Closed Bug 1320226 Opened 8 years ago Closed 8 years ago

Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h:242

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla53
Tracking Flags:
Tracking Status
firefox52 + fixed
firefox53 --- fixed

People

(Reporter: gkw, Assigned: bbouvier)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files, 1 obsolete file)

Detailed Crash Information
29.98 KB, text/plain
Details
oom.patch
3.03 KB, patch
bbouvier
: review+
jcristau
: approval-mozilla-aurora+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision bad312aefb42 (build with --enable-debug, run with --fuzzing-safe --no-threads --no-baseline --no-ion): // Adapted from randomly chosen test: js/src/jit-test/tests/debug/wasm-01.js oomTest(function() { var g = newGlobal(); g.eval("new WebAssembly.Instance(new WebAssembly.Module(wasmTextToBinary('(module (func) (export \"\" 0))')));"); var dbg = new Debugger(g); dbg.findScripts(); }) Backtrace: 0 js-dbg-64-clang-darwin-bad312aefb42 0x00000001031d38d7 js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 183 (jscntxtinlines.h:242) 1 js-dbg-64-clang-darwin-bad312aefb42 0x00000001031d3494 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 548 (Interpreter.cpp:447) 2 js-dbg-64-clang-darwin-bad312aefb42 0x00000001031cb254 Interpret(JSContext*, js::RunState&) + 36404 (Interpreter.cpp:2922) 3 js-dbg-64-clang-darwin-bad312aefb42 0x00000001031c21eb js::RunScript(JSContext*, js::RunState&) + 443 (Interpreter.cpp:405) 4 js-dbg-64-clang-darwin-bad312aefb42 0x00000001031d3448 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 472 (Interpreter.cpp:477) /snip For detailed crash information, see attachment.
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/958074f3b830 user: Dan Gohman date: Fri Sep 23 09:13:15 2016 -0500 summary: Bug 1287220 - Baldr: update to binary version 0xc (r=luke) Dan, is bug 1287220 a likely regressor?
Blocks: 1287220
Flags: needinfo?(sunfish)
Attached patch oom.patch (obsolete) — Splinter Review
Probably even older than that. Two issues here: - Debugger::findScripts calls consider(WasmInstanceObject*), which can set oom, but never checks against this flag and report it. - GetBufferSource can OOM without reporting too (because the Bytes in SharedBytes use the SystemAllocPolicy)
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Flags: needinfo?(sunfish)
Attachment #8814361 - Flags: review?(luke)
tracking this wasm issue for 52
tracking-firefox52: ?+
Comment on attachment 8814361 [details] [diff] [review] oom.patch Review of attachment 8814361 [details] [diff] [review]: ----------------------------------------------------------------- Thanks! ::: js/src/wasm/WasmJS.cpp @@ +711,5 @@ > > JSObject* unwrapped = CheckedUnwrap(obj); > > + size_t byteLength; > + uint8_t* ptr = nullptr; Probably good to initialize byteLength too for symmetry.
Attachment #8814361 - Flags: review?(luke) → review+
Attached patch oom.patchSplinter Review
Thanks for the review! carrying forward r+, updated patch for aurora uplift.
Attachment #8814361 - Attachment is obsolete: true
Attachment #8815179 - Flags: review+
Pushed by bbouvier@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/fd4aacce0b00 Report OOM when going through all the wasm instances and when copying the wasm buffer source fails; r=luke
https://hg.mozilla.org/mozilla-central/rev/fd4aacce0b00
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox53: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Comment on attachment 8815179 [details] [diff] [review] oom.patch Approval Request Comment [Feature/Bug causing the regression]: wasm [User impact if declined]: errors not getting reported + undefined behavior when looking at wasm code through the debugger [Is this code covered by automated tests?]: no; OOM bugs are very sensitive to memory allocations and thus hard to reproduce in a consistent fashion [Has the fix been verified in Nightly?]: yes [Needs manual test from QE? If yes, steps to reproduce]: no [List of other uplifts needed for the feature/fix]: n/a [Is the change risky?]: very low [Why is the change risky/not risky?]: tested/fuzzed for a week and no linked reports about it; plus it's a more conservative change [String changes made/needed]: n/a
Attachment #8815179 - Flags: approval-mozilla-aurora?
Comment on attachment 8815179 [details] [diff] [review] oom.patch wasm fix for aurora52
Attachment #8815179 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: