Closed Bug 1787730 Opened 3 years ago Closed 3 years ago

Assertion failure: cx_->isExceptionPending(), at frontend/BytecodeCompiler.cpp:72

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
106 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox104 --- unaffected
firefox105 --- disabled
firefox106 --- verified

People

(Reporter: decoder, Assigned: bthrall)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20220827-0b115d7382af (debug build, run with --fuzzing-safe --ion-offthread-compile=off --delazification-mode=concurrent-df+on-demand --baseline-eager --ion-warmup-threshold=0 test.js):

oomTest(() => evalcx(0))

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x000055a5cb4a0ff7 in AutoAssertReportedException::~AutoAssertReportedException() ()
#1  0x000055a5cb4a79fb in bool CompileGlobalScriptToStencilAndMaybeInstantiate<char16_t>(JSContext*, js::ErrorContext*, unsigned long, js::LifoAlloc&, js::frontend::CompilationInput&, js::frontend::ScopeBindingCache*, JS::SourceText<char16_t>&, js::ScopeKind, mozilla::Variant<mozilla::UniquePtr<js::frontend::ExtensibleCompilationStencil, JS::DeletePolicy<js::frontend::ExtensibleCompilationStencil> >, RefPtr<js::frontend::CompilationStencil>, js::frontend::CompilationGCOutput*>&) ()
#2  0x000055a5cb4734c4 in js::frontend::CompileGlobalScript(JSContext*, js::ErrorContext*, unsigned long, JS::ReadOnlyCompileOptions const&, JS::SourceText<char16_t>&, js::ScopeKind) ()
#3  0x000055a5cae4dd8d in bool EvaluateSourceBuffer<char16_t>(JSContext*, js::ScopeKind, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceText<char16_t>&, JS::MutableHandle<JS::Value>) ()
#4  0x000055a5cae4d9c8 in JS::Evaluate(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceText<char16_t>&, JS::MutableHandle<JS::Value>) ()
#5  0x000055a5cabaaf7e in EvalInContext(JSContext*, unsigned int, JS::Value*) ()
#6  0x00003f5ec83e628e in ?? ()
#7  0x00007ffca753ca28 in ?? ()
#8  0x00007ffca753c370 in ?? ()
#9  0x0000000000000000 in ?? ()
rax	0x55a5c98d1a0c	94170539432460
rbx	0x7ff0ec72a100	140672735813888
rcx	0x55a5cc2ab060	94170583314528
rdx	0x1	1
rsi	0x0	0
rdi	0x7ff0ed83d7d0	140672753719248
rbp	0x7ffca753ada0	140723115765152
rsp	0x7ffca753ad90	140723115765136
r8	0x0	0
r9	0x78	120
r10	0x55a5c956e55b	94170535880027
r11	0x7ff0ed6d1340	140672752227136
r12	0xaaaaaaaaaaaaaaaa	-6148914691236517206
r13	0x7ffca753c080	140723115769984
r14	0x0	0
r15	0x7ff0ec72a100	140672735813888
rip	0x55a5cb4a0ff7 <AutoAssertReportedException::~AutoAssertReportedException()+215>
=> 0x55a5cb4a0ff7 <_ZN27AutoAssertReportedExceptionD2Ev+215>:	movl   $0x48,0x0
   0x55a5cb4a1002 <_ZN27AutoAssertReportedExceptionD2Ev+226>:	callq  0x55a5cac11bb4 <abort>
Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220829094551-ad01d1ce5556.
The bug appears to have been introduced in the following build range:

Start: c683eec886927339b9e34f6c3aef2b9360ea99cc (20220819145720)
End: 7259398085eb8272cf374a2e7b255b2c19cc8c41 (20220819150333)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c683eec886927339b9e34f6c3aef2b9360ea99cc&tochange=7259398085eb8272cf374a2e7b255b2c19cc8c41

Whiteboard: [bugmon:update,bisect][fuzzblocker] → [bugmon:update,bisected,confirmed][fuzzblocker]

:bthrall, could you take a quick look at this bug. Based on the Pushlog in the Bugmon Analysis in comment 3, this might be caused by your push.

Flags: needinfo?(bthrall)

Yes, this is almost certainly caused by the changes for bug 1761581. I will look at finding a fix ASAP.

My intuition says I can find the cause in an hour or two, but it might take longer.

Flags: needinfo?(bthrall)
Severity: -- → S4
Priority: -- → P1

I am assigning this to :bthrall since he is actively working on this.

Assignee: nobody → bthrall

Off-thread delazification was not reporting OOM back to the main thread's
JSContext, causing the assertion at BytecodeCompiler.cpp:71 to fail.

https://searchfox.org/mozilla-central/source/js/src/frontend/BytecodeCompiler.cpp#71

OverRecursed needs to be reported back to the JSContext, too, but I don't have
a test for that yet.

Based on JSContext::onOutOfMemory() and JSContext::onOverRecursed(), OOM takes
precedence over OverRecursed, so if we check OOM first, it will persist through
the check for OverRecursed, even if both have been set. If both have been set,
the expected result is an OOM exception status.
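
The propagation rule described in the comment above, as an added illustration written for this page; it is not SpiderMonkey code and does not model the patch that eventually landed (which ignores errors during off-thread delazification). `WorkerErrorContext`, `MainContext`, `reportWorkerErrorsToMain` and `simulate` are hypothetical stand-ins for js::ErrorContext, JSContext and the hand-off between them; the precedence behaviour of `onOutOfMemory()`/`onOverRecursed()` is modelled from the comment, not copied from the engine. The last function expresses the contract that AutoAssertReportedException checks: a compile that fails must leave an exception pending on the main-thread context, which is exactly what the unpropagated worker OOM violated.

```cpp
// Added example (not SpiderMonkey code): minimal model of reporting a helper
// thread's failure status back to the main-thread context, with OutOfMemory
// taking precedence over OverRecursed.
#include <cassert>
#include <cstdio>

enum class ErrorKind { None, OverRecursed, OutOfMemory };

// Hypothetical stand-in for the js::ErrorContext used off-thread: it only
// records what went wrong, it cannot throw on the main thread's JSContext.
struct WorkerErrorContext {
    bool oom = false;
    bool overRecursed = false;
    void onOutOfMemory() { oom = true; }
    void onOverRecursed() { overRecursed = true; }
};

// Hypothetical stand-in for the main-thread JSContext.
struct MainContext {
    ErrorKind pending = ErrorKind::None;
    bool isExceptionPending() const { return pending != ErrorKind::None; }
    // Modelled on the comment: OOM overrides any other pending status.
    void onOutOfMemory() { pending = ErrorKind::OutOfMemory; }
    // Modelled on the comment: OverRecursed does not displace a pending OOM.
    void onOverRecursed() {
        if (pending != ErrorKind::OutOfMemory) pending = ErrorKind::OverRecursed;
    }
};

// Hand the worker's status to the main context. OOM is checked first so it
// survives the OverRecursed check even when both flags were set.
void reportWorkerErrorsToMain(const WorkerErrorContext& ec, MainContext& cx) {
    if (ec.oom) cx.onOutOfMemory();
    if (ec.overRecursed) cx.onOverRecursed();
}

// The invariant AutoAssertReportedException enforces at BytecodeCompiler.cpp:
// a failed compile must leave an exception pending on the main context.
bool compileFailureIsConsistent(bool compileOk, const MainContext& cx) {
    return compileOk || cx.isExceptionPending();
}

// Scenario driver: a worker fails with the given flags; `propagate` selects
// whether the status is reported back (fixed) or dropped (the bug).
MainContext simulate(bool oom, bool overRecursed, bool propagate) {
    WorkerErrorContext ec;
    if (oom) ec.onOutOfMemory();
    if (overRecursed) ec.onOverRecursed();
    MainContext cx;
    if (propagate) reportWorkerErrorsToMain(ec, cx);
    return cx;
}

int main() {
    // The buggy path: worker hit OOM, nothing reported, compile "failed"
    // with no exception pending -> the assertion would fire.
    MainContext dropped = simulate(true, false, false);
    std::printf("dropped OOM: exception pending = %d, consistent = %d\n",
                dropped.isExceptionPending(),
                compileFailureIsConsistent(false, dropped));

    // Both flags set: OOM must win.
    MainContext both = simulate(true, true, true);
    std::printf("both set: OOM wins = %d\n",
                both.pending == ErrorKind::OutOfMemory);
    return 0;
}
```

The order of the two checks in `reportWorkerErrorsToMain` is the whole point: swapping them would still work under this model only because `onOverRecursed()` refuses to overwrite OOM, so the explicit OOM-first order is the defensive choice that does not depend on that detail.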

Based on comment #3, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:bthrall, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit auto_nag documentation.

Flags: needinfo?(bthrall)
Flags: needinfo?(bthrall)
Regressed by: 1782569

Set release status flags based on info from the regressing bug 1782569

Attachment #9292355 - Attachment description: Bug 1787730 - Report OutOfMemory and OverRecursed errors from ErrorContext back to JSContext r=arai → WIP: Bug 1787730 - Ignore errors during off-thread delazification

My current patch depends on changes in the patch for bug 1786117.

If we need to resolve this bug sooner, I can easily adapt the patch to not depend on bug 1786117.

Depends on: 1786117
Attachment #9292355 - Attachment description: WIP: Bug 1787730 - Ignore errors during off-thread delazification → Bug 1787730 - Ignore errors during off-thread delazification r=arai,nbp

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:bthrall, could you increase the severity?

For more information, please visit auto_nag documentation.

Flags: needinfo?(bthrall)
Pushed by bthrall@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/bb6b001abe51 Ignore errors during off-thread delazification r=arai,nbp

I'm not sure what severity would be appropriate here, so I raised it to S3. Feel free to update it as you feel appropriate.

I just landed a patch for this, so unless something goes wrong, this bug will be resolved soon anyway :)

Severity: S4 → S3
Flags: needinfo?(bthrall)
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch
Regressions: 1789528

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220906213903-b7f6557aaf06.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
