Assertion failure: !JS_IsExceptionPending(cx_), at js/src/vm/JSContext.cpp:1687

RESOLVED FIXED in Firefox 64

Status

Type: defect
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 10 months ago
Modified: 10 months ago

People

(Reporter: gkw, Assigned: iain)

Tracking

(Blocks 1 bug, 4 keywords)

Version: Trunk
Target Milestone: mozilla64
Platform: x86_64 Linux
Points: ---
Bug Flags: in-testsuite +

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox62 unaffected, firefox63 unaffected, firefox64 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(4 attachments)

The following testcase crashes on mozilla-central revision 31724aea10ca (build with --enable-debug, run with --fuzzing-safe --no-threads --ion-eager):

(function() {
    inputs = [];
    f = (function(x) {
        // With --ion-eager the pow is compiled as a recoverable instruction
        // (RPow::recover in the backtrace). `y` is never defined, so
        // Math.fround(y) throws a ReferenceError; while that exception is
        // pending, bailout recovery recomputes the pow via js::ecmaPow.
        4294967297 ** (x >>> 0) * Math.fround(y);
    });
    if (f) {
        for (var j = 0; j < 2; ++j) {
            try {
                f(inputs[0]);  // inputs[0] is undefined, so x >>> 0 is 0
            } catch (e) {}
        }
    }
})();

Backtrace:

#0  0x000055cd7fa1b9d0 in js::AutoUnsafeCallWithABI::AutoUnsafeCallWithABI (this=0x7ffd3bccd240, strictness=js::NoExceptions) at js/src/vm/JSContext.cpp:1687
#1  0x000055cd7f295c7d in js::powi (y=0, x=<optimized out>) at js/src/jsmath.cpp:546
#2  js::ecmaPow (x=4294967297, y=-5.4861240687936887e+303) at js/src/jsmath.cpp:583
#3  0x000055cd7f27cf27 in PowOperation (cx=<optimized out>, lhs=..., rhs=..., res=...) at js/src/vm/Interpreter.cpp:1842
#4  js::PowValues (cx=<optimized out>, lhs=..., rhs=..., res=...) at js/src/vm/Interpreter.cpp:5228
#5  0x000055cd7f78172a in js::jit::RPow::recover (this=<optimized out>, cx=0x7fee46b18000, iter=...) at js/src/jit/Recover.cpp:824
#6  0x000055cd7f61bfdd in js::jit::SnapshotIterator::computeInstructionResults (this=<optimized out>, cx=0x7fee46b18000, results=0x7ffd3bcce520) at js/src/jit/JitFrames.cpp:2056
#7  0x000055cd7f61b5c7 in js::jit::SnapshotIterator::initInstructionResults (this=0x7ffd3bccd7b8, fallback=...) at js/src/jit/JitFrames.cpp:2008
/snip

For detailed crash information, see attachment.
autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/ad329ec90b6e
user:        Iain Ireland
date:        Mon Oct 15 13:31:34 2018 +0000
summary:     Bug 1499010: Mark ecmaPow to allow calling from recovery code r=tcampbell

Iain, is bug 1499010 a likely regressor?
Blocks: 1499010
Flags: needinfo?(iireland)
For context: we added an assertion on our functions that are called directly from jitted code, saying that they shouldn't be called with a pending exception unless we marked them specially. The goal was to make it clear which functions were being used in unusual ways. It turns out that a surprising number of functions are being called from recovery code. Each of these assertion bugs is a separate function that we need to annotate.

It is reasonably safe to assume that anything that asserts on |!JS_IsExceptionPending(cx_), at js/src/vm/JSContext.cpp:1687| and includes |js::jit::R[Foo]::recover| somewhere in the stack trace is another instance of the same underlying problem. In this case, the three stack traces above mean that changes are necessary in three places: js::powi, js::NumberDiv, and js::EmulatesUndefined.

Patch coming momentarily.
Flags: needinfo?(iireland)
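A standalone C++ sketch of the mechanism described in the comment above, added here as an example; it is not SpiderMonkey code. `Context` stands in for `JSContext`, the debug assertion is modeled as a thrown `AssertionFailure` so that a test can observe it, and the `AllowPendingExceptions` strictness name is an assumption (only the default, `js::NoExceptions`, appears in the backtrace above). The unmarked and marked `powi` variants show the before and after of the fix: recovery code runs while the bailing instruction's exception is still pending, so only the marked variant survives the guard.

```cpp
#include <stdexcept>

// Strictness levels for the guard. The backtrace shows the default,
// js::NoExceptions; the name of the opt-in level used after the fix is assumed.
enum class UnsafeABIStrictness { NoExceptions, AllowPendingExceptions };

// Stand-in for JSContext, reduced to the one bit this bug is about.
struct Context {
  bool exceptionPending = false;  // what JS_IsExceptionPending(cx) would report
};

// Raised where a debug build would hit the assertion, so callers can observe it.
struct AssertionFailure : std::runtime_error {
  using std::runtime_error::runtime_error;
};

// Model of js::AutoUnsafeCallWithABI: an RAII guard placed at the top of
// functions that jitted code calls directly. Under NoExceptions it refuses
// entry while an exception is pending on the context.
class AutoUnsafeCallWithABI {
 public:
  explicit AutoUnsafeCallWithABI(
      Context& cx,
      UnsafeABIStrictness strictness = UnsafeABIStrictness::NoExceptions) {
    if (strictness == UnsafeABIStrictness::NoExceptions && cx.exceptionPending) {
      throw AssertionFailure("Assertion failure: !JS_IsExceptionPending(cx_)");
    }
  }
};

// Integer exponentiation by repeated squaring, the shape of js::powi.
static double powiBody(double x, int y) {
  bool negative = y < 0;
  unsigned n = negative ? 0u - static_cast<unsigned>(y) : static_cast<unsigned>(y);
  double result = 1.0;
  double base = x;
  while (n != 0) {
    if (n & 1u) result *= base;
    base *= base;
    n >>= 1;
  }
  return negative ? 1.0 / result : result;
}

// Before the fix: the guard runs with the default strictness, so entering
// from recovery code with an exception pending trips the assertion.
double powiUnmarked(Context& cx, double x, int y) {
  AutoUnsafeCallWithABI unsafe(cx);
  return powiBody(x, y);
}

// After the fix: the function is marked as safe to call with an exception
// pending, which is what recovery code needs.
double powiMarked(Context& cx, double x, int y) {
  AutoUnsafeCallWithABI unsafe(cx, UnsafeABIStrictness::AllowPendingExceptions);
  return powiBody(x, y);
}

// Models RPow::recover during a bailout: the throwing instruction (here the
// ReferenceError from Math.fround(y)) has already set the pending exception,
// then recovery recomputes 4294967297 ** 0. Returns true if the guard fired.
bool recoverTripsGuard(bool marked) {
  Context cx;
  cx.exceptionPending = true;
  try {
    if (marked) {
      (void)powiMarked(cx, 4294967297.0, 0);
    } else {
      (void)powiUnmarked(cx, 4294967297.0, 0);
    }
    return false;
  } catch (const AssertionFailure&) {
    return true;
  }
}

// The ordinary call from jitted code: no exception pending, so even the
// unmarked function passes the guard.
double powFromJit(double x, int y) {
  Context cx;
  return powiUnmarked(cx, x, y);
}
```

The point of the guard is not that calling `powi` with an exception pending is itself unsafe; it is that the assertion makes every such call site explicit, so each function reached from `R[Foo]::recover` has to be reviewed and annotated rather than silently tolerated.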
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d4fe026dee75
Mark unsafe API functions to allow calling from recovery code r=tcampbell
https://hg.mozilla.org/mozilla-central/rev/d4fe026dee75
Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Assignee: nobody → iireland
The testcase attached to bug 1499010 also covers this bug.
Flags: in-testsuite? → in-testsuite+