Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h:238 with OOM and serialize

RESOLVED FIXED in Firefox 47

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 2 years ago
Modified: 2 years ago

People

(Reporter: decoder, Assigned: jonco)

Tracking

Blocks: 2 bugs
Keywords: assertion, regression, testcase
Version: Trunk
Target Milestone: mozilla47
Hardware: ARM
OS: Linux
Points: ---

Firefox Tracking Flags

(firefox47 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(2 attachments)

(Reporter)

Description

2 years ago
The following testcase crashes on mozilla-central revision b2a3dc4b161f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --enable-debug, run with --fuzzing-safe --thread-count=2):

var t = {};
oomTest(() => serialize(t));



Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x08680e7e in js::CallJSNative (cx=0xf7174020, native=0x86c8fe0 <Serialize(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:238
#1  0x0867dbf6 in js::Invoke (cx=0xf7174020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:475
#2  0x0866d3ba in Interpret (cx=cx@entry=0xf7174020, state=...) at js/src/vm/Interpreter.cpp:2799
#3  0x0867d91f in js::RunScript (cx=cx@entry=0xf7174020, state=...) at js/src/vm/Interpreter.cpp:425
#4  0x0867dcae in js::Invoke (cx=0xf7174020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:493
#5  0x0867e7be in js::Invoke (cx=cx@entry=0xf7174020, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:527
#6  0x084d7928 in JS_CallFunction (cx=cx@entry=0xf7174020, obj=..., fun=fun@entry=..., args=..., rval=rval@entry=...) at js/src/jsapi.cpp:2849
#7  0x086a732a in OOMTest (cx=0xf7174020, argc=1, vp=0xf4e110d8) at js/src/builtin/TestingFunctions.cpp:1203
#8  0x08680d6a in js::CallJSNative (cx=0xf7174020, native=0x86a7030 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#34 main (argc=5, argv=0xffac8424, envp=0xffac843c) at js/src/shell/js.cpp:7051
eax	0x0	0
ebx	0x9817158	159478104
ecx	0xf756988c	-145319796
edx	0x0	0
esi	0xf4e11138	-186576584
edi	0xf7174020	-149471200
ebp	0xffac5f48	4289486664
esp	0xffac5f00	4289486592
eip	0x8680e7e <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+558>
=> 0x8680e7e <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+558>:	movl   $0xee,0x0
   0x8680e88 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+568>:	call   0x80f8e00 <abort()>

Updated

2 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1

2 years ago
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781".
The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1

Comment 2

Created attachment 8715390 [details]
OOM_VERBOSE=1 stack from m-c rev f2f8fc172f4c

Jon, not sure if this is related to bug 1241731?
Flags: needinfo?(nicolas.b.pierron)
Flags: needinfo?(nicolas.b.pierron) → needinfo?(jcoppeard)
(Assignee)

Updated

2 years ago
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
(Assignee)

Comment 3

2 years ago
Created attachment 8715888 [details] [diff] [review]
bug1245520-structured-clone

Not related to the previous bug. It's just a missing return value check.
Attachment #8715888 - Flags: review?(sphink)
Attachment #8715888 - Flags: review?(sphink) → review+
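The assertion in the backtrace, `!cx->isExceptionPending()` in CallJSNative, encodes the rule that a native which returns true must not leave an exception pending; a fallible call whose false result is ignored after an OOM breaks exactly that rule. The following is an added illustration of that invariant and of the unchecked-versus-checked pattern, not SpiderMonkey's code or the actual patch; every name in it (Ctx, writeValue, serializeUnchecked, serializeChecked, callNative, runUnderOOM) is hypothetical.

```cpp
// Added model of the invariant behind "!cx->isExceptionPending()": all names
// are hypothetical stand-ins, not SpiderMonkey APIs.
#include <cstdint>
#include <vector>

struct Ctx {
    bool exceptionPending = false;  // stands in for cx->isExceptionPending()
    bool oomNext = false;           // make the next allocation fail, as oomTest does
    void reportOOM() { exceptionPending = true; }  // "report" = set pending exception
};

// A fallible helper such as a structured-clone write: on OOM it reports the
// error (leaving an exception pending) and returns false.
static bool writeValue(Ctx& cx, std::vector<uint8_t>& buf, uint8_t v) {
    if (cx.oomNext) { cx.oomNext = false; cx.reportOOM(); return false; }
    buf.push_back(v);
    return true;
}

enum class Outcome { Ok, Threw, InvariantViolated };
using Native = bool (*)(Ctx&, std::vector<uint8_t>&);

// The wrapper's check: a debug build asserts here instead of returning a value.
static Outcome callNative(Ctx& cx, Native fn) {
    std::vector<uint8_t> buf;
    bool ok = fn(cx, buf);
    if (ok && cx.exceptionPending) return Outcome::InvariantViolated;  // the assertion
    return ok ? Outcome::Ok : Outcome::Threw;
}

// Buggy shape: the helper's result is dropped, so after an OOM the native
// reports success while an exception is still pending.
static bool serializeUnchecked(Ctx& cx, std::vector<uint8_t>& buf) {
    writeValue(cx, buf, 0x01);
    writeValue(cx, buf, 0x02);
    return true;
}

// Fixed shape: every fallible call is checked and its failure propagated.
static bool serializeChecked(Ctx& cx, std::vector<uint8_t>& buf) {
    if (!writeValue(cx, buf, 0x01)) return false;
    if (!writeValue(cx, buf, 0x02)) return false;
    return true;
}

// Run a native with the first allocation failing, the way oomTest would.
static Outcome runUnderOOM(Native fn) {
    Ctx cx;
    cx.oomNext = true;
    return callNative(cx, fn);
}
```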

Comment 5

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/8feaeb75199c
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox47: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47