
Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h:238 with OOM and disassemble

RESOLVED FIXED in Firefox 44

Status


Core
JavaScript Engine
--
critical
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: decoder, Assigned: evilpie)

Tracking

(Blocks: 2 bugs, {assertion, regression, testcase})

Trunk
mozilla44
x86_64
Linux
assertion, regression, testcase
Points:
---

Firefox Tracking Flags

(firefox42 affected, firefox44 fixed)

Details

(Whiteboard: [fuzzblocker] [jsbugmon:update,ignore])

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
The following testcase crashes on mozilla-central revision c95ebeebbc5d (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-eager min.js):

oomAfterAllocations(50);
function f1() {
    var v;
};
dis(f1);


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000006b7783 in js::CallJSNative (cx=0x7ffff69831c0, native=0x48d950 <Disassemble(JSContext*, unsigned int, jsval*)>, args=...) at js/src/jscntxtinlines.h:238
#0  0x00000000006b7783 in js::CallJSNative (cx=0x7ffff69831c0, native=0x48d950 <Disassemble(JSContext*, unsigned int, jsval*)>, args=...) at js/src/jscntxtinlines.h:238
#1  0x00000000006a3d42 in js::Invoke (cx=cx@entry=0x7ffff69831c0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:720
#2  0x00000000006a59e6 in js::Invoke (cx=cx@entry=0x7ffff69831c0, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffd8f8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:775
#3  0x00000000008d364a in js::jit::DoCallFallback (cx=0x7ffff69831c0, frame=0x7fffffffd938, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffd8e8, res=...) at js/src/jit/BaselineIC.cpp:9859
#4  0x00007ffff7e54bdf in ?? ()
[...]
#31 0x00007ffff69b8078 in ?? ()
#32 0x0000000000987bf4 in ~ReentrancyGuard (this=0x8, __in_chrg=<optimized out>) at ../../dist/include/mozilla/ReentrancyGuard.h:44
#33 mozilla::VectorBase<js::jit::MPhi*, 0ul, js::SystemAllocPolicy, js::Vector<js::jit::MPhi*, 0ul, js::SystemAllocPolicy> >::~VectorBase (this=0x7fffffffd938, __in_chrg=<optimized out>) at ../../dist/include/mozilla/Vector.h:756
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
rax	0x0	0
rbx	0x7ffff69831c0	140737330557376
rcx	0x7ffff6ca588d	140737333844109
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffd250	140737488343632
rsp	0x7fffffffd200	140737488343552
r8	0x7ffff7fe8780	140737354041216
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffcfc0	140737488342976
r11	0x7ffff6c27ee0	140737333329632
r12	0x7fffffffd468	140737488344168
r13	0x0	0
r14	0x7fffffffd210	140737488343568
r15	0x48d950	4774224
rip	0x6b7783 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+643>
=> 0x6b7783 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+643>:	movl   $0xee,0x0
   0x6b778e <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+654>:	callq  0x4997a0 <abort()>


This could be a shell-only bug with the disassemble function.
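The assertion in the backtrace fires because the caller of a JSNative checks an invariant: a native that returns true must not leave an exception pending. Under `oomAfterAllocations(50)` an allocation inside the shell's `dis()` implementation fails and an OOM is reported, but the native still returns true. The following is an added, simplified model of that invariant and of the buggy-versus-fixed native pattern; it is not SpiderMonkey code and not the patch attached to this bug. `Context`, `tryAlloc`, `disassembleBuggy`, `disassembleFixed` and `callNative` are hypothetical stand-ins for JSContext, a fallible allocation, the shell native and CallJSNative.

```cpp
// Added example (not SpiderMonkey code): models the
// "native returned true with an exception pending" invariant that the
// !cx->isExceptionPending() assertion in CallJSNative enforces.
#include <cstddef>

// Hypothetical stand-in for JSContext. It tracks the pending-exception
// flag and an allocation budget so OOM can be simulated, in the spirit
// of the shell's oomAfterAllocations(n).
struct Context {
    size_t allocsLeft;              // allocations allowed before OOM
    bool exceptionPending = false;

    explicit Context(size_t budget) : allocsLeft(budget) {}

    // Simulated fallible allocation: fails once the budget is exhausted.
    bool tryAlloc() {
        if (allocsLeft == 0) return false;
        --allocsLeft;
        return true;
    }
    // Stand-in for ReportOutOfMemory: records the pending OOM exception.
    void reportOutOfMemory() { exceptionPending = true; }
    bool isExceptionPending() const { return exceptionPending; }
};

using Native = bool (*)(Context&);

// Buggy native: notices the allocation failure and reports OOM, but then
// keeps going and returns true, leaving the exception pending.
bool disassembleBuggy(Context& cx) {
    for (int i = 0; i < 3; ++i) {
        if (!cx.tryAlloc()) {
            cx.reportOutOfMemory();
            break;  // bug: falls through to the "success" return below
        }
    }
    return true;
}

// Fixed native: every failing fallible call propagates false, so the
// caller sees the failure together with the pending exception.
bool disassembleFixed(Context& cx) {
    for (int i = 0; i < 3; ++i) {
        if (!cx.tryAlloc()) {
            cx.reportOutOfMemory();
            return false;
        }
    }
    return true;
}

enum class CallResult { Ok, Threw, InvariantViolated };

// Model of the caller-side check: returning true while an exception is
// pending is the condition the debug-build assertion in this bug catches.
CallResult callNative(Context& cx, Native native) {
    bool ok = native(cx);
    if (ok && cx.isExceptionPending()) return CallResult::InvariantViolated;
    return ok ? CallResult::Ok : CallResult::Threw;
}
```

With a budget of one allocation the buggy native trips the invariant, the fixed one reports a clean throw, and with a large budget the fixed one succeeds; in a release build the buggy path instead continues with a stale exception on the context, which is why the reporter flags it as blocking triage of other `isExceptionPending` asserts.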
(Reporter)

Updated

2 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
(Reporter)

Comment 1

2 years ago
This needs fixing. I can't triage the other isExceptionPending asserts easily with this in the way.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,bisect][fuzzblocker]

Updated

2 years ago
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]

Updated

2 years ago
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]

Comment 2

2 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 6457f01e4bcb).
(Assignee)

Updated

2 years ago
Assignee: nobody → evilpies
(Assignee)

Comment 3

2 years ago
Created attachment 8670174 [details] [diff] [review]
bug-1188390
Attachment #8670174 - Flags: review?(hv1989)
Attachment #8670174 - Flags: review?(hv1989) → review+

Comment 4

2 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/7b42a0a9aca5
https://hg.mozilla.org/mozilla-central/rev/7b42a0a9aca5
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44