Closed Bug 1261342 Opened 8 years ago Closed 8 years ago

Assertion failure: !JS_IsExceptionPending(cx), at js/src/jsexn.h:144 with OOM and Debugger

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED DUPLICATE of bug 1254123

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

The following testcase crashes on mozilla-central revision bccb11375f2a (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks --ion-check-range-analysis --ion-offthread-compile=off --baseline-eager):

dbg = new Debugger;
dbg.onNewGlobalObject = function() ERROR();
oomTest(function() newGlobal());
function ERROR() {
    throw new Error;
}



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000675404 in ~AutoAssertNoPendingException (this=<synthetic pointer>, __in_chrg=<optimized out>) at js/src/jsexn.h:144
#0  0x0000000000675404 in ~AutoAssertNoPendingException (this=<synthetic pointer>, __in_chrg=<optimized out>) at js/src/jsexn.h:144
#1  js::jit::GetPropIRGenerator::tryAttachStub (this=this@entry=0x7fffffffa6a0, writer=...) at js/src/jit/CacheIR.cpp:67
#2  0x00000000007f254b in js::jit::DoGetPropFallback (cx=0x7ffff6908800, payload=<optimized out>, stub_=<optimized out>, val=..., res=...) at js/src/jit/SharedIC.cpp:2860
#3  0x00007ffff7fec06b in ?? ()
[...]
#24 0x0000000000000000 in ?? ()
rip	0x675404 <js::jit::GetPropIRGenerator::tryAttachStub(mozilla::Maybe<js::jit::CacheIRWriter>&)+580>
=> 0x675404 <js::jit::GetPropIRGenerator::tryAttachStub(mozilla::Maybe<js::jit::CacheIRWriter>&)+580>:	movl   $0x90,0x0
   0x67540f <js::jit::GetPropIRGenerator::tryAttachStub(mozilla::Maybe<js::jit::CacheIRWriter>&)+591>:	callq  0x4aa040 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160317020419" and the hash "7067e2812c2616061ce4328d0e97da4a3dd48387".
The "bad" changeset has the timestamp "20160317022913" and the hash "83b0a247a47f1135a80454a9bd88c8f4c092a5d8".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=7067e2812c2616061ce4328d0e97da4a3dd48387&tochange=83b0a247a47f1135a80454a9bd88c8f4c092a5d8

Setting needinfo as per comment 1: bug 1255352 sounds like a legit culprit.
Flags: needinfo?(jdemooij)

(In reply to Benjamin Bouvier [:bbouvier] from comment #2)
> Setting needinfo as per comment 1: bug 1255352 sounds like a legit culprit.

It just exposed this one. The bug is in ErrorReport::init -> ErrorFromException.

I'll get back to this in a bit.

I just fixed this bug. It's a dupe of bug 1254123.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE