interpreter.cpp:2881
#4 0x0000000000abadbe in js::RunScript (cx=0x7ffff692d000, state=...) at js/src/vm/Interpreter.cpp:399
#5 0x0000000000ac1602 in js::ExecuteKernel (cx=0x7ffff692d000, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffffffcd10) at js/src/vm/Interpreter.cpp:679
#6 0x00000000009fc861 in EvalKernel (cx=cx@entry=0x7ffff692d000, v=..., v@entry=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., scopeobj=..., scopeobj@entry=..., pc=<optimized out>, vp=vp@entry=...) at js/src/builtin/Eval.cpp:334
#7 0x00000000009fd381 in js::DirectEval (cx=0x7ffff692d000, v=..., vp=vp@entry=...) at js/src/builtin/Eval.cpp:451
#8 0x0000000000deb792 in js::jit::DoCallFallback (cx=0x7ffff692d000, frame=0x7fffffffcda8, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffcd58, res=...) at js/src/jit/BaselineIC.cpp:5966
#9 0x00007ffff7e4f08a in ?? ()
[...]
#41 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x0 0
rcx 0x7ffff6ca588d 140737333844109
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffb870 140737488337008
rsp 0x7fffffffb820 140737488336928
r8 0x7ffff7fe77c0 140737354037184
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffb5e0 140737488336352
r11 0x7ffff6c27ee0 140737333329632
r12 0x7fffef3541d8 140737206632920
r13 0x7fffffffb830 140737488336944
r14 0x7fffffffbc80 140737488338048
r15 0x7ffff692d000 140737330204672
rip 0xac41b7 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+695>
=> 0xac41b7 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+695>: movl $0xee,0x0
   0xac41c2 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+706>: callq 0x4bca20 <abort()>
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Comment 1•8 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Updated•8 years ago
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/9c365490d4ce
user: Jon Coppeard
date: Tue Oct 13 13:37:07 2015 +0100
summary: Bug 1212469 - Make oomTest() into a shell function r=nbp

Jon, this might go back prior to this changeset; I'm seemingly unable to get an OOM_VERBOSE stack, though I could reproduce the issue on m-c rev f0e6cc636021. Do you think you might be able to take a look? I found that this is hiding other issues, e.g. bug 1305197, by chance.
Flags: needinfo?(jcoppeard)
Assignee
Comment 3•8 years ago
The bug is caused by not checking the return value of defineProperty in NodeBuilder::setNodeLoc. I fixed this and added MOZ_MUST_USE everywhere in this file, although it didn't catch any more bugs.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8794775 -
Flags: review?(n.nethercote)
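To make the contract behind this fix concrete: the assertion in CallJSNative (`!cx->isExceptionPending()`) enforces that a native which returns true has left no exception pending, while a fallible helper such as defineProperty reports failure (OOM included) by setting a pending exception and returning false. Dropping that return value is exactly how a caller ends up returning true with an exception pending. The C++ below is an added example, not SpiderMonkey's code: `Context`, the allocation budget, `MUST_USE` and the two `setNodeLoc` variants are assumptions standing in for JSContext, oomTest, MOZ_MUST_USE and the buggy and fixed shapes of NodeBuilder::setNodeLoc.

```cpp
// Added example modelling the "true return implies no pending exception"
// contract that the CallJSNative assertion checks. Not SpiderMonkey code.
#include <map>
#include <string>

// Assumption: MOZ_MUST_USE is modelled with C++17 [[nodiscard]].
#define MUST_USE [[nodiscard]]

// Toy stand-in for JSContext: a pending-exception flag plus an OOM budget
// (the budget plays the role oomTest() plays in the shell).
struct Context {
  bool exceptionPending = false;          // models cx->isExceptionPending()
  int allocationsLeft = 0;                // allocations before simulated OOM
  std::map<std::string, int> object;      // the object being built

  bool tryAllocate() {
    if (allocationsLeft == 0) return false;   // simulated OOM
    --allocationsLeft;
    return true;
  }
};

// Fallible helper modelled on defineProperty: on OOM it reports the error
// by setting a pending exception and returning false.
MUST_USE bool defineProperty(Context& cx, const std::string& name, int value) {
  if (!cx.tryAllocate()) {
    cx.exceptionPending = true;
    return false;
  }
  cx.object[name] = value;
  return true;
}

// Buggy shape (hypothetical, mirrors the bug described in comment 3): the
// return value is discarded, so the function reports success even though an
// exception is now pending. With MOZ_MUST_USE the compiler warns here; the
// void cast silences that warning only to reproduce the defect.
bool setNodeLocBuggy(Context& cx) {
  (void)defineProperty(cx, "loc", 1);
  return true;
}

// Fixed shape: propagate the failure so the caller sees false together with
// the pending exception.
MUST_USE bool setNodeLocFixed(Context& cx) {
  if (!defineProperty(cx, "loc", 1)) return false;
  return true;
}

// The check CallJSNative performs: the boolean result and the pending
// exception state must agree.
bool nativeContractHolds(const Context& cx, bool ok) {
  return ok ? !cx.exceptionPending : cx.exceptionPending;
}

// Run one variant under a given allocation budget and report whether the
// contract held.
template <typename F>
bool runUnderBudget(F setNodeLoc, int budget) {
  Context cx;
  cx.allocationsLeft = budget;
  bool ok = setNodeLoc(cx);
  return nativeContractHolds(cx, ok);
}

bool buggyHoldsWithMemory() { return runUnderBudget(setNodeLocBuggy, 1); }
bool buggyHoldsUnderOOM()   { return runUnderBudget(setNodeLocBuggy, 0); }
bool fixedHoldsUnderOOM()   { return runUnderBudget(setNodeLocFixed, 0); }
```

With memory available both shapes behave identically, which is why the defect only surfaces under oomTest; with the budget exhausted the buggy shape returns true while an exception is pending (the state the assertion catches), and the fixed shape returns false with the exception pending, as the contract requires.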
Comment 4•8 years ago
Comment on attachment 8794775 [details] [diff] [review]
bug1296661-reflect-oom

Review of attachment 8794775 [details] [diff] [review]:
-----------------------------------------------------------------

All hail MOZ_MUST_USE.

::: js/src/builtin/ReflectParse.cpp
@@ +746,1 @@
> return true;

The second return is now unreachable. Please remove it.
Attachment #8794775 -
Flags: review?(n.nethercote) → review+
Updated•8 years ago
Blocks: use-nodiscard
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/aaa9737db07e
Use MOZ_MUST_USE in Reflect.parse implementation r=njn
Comment 6•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/aaa9737db07e
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox52: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Jon, do you mind backporting this to other branches, at least to mozilla-aurora? Thanks!
Flags: needinfo?(jcoppeard)
Assignee
Comment 8•8 years ago
Comment on attachment 8794775 [details] [diff] [review]
bug1296661-reflect-oom

Approval Request Comment
[Feature/regressing bug #]: Bug 569487.
[User impact if declined]: Reflect.parse returns the wrong result on OOM.
[Describe test coverage new/current, TreeHerder]: On m-c since 28th September.
[Risks and why]: Low
[String/UUID change made/needed]: None
Flags: needinfo?(jcoppeard)
Attachment #8794775 -
Flags: approval-mozilla-aurora?
Comment 9•8 years ago
Comment on attachment 8794775 [details] [diff] [review]
bug1296661-reflect-oom

Fix an assertion error related to JavaScript. Take it in 51 aurora.
Attachment #8794775 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 10•8 years ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-aurora/rev/fb559cc346a9