Closed Bug 1499471 Opened 7 years ago Closed 7 years ago

Assertion failure: !JS_IsExceptionPending(cx_), at js/src/vm/JSContext.cpp:1687

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla64
Tracking Status
firefox-esr60 --- unaffected
firefox62 --- unaffected
firefox63 --- unaffected
firefox64 --- fixed

People

(Reporter: gkw, Assigned: iain)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(4 files)

The following testcase crashes on mozilla-central revision 31724aea10ca (build with --enable-debug, run with --fuzzing-safe --no-threads --ion-eager):

(function() {
  inputs = [];
  f = (function(x) {
    4294967297 ** (x >>> 0) * Math.fround(y);
  });
  if (f) {
    for (var j = 0; j < 2; ++j) {
      try {
        f(inputs[0]);
      } catch (e) {}
    }
  }
})();

Backtrace:

#0 0x000055cd7fa1b9d0 in js::AutoUnsafeCallWithABI::AutoUnsafeCallWithABI (this=0x7ffd3bccd240, strictness=js::NoExceptions) at js/src/vm/JSContext.cpp:1687
#1 0x000055cd7f295c7d in js::powi (y=0, x=<optimized out>) at js/src/jsmath.cpp:546
#2 js::ecmaPow (x=4294967297, y=-5.4861240687936887e+303) at js/src/jsmath.cpp:583
#3 0x000055cd7f27cf27 in PowOperation (cx=<optimized out>, lhs=..., rhs=..., res=...) at js/src/vm/Interpreter.cpp:1842
#4 js::PowValues (cx=<optimized out>, lhs=..., rhs=..., res=...) at js/src/vm/Interpreter.cpp:5228
#5 0x000055cd7f78172a in js::jit::RPow::recover (this=<optimized out>, cx=0x7fee46b18000, iter=...) at js/src/jit/Recover.cpp:824
#6 0x000055cd7f61bfdd in js::jit::SnapshotIterator::computeInstructionResults (this=<optimized out>, cx=0x7fee46b18000, results=0x7ffd3bcce520) at js/src/jit/JitFrames.cpp:2056
#7 0x000055cd7f61b5c7 in js::jit::SnapshotIterator::initInstructionResults (this=0x7ffd3bccd7b8, fallback=...) at js/src/jit/JitFrames.cpp:2008
/snip

For detailed crash information, see attachment.
autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ad329ec90b6e
user: Iain Ireland
date: Mon Oct 15 13:31:34 2018 +0000
summary: Bug 1499010: Mark ecmaPow to allow calling from recovery code r=tcampbell

Iain, is bug 1499010 a likely regressor?
Blocks: 1499010
Flags: needinfo?(iireland)
For context: we added an assertion on our functions that are called directly from jitted code, saying that they shouldn't be called with a pending exception unless we marked them specially. The goal was to make it clear which functions were being used in unusual ways. It turns out that a surprising number of functions are being called from recovery code. Each of these assertion bugs is a separate function that we need to annotate. It is reasonably safe to assume that anything that asserts on |!JS_IsExceptionPending(cx_), at js/src/vm/JSContext.cpp:1687| and includes |js::jit::R[Foo]::recover| somewhere in the stack trace is another instance of the same underlying problem. In this case, the three stack traces above mean that changes are necessary in three places: js::powi, js::NumberDiv, and js::EmulatesUndefined. Patch coming momentarily.
Flags: needinfo?(iireland)
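A miniature model of the guard and annotation described in the comment above, added here as an illustration and not SpiderMonkey's own code: the names MockContext, UnsafeGuard, Strictness, powiBody, powiUnmarked, powiMarked and recoverSucceeds are assumptions, and passing the context explicitly is a simplification (the real js::AutoUnsafeCallWithABI locates the context itself, and the real js::powi takes an int32_t exponent).

```cpp
#include <cstdint>
#include <stdexcept>
// Stand-in for JSContext; the real guard checks JS_IsExceptionPending(cx).
struct MockContext { bool exceptionPending; };
enum class Strictness { NoExceptions, AllowPendingExceptions };  // as in the backtrace

// Models js::AutoUnsafeCallWithABI, the scope guard at the top of functions that
// jitted code calls directly: by default it refuses to run while an exception is
// pending. The real guard is a MOZ_ASSERT; throwing keeps this model testable.
struct UnsafeGuard {
    UnsafeGuard(const MockContext& cx, Strictness s = Strictness::NoExceptions) {
        if (s == Strictness::NoExceptions && cx.exceptionPending) {
            throw std::logic_error("unsafe ABI call with pending exception");
        }
    }
};

// Integer power by repeated squaring, as powi computes it (non-negative n only).
static double powiBody(double x, uint32_t n) {
    double result = 1.0;
    for (; n != 0; n >>= 1, x *= x) {
        if (n & 1) result *= x;
    }
    return result;
}

// Before the fix: unmarked, so fine from ordinary jitted code but not from
// recovery, where the bailout has already left an exception pending.
double powiUnmarked(const MockContext& cx, double x, uint32_t n) {
    UnsafeGuard guard(cx);
    return powiBody(x, n);
}

// After the fix: marked to allow the call while an exception is pending.
double powiMarked(const MockContext& cx, double x, uint32_t n) {
    UnsafeGuard guard(cx, Strictness::AllowPendingExceptions);
    return powiBody(x, n);
}

// Models RPow::recover recomputing the pow result during bailout, with the
// ReferenceError for |y| from the testcase already pending on the context.
bool recoverSucceeds(bool marked) {
    MockContext cx{true};
    try {
        double v = marked ? powiMarked(cx, 2.0, 10) : powiUnmarked(cx, 2.0, 10);
        return v == 1024.0;
    } catch (const std::logic_error&) {
        return false;
    }
}
```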
Pushed by tcampbell@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d4fe026dee75 Mark unsafe API functions to allow calling from recovery code r=tcampbell
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Assignee: nobody → iireland
The testcase attached to bug 1499010 also covers this bug.
Flags: in-testsuite? → in-testsuite+
