Closed Bug 1652153 Opened 5 years ago Closed 5 years ago

Assertion failure: !cx->isExceptionPending(), at vm/Interpreter.cpp:487 with OOM

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla80
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- wontfix
firefox78 --- wontfix
firefox79 --- wontfix
firefox80 --- verified

People

(Reporter: decoder, Assigned: anba)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

Testcase
155 bytes, text/plain
Details
Bug 1652153: Clear any pending exception when JS_EncodeStringToUTF8 failed in ErrorReportBuilder::init. r=evilpie!
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20200710-01da3a7fa07c (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

x = "x";
lFile(x);
function lFile() {
  return oomTest(function() {
    let error = new Error("foobar");
    let report = createErrorReport(error);
  });
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555555943ff4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#1  0x0000555555943649 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#2  0x0000555555944cdc in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#3  0x0000555555937e99 in Interpret(JSContext*, js::RunState&) ()
#4  0x000055555592e262 in js::RunScript(JSContext*, js::RunState&) ()
#5  0x000055555594355f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#6  0x0000555555944cdc in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#7  0x0000555555944f50 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#8  0x0000555555a436c3 in JS_CallFunction(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSFunction*>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) ()
#9  0x0000555555eb30ce in RunIterativeFailureTest(JSContext*, IterativeFailureTestParams const&, IterativeFailureSimulator&) ()
#10 0x0000555555ee4467 in OOMTest(JSContext*, unsigned int, JS::Value*) ()
#11 0x0000555555943d72 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#22 0x00005555557c27d9 in Shell(JSContext*, js::cli::OptionParser*, char**) ()
#23 0x00005555557bacda in main ()
rax	0x555556fccb24	93825019988772
rbx	0x7ffff4eef1f0	140737302688240
rcx	0x5555583c6840	93825040934976
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffb060	140737488334944
rsp	0x7fffffffafe0	140737488334816
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f9bd40	140737353727296
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0x7ffff4702800	140737294379008
r13	0x7fffffffb260	140737488335456
r14	0x7ffff6027000	140737320742912
r15	0xf4eef101	4109299969
rip	0x555555943ff4 <CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)+1092>
=> 0x555555943ff4 <_Z12CallJSNativeP9JSContextPFbS0_jPN2JS5ValueEEN2js10CallReasonERKNS1_8CallArgsE+1092>:	movl   $0x1e7,0x0
   0x555555943fff <_Z12CallJSNativeP9JSContextPFbS0_jPN2JS5ValueEEN2js10CallReasonERKNS1_8CallArgsE+1103>:	callq  0x55555584938e <abort>
Attached file Testcase
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Pushed by btara@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e33443877fc0 Clear any pending exception when JS_EncodeStringToUTF8 failed in ErrorReportBuilder::init. r=evilpie
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200713095122-2c8bc998c107. The bug appears to have been introduced in the following build range: > Start: c1d7d5e9a18be64a5b15745a752ad3ad2f3324d5 (20200228151150) > End: 34a0a8b8badcd231bc7c720887b2a8e4e430ce4b (20200228151846) > Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c1d7d5e9a18be64a5b15745a752ad3ad2f3324d5&tochange=34a0a8b8badcd231bc7c720887b2a8e4e430ce4b

https://hg.mozilla.org/mozilla-central/rev/e33443877fc0

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox80: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
Status: RESOLVED → VERIFIED
status-firefox80: fixedverified
Keywords: bugmon
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200714153520-bca48c382991. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: