Assertion failure: !cx->asJSContext()->isExceptionPending(), at js/src/frontend/BytecodeCompiler.cpp:561 with Debugger

RESOLVED FIXED in Firefox 49

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reporter: decoder
Assignee: efaust
Keywords: assertion, regression, testcase
Blocks: 2 bugs
Version: Trunk
Target Milestone: mozilla49
Hardware: x86_64 Linux
Firefox Tracking Flags: firefox47 wontfix, firefox48 wontfix, firefox49 fixed
Whiteboard: [jsbugmon:]
Attachments: 2

(Reporter)
Description

2 years ago
The following testcase crashes on mozilla-central revision b6acf4d4fc20 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager):

var g = newGlobal();                 // separate global that will be the debuggee
var dbg = new Debugger(g);           // debug g from this global
dbg.onNewScript = function (s) {     // fires for every script compiled in g
  log += dbg.findScripts({ source: s.source }).length;
}
log = "";
oomTest(() => {                      // re-runs the callback, failing each allocation in turn
    var static  = newGlobal();
    g.eval("(function() {})()");     // compile in g while the Debugger hook is installed
});

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000bf38ed in BytecodeCompiler::compileScript (this=this@entry=0x7fffffff9e80, scopeChain=..., scopeChain@entry=..., evalCaller=evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:561
#0  0x0000000000bf38ed in BytecodeCompiler::compileScript (this=this@entry=0x7fffffff9e80, scopeChain=..., scopeChain@entry=..., evalCaller=evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:561
#1  0x0000000000bf3a53 in js::frontend::CompileScript (cx=cx@entry=0x7ffff6907800, alloc=<optimized out>, scopeChain=scopeChain@entry=..., enclosingStaticScope=..., enclosingStaticScope@entry=..., evalCaller=evalCaller@entry=..., options=..., srcBuf=..., source_=0x7ffff7e819c0, extraSct=extraSct@entry=0x0, sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:738
#2  0x00000000005e7210 in EvalKernel (cx=cx@entry=0x7ffff6907800, args=..., evalType=evalType@entry=INDIRECT_EVAL, caller=..., scopeobj=scopeobj@entry=..., pc=pc@entry=0x0) at js/src/builtin/Eval.cpp:319
#3  0x00000000005e75ab in js::IndirectEval (cx=0x7ffff6907800, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Eval.cpp:421
#4  0x0000000000abb9e2 in js::CallJSNative (cx=0x7ffff6907800, native=0x5e74d0 <js::IndirectEval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#5  0x0000000000ab8b11 in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:478
#6  0x0000000000ab962c in js::Invoke (cx=cx@entry=0x7ffff6907800, thisv=..., fval=..., argc=<optimized out>, argv=0x7fffffffb838, rval=...) at js/src/vm/Interpreter.cpp:530
#7  0x00000000009a5987 in js::DirectProxyHandler::call (this=this@entry=0x1c36ff0 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7ffff6907800, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#8  0x00000000009aaae2 in js::CrossCompartmentWrapper::call (this=0x1c36ff0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff6907800, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
#9  0x00000000009a9aba in js::Proxy::call (cx=0x7ffff6907800, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:391
#10 0x00000000009a9b8a in js::proxy_Call (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:683
#11 0x0000000000abb9e2 in js::CallJSNative (cx=0x7ffff6907800, native=0x9a9ae0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#12 0x0000000000ab8dca in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:466
#13 0x0000000000ab962c in js::Invoke (cx=cx@entry=0x7ffff6907800, thisv=..., fval=..., argc=<optimized out>, argv=0x7fffffffbb18, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:530
#14 0x0000000000805fc7 in js::jit::InvokeFunction (cx=0x7ffff6907800, obj=..., constructing=<optimized out>, argc=<optimized out>, argv=<optimized out>, rval=...) at js/src/jit/VMFunctions.cpp:104
#15 0x00007ffff7ff062f in ?? ()
#16 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffffff9ab0	140737488329392
rcx	0x7ffff6ca588d	140737333844109
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffff9e60	140737488330336
rsp	0x7fffffff99c0	140737488329152
r8	0x7ffff7fdf7c0	140737354004416
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7ffff6f76be0	140737336798176
r11	0x0	0
r12	0x7fffffff9a30	140737488329264
r13	0x7fffffff9e80	140737488330368
r14	0x7fffffff9a10	140737488329232
r15	0x7ffff698a240	140737330586176
rip	0xbf38ed <BytecodeCompiler::compileScript(JS::Handle<JSObject*>, JS::Handle<JSScript*>)+2157>
=> 0xbf38ed <BytecodeCompiler::compileScript(JS::Handle<JSObject*>, JS::Handle<JSScript*>)+2157>:	movl   $0x231,0x0
   0xbf38f8 <BytecodeCompiler::compileScript(JS::Handle<JSObject*>, JS::Handle<JSScript*>)+2168>:	callq  0x4a6f30 <abort()>

Updated

2 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]

Comment 1

2 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Updated

2 years ago
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]

Created attachment 8731911 [details]
OOM_VERBOSE=1 stack from m-c rev b6acf4d4fc20

Setting needinfo? from our Debugger gurus Jim and Nick since Debugger is on the OOM_VERBOSE stack.
Flags: needinfo?(nfitzgerald)
Flags: needinfo?(jimb)

Comment 3

2 years ago
I can reproduce this assertion.
Assignee: nobody → jimb
Flags: needinfo?(jimb)

Thanks, Jim!
Flags: needinfo?(nfitzgerald)
(Assignee)

Comment 5

2 years ago
Created attachment 8747327 [details] [diff] [review]
Fix

Add a null check in the debugger to make the oomTest boom go away.
Assignee: jimb → efaustbmo
Status: NEW → ASSIGNED
Attachment #8747327 - Flags: review?(shu)
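As an added illustration of the failure mode behind this bug (example code written here; it is not SpiderMonkey's code and not the attached patch, whose contents this page does not show): a toy model of the engine convention that a failing call returns false or nullptr and leaves an exception pending, a Debugger hook that swallows an allocation failure beside one that checks for null, and an oomTest-style driver that fails each allocation site in turn. Context, tryAlloc, evalWithDebugger, RunResult and the hook names are hypothetical stand-ins.

```cpp
#include <string>
#include <vector>

// Hypothetical stand-in for JSContext (not SpiderMonkey's): the convention modelled
// here is that a failing call returns false or nullptr and leaves an exception
// pending on the context, and that every caller must propagate that failure.
struct Context {
    bool exceptionPending = false;
    bool oomInjected = false;
    int allocBudget = -1;                 // -1 = unlimited; otherwise allocations left before forced OOM
    std::vector<std::string> scriptLog;   // what the hook records, like `log` in the testcase

    // Fault-injecting allocation in the spirit of oomTest(): once the budget is spent
    // the allocation fails and the OOM is reported as a pending exception.
    std::string* tryAlloc(const std::string& s) {
        if (allocBudget == 0) {
            oomInjected = true;
            exceptionPending = true;
            return nullptr;
        }
        if (allocBudget > 0) --allocBudget;
        return new std::string(s);
    }
};

using NewScriptHook = bool (*)(Context&, const std::string&);

// Unchecked hook: the allocation failure is swallowed and success is reported,
// so the caller carries on with an exception already pending.
bool onNewScriptUnchecked(Context& cx, const std::string& name) {
    std::string* entry = cx.tryAlloc(name);
    if (entry) {
        cx.scriptLog.push_back(*entry);
        delete entry;
    }
    return true;                          // wrong on OOM: the failure is not propagated
}

// Checked hook: the null check turns the OOM into a proper failure return.
bool onNewScriptChecked(Context& cx, const std::string& name) {
    std::string* entry = cx.tryAlloc(name);
    if (!entry) return false;             // exception is pending; unwind to the caller
    cx.scriptLog.push_back(*entry);
    delete entry;
    return true;
}

struct RunResult {
    bool invariantViolated = false;       // a compile was entered with an exception pending
    int iterations = 0;                   // OOM points tried before a run with no injected failure
};

// Models the eval path of the testcase: each compile requires that no exception is
// pending (the condition the assertion in the title checks), then the hook runs.
bool evalWithDebugger(Context& cx, NewScriptHook hook, bool* violated) {
    const char* scripts[] = {"outer", "inner"};
    for (const char* name : scripts) {
        if (cx.exceptionPending) {        // where the engine's assertion would fire
            *violated = true;
            return false;
        }
        if (!hook(cx, name)) return false; // hook threw: propagate
    }
    return true;
}

// Drives the operation with allocation budgets 0, 1, 2, ... so every allocation site
// fails once, stopping at the first run with no injected failure (or at a violation).
RunResult oomTest(NewScriptHook hook) {
    RunResult r;
    for (int budget = 0;; ++budget) {
        Context cx;
        cx.allocBudget = budget;
        ++r.iterations;
        evalWithDebugger(cx, hook, &r.invariantViolated);
        if (r.invariantViolated || !cx.oomInjected) break;
    }
    return r;
}
```

The unchecked hook trips the no-pending-exception invariant on the very first injected failure, which is the shape of the assertion in this report; the checked hook lets the OOM unwind as an ordinary failure and the driver reaches a clean run after each allocation site has failed once.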
(Assignee)

Comment 6

2 years ago
Not worth uplifting a simple OOM. WONTFIX 47, 48.
status-firefox47: affected → wontfix
status-firefox48: --- → wontfix
status-firefox49: --- → affected

Updated

2 years ago
Attachment #8747327 - Flags: review?(shu) → review+

Comment 8

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/038ba23ecf52
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox49: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
Depends on: 1272835