Closed Bug 1767394 Opened 4 years ago Closed 4 years ago

MOZ_ASSERT(!JS_IsExceptionPending(cx_));

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

defect

Tracking


RESOLVED FIXED
102 Branch
Tracking Status
firefox102 --- fixed

People

(Reporter: lukas.bernhard, Assigned: anba)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Steps to reproduce:

During fuzzing, I found an assertion violation in SpiderMonkey. Tested on git commit ea1234192518e01694a88eac8ff090e4cadf5ca4. Marking as s-s as a precaution.

sample.js

function main() {
    for (let i = 0; i < 33; i++) {
        try {
            const v6 = class V6 extends Float64Array {
                constructor() {
                    const v11 = Math.sqrt(4);
                    [,v7] = "a";
                }
            };
            new v6();
        }
        catch(v27) { }
    }
}
main();

invoked as:

obj-x86_64-pc-linux-gnu/dist/bin/js --fast-warmup --no-threads --cpu-count=1 --ion-offthread-compile=off --fuzzing-safe sample.js

asserts here:

#0  js::AutoUnsafeCallWithABI::AutoUnsafeCallWithABI (this=0x7fffffffb330, strictness=js::NoExceptions)
    at js/src/vm/JSContext.cpp:1290
#1  0x0000555556c3a552 in js::math_sqrt_impl (x=4) at js/src/jsmath.cpp:628
#2  math_function<&js::math_sqrt_impl> (cx=cx@entry=0x7ffff692a200, val=val@entry=..., res=...)
    at js/src/jsmath.cpp:69
#3  0x0000555556c3a487 in js::math_sqrt_handle (cx=0x7ffff7c59a40 <_IO_stdfile_2_lock>, 
    cx@entry=0x7ffff692a200, number=..., number@entry=..., result=..., result@entry=...)
    at js/src/jsmath.cpp:634
#4  0x0000555557b5fdff in js::jit::RSqrt::recover (this=0x7fffffffb460, cx=0x7ffff692a200, iter=...)
    at js/src/jit/Recover.cpp:1098
#5  0x0000555557a705ed in js::jit::SnapshotIterator::computeInstructionResults (
    this=this@entry=0x7fffffffb500, cx=cx@entry=0x7ffff692a200, results=results@entry=0x7fffffffbde0)
    at js/src/jit/JitFrames.cpp:1975
#6  0x0000555557a6f82b in js::jit::SnapshotIterator::initInstructionResults (
    this=this@entry=0x7fffffffb990, fallback=...)
    at js/src/jit/JitFrames.cpp:1928
#7  0x0000555557a6f49b in js::jit::SnapshotIterator::maybeRead (this=this@entry=0x7fffffffb990, a=..., 
    fallback=...) at js/src/jit/JitFrames.cpp:1758
#8  0x0000555557a690e7 in js::jit::SnapshotIterator::maybeRead (this=0x7fffffffb990, fallback=...)
    at js/src/jit/JSJitFrameIter.h:531
#9  js::jit::CloseLiveIteratorIon (cx=0x7ffff692a200, frame=..., tn=<optimized out>)
    at js/src/jit/JitFrames.cpp:110
#10 js::jit::HandleExceptionIon (cx=<optimized out>, frame=..., rfe=0x7fffffffba78, 
    hitBailoutException=<optimized out>) at js/src/jit/JitFrames.cpp:248
#11 js::jit::HandleException (rfe=0x7fffffffba78)
    at js/src/jit/JitFrames.cpp:723
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine: JIT
Product: Firefox → Core

Bisecting the issue identifies commit 1d51fba3653114cd9535d2ca704c52e06f5cb240, related to bug 1765779.

Group: core-security → javascript-core-security
Flags: needinfo?(andrebargull)

I think this is actually a regression from bug 1730426, where UnsafeABIStrictness::AllowPendingExceptions overrides were removed from various functions.

Flags: needinfo?(andrebargull)
Flags: needinfo?(tcampbell)
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Severity: -- → S4
Priority: -- → P1

As Andre mentions in Comment 2, this was formerly AllowPendingExceptions and the assertion here is benign.

Group: javascript-core-security
Flags: needinfo?(tcampbell)
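To make the two comments above concrete, here is an added C++ sketch, constructed for this write-up and not SpiderMonkey code: a mock context, a guard playing the role of AutoUnsafeCallWithABI under NoExceptions strictness, and a save/restore scope playing the role of the "save any pending exceptions" step named in the fix. Every Mock* name, the Outcome struct and the exception message are hypothetical.

```cpp
#include <cmath>
#include <optional>
#include <string>
#include <utility>
// Constructed mock for this bug, not SpiderMonkey code. MockContext stands in
// for JSContext: it tracks the pending exception and counts how often a
// NoExceptions guard was entered while one was pending (a real build asserts).
struct MockContext {
  std::optional<std::string> pending;
  int violations = 0;
  bool isExceptionPending() const { return pending.has_value(); }
};
enum class Strictness { NoExceptions, AllowPendingExceptions };
// Role of AutoUnsafeCallWithABI: under NoExceptions, check nothing is pending on entry.
struct MockUnsafeCallGuard {
  MockUnsafeCallGuard(MockContext& cx, Strictness s) {
    if (s == Strictness::NoExceptions && cx.isExceptionPending()) cx.violations++;
  }
};
// Role of the fix's step: hold the pending exception for the scope, then restore it.
struct MockSaveExceptionState {
  MockContext& cx;
  std::optional<std::string> saved;
  explicit MockSaveExceptionState(MockContext& c)
      : cx(c), saved(std::exchange(c.pending, std::nullopt)) {}
  ~MockSaveExceptionState() { if (saved) cx.pending = std::move(saved); }
};
// Role of math_sqrt_impl: an ABI function with NoExceptions strictness.
double mockSqrtImpl(MockContext& cx, double x) {
  MockUnsafeCallGuard guard(cx, Strictness::NoExceptions);
  return std::sqrt(x);
}
struct Outcome { double value; int violations; bool stillPending; };
// Exception-handling path that recovers a snapshot value (as RSqrt::recover is
// reached from CloseLiveIteratorIon) while the testcase's throw is in flight.
Outcome recoverDuringThrow(bool saveFirst) {
  MockContext cx;
  cx.pending = "ReferenceError: v7 is not defined";  // constructed message
  double v;
  if (saveFirst) {
    MockSaveExceptionState save(cx);  // the fix: the guard sees no exception
    v = mockSqrtImpl(cx, 4.0);         // `save` restores it at scope exit
  } else {
    v = mockSqrtImpl(cx, 4.0);         // pre-fix: the guard trips
  }
  return {v, cx.violations, cx.isExceptionPending()};
}
```

In both paths the recovered value is the same and the exception is still pending afterwards; only the pre-fix path enters the NoExceptions guard with an exception in flight, which is what MOZ_ASSERT(!JS_IsExceptionPending(cx_)) catches.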
Pushed by andre.bargull@gmail.com: https://hg.mozilla.org/integration/autoland/rev/71c453477e4e Save any pending exceptions before closing iterators from Ion. r=tcampbell
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 102 Branch
