Closed Bug 1263871 Opened 4 years ago Closed 4 years ago

Assertion failure: !cx->asJSContext()->isExceptionPending(), at js/src/frontend/BytecodeCompiler.cpp:617 with OOM

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86_64 Linux

Status: RESOLVED FIXED
Target Milestone: mozilla48
Tracking Status: firefox48 --- fixed

People: Reporter: decoder, Assigned: jonco
References: Blocks 2 open bugs
Details: Keywords: assertion, testcase; Whiteboard: [jsbugmon:update]
Attachments: 1 file

The following testcase crashes on mozilla-central revision 29d5a4175c8b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe):

lfLogBuffer = `this[''] = function() {}`;
loadFile(lfLogBuffer);
loadFile(lfLogBuffer);
function loadFile(lfVarx) {
  // oomTest re-runs the callback, making successive allocations fail in turn
  oomTest(function() { return parseModule(lfVarx); });
}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000c16472 in BytecodeCompiler::compileModule (this=this@entry=0x7fffffffafd0) at js/src/frontend/BytecodeCompiler.cpp:617
#0  0x0000000000c16472 in BytecodeCompiler::compileModule (this=this@entry=0x7fffffffafd0) at js/src/frontend/BytecodeCompiler.cpp:617
#1  0x0000000000c16775 in js::frontend::CompileModule (cx=cx@entry=0x7ffff6908800, optionsInput=..., srcBuf=..., alloc=<optimized out>, alloc@entry=0x0, sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:784
#2  0x0000000000495b40 in ParseModule (cx=0x7ffff6908800, argc=<optimized out>, vp=0x7fffffffc178) at js/src/shell/js.cpp:3594
#3  0x00007ffff7fcfa38 in ?? ()
#4  0x00007ffff7e667c0 in ?? ()
#5  0x00007fffffffc150 in ?? ()
#6  0x0000000000000000 in ?? ()
Backtrace for simulated OOM that precedes the crash:

* thread #1:  js_failedAllocBreakpoint at Utility.h:108
Stop reason = breakpoint 1.1
  * 0:  js_failedAllocBreakpoint at Utility.h:108
    1:  js::oom::ShouldFailWithOOM at Utility.h:154
    2:  js_malloc at Utility.h:236
    3:  js::Sprinter::init at Printer.cpp:113
    4:  js::QuoteString at Printer.cpp:380
    5:  (anonymous namespace)::NameResolver::appendPropertyReference at NameFunctions.cpp:51
    6:  (anonymous namespace)::NameResolver::nameExpression at NameFunctions.cpp:74
    7:  (anonymous namespace)::NameResolver::resolveFun at NameFunctions.cpp:215
    8:  (anonymous namespace)::NameResolver::resolve at NameFunctions.cpp:343
    9:  (anonymous namespace)::NameResolver::resolve at NameFunctions.cpp:457
    10:  (anonymous namespace)::NameResolver::resolve at NameFunctions.cpp:425
    11:  (anonymous namespace)::NameResolver::resolve at NameFunctions.cpp:686
    12:  (anonymous namespace)::NameResolver::resolve at NameFunctions.cpp:790
    13:  js::frontend::NameFunctions at NameFunctions.cpp:823
    14:  BytecodeCompiler::compileModule at BytecodeCompiler.cpp:588
    15:  js::frontend::CompileModule at BytecodeCompiler.cpp:784
    16:  ParseModule at js.cpp:3594
Patch to make the nameFunction method discriminate between an error condition and simply not finding a name for the function.
Assignee: nobody → jcoppeard
Attachment #8740397 - Flags: review?(shu)
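The failure mode behind this fix, as an added example that is not SpiderMonkey's code: a single bool return conflates "this function has no name" with "an allocation failed and an exception was reported", so the resolver treats a simulated OOM (as in the `this[''] = function() {}` testcase, where QuoteString allocates while building the property-reference name) as "anonymous", continues, and NameFunctions reports success with an exception still pending, which is exactly what the assertion in compileModule rejects. The Context, NameResult and function names below are constructed for illustration.

```cpp
#include <string>

// Constructed model of a JSContext recording a pending exception, standing in for
// cx->isExceptionPending(); example code, not SpiderMonkey's own.
struct Context {
    bool exceptionPending = false;
    void reportOutOfMemory() { exceptionPending = true; }
};

// Pre-fix shape: one bool means both "this function has no name" and "an
// allocation failed and an exception was reported".
static bool nameExpressionAmbiguous(Context& cx, const std::string& expr, bool oom,
                                    std::string* out) {
    if (oom) { cx.reportOutOfMemory(); return false; }  // error
    if (expr.empty()) return false;                     // genuinely anonymous
    *out = expr;
    return true;
}
// Fixed shape: error and "no name found" are distinct results.
enum class NameResult { Found, NotFound, Error };
static NameResult nameExpressionFixed(Context& cx, const std::string& expr, bool oom,
                                      std::string* out) {
    if (oom) { cx.reportOutOfMemory(); return NameResult::Error; }
    if (expr.empty()) return NameResult::NotFound;
    *out = expr;
    return NameResult::Found;
}

// The resolver, in the shape of NameFunctions: returns true when compilation may
// proceed. The ambiguous version treats every false as "anonymous" and keeps
// going, so a simulated OOM is swallowed and the exception stays pending.
static bool nameFunctions(Context& cx, const std::string& expr, bool oom, bool fixed) {
    std::string name = "<anonymous>";
    if (!fixed) {
        nameExpressionAmbiguous(cx, expr, oom, &name);   // false: "no name", continue
        return true;
    }
    if (nameExpressionFixed(cx, expr, oom, &name) == NameResult::Error)
        return false;                                    // propagate, caller bails out
    return true;                                         // Found or NotFound: proceed
}

// The invariant compileModule asserts after NameFunctions succeeds: success
// implies no pending exception. Runs one scenario and reports whether it held.
static bool scenarioHolds(const std::string& expr, bool oom, bool fixed) {
    Context cx;
    bool ok = nameFunctions(cx, expr, oom, fixed);
    return !ok || !cx.exceptionPending;
}
```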
Comment on attachment 8740397 [details] [diff] [review]
bug1263871-name-function-oom

Review of attachment 8740397 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/frontend/NameFunctions.cpp
@@ +109,1 @@
>               */

That comment doesn't apply at all anymore, right? We separated out failure to the return value only.
Attachment #8740397 - Flags: review?(shu) → review+
https://hg.mozilla.org/mozilla-central/rev/a5d85a401db3
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Duplicate of this bug: 1263874