Closed Bug 1263884 Opened 4 years ago Closed 4 years ago

Assertion failure: !cx->isExceptionPending(), at js/src/builtin/TestingFunctions.cpp:1316 with OOM

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86_64 Linux
Status: RESOLVED FIXED
Target Milestone: mozilla48
Tracking Status: firefox48 --- fixed
People: Reporter: decoder, Assigned: jonco
References: Blocks 2 open bugs
Keywords: assertion, testcase; Whiteboard: [jsbugmon:update]
Attachments: 2 files

The following testcase crashes on mozilla-central revision 29d5a4175c8b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --baseline-eager --ion-offthread-compile=off):

oomTest(function() {
  // oomTest() (JS shell testing function) re-runs the callback, making a
  // different allocation fail on each iteration.
  eval(`
    var argObj = function () { return arguments }()
    for (var p in argObj);   // enumerate the arguments object's properties first
    delete argObj.callee;    // then delete one; this is the path that trips the assertion
  `);
});

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000bdaff0 in OOMTest (cx=0x7ffff6908800, argc=<optimized out>, vp=0x7fffffffcbb8) at js/src/builtin/TestingFunctions.cpp:1316
#0  0x0000000000bdaff0 in OOMTest (cx=0x7ffff6908800, argc=<optimized out>, vp=0x7fffffffcbb8) at js/src/builtin/TestingFunctions.cpp:1316
#1  0x0000000000a908c2 in js::CallJSNative (cx=0x7ffff6908800, native=0xbda990 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#2  0x0000000000a8cdc7 in js::Invoke (cx=cx@entry=0x7ffff6908800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:476
#3  0x00000000006172f1 in js::jit::DoCallFallback (cx=0x7ffff6908800, frame=0x7fffffffcc08, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffcbb8, res=...) at js/src/jit/BaselineIC.cpp:6115
#4  0x00007ffff7ff1a1f in ?? ()
[...]
#30 0x0000000000000000 in ?? ()
rip	0xbdaff0 <OOMTest(JSContext*, unsigned int, JS::Value*)+1632>
=> 0xbdaff0 <OOMTest(JSContext*, unsigned int, JS::Value*)+1632>:	movl   $0x524,0x0
   0xbdaffb <OOMTest(JSContext*, unsigned int, JS::Value*)+1643>:	callq  0x4ab6f0 <abort()>
Since js::DeletePropertyJit is on the stack, setting needinfo? from Jan and Jon as a start.
Flags: needinfo?(jdemooij)
Flags: needinfo?(jcoppeard)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Make ShapeTable::change not report OOM and report in the caller where it's required.
Flags: needinfo?(jdemooij)
Attachment #8741812 - Flags: review?(jdemooij)
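The attachment summary describes the fix as moving OOM reporting out of ShapeTable::change and into the callers that need it. The following is an added illustration of that error-reporting discipline; it is a hypothetical model, not SpiderMonkey code, and it assumes (as the summary suggests) that some callers can tolerate a failed table change while others must surface it.

```cpp
#include <cstddef>
#include <vector>

// Stand-in for JSContext: records whether an error has been reported.
struct Context {
    bool exceptionPending = false;
    bool simulateOOM = false;  // set by the caller, the way oomTest() injects failures
    void reportOutOfMemory() { exceptionPending = true; }
    bool isExceptionPending() const { return exceptionPending; }
};

// Stand-in for js::ShapeTable (hypothetical; not SpiderMonkey's own layout).
struct ShapeTable {
    std::vector<int> entries;

    // Buggy pattern: the helper reports OOM itself, so a caller that ignores
    // the failure leaves an exception pending while returning success.
    bool changeReportingOOM(Context* cx, size_t newSize) {
        if (cx->simulateOOM) { cx->reportOutOfMemory(); return false; }
        entries.resize(newSize);
        return true;
    }

    // Pattern of the fix: only return false; the caller reports if required.
    bool change(Context* cx, size_t newSize) {
        if (cx->simulateOOM) return false;
        entries.resize(newSize);
        return true;
    }
};

// A caller for which a failed resize is tolerable (assumed to model the
// property-delete path): it succeeds without reporting anything.
bool shrinkBuggy(Context* cx, ShapeTable& t) { t.changeReportingOOM(cx, t.entries.size() / 2); return true; }
bool shrinkFixed(Context* cx, ShapeTable& t) { t.change(cx, t.entries.size() / 2); return true; }

// A caller that needs the resize: reports OOM itself and propagates failure.
bool growRequired(Context* cx, ShapeTable& t) {
    if (!t.change(cx, t.entries.size() * 2)) { cx->reportOutOfMemory(); return false; }
    return true;
}

// The invariant behind the assertion in this bug: success means no pending
// exception, and failure means one was reported.
bool invariantHolds(const Context& cx, bool ok) { return ok != cx.isExceptionPending(); }

// Runs one caller under simulated OOM and returns whether the invariant held.
bool runScenario(bool (*caller)(Context*, ShapeTable&)) {
    Context cx; cx.simulateOOM = true;
    ShapeTable t; t.entries.assign(8, 0);
    return invariantHolds(cx, caller(&cx, t));
}
```

Under injected OOM the buggy tolerant caller returns success with an exception pending, which is exactly the state the `!cx->isExceptionPending()` assertion rejects; the two callers that follow the fix's convention keep the invariant.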
Comment on attachment 8741812 [details] [diff] [review]
bug1263884-shape-table-oom

Review of attachment 8741812 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM.
Attachment #8741812 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/77279d5587f2
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48