1491326 - Assertion failure: cx->isExceptionPending() (Thunk execution failed but no exception was raised - missing call to js::ReportOutOfMemory()?), at js/src/builtin/TestingFunctions.cpp:1776 with Debugger

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision da268c77ac76 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe):

var g = newGlobal();
g.parent = this;
g.eval("new Debugger(parent).onExceptionUnwind = function() {}");
oomTest(() => l, (true));


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x56a74cc7 in RunIterativeFailureTest (simulator=<synthetic pointer>, params=..., cx=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1774
#0  0x56a74cc7 in RunIterativeFailureTest (simulator=<synthetic pointer>, params=..., cx=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1774
#1  OOMTest (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1901
#2  0x5676149a in CallJSNative (cx=0xf6e1b800, native=0x56a745d0 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:449
[...]
#17 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9986
eax	0x0	0
ebx	0x0	0
ecx	0xf7d92864	-136763292
edx	0x0	0
esi	0xf6e1b800	-152979456
edi	0x573ebff4	1463730164
ebp	0xffffcd28	4294954280
esp	0xffffcc80	4294954112
eip	0x56a74cc7 <OOMTest(JSContext*, unsigned int, JS::Value*)+1783>
=> 0x56a74cc7 <OOMTest(JSContext*, unsigned int, JS::Value*)+1783>:	movl   $0x0,0x0
   0x56a74cd1 <OOMTest(JSContext*, unsigned int, JS::Value*)+1793>:	ud2

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160115010341" and the hash "32a8c6a3be186bbc1f39da147eb09b087ed322e3".
The "bad" changeset has the timestamp "20160115014842" and the hash "df444117c7bea0a407387dca31ed54c3598b054a".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=32a8c6a3be186bbc1f39da147eb09b087ed322e3&tochange=df444117c7bea0a407387dca31ed54c3598b054a

Comment 2

[Jon Coppeard (:jonco)]

Attachment: bug1491326-oomtest-fuzz-safety

oomTest() currently isn't fuzzing safe because we can set the expectExceptionOnFailure to true and this expectation doesn't hold for all JS we might test (notable debugging stuff).  The patch ensures this is always false when fuzzing.

Comment 3

[Nicolas B. Pierron [:nbp]]

Comment on attachment 9013321 [details] [diff] [review]
bug1491326-oomtest-fuzz-safety

Review of attachment 9013321 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry for not catching this one before :/

::: js/src/builtin/TestingFunctions.cpp
@@ +2040,5 @@
>  
> +    // There are some places where we do fail without raising an exception, so
> +    // we can't expose this to the fuzzers by default.
> +    if (fuzzingSafe)
> +        params->expectExceptionOnFailure = false;

nit: Add curly braces.

Comment 4

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/cdd5b0bde9c1
Make oomTest() fuzzing safe by ensuring expectExceptionOnFailure parameter is false when fuzzing r=nbp

Comment 5

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0516dd5fc8ac
Fix typo in test code r=me on a CLOSED TREE

Comment 6

[Raul Gurzau (:RaulG)]

https://hg.mozilla.org/mozilla-central/rev/cdd5b0bde9c1
https://hg.mozilla.org/mozilla-central/rev/0516dd5fc8ac