Closed Bug 1491350 Opened Last year Closed Last year

Assertion failure: !JS_IsExceptionPending(cx), at js/src/jsexn.h:130 with OOM and hasOwnProperty

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86_64 Linux
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla64
Tracking Status:
firefox-esr60 --- wontfix
firefox62 --- wontfix
firefox63 --- wontfix
firefox64 --- fixed
People: Reporter: decoder, Assigned: iain
References: Blocks 2 open bugs
Details: 4 keywords, Whiteboard: [jsbugmon:update]
Attachments: 1 file, 1 obsolete file

The following testcase crashes on mozilla-central revision efccb758c78c (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --baseline-eager):

oomTest(new Function(`
  var a = ['p', 'q', 'r', 's', 't'];
  var o = {p:1, q:2, r:3, s:4, t:5};
  for (var i in o)
    delete o[i];
  for (var i of a)
    o.hasOwnProperty(undefined + this, false);
`));


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x00005555559ac3c0 in js::AutoAssertNoPendingException::~AutoAssertNoPendingException (this=<optimized out>, __in_chrg=<optimized out>) at js/src/jsexn.h:130
#0  0x00005555559ac3c0 in js::AutoAssertNoPendingException::~AutoAssertNoPendingException (this=<optimized out>, __in_chrg=<optimized out>) at js/src/jsexn.h:130
#1  0x000055555599f824 in js::jit::HasPropIRGenerator::tryAttachStub (this=this@entry=0x7fffffffb630) at js/src/jit/CacheIR.cpp:3213
#2  0x000055555590d6f7 in js::jit::DoHasOwnFallback (cx=<optimized out>, frame=<optimized out>, stub_=<optimized out>, keyValue=..., objValue=..., res=...) at js/src/jit/BaselineIC.cpp:2331
#3  0x00003b2d9a4c6bb3 in ?? ()
[...]
#57 0x0000000000000000 in ?? ()
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/5e1a2ab034ae
user:        Tom Schuster
date:        Thu Apr 13 22:17:57 2017 +0200
summary:     Bug 1344469 - Part 4 - Megamorphic stub. r=jandem

This iteration took 261.879 seconds to run.
Tom, is bug 1344469 a likely regressor?
Blocks: 1344469
Flags: needinfo?(evilpies)
I'm taking this bug as a good first JIT bug for Iain.
Assignee: nobody → iireland
Flags: needinfo?(evilpies)
https://searchfox.org/mozilla-central/rev/6c82481caa506a240a626bb44a2b8cbe0eedb3a0/js/src/jit/VMFunctions.cpp#1752

This is leaking an OOM into a number of signatures. It will probably fix a few OOM jit fuzz bugs. We should have an AutoNoPendingException for the ValueToAtomOrSymbol. It might be fine to just pass nullptr for cx.
nullptr for cx isn't valid for AtomizeString, so just capturing the exception in ValueToAtomOrSymbol is probably best.
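The failure mode discussed in the two comments above, as an added example that is not SpiderMonkey's code: a toy context whose fallible atomization leaves an OOM exception pending, the leaky lookup beside the fixed one that clears it, and the caller-side check that AutoAssertNoPendingException performs. Context, valueToAtom, hasNativePropertyLeaky/Fixed and attachStubUnderOom are hypothetical names.

```cpp
// Added example, not SpiderMonkey code: a minimal model of this report's bug.
// A fallible helper (modelling ValueToAtomOrSymbol) reports OOM by leaving an
// exception pending on the context; a lookup that returns false without clearing
// it trips the caller's no-pending-exception assertion. All names are hypothetical.
#include <string>
#include <unordered_map>
struct Context {
    bool pendingException = false;  // models JS_IsExceptionPending(cx)
    bool oomNext = false;           // constructed switch: fail the next atomization
};
using NativeObject = std::unordered_map<std::string, int>;

// Atomizing a key can run out of memory; on failure the OOM stays pending on cx.
static bool valueToAtom(Context& cx, const std::string& v, std::string* out) {
    if (cx.oomNext) {
        cx.oomNext = false;
        cx.pendingException = true;  // ReportOutOfMemory equivalent
        return false;
    }
    *out = v;
    return true;
}

// Buggy shape: a failed atomization returns false with the OOM still pending.
static bool hasNativePropertyLeaky(Context& cx, const NativeObject& obj, const std::string& key) {
    std::string id;
    if (!valueToAtom(cx, key, &id))
        return false;
    return obj.count(id) != 0;
}

// Fixed shape: the lookup is speculative (the IC simply attaches no stub), so the
// pending OOM is cleared before reporting "not found".
static bool hasNativePropertyFixed(Context& cx, const NativeObject& obj, const std::string& key) {
    std::string id;
    if (!valueToAtom(cx, key, &id)) {
        cx.pendingException = false;  // clear the OOM; caller sees a plain miss
        return false;
    }
    return obj.count(id) != 0;
}

// Models tryAttachStub's exit check (AutoAssertNoPendingException): true iff no
// exception is pending after a lookup whose atomization hit OOM.
static bool attachStubUnderOom(bool fixed) {
    Context cx;
    cx.oomNext = true;  // constructed: the first atomization fails
    NativeObject obj{{"p", 1}, {"q", 2}};
    fixed ? hasNativePropertyFixed(cx, obj, "p") : hasNativePropertyLeaky(cx, obj, "p");
    return !cx.pendingException;
}
```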
Duplicate of this bug: 1491337
Attachment #9010664 - Attachment is obsolete: true
Comment on attachment 9010641 [details]
Bug 1491350: Clear pending OOM exceptions before returning from hasNativeProperty / getNativePropertyByValue

Ted Campbell [:tcampbell] has approved the revision.
Attachment #9010641 - Flags: review+
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2b5b7bd869ac
Clear pending OOM exceptions before returning from hasNativeProperty / getNativePropertyByValue r=tcampbell
https://hg.mozilla.org/mozilla-central/rev/2b5b7bd869ac
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla64