Closed Bug 1335533 Opened 7 years ago Closed 6 years ago

Assertion failure: !JS_IsExceptionPending(cx), at js/src/jsexn.h:124

Categories: Core :: JavaScript Engine, defect, P3 (x86, macOS)
Status: RESOLVED WORKSFORME
Tracking Status: firefox54 --- affected
People: Reporter: gkw, Unassigned
Details: 5 keywords, Whiteboard: [jsbugmon:update]
Attachments: 2 files

The following testcase crashes on mozilla-central revision 1fe66bd0efba (build with --enable-debug --enable-more-deterministic --32, run with --fuzzing-safe --no-threads --ion-eager):

// jsfunfuzz-generated
oomTest(function () {
    // Adapted from randomly chosen test: js/src/jit-test/tests/debug/bug999655.js
    var g = newGlobal();
    Debugger(g).onNewScript = function (script) {
        fscript = script.getChildScripts()[0]
    }
    g.eval("function f(){}");
    fscript.setBreakpoint(0, {
        hit: function (frame) {
            frame.arguments[0]
        }
    });
    g.f()
})

Backtrace:

0   js-dbg-32-dm-clang-darwin-1fe66bd0efba	0x0028a568 js::jit::GetPropIRGenerator::tryAttachStub() + 2232 (jsexn.h:124)
1   js-dbg-32-dm-clang-darwin-1fe66bd0efba	0x00be7aef js::jit::DoGetElemFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICGetElem_Fallback*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) + 1231 (BaselineIC.cpp:851)
/snip

For detailed crash information, see attachment.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/0b58022dda33
user:        Eddy Bruel
date:        Thu Dec 29 15:10:11 2016 +0100
summary:     Bug 1271650 - Implement a C++ interface for DebuggerFrame.arguments. r=jimb

Jim, is bug 1271650 a likely regressor?
Blocks: 1271650
Flags: needinfo?(jimb)

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/48078fb0fcc2
user:        André Bargull
date:        Fri Jun 02 12:04:31 2017 +0200
summary:     Bug 1368963 - Avoid extra calls to GetPropertyKeys() in Object.freeze/seal/preventExtensions. r=jandem

I don't think this is a likely fix, is it? Shu-yu, you've fixed a few Debugger issues related to Exceptions, what do you think?
Flags: needinfo?(jimb) → needinfo?(shu)
Keywords: triage-deferred
Priority: -- → P3

> I don't think this is a likely fix, is it? Shu-yu, you've fixed a few
> Debugger issues related to Exceptions, what do you think?

Moving needinfo? to Jim.
Flags: needinfo?(shu) → needinfo?(jimb)

Looking into this today.
Flags: needinfo?(jimb)

I'm also able to reproduce this on the parent of the changeset given in comment 2. I get:

Assertion failure: cx->isExceptionPending() (Thunk execution failed but no exception was raised - missing call to js::ReportOutOfMemory()?), at /home/jimb/moz/dbg/js/src/builtin/TestingFunctions.cpp:1406
Segmentation fault (core dumped)

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4)
> autoBisect shows this is probably related to the following changeset:
> 
> The first good revision is:
> changeset:   https://hg.mozilla.org/mozilla-central/rev/48078fb0fcc2
> user:        André Bargull
> date:        Fri Jun 02 12:04:31 2017 +0200
> summary:     Bug 1368963 - Avoid extra calls to GetPropertyKeys() in
> Object.freeze/seal/preventExtensions. r=jandem
> 
> I don't think this is a likely fix, is it? Shu-yu, you've fixed a few
> Debugger issues related to Exceptions, what do you think?

This does not seem like a likely fix for this bug.

Let's resolve this WFM, since it no longer reproduces. We'll find more fuzzbugs of these types going forward as well.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME