Closed Bug 1243410 Opened 8 years ago Closed 8 years ago

Assertion failure: cx->isExceptionPending() (Thunk execution failed but no exception was raised - missing call to js::ReportOutOfMemory()?), at js/src/builtin/TestingFunctions.cpp:1217

Categories

(Core :: JavaScript Engine, defect)

ARM
Linux
defect
Not set
critical


RESOLVED INVALID
Tracking Status
firefox47 --- affected

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,bisect,ignore])

The following testcase crashes on mozilla-central revision c0ba5835ca48 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --enable-debug, run with --ion-eager):

oomTest(() => {
    try {
        for (; 0 < 1; i++) throw "foo";
    } catch (e) {
        Function("switch (/x/) {}")() = 0;
    }
});

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x086a38bd in OOMTest (cx=0xf7a84020, argc=1, vp=0xffffbca0) at js/src/builtin/TestingFunctions.cpp:1215
#0  0x086a38bd in OOMTest (cx=0xf7a84020, argc=1, vp=0xffffbca0) at js/src/builtin/TestingFunctions.cpp:1215
#1  0x0867d2aa in js::CallJSNative (cx=0xf7a84020, native=0x86a3570 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#2  0x0867a216 in js::Invoke (cx=0xf7a84020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:475
#3  0x0867ad9e in js::Invoke (cx=cx@entry=0xf7a84020, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0xf45ffee0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:527
#4  0x0824bf35 in js::jit::DoCallFallback (cx=cx@entry=0xf7a84020, frame=frame@entry=0xf45fff10, stub_=stub_@entry=0xf7ab7050, argc=argc@entry=1, vp=vp@entry=0xf45ffed0, res=res@entry=...) at js/src/jit/BaselineIC.cpp:6113
#5  0x084bfabe in js::jit::Simulator::softwareInterrupt (this=0xf7a83000, instr=0xf41d8344) at js/src/jit/arm/Simulator-arm.cpp:2360
#6  0x084bfcf6 in js::jit::Simulator::decodeType7 (this=0xf7a83000, instr=0xf41d8344) at js/src/jit/arm/Simulator-arm.cpp:3482
#7  0x084bdcd5 in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a83000, instr=instr@entry=0xf41d8344) at js/src/jit/arm/Simulator-arm.cpp:4404
#8  0x084c1b14 in execute<false> (this=0xf7a83000) at js/src/jit/arm/Simulator-arm.cpp:4459
#9  js::jit::Simulator::callInternal (this=this@entry=0xf7a83000, entry=entry@entry=0xf7fc8a70 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4547
#10 0x084c2035 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc8a70 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4630
#11 0x0822c2d6 in EnterBaseline (cx=cx@entry=0xf7a84020, data=...) at js/src/jit/BaselineJIT.cpp:147
#12 0x082379f5 in js::jit::EnterBaselineMethod (cx=cx@entry=0xf7a84020, state=...) at js/src/jit/BaselineJIT.cpp:185
#13 0x08679fe8 in js::RunScript (cx=cx@entry=0xf7a84020, state=...) at js/src/vm/Interpreter.cpp:415
#14 0x0867b98b in js::ExecuteKernel (cx=cx@entry=0xf7a84020, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:680
#15 0x0867bc42 in js::Execute (cx=cx@entry=0xf7a84020, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:713
#16 0x084d472c in ExecuteScript (cx=cx@entry=0xf7a84020, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4356
#17 0x084d4906 in JS_ExecuteScript (cx=cx@entry=0xf7a84020, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4389
#18 0x0806c67c in RunFile (compileOnly=false, file=<optimized out>, filename=0xffffcea3 "test.js", cx=0xf7a84020) at js/src/shell/js.cpp:521
#19 Process (cx=cx@entry=0xf7a84020, filename=0xffffcea3 "test.js", forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at js/src/shell/js.cpp:746
#20 0x080d284d in ProcessArgs (op=0xffffcb60, cx=0xf7a84020) at js/src/shell/js.cpp:6310
#21 Shell (envp=<optimized out>, op=0xffffcb60, cx=0xf7a84020) at js/src/shell/js.cpp:6632
#22 main (argc=3, argv=0xffffccb4, envp=0xffffccc4) at js/src/shell/js.cpp:6999
eax	0x0	0
ebx	0x9810158	159449432
ecx	0xf7e3b88c	-136071028
edx	0x0	0
esi	0xf7a84020	-139968480
edi	0xf4d7	62679
ebp	0xffffbb48	4294949704
esp	0xffffbac0	4294949568
eip	0x86a38bd <OOMTest(JSContext*, unsigned int, JS::Value*)+845>
=> 0x86a38bd <OOMTest(JSContext*, unsigned int, JS::Value*)+845>:	movl   $0x4c1,0x0
   0x86a38c7 <OOMTest(JSContext*, unsigned int, JS::Value*)+855>:	call   0x80f8560 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 2b73b0a4d52b).
decoder, does this reproduce with --fuzzing-safe?  This test is (hopefully) disabled in that case.
Flags: needinfo?(choller)
I double-checked and in fact it does not reproduce with --fuzzing-safe. It must have been that the reducer removed this flag somewhere and some other issue changed to this one while reducing.
Flags: needinfo?(choller)
Closing as that assertion is not valid for arbitrary code passed to oomTest.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
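As an added illustration of what the failing assertion checks (this is not SpiderMonkey's code and the names are hypothetical): a minimal OOM-injection harness in the spirit of oomTest that fails the N-th allocation in turn and verifies that a callee which fails has reported its error, run against a well-behaved callee and one that forgets to report on one path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
/* Added example, not SpiderMonkey code: a tiny OOM-injection harness. It
 * fails the N-th allocation and checks the invariant behind the assertion:
 * a thunk that fails must have reported (js::ReportOutOfMemory in the engine). */
static int alloc_counter;   /* allocations made so far in this run */
static int fail_at;         /* fail the N-th allocation of a run */
static bool error_pending;  /* stands in for cx->isExceptionPending() */
static void report_out_of_memory(void) { error_pending = true; }
/* Allocator under test: returns NULL exactly at the fail_at-th call. */
static void *test_malloc(size_t n) {
    if (++alloc_counter == fail_at) return NULL;
    return malloc(n);
}
typedef bool (*thunk_fn)(void);
/* Well-behaved thunk: every failure path reports before returning false. */
static bool good_thunk(void) {
    char *a = test_malloc(16);
    if (!a) { report_out_of_memory(); return false; }
    char *b = test_malloc(32);
    if (!b) { free(a); report_out_of_memory(); return false; }
    free(a); free(b);
    return true;
}
/* Buggy thunk: the second failure path forgets to report, which is the
 * defect class the assertion is meant to catch. */
static bool buggy_thunk(void) {
    char *a = test_malloc(16);
    if (!a) { report_out_of_memory(); return false; }
    char *b = test_malloc(32);
    if (!b) { free(a); return false; }  /* missing report_out_of_memory() */
    free(a); free(b);
    return true;
}
/* Fail allocation 1, 2, ... in turn. Returns the first failure point at which
 * the thunk failed without reporting, or 0 if the invariant always held. */
static int oom_test(thunk_fn thunk) {
    for (int n = 1; ; n++) {
        alloc_counter = 0; fail_at = n; error_pending = false;
        if (thunk()) return 0;          /* ran past its last allocation */
        if (!error_pending) return n;   /* failed silently: invariant broken */
    }
}
```

For good_thunk the harness returns 0; for buggy_thunk it returns 2, the allocation whose failure path lacks the report.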