Closed Bug 1310589 Opened 8 years ago Closed 8 years ago

Assertion failure: !cx->isExceptionPending(), at js/src/jscntxt.h:689

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla52
Tracking Flags:
Tracking Status
firefox52 --- fixed

People

(Reporter: gkw, Assigned: jonco)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(4 files)

Detailed Crash Information
32.70 KB, text/plain
Details
Testcase
5.62 KB, text/plain
Details
OOM_VERBOSE=1 stack from m-c rev 9079d1671121
11.51 KB, text/plain
Details
bug1310589-shrinkSlots-OOM
7.00 KB, patch
evilpie
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision 9079d1671121 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

See attachment.

Backtrace:

0   js-dbg-64-dm-clang-darwin-9079d1671121	0x0000000108c2491d js::array_reverse(JSContext*, unsigned int, JS::Value*) + 1325 (jscntxt.h:689)
1   js-dbg-64-dm-clang-darwin-9079d1671121	0x000000010933ec0d js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 93 (jscntxtinlines.h:240)
2   js-dbg-64-dm-clang-darwin-9079d1671121	0x000000010933e988 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 696 (Interpreter.cpp:446)
3   js-dbg-64-dm-clang-darwin-9079d1671121	0x0000000109336394 Interpret(JSContext*, js::RunState&) + 34644 (Interpreter.cpp:2922)
4   js-dbg-64-dm-clang-darwin-9079d1671121	0x000000010932da1b js::RunScript(JSContext*, js::RunState&) + 443 (Interpreter.cpp:404)
5   js-dbg-64-dm-clang-darwin-9079d1671121	0x000000010933e923 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 595 (Interpreter.cpp:476)
/snip

For detailed crash information, see attachment.
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160302090939" and the hash "09bb9469a14d4587e44027e648438a5f23526cd7".
The "bad" changeset has the timestamp "20160302093919" and the hash "9de2c10a1cc34fdeade8523b53f03d567e7f190b".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=09bb9469a14d4587e44027e648438a5f23526cd7&tochange=9de2c10a1cc34fdeade8523b53f03d567e7f190b
Not sure if the regression window is entirely accurate, so setting needinfo? from Jon as a start.
Flags: needinfo?(jcoppeard)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/432cce28b337
user:        Boris Zbarsky
date:        Wed Mar 02 12:38:23 2016 -0500
summary:     Bug 1252905.  Don't invoke the interrupt callback while an exception is pending.  r=jandem

Not sure if this result is correct...
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #5)
> Not sure if this result is correct...

Likely unrelated, it just happened to add the assert that's failing here.
https://dxr.mozilla.org/mozilla-central/rev/9079d167112122805f99f57bb8856e1b1675af0f/js/src/vm/NativeObject.cpp#500-502 adds the pending exception, but doesn't propagate the allocation failure resp. clears the pending exception when allocation failures can be ignored.
We need to clear the exception here since we're ignoring it.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8802069 - Flags: review?(evilpies)
Comment on attachment 8802069 [details] [diff] [review]
bug1310589-shrinkSlots-OOM

Review of attachment 8802069 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/vm/NativeObject.cpp
@@ +498,5 @@
>      MOZ_ASSERT_IF(!is<ArrayObject>(), newCount >= SLOT_CAPACITY_MIN);
>  
>      HeapSlot* newslots = ReallocateObjectBuffer<HeapSlot>(cx, this, slots_, oldCount, newCount);
> +    if (!newslots) {
> +        cx->recoverFromOutOfMemory();

This makes sense and matches NativeObject::shrinkElements. r+
Attachment #8802069 - Flags: review?(evilpies) → review+
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/e2d125de7b24
Fix OOM handling in NativeObject::shrinkSlots r=evilpie
https://hg.mozilla.org/mozilla-central/rev/e2d125de7b24
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox52: affectedfixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: