Closed Bug 1261329 Opened 9 years ago Closed 9 years ago

Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h:238 with dissrc and OOM

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla48
Tracking Status
firefox48 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision bccb11375f2a (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off):

print = function() {}
function k() dissrc(print);
function j() k();
function h() j();
function f() h();
f();
oomTest(() => f())

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a9a708 in js::CallJSNative (cx=0x7ffff6908800, native=0x497970 <DisassWithSrc(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:238
#0 0x0000000000a9a708 in js::CallJSNative (cx=0x7ffff6908800, native=0x497970 <DisassWithSrc(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:238
#1 0x0000000000a96b67 in js::Invoke (cx=cx@entry=0x7ffff6908800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:476
#2 0x0000000000a876c9 in Interpret (cx=cx@entry=0x7ffff6908800, state=...) at js/src/vm/Interpreter.cpp:2807
#3 0x0000000000a968e8 in js::RunScript (cx=cx@entry=0x7ffff6908800, state=...) at js/src/vm/Interpreter.cpp:426
#4 0x0000000000a96bb9 in js::Invoke (cx=cx@entry=0x7ffff6908800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:494
#5 0x0000000000a981d9 in js::Invoke (cx=cx@entry=0x7ffff6908800, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:528
#6 0x00000000008d08b4 in JS_CallFunction (cx=cx@entry=0x7ffff6908800, obj=..., fun=..., fun@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2865
#7 0x0000000000bdda79 in OOMTest (cx=0x7ffff6908800, argc=<optimized out>, vp=0x7ffff457d090) at js/src/builtin/TestingFunctions.cpp:1304
#8 0x0000000000a9a582 in js::CallJSNative (cx=0x7ffff6908800, native=0xbdd690 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#20 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7443

rax 0x0 0
rbx 0x7ffff6908800 140737330055168
rcx 0x7ffff6ca588d 140737333844109
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffc0b0 140737488339120
rsp 0x7fffffffc050 140737488339024
r8 0x7ffff7fdf7c0 140737354004416
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffbe10 140737488338448
r11 0x7ffff6c27ee0 140737333329632
r12 0x7ffff457d2f0 140737292784368
r13 0x0 0
r14 0x7fffffffc070 140737488339056
r15 0x497970 4815216
rip 0xa9a708 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+680>
=> 0xa9a708 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+680>: movl $0xee,0x0
0xa9a713 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+691>: callq 0x4aa040 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781".
The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1
Setting needinfo as per comment 1.
Flags: needinfo?(jcoppeard)
Patch to make callers of Sprint() in the dissrc function check the return code.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8742383 - Flags: review?(efaustbmo)
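The patch works because a JSNative must never return true while an exception is pending, which is the invariant the assertion at jscntxtinlines.h:238 enforces; a Sprint() that fails under OOM reports the error but returns -1, and a caller that ignores that -1 still reports success. The C++ below is an added illustration of that pattern and is not SpiderMonkey code: MockContext, MockSprinter, this Sprint, DisassembleUnchecked, DisassembleChecked, NativeInvariantHolds, RunUnderBudget and the opcode strings are invented stand-ins, and the byte budget plays the role of the allocation failure that oomTest injects.

```cpp
// Added example, not SpiderMonkey code: models the CallJSNative invariant
// (a native that returns true must leave no exception pending) with a mock
// context and a mock Sprinter whose Sprint() fails once a byte budget is spent.
#include <cstdarg>
#include <cstdio>
#include <string>

struct MockContext {
    bool exceptionPending = false;          // stands in for cx->isExceptionPending()
    void reportOutOfMemory() { exceptionPending = true; }
};

struct MockSprinter {
    MockContext* cx;
    std::string out;
    size_t budget;                          // constructed: bytes allowed before simulated OOM
    MockSprinter(MockContext* c, size_t b) : cx(c), budget(b) {}
};

// Mimics Sprint(): returns the offset written, or -1 after reporting OOM.
int Sprint(MockSprinter* sp, const char* fmt, ...) {
    char buf[128];
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    if (n < 0 || sp->out.size() + size_t(n) > sp->budget) {
        sp->cx->reportOutOfMemory();        // error is reported here, like the real Sprinter
        return -1;
    }
    int offset = int(sp->out.size());
    sp->out += buf;
    return offset;
}

// Constructed opcode names standing in for a disassembly listing.
static const char* kOps[] = {"getgname print", "callprop", "return"};

// "Before": ignores Sprint's return code, so a failed append leaves an
// exception pending while the native still reports success.
bool DisassembleUnchecked(MockContext*, MockSprinter* sp) {
    for (const char* op : kOps)
        Sprint(sp, "%s\n", op);
    return true;
}

// "After": every fallible call is checked and failure is propagated, as the
// patch makes dissrc's callers of Sprint() do.
bool DisassembleChecked(MockContext*, MockSprinter* sp) {
    for (const char* op : kOps) {
        if (Sprint(sp, "%s\n", op) == -1)
            return false;
    }
    return true;
}

// The check CallJSNative asserts: success and a pending exception never coexist.
bool NativeInvariantHolds(MockContext* cx, bool ok) {
    return !ok || !cx->exceptionPending;
}

// Runs a disassembler under a byte budget and reports whether the invariant held.
bool RunUnderBudget(bool (*dis)(MockContext*, MockSprinter*), size_t budget) {
    MockContext cx;
    MockSprinter sp(&cx, budget);
    bool ok = dis(&cx, &sp);
    return NativeInvariantHolds(&cx, ok);
}

int main() {
    // With a generous budget both versions satisfy the invariant; with a tight
    // one only the checked version does, mirroring the oomTest failure.
    std::printf("unchecked, no OOM: %d\n", RunUnderBudget(DisassembleUnchecked, 1000));
    std::printf("checked,   no OOM: %d\n", RunUnderBudget(DisassembleChecked, 1000));
    std::printf("unchecked, OOM:    %d\n", RunUnderBudget(DisassembleUnchecked, 10));
    std::printf("checked,   OOM:    %d\n", RunUnderBudget(DisassembleChecked, 10));
    return 0;
}
```

The first Sprint writes 15 bytes, so a budget of 10 forces the OOM on the first append; the unchecked version then returns true with the exception still pending, which is the state the assertion in the report catches.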
Comment on attachment 8742383 [details] [diff] [review]
bug1261329-dissrc-oom

Review of attachment 8742383 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsopcode.cpp
@@ +878,5 @@
> 
> case JOF_ATOM: {
> RootedValue v(cx, StringValue(script->getAtom(GET_UINT32_INDEX(pc))));
> JSAutoByteString bytes;
> + if (!ToDisassemblySource(cx, v, &bytes) || Sprint(sp, " %s", bytes.ptr()) == -1)

I would prefer to do this and the one below as two ifs, or add a little helper. Two distinct fallible operations in one condition always makes me feel squirmy.

@@ +908,2 @@
> return 0;
> + ;

nit: stray semicolon
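Review bot: in the JOF_ATOM hunk at +878, the combined condition is correct only because `||` short-circuits, so Sprint is not reached once ToDisassemblySource has failed; splitting it into two ifs, each with its own `return 0;`, removes that reliance and also brings the error path into the hunk's context, which the five-line window here does not show. The hunk at +908 leaves `return 0;` followed by a bare `;`, an empty statement that should be dropped.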
Attachment #8742383 - Flags: review?(efaustbmo) → review+
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48