Closed
Bug 1461034
Opened 7 years ago
Closed 7 years ago
Assertion failure: cx_->isExceptionPending(), at js/src/frontend/BytecodeCompiler.cpp:588
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla62
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox-esr60 | --- | unaffected |
| firefox60 | --- | unaffected |
| firefox61 | --- | wontfix |
| firefox62 | --- | fixed |
People
(Reporter: gkw, Assigned: jandem)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
|
10.02 KB,
text/plain
|
Details | |
|
1.25 KB,
patch
|
jonco
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 4303d49c5393 (build with --enable-debug, run with --fuzzing-safe --no-threads --no-baseline --no-ion):
oomTest(function(){s[-1]})
Backtrace:
#0 0x000055d46d3a3e05 in AutoAssertReportedException::~AutoAssertReportedException (this=0x7ffd781f33f0, __in_chrg=<optimized out>) at js/src/frontend/BytecodeCompiler.cpp:588
#1 0x000055d46d39f7b5 in js::frontend::CompileLazyFunction (cx=<optimized out>, lazy=..., lazy@entry=..., chars=<optimized out>, length=length@entry=9) at js/src/frontend/BytecodeCompiler.cpp:745
#2 0x000055d46d089570 in JSFunction::createScriptForLazilyInterpretedFunction (cx=<optimized out>, fun=...) at js/src/vm/JSFunction.cpp:1626
#3 0x000055d46c97179c in JSFunction::getOrCreateScript (cx=<optimized out>, fun=...) at js/src/vm/JSFunction.h:528
#4 0x000055d46caa0c11 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7f9940817000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470
/snip
For detailed crash information, see attachment.
|
Reporter | |
Comment 1•7 years ago
|
||
|
|
Reporter | |
Comment 2•7 years ago
|
||
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ce42829bf948
user: Jan de Mooij
date: Thu May 03 16:17:09 2018 +0200
summary: Bug 1458198 - Assert the frontend reported an exception if it fails to compile a script. r=jorendorff
Jan, is bug 1458198 a likely regressor?
Blocks: 1458198
Flags: needinfo?(jdemooij)
|
Assignee | |
Comment 3•7 years ago
|
||
The OOM trap: when you improve our OOM testing/asserts and then get to fix all the issues that come up...
|
|
Assignee | |
Comment 4•7 years ago
|
||
We reported OOM correctly but then we incorrectly called recoverFromOutOfMemory.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8975256 -
Flags: review?(jcoppeard)
|
||
Updated•7 years ago
|
Attachment #8975256 -
Flags: review?(jcoppeard) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0d1f6fbcc3a1
Don't clear an OOM exception in FoldElement. r=jonco
|
|
||
Comment 6•7 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
|
||
Updated•7 years ago
|
status-firefox60:
--- → unaffected
status-firefox61:
--- → wontfix
status-firefox-esr52:
--- → unaffected
status-firefox-esr60:
--- → unaffected
Flags: in-testsuite+
|
||
Updated•7 years ago
|
Keywords: regression
You need to log in
before you can comment on or make changes to this bug.
Description
•