Closed Bug 1325551 Opened 8 years ago Closed 8 years ago

Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h:242

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
macOS
defect

Tracking

RESOLVED FIXED
mozilla54
Tracking Status
firefox51 --- wontfix
firefox52 --- wontfix
firefox-esr52 --- wontfix
firefox53 --- wontfix
firefox54 --- fixed

People

(Reporter: gkw, Assigned: jonco)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(4 files)

The following testcase crashes on mozilla-central revision 7083c0d30e75 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

    // jsfunfuzz-generated
    oomTest(function() {
        // Adapted from randomly chosen test: js/src/jit-test/tests/debug/Source-sourceMapURL-deprecated.js
        let g = newGlobal();
        let dbg = new Debugger;
        let gw = dbg.addDebuggee(g);
        g.eval("function f(){}");
        gw.makeDebuggeeValue(g.f).script.source.sourceMapURL = 'a';
    });

Backtrace:

    0 js-dbg-64-dm-clang-darwin-7083c0d30e75 0x0000000102318e87 js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 183 (jscntxtinlines.h:242)
    1 js-dbg-64-dm-clang-darwin-7083c0d30e75 0x0000000102318a46 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 598 (Interpreter.cpp:457)
    2 js-dbg-64-dm-clang-darwin-7083c0d30e75 0x000000010231a1da js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) + 330 (Interpreter.cpp:521)
    3 js-dbg-64-dm-clang-darwin-7083c0d30e75 0x000000010235dbf1 js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) + 1873 (NativeObject.cpp:2437)
    4 js-dbg-64-dm-clang-darwin-7083c0d30e75 0x000000010230ed24 Interpret(JSContext*, js::RunState&) + 29524 (Interpreter.cpp:259)
    /snip

For detailed crash information, see attachment.

autoBisect shows this is probably related to the following changeset:

    The first bad revision is:
    changeset: https://hg.mozilla.org/mozilla-central/rev/548a09b1a4e6
    user: Jon Coppeard
    date: Tue Nov 10 09:44:52 2015 +0000
    summary: Bug 1215063 - Add os.path.isAbsolute() and as.path.join() shell utilities r=sfink

Jon, not sure if bug 1215063 is the real regressor, is it?
Blocks: 1215063
Flags: needinfo?(jcoppeard)
I doubt it.

    (lldb) r
    Process 5761 launched: './default-build/shell' (x86_64)
    Assertion failure: !cx->isExceptionPending(), at /Users/jon/work/dev/js/src/jscntxtinlines.h:242
    Process 5761 stopped
    * thread #1: js::CallJSNative at jscntxtinlines.h:242
    Stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    0: js::CallJSNative at jscntxtinlines.h:242
       239      bool ok = native(cx, args.length(), args.base());
       240      if (ok) {
       241          assertSameCompartment(cx, args.rval());
    -> 242          MOZ_ASSERT_IF(!alreadyThrowing, !cx->isExceptionPending());
       243      }
       244      return ok;
       245  }
    (lldb) p native
    (js::Native) $0 = 0x0000000100979b10 (shell`DebuggerSource_setSourceMapURL(JSContext*, unsigned int, JS::Value*) at Debugger.cpp:7160)
    (lldb) p alreadyThrowing
    (bool) $1 = false
    (lldb) p cx->isExceptionPending()
    (bool) $2 = true

Looks like DebuggerSource_setSourceMapURL is returning true but with an exception pending.
Flags: needinfo?(jcoppeard)
Attached patch bug1325551-sourceMap-oom (deleted) — Splinter Review
Just need to check the return value of ScriptSource::setSourceMap.
Assignee: nobody → jcoppeard
Attachment #8823589 - Flags: review?(jimb)
Add MOZ_MUST_USE to ScriptSource class in appropriate places and fix the other issue this showed up.
Attachment #8823591 - Flags: review?(jimb)
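The failure mode diagnosed above and the two fixes (checking the return value, and marking the fallible method must-use), as an added C++ model that is not SpiderMonkey code. `Context`, `Source`, the two setter functions and `invariantHolds` are hypothetical stand-ins, and `[[nodiscard]]` stands in for `MOZ_MUST_USE`.

```cpp
#include <string>

// Constructed stand-in for JSContext: tracks only what this bug depends on.
struct Context {
    bool exceptionPending = false;
    bool failNextAlloc = false;  // simulated OOM trigger, like oomTest()
};

struct Source {
    std::string sourceMapURL;
    // [[nodiscard]] stands in for MOZ_MUST_USE: dropping the result warns.
    [[nodiscard]] bool setSourceMapURL(Context& cx, const std::string& url) {
        if (cx.failNextAlloc) {
            cx.exceptionPending = true;  // OOM reported on the context
            return false;
        }
        sourceMapURL = url;
        return true;
    }
};

using Native = bool (*)(Context&, Source&, const std::string&);

// Before the fix: the result is dropped, so success is reported after an OOM.
bool setterUnchecked(Context& cx, Source& s, const std::string& url) {
    (void)s.setSourceMapURL(cx, url);
    return true;
}

// After the fix: the failure is propagated to the caller.
bool setterChecked(Context& cx, Source& s, const std::string& url) {
    return s.setSourceMapURL(cx, url);
}

// Same invariant as the assertion in the lldb listing: a native that returns
// true must not leave an exception pending. Returns whether it held.
bool invariantHolds(Native native, bool injectOOM) {
    Context cx;
    Source s;
    cx.failNextAlloc = injectOOM;
    bool alreadyThrowing = cx.exceptionPending;
    bool ok = native(cx, s, "a");
    return !ok || alreadyThrowing || !cx.exceptionPending;
}

int main() {
    // Exit 0 when only the unchecked setter violates the invariant under OOM.
    return (!invariantHolds(setterUnchecked, true) && invariantHolds(setterChecked, true)) ? 0 : 1;
}
```

Removing the `(void)` cast in `setterUnchecked` makes the compiler warn about the discarded result, which is how a must-use annotation surfaces this class of bug at build time.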
Oops, forgot to attach the OOM_VERBOSE=1 stack.
Priority: -- → P1
Attachment #8823589 - Flags: review?(jimb) → review+
Comment on attachment 8823591 [details] [diff] [review] bug1325551-scriptSource-must-use Review of attachment 8823591 [details] [diff] [review]: ----------------------------------------------------------------- Looks good, except for the two search-and-replace stumbles. ::: js/src/jsscript.h @@ +513,5 @@ > > void addSizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf, > JS::ScriptSourceInfo* info) const; > > + MOZ_MUST_USE MOZ_MUST_USE bool setSource(ExclusiveContext* cx, This is a search-and-replace error, right? @@ +520,3 @@ > void setSource(SharedImmutableTwoByteString&& string); > > + MOZ_MUST_USE MOZ_MUST_USE bool setCompressedSource(ExclusiveContext* cx, Here as well.
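Review bot: the annotation is doubled (`MOZ_MUST_USE MOZ_MUST_USE bool`) on both the `setSource(ExclusiveContext* cx,` and `setCompressedSource(ExclusiveContext* cx,` declarations in js/src/jsscript.h; collapse each to a single `MOZ_MUST_USE` before landing. The `void setSource(SharedImmutableTwoByteString&& string);` overload in the context lines returns nothing, so it is right that it stays unannotated.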
Attachment #8823591 - Flags: review?(jimb) → review+
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/086495e41690
Check return value of ScriptSource::setSourceMapURL r=jimb
https://hg.mozilla.org/integration/mozilla-inbound/rev/2e232a53e2db
Add MOZ_MUST_USE to ScriptSource r=jimb
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Blocks: 1074745
No longer blocks: 1215063
Jon says on IRC that this is rare enough in practice that it can ride the trains.