Closed Bug 1325551 Opened 7 years ago Closed 7 years ago

Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h:242

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
macOS
defect

Tracking


RESOLVED FIXED
mozilla54
Tracking Status
firefox51 --- wontfix
firefox52 --- wontfix
firefox-esr52 --- wontfix
firefox53 --- wontfix
firefox54 --- fixed

People

(Reporter: gkw, Assigned: jonco)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(4 files)

The following testcase crashes on mozilla-central revision 7083c0d30e75 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// jsfunfuzz-generated
oomTest(function() {
    // Adapted from randomly chosen test: js/src/jit-test/tests/debug/Source-sourceMapURL-deprecated.js
    let g = newGlobal();
    let dbg = new Debugger;
    let gw = dbg.addDebuggee(g);
    g.eval("function f(){}");
    gw.makeDebuggeeValue(g.f).script.source.sourceMapURL = 'a';
});
Backtrace:

0   js-dbg-64-dm-clang-darwin-7083c0d30e75	0x0000000102318e87 js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 183 (jscntxtinlines.h:242)
1   js-dbg-64-dm-clang-darwin-7083c0d30e75	0x0000000102318a46 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 598 (Interpreter.cpp:457)
2   js-dbg-64-dm-clang-darwin-7083c0d30e75	0x000000010231a1da js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) + 330 (Interpreter.cpp:521)
3   js-dbg-64-dm-clang-darwin-7083c0d30e75	0x000000010235dbf1 js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) + 1873 (NativeObject.cpp:2437)
4   js-dbg-64-dm-clang-darwin-7083c0d30e75	0x000000010230ed24 Interpret(JSContext*, js::RunState&) + 29524 (Interpreter.cpp:259)
/snip

For detailed crash information, see attachment.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/548a09b1a4e6
user:        Jon Coppeard
date:        Tue Nov 10 09:44:52 2015 +0000
summary:     Bug 1215063 - Add os.path.isAbsolute() and as.path.join() shell utilities r=sfink

Jon, not sure if bug 1215063 is the real regressor, is it?
Blocks: 1215063
Flags: needinfo?(jcoppeard)
I doubt it.

(lldb) r
Process 5761 launched: './default-build/shell' (x86_64)
Assertion failure: !cx->isExceptionPending(), at /Users/jon/work/dev/js/src/jscntxtinlines.h:242
Process 5761 stopped
* thread #1:  js::CallJSNative at jscntxtinlines.h:242
Stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    0:  js::CallJSNative at jscntxtinlines.h:242
   239 	    bool ok = native(cx, args.length(), args.base());
   240 	    if (ok) {
   241 	        assertSameCompartment(cx, args.rval());
-> 242 	        MOZ_ASSERT_IF(!alreadyThrowing, !cx->isExceptionPending());
   243 	    }
   244 	    return ok;
   245 	}

(lldb) p native
(js::Native) $0 = 0x0000000100979b10 (shell`DebuggerSource_setSourceMapURL(JSContext*, unsigned int, JS::Value*) at Debugger.cpp:7160)
(lldb) p alreadyThrowing
(bool) $1 = false
(lldb) p cx->isExceptionPending()
(bool) $2 = true

Looks like DebuggerSource_setSourceMapURL is returning true but with an exception pending.
Flags: needinfo?(jcoppeard)
Just need to check the return value of ScriptSource::setSourceMap.
Assignee: nobody → jcoppeard
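The failure mode described in the two comments above (a native returning true while an exception is already pending on the context, because the result of a fallible setter was dropped) reduced to a stand-alone sketch. This is an added example, not SpiderMonkey code: Context, ScriptSource, the two natives and callNative are constructed stand-ins, [[nodiscard]] plays the role of MOZ_MUST_USE, and the simulateOOM flag replaces the real allocation failure that oomTest injects.

```cpp
#include <cstdio>
#include <initializer_list>
#include <string>

// Stand-in for the parts of JSContext this example needs (constructed here, not SpiderMonkey's type).
struct Context {
    bool exceptionPending = false;
    void reportOutOfMemory() { exceptionPending = true; }   // failure is signalled via the pending exception
    bool isExceptionPending() const { return exceptionPending; }
};

// Stand-in for ScriptSource. The setter can fail and reports failure the SpiderMonkey way:
// it sets a pending exception on cx and returns false. [[nodiscard]] stands in for MOZ_MUST_USE,
// so a caller that silently drops the result gets a compiler warning.
struct ScriptSource {
    std::string sourceMapURL;
    [[nodiscard]] bool setSourceMapURL(Context* cx, const std::string& url, bool simulateOOM) {
        if (simulateOOM) {
            cx->reportOutOfMemory();
            return false;
        }
        sourceMapURL = url;
        return true;
    }
};

using Native = bool (*)(Context* cx, ScriptSource* ss, const std::string& url, bool simulateOOM);

// Shape of the original defect: the setter's result is dropped and the native reports success
// even though an exception is now pending on cx.
bool setSourceMapURL_buggy(Context* cx, ScriptSource* ss, const std::string& url, bool simulateOOM) {
    (void)ss->setSourceMapURL(cx, url, simulateOOM);   // the cast is what silences [[nodiscard]]
    return true;
}

// Shape of the fix: propagate failure so "returned false" and "exception pending" stay in step.
bool setSourceMapURL_fixed(Context* cx, ScriptSource* ss, const std::string& url, bool simulateOOM) {
    if (!ss->setSourceMapURL(cx, url, simulateOOM))
        return false;
    return true;
}

struct CallResult {
    bool ok;               // what the native returned
    bool exceptionPending; // cx state after the call
    bool invariantHolds;   // the condition CallJSNative asserts
};

// Mirrors the check in CallJSNative: if the native returns true and no exception was pending
// before the call, none may be pending afterwards. Records the observation instead of asserting.
CallResult callNative(Context* cx, Native native, ScriptSource* ss, const std::string& url, bool simulateOOM) {
    bool alreadyThrowing = cx->isExceptionPending();
    bool ok = native(cx, ss, url, simulateOOM);
    bool invariantHolds = !ok || alreadyThrowing || !cx->isExceptionPending();
    return CallResult{ok, cx->isExceptionPending(), invariantHolds};
}

// Runs one native against a fresh context and source, with or without the simulated OOM.
CallResult runScenario(Native native, bool simulateOOM) {
    Context cx;
    ScriptSource ss;
    return callNative(&cx, native, &ss, "a", simulateOOM);
}

int main() {
    struct { const char* name; Native native; } natives[] = {
        {"buggy", setSourceMapURL_buggy},
        {"fixed", setSourceMapURL_fixed},
    };
    for (const auto& n : natives) {
        for (bool oom : {false, true}) {
            CallResult r = runScenario(n.native, oom);
            std::printf("%s native, oom=%d: ok=%d exceptionPending=%d invariant %s\n",
                        n.name, oom, r.ok, r.exceptionPending, r.invariantHolds ? "holds" : "VIOLATED");
        }
    }
    return 0;
}
```

Only the buggy native under simulated OOM violates the invariant, which is exactly the state the lldb session above shows (`ok` true, `alreadyThrowing` false, `cx->isExceptionPending()` true). Without an annotation like MOZ_MUST_USE the dropped result is silent until a debug build reaches the assertion in CallJSNative; with it, the compiler flags the call site.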
Attachment #8823589 - Flags: review?(jimb)
Add MOZ_MUST_USE to ScriptSource class in appropriate places and fix the other issue this turned up.
Attachment #8823591 - Flags: review?(jimb)
Oops, forgot to attach the OOM_VERBOSE=1 stack.
Priority: -- → P1
Attachment #8823589 - Flags: review?(jimb) → review+
Comment on attachment 8823591 [details] [diff] [review]
bug1325551-scriptSource-must-use

Review of attachment 8823591 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good, except for the two search-and-replace stumbles.

::: js/src/jsscript.h
@@ +513,5 @@
>  
>      void addSizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf,
>                                  JS::ScriptSourceInfo* info) const;
>  
> +    MOZ_MUST_USE MOZ_MUST_USE bool setSource(ExclusiveContext* cx,
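Review bot: the added declaration at line 513 carries `MOZ_MUST_USE` twice; one annotation is enough and the duplicate reads as a find-and-replace slip, so the line should read `MOZ_MUST_USE bool setSource(ExclusiveContext* cx,`. The annotation itself is the right fix for the class of bug in this report: a caller that drops the `bool` from a fallible setter and reports success anyway now gets a compile-time warning rather than a debug-only assertion in `CallJSNative`.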

This is a search-and-replace error, right?

@@ +520,3 @@
>      void setSource(SharedImmutableTwoByteString&& string);
>  
> +    MOZ_MUST_USE MOZ_MUST_USE bool setCompressedSource(ExclusiveContext* cx,
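Review bot: same doubled `MOZ_MUST_USE` on the `setCompressedSource` declaration; collapse it to `MOZ_MUST_USE bool setCompressedSource(ExclusiveContext* cx,`. The `void setSource(SharedImmutableTwoByteString&& string);` overload in the context line above is rightly left without the annotation, since it returns nothing a caller could check.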

Here as well.
Attachment #8823591 - Flags: review?(jimb) → review+
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/086495e41690
Check return value of ScriptSource::setSourceMapURL r=jimb
https://hg.mozilla.org/integration/mozilla-inbound/rev/2e232a53e2db
Add MOZ_MUST_USE to ScriptSource r=jimb
https://hg.mozilla.org/mozilla-central/rev/086495e41690
https://hg.mozilla.org/mozilla-central/rev/2e232a53e2db
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Blocks: 1074745
No longer blocks: 1215063
Jon says on IRC that this is rare enough in practice that it can ride the trains.