Closed Bug 1483016 Opened 6 years ago Closed 6 years ago

Assertion failure: !cx->isExceptionPending(), at js/src/vm/JSContext-inl.h:331 with ES6 Modules

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux

Tracking

RESOLVED DUPLICATE of bug 1483182
Tracking Status
firefox63 --- fixed

People

(Reporter: decoder, Assigned: n.nethercote)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

The following testcase crashes on mozilla-central revision bf79440c1376 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

var lfLogBuffer = `
var obj = {};
for (var x in obj)
  var h = {};
`;
loadFile(lfLogBuffer);
loadFile(lfLogBuffer);
function loadFile(lfVarx) {
    oomTest(function() {
        let m = parseModule(lfVarx);
        m.declarationInstantiation();
        m.evaluation();
    });
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x00000000004d8cf0 in js::CheckForInterrupt (cx=0x7ffff5f17000) at js/src/vm/JSContext-inl.h:331
#0  0x00000000004d8cf0 in js::CheckForInterrupt (cx=0x7ffff5f17000) at js/src/vm/JSContext-inl.h:331
#1  0x00000000005a79b8 in Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:2268
#2  0x00000000005b2956 in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:425
#3  0x00000000005b5cbd in js::ExecuteKernel (cx=<optimized out>, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffffffbc98) at js/src/vm/Interpreter.cpp:773
#4  0x00000000005b6119 in js::Execute (cx=<optimized out>, cx@entry=0x7ffff5f17000, script=script@entry=..., envChainArg=..., rval=rval@entry=0x7fffffffbc98) at js/src/vm/Interpreter.cpp:806
#5  0x00000000006127a1 in js::ModuleObject::execute (cx=0x7ffff5f17000, self=..., self@entry=..., rval=rval@entry=...) at js/src/builtin/ModuleObject.cpp:1117
#6  0x0000000000cbba5d in intrinsic_ExecuteModule (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/SelfHosting.cpp:2218
#7  0x00001fc7f711d2db in ?? ()
[...]
#11 0x0000000000000000 in ?? ()
rax  0x0  0
rbx  0x7ffff5f17000  140737319628800
rcx  0x7ffff6c1c2dd  140737333281501
rdx  0x0  0
rsi  0x7ffff6eeb770  140737336227696
rdi  0x7ffff6eea540  140737336223040
rbp  0x7fffffffb2b0  140737488335536
rsp  0x7fffffffb290  140737488335504
r8   0x7ffff6eeb770  140737336227696
r9   0x7ffff7fe6780  140737354033024
r10  0x58  88
r11  0x7ffff6b927a0  140737332717472
r12  0x7fffffffba40  140737488337472
r13  0x1  1
r14  0x1  1
r15  0x7fffffffb7a0  140737488336800
rip  0x4d8cf0  <js::CheckForInterrupt(JSContext*)+224>
=> 0x4d8cf0 <js::CheckForInterrupt(JSContext*)+224>:  movl $0x0,0x0
   0x4d8cfb <js::CheckForInterrupt(JSContext*)+235>:  ud2
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ad30dc53e38e
user: Nicholas Nethercote
date: Fri Aug 10 18:00:29 2018 +1000
summary: Bug 1481998 - Make mozilla::Hash{Map,Set}'s entry storage allocation lazy. r=luke,sfink

This iteration took 285.028 seconds to run.
Flags: needinfo?(n.nethercote)
Priority: -- → P1
I can reproduce this and I have confirmed that bug 1481998 is at fault. The failure reproduces about 50% of the time for me.
Assignee: nobody → n.nethercote
Flags: needinfo?(n.nethercote)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE