Bug 1499010 - Assertion failure: !JS_IsExceptionPending(cx_), at js/src/vm/JSContext.cpp:1687
Opened 6 years ago, closed 6 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla64

Branch | Tracking | Status
---|---|---
firefox-esr60 | --- | unaffected
firefox62 | --- | unaffected
firefox63 | --- | unaffected
firefox64 | --- | fixed

People: Reporter: gkw, Assigned: iain
Details: 4 keywords, Whiteboard: [jsbugmon:]
Attachments: 4 files
The following testcase crashes on mozilla-central revision 6e0139775220 (build with --enable-debug, run with --fuzzing-safe --ion-eager --cache-ir-stubs=off):
```js
function testMathyFunction(f, inputs) {
  for (var j = 0; j < 29; ++j) {
    for (var k = 0; k < 29; ++k) {
      try {
        f(inputs[j], inputs[k]);
      } catch (e) {}   // every call to mathy2 throws; the exception is swallowed here
    }
  }
}
// h is never declared, so evaluating the call's argument throws a ReferenceError.
// The exception is still pending while Ion bails out and recovers the
// Math.pow(y, y) value (RPow::recover in the backtrace below).
mathy2 = function(x, y) {
  (Math.pow(y, y))(h || (0, h.f));
}
// Number.A, Number.R and Number.E are fuzzer-generated and do not exist,
// so those three entries evaluate to NaN.
testMathyFunction(mathy2, [
  1, Number.MIN_SAFE_INTEGER, -Number.A, -Number.R, 2, 2, 0xf, 0, 1, 0, 2, Math.PI, 2, 0xf,
  2, 0, 1, 0, 0, Number.MAX_VALUE, 0, 0, Number.MAX_SAFE_INTEGER, 1, 0, -Number.E, 0, 2, 0
]);
```
Backtrace:
#0 0x00005568631cc930 in js::AutoUnsafeCallWithABI::AutoUnsafeCallWithABI (this=0x7ffc79dfa5e8, strictness=js::NoExceptions) at js/src/vm/JSContext.cpp:1687
#1 0x0000556862a422aa in js::ecmaPow (x=-9007199254740991, y=-9007199254740991) at js/src/jsmath.cpp:575
#2 0x0000556862a29551 in PowOperation (cx=<optimized out>, lhs=..., rhs=..., res=...) at js/src/vm/Interpreter.cpp:1835
#3 js::PowValues (cx=<optimized out>, lhs=..., rhs=..., res=...) at js/src/vm/Interpreter.cpp:5221
#4 0x0000556862f2ce9a in js::jit::RPow::recover (this=<optimized out>, cx=0x7f04ad418000, iter=...) at js/src/jit/Recover.cpp:824
#5 0x0000556862dc774d in js::jit::SnapshotIterator::computeInstructionResults (this=<optimized out>, cx=0x7f04ad418000, results=0x7ffc79dfb8d0) at js/src/jit/JitFrames.cpp:2056
/snip
For detailed crash information, see attachment.
This reproduces about 80% of the time for me, so not setting to be monitored by JSBugMon.
Comment 1 (Reporter) • 6 years ago
Comment 2 (Reporter) • 6 years ago
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/838b2692a934
user: Iain Ireland
date: Thu Oct 11 02:07:02 2018 +0000
summary: Bug 1492977: Rework RAII exception guards r=tcampbell
Iain, is bug 1492977 a likely regressor?
Blocks: 1492977
Flags: needinfo?(iireland)
Comment 3 (Assignee) • 6 years ago
Yes, this is the same issue as bug 1498303 but with a different unmarked function as culprit. Patch coming shortly.
Flags: needinfo?(iireland)
Updated (Assignee) • 6 years ago
Assignee: nobody → iireland
Comment 4 (Assignee) • 6 years ago
Comment 5 (Assignee) • 6 years ago
This one slipped through because RPow::recover calls ecmaPow through the interpreter (PowValues -> PowOperation -> ecmaPow), not directly. I did one last pass looking for other calls that might sneak through, but didn't find anything (other than RPowHalf, which also calls ecmaPow). Hopefully this is the last of these bugs.
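The following C++ is an added example, not SpiderMonkey code and not part of this bug's patch. It models the RAII guard the backtrace shows (js::AutoUnsafeCallWithABI with strictness=js::NoExceptions) to make the failure mode concrete: a helper entered through the Ion recovery path while the fuzz testcase's exception is still pending trips a guard that assumes no exception can be pending. The Context type, the recoverPow and runBailout helpers, the violation counter, and the strictness value AllowPendingExceptions are assumptions of this example, chosen to stand in for the real engine types.

```cpp
#include <cmath>
#include <cstdio>

// Stand-in for the strictness argument seen in the backtrace
// (strictness=js::NoExceptions). AllowPendingExceptions is an assumed name.
enum class UnsafeABIStrictness { NoExceptions, AllowPendingExceptions };

// Assumed stand-in for JSContext: only the exception state matters here.
struct Context {
  bool exceptionPending = false;  // stands in for JS_IsExceptionPending(cx)
  int guardViolations = 0;        // counted instead of asserting so the example can run
};

// Models the guard at js/src/vm/JSContext.cpp:1687: with NoExceptions strictness
// the guard requires that no exception be pending when the callee is entered.
class AutoUnsafeCallWithABI {
 public:
  AutoUnsafeCallWithABI(Context& cx, UnsafeABIStrictness strictness) : cx_(cx) {
    if (strictness == UnsafeABIStrictness::NoExceptions && cx_.exceptionPending) {
      ++cx_.guardViolations;  // the real guard asserts here (the reported failure)
    }
  }
 private:
  Context& cx_;
};

// Stand-in for js::ecmaPow. Before the fix it used the default NoExceptions
// strictness; the fix marks it so that it may be entered with an exception pending.
double ecmaPow(Context& cx, double x, double y, UnsafeABIStrictness strictness) {
  AutoUnsafeCallWithABI unsafe(cx, strictness);
  return std::pow(x, y);
}

// Stand-in for the RPow::recover -> PowValues -> PowOperation -> ecmaPow chain:
// recovery reaches ecmaPow through interpreter helpers rather than directly,
// which is why an audit of ecmaPow's direct callers missed this path.
double recoverPow(Context& cx, double x, double y, UnsafeABIStrictness strictness) {
  return ecmaPow(cx, x, y, strictness);
}

// One iteration of the testcase's fuzz loop, as modelled here: the call in mathy2
// throws, the exception stays pending while the bailout recomputes the recovered
// Math.pow(y, y) value, and then the try/catch swallows it.
int runBailout(double y, UnsafeABIStrictness strictness) {
  Context cx;
  cx.exceptionPending = true;              // thrown by (Math.pow(y, y))(h || ...)
  (void)recoverPow(cx, y, y, strictness);  // RPow::recover during the bailout
  cx.exceptionPending = false;             // catch (e) {}
  return cx.guardViolations;
}

// y = -9007199254740991 is the value shown in backtrace frame #1.
int violationsBeforeFix() {
  return runBailout(-9007199254740991.0, UnsafeABIStrictness::NoExceptions);
}

int violationsAfterFix() {
  return runBailout(-9007199254740991.0, UnsafeABIStrictness::AllowPendingExceptions);
}

int main() {
  std::printf("guard violations before fix: %d\n", violationsBeforeFix());
  std::printf("guard violations after fix:  %d\n", violationsAfterFix());
  return 0;
}
```

The model reproduces the shape of the fix rather than its text: the guard itself is unchanged, and the callee reached from recovery code is annotated so the guard tolerates a pending exception on that path. Note that the annotation only relaxes the check; it does not make the call path safe to run with a pending exception by itself, so it is appropriate only where, as the assignee states for ecmaPow, the callee does not interact with the pending exception.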
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ad329ec90b6e
Mark ecmaPow to allow calling from recovery code r=tcampbell
Comment 7 (bugherder) • 6 years ago
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Comment 8 • 6 years ago
Can we land the testcase?
status-firefox62: --- → unaffected
status-firefox63: --- → unaffected
status-firefox-esr60: --- → unaffected
Flags: needinfo?(iireland)
Comment 10 (Assignee) • 6 years ago
Comment 11 • 6 years ago
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d4cbc3865457
Add testcase for AutoUnsafeCallWithABI recovery fuzz bugs r=tcampbell
Comment 12 (Assignee) • 6 years ago
Note: this testcase covers this bug, bug 1498303, and bug 1499471.
Comment 13 • 6 years ago
Backed out changeset d4cbc3865457 (bug 1499010) for spidermonkey failure
Push with failures:
https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=d4cbc38654579d04aa00e04d0f676abf2066a8fe
Backout:
https://hg.mozilla.org/integration/autoland/rev/0289f2a3bdab2c2b12bd6bc3998bfc4db109a0fd
Flags: needinfo?(tcampbell)
Comment 14 (Assignee) • 6 years ago
Updated • 6 years ago
Flags: needinfo?(tcampbell)
Comment 15 • 6 years ago
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2eb4c1dd70f1
Add fixed testcase for AutoUnsafeCallWithABI recovery fuzz bugs r=tcampbell
Comment 16 (bugherder) • 6 years ago