1269714 - Assertion failure: !cx->asJSContext()->isExceptionPending(), at js/src/frontend/BytecodeCompiler.cpp:565 with Debugger and OOM

Status: RESOLVED DUPLICATE of bug 1345453

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 77cead2cd203 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

g = newGlobal();
oomTest(Function(`
  class printBugNumber {}   
  dbg = Debugger(g).onNewScript = function() [];
  g.eval("function f() arguments[0]")
`));



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000c2f0f2 in BytecodeCompiler::compileScript (this=this@entry=0x7fffffffa700, scopeChain=..., scopeChain@entry=..., evalCaller=evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:565
#0  0x0000000000c2f0f2 in BytecodeCompiler::compileScript (this=this@entry=0x7fffffffa700, scopeChain=..., scopeChain@entry=..., evalCaller=evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:565
#1  0x0000000000c2f263 in js::frontend::CompileScript (cx=<optimized out>, alloc=<optimized out>, scopeChain=scopeChain@entry=..., enclosingStaticScope=..., enclosingStaticScope@entry=..., evalCaller=evalCaller@entry=..., options=..., srcBuf=..., source_=0x7ffff7e8aeb0, extraSct=extraSct@entry=0x0, sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:742
#2  0x000000000083f815 in EvalKernel (cx=cx@entry=0x7ffff6908c00, v=..., evalType=evalType@entry=INDIRECT_EVAL, caller=..., scopeobj=..., pc=pc@entry=0x0, vp=vp@entry=...) at js/src/builtin/Eval.cpp:315
#3  0x000000000083fb59 in js::IndirectEval (cx=0x7ffff6908c00, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Eval.cpp:422
#4  0x0000000000ab2b82 in js::CallJSNative (cx=0x7ffff6908c00, native=0x83fa80 <js::IndirectEval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#5  0x0000000000aaf5f7 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6908c00, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:480
#6  0x0000000000aaf8db in InternalCall (cx=cx@entry=0x7ffff6908c00, args=...) at js/src/vm/Interpreter.cpp:525
#7  0x0000000000aafa1a in js::Call (cx=cx@entry=0x7ffff6908c00, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:544
#8  0x00000000009c7e36 in js::DirectProxyHandler::call (this=this@entry=0x1c89a50 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff6908c00, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:82
#9  0x00000000009c7feb in js::CrossCompartmentWrapper::call (this=0x1c89a50 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff6908c00, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:309
#10 0x00000000009d45ca in js::Proxy::call (cx=0x7ffff6908c00, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:400
#11 0x00000000009d4669 in js::proxy_Call (cx=0x7ffff6908c00, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:692
#12 0x0000000000ab2b82 in js::CallJSNative (cx=0x7ffff6908c00, native=0x9d45f0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#13 0x0000000000aaf7c0 in js::InternalCallOrConstruct (cx=0x7ffff6908c00, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:468
#14 0x0000000000aaf8db in InternalCall (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:525
#15 0x0000000000a9f4d9 in CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:531
#16 Interpret (cx=cx@entry=0x7ffff6908c00, state=...) at js/src/vm/Interpreter.cpp:2831
#17 0x0000000000aaf378 in js::RunScript (cx=cx@entry=0x7ffff6908c00, state=...) at js/src/vm/Interpreter.cpp:426
#18 0x0000000000aaf649 in js::InternalCallOrConstruct (cx=0x7ffff6908c00, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
#19 0x0000000000aaf8db in InternalCall (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:525
#20 0x0000000000aafa1a in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:544
#21 0x00000000008d9439 in JS_CallFunction (cx=0x7ffff6908c00, obj=..., fun=..., fun@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2883
#22 0x0000000000bf781e in OOMTest (cx=0x7ffff6908c00, argc=<optimized out>, vp=0x7ffff32df090) at js/src/builtin/TestingFunctions.cpp:1310
#23 0x0000000000ab2b82 in js::CallJSNative (cx=0x7ffff6908c00, native=0xbf7460 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#37 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7483
rax	0x0	0
rbx	0x7fffffffa330	140737488331568
rcx	0x7ffff6ca588d	140737333844109
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffa6e0	140737488332512
rsp	0x7fffffffa240	140737488331328
r8	0x7ffff7fdf7c0	140737354004416
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffa000	140737488330752
r11	0x7ffff6c27ee0	140737333329632
r12	0x7fffffffa2b0	140737488331440
r13	0x7ffff69dd240	140737330926144
r14	0x7fffffffa700	140737488332544
r15	0x7fffffffad68	140737488334184
rip	0xc2f0f2 <BytecodeCompiler::compileScript(JS::Handle<JSObject*>, JS::Handle<JSScript*>)+2146>
=> 0xc2f0f2 <BytecodeCompiler::compileScript(JS::Handle<JSObject*>, JS::Handle<JSScript*>)+2146>:	movl   $0x235,0x0
   0xc2f0fd <BytecodeCompiler::compileScript(JS::Handle<JSObject*>, JS::Handle<JSScript*>)+2157>:	callq  0x4b07b0 <abort()>

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781".
The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: OOM_VERBOSE=1 stack from m-c rev 45709b7b6466

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Debugger is on the OOM_VERBOSE=1 stack, setting needinfo? from our Debugger gurus.

Comment 4

[Jim Blandy :jimb]

I can reproduce on changeset 77cead2cd203.

Comment 5

[Nick Fitzgerald [:fitzgen] [⏰PST; UTC-8]]

Thanks for taking this, Jim.

Comment 6

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Jim, what's next here?

Comment 7

[Jim Blandy :jimb]

Yeesh. I need to find time to work on this, is what's next. Bumping up the priority.

Comment 8

[Fuzzing Team]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 23fe0b76a018).

Comment 9

[Fuzzing Team]

JSBugMon: Fix Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781".
The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1

Comment 10

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

This bug, until verified by Jim, is probably still around and intermittent.

Comment 11

[Jim Blandy :jimb]

This doesn't reproduce on tip. I tried to bisect last night but my decision script didn't work too well. Will look at it more today.

Comment 12

[Jim Blandy :jimb]

This is a duplicate of bug 1345453, fixed in d98072a1b492.