Closed
Bug 1236525
Opened 9 years ago
Closed 9 years ago
Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h:238 with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla46
Tracking | Status | |
---|---|---|
firefox46 | --- | fixed |
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
7.77 KB,
text/plain
The following testcase crashes on mozilla-central revision d7a0ad85d9fb (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe):
e => 2;
oomTest(function() newGlobal({}));
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000a9b3c8 in js::CallJSNative (cx=0x7ffff6907800, native=0x495840 <NewGlobal(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:238
#0 0x0000000000a9b3c8 in js::CallJSNative (cx=0x7ffff6907800, native=0x495840 <NewGlobal(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:238
#1 0x0000000000a938c7 in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:460
#2 0x0000000000a8411a in Interpret (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:2786
#3 0x0000000000a93667 in js::RunScript (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:407
#4 0x0000000000a9398c in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:478
#5 0x0000000000a94569 in js::Invoke (cx=cx@entry=0x7ffff6907800, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:512
#6 0x00000000008c8fc4 in JS_CallFunction (cx=cx@entry=0x7ffff6907800, obj=..., fun=..., fun@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2832
#7 0x0000000000a4ba6e in OOMTest (cx=0x7ffff6907800, argc=<optimized out>, vp=0x7ffff312c0a0) at js/src/builtin/TestingFunctions.cpp:1165
[...]
#20 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6885
rip 0xa9b3c8 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+680>
=> 0xa9b3c8 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+680>: movl $0xee,0x0
0xa9b3d3 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+691>: callq 0x4a4a90 <abort()>
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•9 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/3d5156fda2df
user: Zibi Braniecki
date: Thu Dec 31 14:45:52 2015 -0800
summary: Bug 1216150 - Implement ECMA 402 DateTimeFormat formatToParts. r=waldo
This iteration took 269.715 seconds to run.
I followed the instructions in:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Hacking_Tips#How_to_debug_oomTest%28%29_failures
and got the attached stack.
Waldo, is bug 1216150 a likely regressor?
Blocks: 1216150
Flags: needinfo?(jwalden+bmo)
Comment 5•9 years ago
Bah. In a failure case, we were returning *true* instead of false. Looks like it must have been a typo introduced into bug 1216150's patch at some point during rebasing. :-( Obvious fix landed.
Flags: needinfo?(jwalden+bmo)
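A simplified model of the contract behind this assertion, as an added example that is neither SpiderMonkey code nor part of the bug thread: a native that returns true must not leave an exception pending, and a fail-the-Nth-allocation loop in the spirit of oomTest() finds the path that breaks this. `Cx`, `buggyNative`, `fixedNative` and `firstViolation` are hypothetical names.

```cpp
// Added example: simplified model, not SpiderMonkey source. All names are hypothetical.
#include <cstdio>

struct Cx {                        // stand-in for JSContext
    bool exceptionPending = false;
    long failAt = -1;              // index of the allocation that fails (-1: none)
    long allocCount = 0;
    bool alloc() {                 // fallible allocation; failure reports OOM on cx
        if (allocCount++ == failAt) { exceptionPending = true; return false; }
        return true;
    }
};

using Native = bool (*)(Cx&);

// Shape of the bug in comment 5: one failure path returns true instead of false.
bool buggyNative(Cx& cx) {
    if (!cx.alloc()) return false; // failure propagated correctly
    if (!cx.alloc()) return true;  // BUG: OOM reported, success returned
    return true;
}

bool fixedNative(Cx& cx) {
    if (!cx.alloc()) return false;
    if (!cx.alloc()) return false; // every failure path returns false
    return true;
}

// Fail allocation 0, then 1, ... and check what the assertion checks:
// a native that returned true must not have an exception pending.
// Returns the failing allocation index that breaks this, or -1 if none does.
long firstViolation(Native native) {
    for (long n = 0;; ++n) {
        Cx cx;
        cx.failAt = n;
        bool ok = native(cx);
        if (ok && cx.exceptionPending) return n;
        if (cx.allocCount <= n) return -1; // ran to completion without reaching n
    }
}

int main() {
    std::printf("buggy: %ld\n", firstViolation(buggyNative));
    std::printf("fixed: %ld\n", firstViolation(fixedNative));
    return 0;
}
```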
Comment 6•9 years ago
bugherder
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46