Bug 1269755 (Closed) - Assertion failure: !cx->isExceptionPending(), at js/src/jscntxt.h:667 with OOM
Opened 9 years ago, closed 9 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED, target milestone mozilla52
People: Reporter: decoder, Assigned: jonco
Keywords: assertion, testcase; Whiteboard: [jsbugmon:update]
Attachments (2 files):
- 5.40 KB, text/plain
- 3.81 KB, patch, jandem: review+
The following testcase crashes on mozilla-central revision 77cead2cd203 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):
// oomTest is a SpiderMonkey shell builtin: it reruns the function, simulating an allocation failure one allocation further in on each iteration
oomTest(function() { eval(`
  for ( power = 0; power <= 32; power++ ) {
    shiftexp = Math.pow( 2, power );
    for ( addexp = 0; addexp <= 32; addexp++ ) {
      SignedRightShift( shiftexp, addexp );
      shiftexp >> addexp;
    }
  }
  function Mask( b, n ) {
    b = ToUint32BitString( b );
    b = b.substring( b.length - n );
    b = ToUint32Decimal( b );
  }
  function ToUint32BitString( n ) {
    var b = "";
    for ( p = 31; p >=0; p-- ) {
      n >= Math.pow(2,p);
      b += "0";
    }
    return b;
  }
  function ToUint32Decimal( bin ) {
    bin = "0" + bin;
  }
  function SignedRightShift( s, a ) {
    a = Mask( a, 5 );
  }
`)});
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00000000005302a8 in js::CheckForInterrupt (cx=<optimized out>) at js/src/jscntxt.h:667
#0 0x00000000005302a8 in js::CheckForInterrupt (cx=<optimized out>) at js/src/jscntxt.h:667
#1 0x0000000000aa095e in Interpret (cx=cx@entry=0x7ffff6908c00, state=...) at js/src/vm/Interpreter.cpp:1919
#2 0x0000000000aaf378 in js::RunScript (cx=0x7ffff6908c00, state=...) at js/src/vm/Interpreter.cpp:426
#3 0x0000000000ab132b in js::ExecuteKernel (cx=0x7ffff6908c00, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffffffc0b0) at js/src/vm/Interpreter.cpp:704
#4 0x000000000083f43e in EvalKernel (cx=0x7ffff6908c00, v=..., v@entry=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., scopeobj=..., scopeobj@entry=..., pc=<optimized out>, vp=vp@entry=...) at js/src/builtin/Eval.cpp:328
#5 0x000000000083fd71 in js::DirectEval (cx=0x7ffff6908c00, v=..., vp=vp@entry=...) at js/src/builtin/Eval.cpp:439
#6 0x000000000061c412 in js::jit::DoCallFallback (cx=0x7ffff6908c00, frame=0x7fffffffc148, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffc0f8, res=...) at js/src/jit/BaselineIC.cpp:5954
#7 0x00007ffff7ff1c4f in ?? ()
[...]
#29 0x0000000000000000 in ?? ()
rip 0x5302a8 <js::CheckForInterrupt(JSContext*)+56>
=> 0x5302a8 <js::CheckForInterrupt(JSContext*)+56>: movl $0x29b,0x0
0x5302b3 <js::CheckForInterrupt(JSContext*)+67>: callq 0x4b07b0 <abort()>
Updated 9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1, 9 years ago
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781".
The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1
Since string-concat is present in the testcase, and js::ConcatStrings is on the stack, setting needinfo? from Jon, as Jon had resolved bug 1259913 which also involved js::ConcatStrings.
Flags: needinfo?(jcoppeard)
I only managed to slightly reduce this further to:
oomTest(function() { eval(`
  for (y = 0; y < 3; y++ ) {
    SignedRightShift(y );
  }
  function Mask( b, n ) {
    b = ToUint32BitString( b );
    b = b.substring( b.length - n );
    b = "0" + b;
  }
  function ToUint32BitString( n ) {
    var b = "";
    for ( var p = 0; p < 29; p++ ) {
      b += "0";
    }
    return b;
  }
  function SignedRightShift(a ) {
    a = Mask( a, 5 );
  }
`)});
Run with --fuzzing-safe --no-threads --no-baseline --no-ion on m-c rev 560b2c805bf7.
Comment 5, 9 years ago (Assignee)
Fix js::ConcatStrings to not throw an exception when called with NoGC template parameter.
This fixes the reported crash, but the same test case also fails when run with --ion-eager. I'm going to split this off into a separate bug as it's clearly not the same issue.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8795327 - Flags: review?(jdemooij)

Updated 9 years ago
Attachment #8795327 - Flags: review?(jdemooij) → review+
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d9b67ef4fb0a
Don't report OOM in ConcatStrings<NoGC> r=jandem
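The invariant behind comment 5 and this push, shown in a small hypothetical C++ model added here (not SpiderMonkey's code): a NoGC fast path may fail on OOM, but it must not leave an exception pending, because the interpreter's CheckForInterrupt asserts !cx->isExceptionPending() before any slow-path retry. Context, concatBuggy, concatFixed and the simulated allocation budget are all constructed for the illustration.

```cpp
#include <string>

// Hypothetical model (not SpiderMonkey code) of the invariant the fix restores:
// a NoGC fast path may fail, but it must never leave an exception pending.
enum AllowGC { NoGC, CanGC };

struct Context {
    bool exceptionPending = false; // models cx->isExceptionPending()
    int allocBudget = 0;           // constructed: allocations left before simulated OOM
    bool tryAlloc() { if (allocBudget <= 0) return false; --allocBudget; return true; }
    void reportOutOfMemory() { exceptionPending = true; } // models ReportOutOfMemory(cx)
};

// Buggy shape: OOM is reported on every instantiation, NoGC included.
template <AllowGC allowGC>
bool concatBuggy(Context& cx, const std::string& a, const std::string& b, std::string* out) {
    if (!cx.tryAlloc()) { cx.reportOutOfMemory(); return false; }
    *out = a + b;
    return true;
}

// Fixed shape: only the CanGC instantiation reports; NoGC just returns false so the
// caller can retry on the slow path, which reports if it also fails.
template <AllowGC allowGC>
bool concatFixed(Context& cx, const std::string& a, const std::string& b, std::string* out) {
    if (!cx.tryAlloc()) {
        if (allowGC == CanGC) cx.reportOutOfMemory();
        return false;
    }
    *out = a + b;
    return true;
}

// Models the interpreter: run the NoGC fast path under simulated OOM (what oomTest
// arranges), then evaluate CheckForInterrupt's assertion !cx->isExceptionPending().
bool fastPathKeepsInvariant(bool fixed) {
    Context cx;              // allocBudget 0: the first allocation fails
    std::string out;
    if (fixed) concatFixed<NoGC>(cx, "0", "0", &out);
    else       concatBuggy<NoGC>(cx, "0", "0", &out);
    return !cx.exceptionPending;
}

// The slow path is where OOM must be reported, so the error is not silently lost.
bool slowPathReportsOom() {
    Context cx;
    std::string out;
    return !concatFixed<CanGC>(cx, "0", "0", &out) && cx.exceptionPending;
}
```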
Comment 7, 9 years ago (bugherder)
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox52:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Comment 8, 9 years ago
Do we want to uplift that to 50 or 51? If so, please submit the uplift request. Thanks