Closed
Bug 1483016
Opened 6 years ago
Closed 6 years ago
Assertion failure: !cx->isExceptionPending(), at js/src/vm/JSContext-inl.h:331 with ES6 Modules
Categories
(Core :: JavaScript Engine, defect, P1)
RESOLVED DUPLICATE of bug 1483182
Tracking | Status | |
---|---|---|
firefox63 | --- | fixed |
People
(Reporter: decoder, Assigned: n.nethercote)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [jsbugmon:update])
The following testcase crashes on mozilla-central revision bf79440c1376 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):
```js
var lfLogBuffer = `
var obj = {};
for (var x in obj)
var h = {};
`;
loadFile(lfLogBuffer);
loadFile(lfLogBuffer);
function loadFile(lfVarx) {
    oomTest(function() {
        let m = parseModule(lfVarx);
        m.declarationInstantiation();
        m.evaluation();
    });
}
```
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x00000000004d8cf0 in js::CheckForInterrupt (cx=0x7ffff5f17000) at js/src/vm/JSContext-inl.h:331
#0 0x00000000004d8cf0 in js::CheckForInterrupt (cx=0x7ffff5f17000) at js/src/vm/JSContext-inl.h:331
#1 0x00000000005a79b8 in Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:2268
#2 0x00000000005b2956 in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:425
#3 0x00000000005b5cbd in js::ExecuteKernel (cx=<optimized out>, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffffffbc98) at js/src/vm/Interpreter.cpp:773
#4 0x00000000005b6119 in js::Execute (cx=<optimized out>, cx@entry=0x7ffff5f17000, script=script@entry=..., envChainArg=..., rval=rval@entry=0x7fffffffbc98) at js/src/vm/Interpreter.cpp:806
#5 0x00000000006127a1 in js::ModuleObject::execute (cx=0x7ffff5f17000, self=..., self@entry=..., rval=rval@entry=...) at js/src/builtin/ModuleObject.cpp:1117
#6 0x0000000000cbba5d in intrinsic_ExecuteModule (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/SelfHosting.cpp:2218
#7 0x00001fc7f711d2db in ?? ()
[...]
#11 0x0000000000000000 in ?? ()
rip 0x4d8cf0 <js::CheckForInterrupt(JSContext*)+224>
=> 0x4d8cf0 <js::CheckForInterrupt(JSContext*)+224>: movl $0x0,0x0
0x4d8cfb <js::CheckForInterrupt(JSContext*)+235>: ud2
Updated•6 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•6 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ad30dc53e38e
user: Nicholas Nethercote
date: Fri Aug 10 18:00:29 2018 +1000
summary: Bug 1481998 - Make mozilla::Hash{Map,Set}'s entry storage allocation lazy. r=luke,sfink
This iteration took 285.028 seconds to run.
Updated•6 years ago
Flags: needinfo?(n.nethercote)
Priority: -- → P1
Assignee
Comment 2•6 years ago
I can reproduce this and I have confirmed that bug 1481998 is at fault. The failure reproduces about 50% of the time for me.
Assignee: nobody → n.nethercote
Flags: needinfo?(n.nethercote)
Assignee
Updated•6 years ago
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Comment 4•6 years ago
Fixed in 63 in bug 1483016.