Closed Bug 1491326 Opened Last year Closed 11 months ago

Assertion failure: cx->isExceptionPending() (Thunk execution failed but no exception was raised - missing call to js::ReportOutOfMemory()?), at js/src/builtin/TestingFunctions.cpp:1776 with Debugger

Categories

(Core :: JavaScript Engine, defect, critical)
Platform: x86 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED FIXED
mozilla64
Tracking Status
firefox-esr60 --- unaffected
firefox62 --- unaffected
firefox63 --- unaffected
firefox64 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 2 open bugs)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision da268c77ac76 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe):

var g = newGlobal();
g.parent = this;
g.eval("new Debugger(parent).onExceptionUnwind = function() {}");
oomTest(() => l, (true));


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x56a74cc7 in RunIterativeFailureTest (simulator=<synthetic pointer>, params=..., cx=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1774
#0  0x56a74cc7 in RunIterativeFailureTest (simulator=<synthetic pointer>, params=..., cx=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1774
#1  OOMTest (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1901
#2  0x5676149a in CallJSNative (cx=0xf6e1b800, native=0x56a745d0 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:449
[...]
#17 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9986
eax	0x0	0
ebx	0x0	0
ecx	0xf7d92864	-136763292
edx	0x0	0
esi	0xf6e1b800	-152979456
edi	0x573ebff4	1463730164
ebp	0xffffcd28	4294954280
esp	0xffffcc80	4294954112
eip	0x56a74cc7 <OOMTest(JSContext*, unsigned int, JS::Value*)+1783>
=> 0x56a74cc7 <OOMTest(JSContext*, unsigned int, JS::Value*)+1783>:	movl   $0x0,0x0
   0x56a74cd1 <OOMTest(JSContext*, unsigned int, JS::Value*)+1793>:	ud2
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160115010341" and the hash "32a8c6a3be186bbc1f39da147eb09b087ed322e3".
The "bad" changeset has the timestamp "20160115014842" and the hash "df444117c7bea0a407387dca31ed54c3598b054a".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=32a8c6a3be186bbc1f39da147eb09b087ed322e3&tochange=df444117c7bea0a407387dca31ed54c3598b054a
Blocks: 1239369
oomTest() currently isn't fuzzing safe because we can set the expectExceptionOnFailure to true and this expectation doesn't hold for all JS we might test (notably debugging stuff).  The patch ensures this is always false when fuzzing.
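To make that expectation concrete, here is an added Node.js example; it is not SpiderMonkey's code and not part of the bug. It is a simplified model of the iterative failure-injection loop behind oomTest(): run N makes simulated allocation N fail, and a run that fails is expected to leave an exception pending. The names SimContext, runThunk and runIterativeFailureTest are hypothetical, and the inputs are constructed to mirror the reporter's testcase: a thunk that throws a ReferenceError (like `() => l`) and an onExceptionUnwind-style hook that allocates while handling it, so that when the hook's own allocation is the injected failure the run fails with nothing pending. The fuzzingSafe option reproduces the override the patch adds.

```javascript
// Added example, not SpiderMonkey code: a simplified model of the iterative
// failure-injection loop behind oomTest(). All names here are hypothetical.

class SimOOM extends Error {}

class SimContext {
  constructor() {
    this.allocCount = 0;           // allocations made in the current run
    this.failAt = Infinity;        // which allocation fails in this run
    this.pendingException = null;  // models cx->isExceptionPending()
    this.onExceptionUnwind = null; // models a Debugger onExceptionUnwind hook
  }

  // Simulated allocation: the failAt-th allocation of a run throws SimOOM.
  alloc(bytes) {
    this.allocCount += 1;
    if (this.allocCount === this.failAt) {
      throw new SimOOM("simulated allocation failure");
    }
    return new Uint8Array(bytes);
  }
}

// Run one thunk; true on success, false on failure. A failed run is expected
// to leave cx.pendingException set. The hook runs under the same allocator,
// and if it fails the original exception is dropped: the run then fails with
// nothing pending, which is the case the bug report's assertion catches.
function runThunk(cx, thunk) {
  cx.pendingException = null;
  try {
    thunk(cx);
    return true;
  } catch (err) {
    if (cx.onExceptionUnwind !== null) {
      try {
        cx.onExceptionUnwind(cx, err);
      } catch (hookErr) {
        cx.pendingException = null; // failure without an exception
        return false;
      }
    }
    cx.pendingException = err;
    return false;
  }
}

// Run N makes allocation N fail, until a run finishes without reaching the
// injected failure. expectExceptionOnFailure mirrors the oomTest() parameter
// and fuzzingSafe mirrors the patch's override of it.
function runIterativeFailureTest(cx, thunk, options) {
  let expectExceptionOnFailure = options.expectExceptionOnFailure === true;
  if (options.fuzzingSafe === true) {
    expectExceptionOnFailure = false; // the fix: never expect this when fuzzing
  }
  const runs = [];
  let assertionFailed = false;
  for (let failAt = 1; ; failAt += 1) {
    cx.failAt = failAt;
    cx.allocCount = 0;
    const ok = runThunk(cx, thunk);
    const exceptionPending = cx.pendingException !== null;
    runs.push({ failAt, ok, exceptionPending });
    if (!ok && expectExceptionOnFailure && !exceptionPending) {
      assertionFailed = true; // where the real harness asserts
      break;
    }
    if (cx.allocCount < failAt) {
      break; // the injected failure was never reached
    }
  }
  cx.failAt = Infinity;
  return { assertionFailed, runs };
}

// Constructed inputs mirroring the testcase: a thunk that throws a
// ReferenceError (like `() => l`) and a hook that allocates while handling it.
function throwingThunk() {
  throw new ReferenceError("l is not defined");
}
function allocatingHook(cx) {
  cx.alloc(16);
}
// A thunk that only allocates: its failures always leave SimOOM pending.
function allocatingThunk(cx) {
  cx.alloc(8);
  cx.alloc(8);
}

function demo() {
  const cx = new SimContext();
  cx.onExceptionUnwind = allocatingHook;
  const opts = { expectExceptionOnFailure: true, fuzzingSafe: false };
  const unsafe = runIterativeFailureTest(cx, throwingThunk, opts);
  const safe = runIterativeFailureTest(cx, throwingThunk, { ...opts, fuzzingSafe: true });
  return { unsafe, safe };
}
```

demo() returns the two outcomes side by side: with the expectation enabled, the first run already fails with no exception pending and the harness would assert; with the fuzzingSafe override the loop instead continues until a run no longer reaches the injected failure.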
Assignee: nobody → jcoppeard
Attachment #9013321 - Flags: review?(nicolas.b.pierron)
Comment on attachment 9013321 [details] [diff] [review]
bug1491326-oomtest-fuzz-safety

Review of attachment 9013321 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry for not catching this one before :/

::: js/src/builtin/TestingFunctions.cpp
@@ +2040,5 @@
>  
> +    // There are some places where we do fail without raising an exception, so
> +    // we can't expose this to the fuzzers by default.
> +    if (fuzzingSafe)
> +        params->expectExceptionOnFailure = false;
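Review bot: the override only takes effect when fuzzingSafe is set, so a non-fuzzing caller that passes expectExceptionOnFailure as true with a Debugger onExceptionUnwind hook installed can still reach the cx->isExceptionPending() assertion this bug reports; the comment should say that this is a fuzzing-safety measure rather than a fix for the fail-without-exception paths it mentions, and the single-statement if body needs braces, as the nit below says.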

nit: Add curly braces.
Attachment #9013321 - Flags: review?(nicolas.b.pierron) → review+
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/cdd5b0bde9c1
Make oomTest() fuzzing safe by ensuring expectExceptionOnFailure parameter is false when fuzzing r=nbp
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0516dd5fc8ac
Fix typo in test code r=me on a CLOSED TREE
https://hg.mozilla.org/mozilla-central/rev/cdd5b0bde9c1
https://hg.mozilla.org/mozilla-central/rev/0516dd5fc8ac
Status: NEW → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64