1296661 - Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h:238 with OOM

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 0502bd9e025e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

 lfLogBuffer = `
{
}
opts = new Proxy({loc: false}, {})
(Reflect.parse("0", opts))
`.split('\n')
 lfCodeBuffer = ""
 while (true) {
     line = lfLogBuffer.shift()
     loadFile(lfCodeBuffer)
     lfCodeBuffer += line + "\n"
 }

 function loadFile(lfVarx)
 oomTest(function() {
     eval(lfVarx)
 })


Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000ac41b7 in js::CallJSNative (cx=0x7ffff692d000, native=0xc3af60 <reflect_parse(JSContext*, uint32_t, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:238
#0  0x0000000000ac41b7 in js::CallJSNative (cx=0x7ffff692d000, native=0xc3af60 <reflect_parse(JSContext*, uint32_t, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:238
#1  0x0000000000abafa5 in js::InternalCallOrConstruct (cx=0x7ffff692d000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:453
#2  0x0000000000ab0f0d in CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:504
#3  Interpret (cx=0x7ffff692d000, state=...) at js/src/vm/Interpreter.cpp:2881
#4  0x0000000000abadbe in js::RunScript (cx=0x7ffff692d000, state=...) at js/src/vm/Interpreter.cpp:399
#5  0x0000000000ac1602 in js::ExecuteKernel (cx=0x7ffff692d000, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffffffcd10) at js/src/vm/Interpreter.cpp:679
#6  0x00000000009fc861 in EvalKernel (cx=cx@entry=0x7ffff692d000, v=..., v@entry=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., scopeobj=..., scopeobj@entry=..., pc=<optimized out>, vp=vp@entry=...) at js/src/builtin/Eval.cpp:334
#7  0x00000000009fd381 in js::DirectEval (cx=0x7ffff692d000, v=..., vp=vp@entry=...) at js/src/builtin/Eval.cpp:451
#8  0x0000000000deb792 in js::jit::DoCallFallback (cx=0x7ffff692d000, frame=0x7fffffffcda8, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffcd58, res=...) at js/src/jit/BaselineIC.cpp:5966
#9  0x00007ffff7e4f08a in ?? ()
[...]
#41 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x0	0
rcx	0x7ffff6ca588d	140737333844109
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffb870	140737488337008
rsp	0x7fffffffb820	140737488336928
r8	0x7ffff7fe77c0	140737354037184
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffb5e0	140737488336352
r11	0x7ffff6c27ee0	140737333329632
r12	0x7fffef3541d8	140737206632920
r13	0x7fffffffb830	140737488336944
r14	0x7fffffffbc80	140737488338048
r15	0x7ffff692d000	140737330204672
rip	0xac41b7 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+695>
=> 0xac41b7 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+695>:	movl   $0xee,0x0
   0xac41c2 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+706>:	callq  0x4bca20 <abort()>

Comment 1

[Fuzzing Team]

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/9c365490d4ce
user:        Jon Coppeard
date:        Tue Oct 13 13:37:07 2015 +0100
summary:     Bug 1212469 - Make oomTest() into a shell function r=nbp

Jon, this might go back prior to this changeset, I'm seemingly unable to get an OOM_VERBOSE stack, though I could reproduce the issue on m-c rev f0e6cc636021. Do you think you might be able to take a look?

I found that this is hiding other issues e.g. bug 1305197 by chance.

Comment 3

[Jon Coppeard (:jonco)]

Attachment: bug1296661-reflect-oom

The bug is caused by not checking the return value of defineProperty in NodeBuilder::setNodeLoc.

I fixed this and added MOZ_MUST_USE everywhere in this file, although it didn't catch any more bugs.

Comment 4

[Nicholas Nethercote [inactive]]

Comment on attachment 8794775 [details] [diff] [review]
bug1296661-reflect-oom

Review of attachment 8794775 [details] [diff] [review]:
-----------------------------------------------------------------

All hail MOZ_MUST_USE.

::: js/src/builtin/ReflectParse.cpp
@@ +746,1 @@
>          return true;

The second return is now unreachable. Please remove it.

Comment 5

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/aaa9737db07e
Use MOZ_MUST_USE in Reflect.parse implementation r=njn

Comment 6

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/aaa9737db07e

Comment 7

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Jon, do you mind backporting this to other branches, at least to mozilla-aurora? Thanks!

Comment 8

[Jon Coppeard (:jonco)]

Comment on attachment 8794775 [details] [diff] [review]
bug1296661-reflect-oom

Approval Request Comment
[Feature/regressing bug #]: Bug 569487.
[User impact if declined]: Reflect.parse returns the wrong result on OOM.
[Describe test coverage new/current, TreeHerder]: On m-c since 28th September.
[Risks and why]: Low
[String/UUID change made/needed]: None

Comment 9

[Gerry Chang [:gchang]]

Comment on attachment 8794775 [details] [diff] [review]
bug1296661-reflect-oom

Fix an assertion error related to javascript. Take it in 51 aurora.

Comment 10

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/fb559cc346a9