Closed Bug 1108826 Opened 10 years ago Closed 10 years ago

Assertion failure: !cx->asJSContext()->isExceptionPending(), at frontend/BytecodeCompiler.cpp

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1108824
Tracking Flags:
Tracking Status
firefox37 --- affected

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

stack
5.97 KB, text/plain
Details
// Randomly chosen test: js/src/jit-test/tests/jaeger/bug670885.js // -- reduced away -- // Randomly chosen test: js/src/jit-test/tests/bug793385.js try { gcparam("maxBytes", gcparam("gcBytes") + 1); function f() { f() } assertEq(f(), null) } catch (e) {} // Randomly chosen test: js/src/tests/js1_5/Regress/regress-230216-1.js (function() { try { x } catch (e) {} })() + ' ' eval('') // jsfunfuzz // -- reduced away -- asserts js debug shell on m-i changeset 917fafd942ae with --fuzzing-safe --no-threads --no-ion at Assertion failure: !cx->asJSContext()->isExceptionPending(), at frontend/BytecodeCompiler.cpp. Debug configure options: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-inbound/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests This was found by combining random js tests together with jsfunfuzz, the specific file(s) is/are: http://hg.mozilla.org/mozilla-central/file/917fafd942ae/js/src/jit-test/tests/jaeger/bug670885.js http://hg.mozilla.org/mozilla-central/file/917fafd942ae/js/src/jit-test/tests/bug793385.js http://hg.mozilla.org/mozilla-central/file/917fafd942ae/js/src/tests/js1_5/Regress/regress-230216-1.js autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/eae28492fdc6 user: Terrence Cole date: Thu Dec 04 09:41:12 2014 -0800 summary: Bug 1100493 - Call js_ReportOutOfMemory on all failure paths in refillFreeList; r=jorendorff Terrence, is bug 1100493 a likely regressor?
Flags: needinfo?(terrence)
Attached file stack
(lldb) bt 5 * thread #1: tid = 0x5ede22, 0x0000000100136f29 js-dbg-opt-64-dm-nsprBuild-darwin-917fafd942ae`js::frontend::CompileScript(js::ExclusiveContext*, js::LifoAlloc*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JSString*, unsigned int, js::SourceCompressionTask*) [inlined] js::NativeObject::getSlot(this=<unavailable>, slot=<unavailable>) const + 28 at NativeObject.h:742, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0) * frame #0: 0x0000000100136f29 js-dbg-opt-64-dm-nsprBuild-darwin-917fafd942ae`js::frontend::CompileScript(js::ExclusiveContext*, js::LifoAlloc*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JSString*, unsigned int, js::SourceCompressionTask*) [inlined] js::NativeObject::getSlot(this=<unavailable>, slot=<unavailable>) const + 28 at NativeObject.h:742 frame #1: 0x0000000100136f0d js-dbg-opt-64-dm-nsprBuild-darwin-917fafd942ae`js::frontend::CompileScript(js::ExclusiveContext*, js::LifoAlloc*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JSString*, unsigned int, js::SourceCompressionTask*) [inlined] js::NativeObject::getReservedSlot(this=<unavailable>, index=<unavailable>) const at NativeObject.h:845 frame #2: 0x0000000100136f0d js-dbg-opt-64-dm-nsprBuild-darwin-917fafd942ae`js::frontend::CompileScript(js::ExclusiveContext*, js::LifoAlloc*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JSString*, unsigned int, js::SourceCompressionTask*) [inlined] js::ScriptSourceObject::source(this=0x0000000101f023e8, this=<unavailable>) const at jsscript.h:706 frame #3: 0x0000000100136f0d js-dbg-opt-64-dm-nsprBuild-darwin-917fafd942ae`js::frontend::CompileScript(cx=<unavailable>, alloc=<unavailable>, options=<unavailable>, srcBuf=<unavailable>, source_=<unavailable>, staticLevel=<unavailable>, extraSct=<unavailable>, scopeChain=<unavailable>, evalCaller=<unavailable>) + 5181 at BytecodeCompiler.cpp:249 frame #4: 0x000000010009c738 js-dbg-opt-64-dm-nsprBuild-darwin-917fafd942ae`EvalKernel(cx=0x0000000101f023d0, args=0x00007fff5fbfe8f0, evalType=DIRECT_EVAL, caller=(ptr_ = 4345635889), pc=<unavailable>, scopeobj=<unavailable>) + 2536 at Eval.cpp:328 (lldb)
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(terrence)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: