1328134 - Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h:242 with getBacktrace

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 31ffcb82ced8 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

var lfLogBuffer = `
Function.prototype.toString = function() {
  this("", "", String(["f"]), String('a'.match()))
};
getBacktrace({thisprops: true});
`;
readline = function() {}
loadFile(lfLogBuffer)
loadFile(lfLogBuffer)
function loadFile(lfVarx) {
    evaluate(lfVarx);
}



Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  js::CallJSNative (cx=cx@entry=0x7f1dff05f000, native=0x446b90 <StackDump(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:242
#1  0x0000000000542c21 in js::InternalCallOrConstruct (cx=0x7f1dff05f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:457
#2  0x0000000000543036 in InternalCall (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:502
#3  0x00000000005431ae in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:521
#4  0x00000000007e28ad in js::jit::InvokeFunction (cx=0x7f1dff05f000, obj=..., constructing=<optimized out>, argc=4, argv=0x7fffb9314950, rval=...) at js/src/jit/VMFunctions.cpp:114
#5  0x00007f1e005c922a in ?? ()
#6  0x0000000000000000 in ?? ()
rax	0x2052520	33891616
rbx	0x7fffb9314800	140736300402688
rcx	0x11a33f0	18494448
rdx	0x0	0
rsi	0x7f1dff67b770	139766815766384
rdi	0x7f1dff67a540	139766815761728
rbp	0x7fffb9314570	140736300402032
rsp	0x7fffb9314520	140736300401952
r8	0x7f1dff67b770	139766815766384
r9	0x7f1e0076c740	139766833530688
r10	0x0	0
r11	0x0	0
r12	0x7f1dff05f000	139766809358336
r13	0x1	1
r14	0x7fffb9314530	140736300401968
r15	0x7fffb9314888	140736300402824
rip	0x54d239 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+393>
=> 0x54d239 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+393>:	movl   $0x0,0x0
   0x54d244 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+404>:	ud2

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b5b06959919a
user:        Tooru Fujisawa
date:        Sat Sep 05 21:55:06 2015 +0900
summary:     Bug 887016 - Part 9: Implement RegExp.prototype[@@match] and call it from String.prototype.match. r=till

Arai-san, is bug 887016 a likely regressor?

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

readline = function() {};
function f() {
    Function.prototype.toString = function () {
        this("", "", "x", 'a'.match() + "");
    };
    getBacktrace({
        thisprops: 1
    });
}
f()

Slightly more reduced testcase, reproduces on m-c rev 57ac9f63fc69.

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Unable to get the OOM_VERBOSE=1 stack because there was no series of output message similar to:

ReportOutOfMemory called
  allocation 1768
ReportOutOfMemory called
  allocation 1769
ReportOutOfMemory called
  allocation 1770
ReportOutOfMemory called
  allocation 1771
ReportOutOfMemory called
ReportOutOfMemory called
  allocation 1772
ReportOutOfMemory called

that was dumped.

Comment 4

[Tooru Fujisawa [:arai]]

StackDump should return false when JS::FormatStackDump fails, or clear exception before returning true.

Comment 5

[Tooru Fujisawa [:arai]]

so, this is not a regression from Bug 887016.
also, this is shell-only function that doesn't affect browser.

Comment 6

[Tooru Fujisawa [:arai]]

Attachment: Clear pending exception when JS::FormatStackDump fails in StackDump.

Added JS_ClearPendingException, since it's shell-only testing function and we already printed error message.
the testcase doesn't end when this bug is fixed, so I don't include it in this patch.

Comment 7

[Tooru Fujisawa [:arai]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/39927f8b09e5c0baf0c0f6897012bc1a57c659c0
Bug 1328134 - Clear pending exception when JS::FormatStackDump fails in StackDump. r=evilpie

Comment 8

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/39927f8b09e5

Comment 9

[Ryan VanderMeulen [:RyanVM]]

Probably not worth backporting to Beta, but please request Aurora approval on this when you get a chance.

Comment 10

[Tooru Fujisawa [:arai]]

Comment on attachment 8824010 [details] [diff] [review]
Clear pending exception when JS::FormatStackDump fails in StackDump.

Sorry for the delay.
Same patch is applicable to mozilla-aurora.

Approval Request Comment
> [Feature/Bug causing the regression]
Bug 1043577

> [User impact if declined]
None.
This crash happens only in debug build of JS shell.
This will affect fuzzing, and fixing this helps it to avoid hitting crash.

> [Is this code covered by automated tests?]
No, since the testcase doesn't stop if the issue is fixed.

> [Has the fix been verified in Nightly?]
At least locally, yes.

> [Needs manual test from QE? If yes, steps to reproduce]
I don't thinks this requires QE.

> [List of other uplifts needed for the feature/fix]
None

> [Is the change risky?]
No

> [Why is the change risky/not risky?]
This patch touches only shell-only testing function.
It's not exposed to browser.

> [String changes made/needed]
None

Comment 11

[Julien Cristau [:jcristau]]

Comment on attachment 8824010 [details] [diff] [review]
Clear pending exception when JS::FormatStackDump fails in StackDump.

fix assertion in debug builds, aurora52+

Comment 12

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/8588dbbcfd31