Closed
Bug 1226896
Opened 9 years ago
Closed 9 years ago
Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla45
Tracking | Status | |
---|---|---|
firefox45 | --- | fixed |
People
(Reporter: gkw, Assigned: jonco)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
7.14 KB, text/plain
3.20 KB, patch (nbp: review+)
```js
// Adapted from randomly chosen test: js/src/jit-test/tests/coverage/bug1214548.js
oomTest(() => {
    var g = newGlobal();
    g.eval("(function() {})()");
});
```

asserts js debug shell on m-c changeset 0b2b0570777f with --fuzzing-safe --no-threads --no-ion --no-baseline -D at Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 0b2b0570777f

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/9c365490d4ce
user: Jon Coppeard
date: Tue Oct 13 13:37:07 2015 +0100
summary: Bug 1212469 - Make oomTest() into a shell function r=nbp

Jon, is bug 1212469 a likely regressor? (I removed oomTest but it didn't seem to reproduce)
Flags: needinfo?(jcoppeard)
Reporter
Comment 1•9 years ago
```
(lldb) bt 5
* thread #1: tid = 0x43fa09, 0x0000000100688942 js-dbg-64-dm-darwin-0b2b0570777f`js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) [inlined] js::CallJSNative(cx=<unavailable>, native=<unavailable>)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 219 at jscntxtinlines.h:238, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100688942 js-dbg-64-dm-darwin-0b2b0570777f`js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) [inlined] js::CallJSNative(cx=<unavailable>, native=<unavailable>)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 219 at jscntxtinlines.h:238
    frame #1: 0x0000000100688867 js-dbg-64-dm-darwin-0b2b0570777f`js::Invoke(cx=<unavailable>, args=<unavailable>, construct=<unavailable>) + 1063 at Interpreter.cpp:396
    frame #2: 0x00000001006ad54b js-dbg-64-dm-darwin-0b2b0570777f`js::Invoke(cx=0x0000000102c69400, thisv=0x0000000102f7c148, fval=<unavailable>, argc=<unavailable>, argv=<unavailable>, rval=<unavailable>) + 555 at Interpreter.cpp:460
    frame #3: 0x00000001005f11e2 js-dbg-64-dm-darwin-0b2b0570777f`js::DirectProxyHandler::call(this=<unavailable>, cx=0x0000000102c69400, proxy=<unavailable>, args=0x00007fff5fbfdd18) const + 130 at DirectProxyHandler.cpp:77
    frame #4: 0x00000001005e8da3 js-dbg-64-dm-darwin-0b2b0570777f`js::CrossCompartmentWrapper::call(this=0x0000000101725898, cx=0x0000000102c69400, wrapper=<unavailable>, args=0x00007fff5fbfdd18) const + 403 at CrossCompartmentWrapper.cpp:289
(lldb)
```
Assignee
Comment 2•9 years ago
Not related to oomTest() but to script counts.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Assignee
Comment 3•9 years ago
Patch to fix OOM handling related to initialising script counts data structures.
Attachment #8691312 - Flags: review?(nicolas.b.pierron)
Assignee
Updated•9 years ago
Comment 4•9 years ago
Comment on attachment 8691312 [details] [diff] [review]
bug1226896-script-count-oom

Review of attachment 8691312 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit-test/tests/gc/bug-1226896.js
@@ +1,1 @@
> +// |jit-test| --dump-bytecode

Use --ion-pgo=on , as we probably don't want to spew output at the end of the test.

::: js/src/jsscript.cpp
@@ +1382,2 @@
> js_delete(map);
> + ReportOutOfMemory(cx);

Note, that script count is for the moment optional and thus any failure can be made silent if we want to.
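
Review bot: in the js/src/jsscript.cpp hunk (@@ +1382,2), ReportOutOfMemory(cx) is added after js_delete(map), but the quoted lines do not show the return that follows it. Since the failure in this bug is the !cx->isExceptionPending() assertion, check that this path returns false directly after reporting, so that an exception is never left pending on a path that goes on to report success. If script counts are later made to fail silently, as suggested above, the report has to be dropped at the same time rather than kept next to a success return.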
Attachment #8691312 - Flags: review?(nicolas.b.pierron) → review+
Comment 6•9 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/ae0f0b8d2d06
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45