Closed Bug 1498303 Opened 6 years ago Closed 6 years ago

Assertion failure: !JS_IsExceptionPending(cx_), at js/src/vm/JSContext.cpp:1687

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla64
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox62 --- unaffected
firefox63 --- unaffected
firefox64 --- fixed

People

(Reporter: gkw, Assigned: iain)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

Detailed Crash Information
6.12 KB, text/plain
Details
Bug 1498303: Relax restrictions on pending exceptions in math functions called from recovery code r?tcampbell
46 bytes, text/x-phabricator-request
Details | Review
The following testcase crashes on mozilla-central revision ddcd7cc2f3cd (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager): function f(x) { Math.max(0, x) != y; } z = [0]; for (var j = 0; j < 1; ++j) { for (var k = 0; k < 2; ++k) { try { f(z[0]); } catch (e) {} } } Backtrace: #0 0x0000562508ce9390 in js::AutoUnsafeCallWithABI::AutoUnsafeCallWithABI (this=0x7ffc68e7bb28, strictness=js::NoExceptions) at js/src/vm/JSContext.cpp:1687 #1 0x0000562508552bfb in js::math_max_impl (x=0, y=<optimized out>) at js/src/jsmath.cpp:465 #2 js::minmax_impl (cx=0x7f9989918000, max=true, a=..., b=..., res=...) at js/src/jsmath.cpp:533 #3 0x0000562508a4936a in js::jit::RMinMax::recover (this=0x7ffc68e7bd38, cx=<optimized out>, iter=...) at js/src/jit/Recover.cpp:881 #4 0x00005625088d7eed in js::jit::SnapshotIterator::computeInstructionResults (this=<optimized out>, cx=0x7f9989918000, results=0x7ffc68e7cde0) at js/src/jit/JitFrames.cpp:2056 #5 0x00005625088d74d7 in js::jit::SnapshotIterator::initInstructionResults (this=0x7ffc68e7c0a8, fallback=...) at js/src/jit/JitFrames.cpp:2008 /snip For detailed crash information, see attachment.
autobisectjs shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/838b2692a934 user: Iain Ireland date: Thu Oct 11 02:07:02 2018 +0000 summary: Bug 1492977: Rework RAII exception guards r=tcampbell Iain, is bug 1492977 a likely regressor?
Blocks: 1492977
Flags: needinfo?(iireland)
Bug 1492977 tightened up some asserts a few more cases need tweaks. > math_min_impl > math_max_impl > ecmaHypot > math_sign_impl
Pushed by tcampbell@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/48b41b195cae Relax restrictions on pending exceptions in math functions called from recovery code r=tcampbell
Assignee: nobody → iireland
Flags: needinfo?(iireland)
https://hg.mozilla.org/mozilla-central/rev/48b41b195cae
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox64: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
The testcase attached to bug 1499010 also covers this bug.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: