1886940 - Assertion failure: !cx->isExceptionPending(), at gc/GCAPI.cpp:492

Status: RESOLVED FIXED

(Core :: JavaScript: GC, defect, P1)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: debug stack

[].with(Symbol.hasInstance);

(gdb) bt
#0  js::gc::CreateUniqueIdForNativeObject (nobj=0x2f3e10041190, uidp=0x7fffffffc1a0) at /home/w11x500-lin/trees/mozilla-central/js/src/gc/GCAPI.cpp:492
#1  0x00005555576a7bc9 in SetObjectIsUsedAsPrototype (cx=cx@entry=0x7ffff6b3ab00, proto=proto@entry=...) at /home/w11x500-lin/trees/mozilla-central/js/src/vm/Shape.cpp:1017
#2  0x000055555769de84 in js::SharedShape::getInitialShape (cx=0x7ffff6b3ab00, clasp=0x555558bd1b40 <js::ErrorObject::classes+192>, realm=0x7ffff6be7200, proto=..., nfixed=8, objectFlags=...) at /home/w11x500-lin/trees/mozilla-central/js/src/vm/Shape.cpp:1398
#3  0x00005555574faa55 in NewObject (cx=cx@entry=0x7ffff6b3ab00, clasp=0x555558bd1b40 <js::ErrorObject::classes+192>, proto=..., kind=js::gc::AllocKind::OBJECT8_BACKGROUND, newKind=newKind@entry=js::GenericObject, objFlags=objFlags@entry=...) at /home/w11x500-lin/trees/mozilla-central/js/src/vm/JSObject.cpp:762
#4  0x00005555574fa907 in js::NewObjectWithGivenTaggedProto (cx=0x7ffff7bfca60 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6b3ab00, clasp=0x0, proto=..., allocKind=js::gc::AllocKind::OBJECT16, newKind=newKind@entry=js::GenericObject, objFlags=..., objFlags@entry=...) at /home/w11x500-lin/trees/mozilla-central/js/src/vm/JSObject.cpp:781
#5  0x00005555574715c8 in js::NewObjectWithGivenTaggedProto<(js::NewObjectKind)0> (cx=0x7ffff6b3ab00, clasp=0x0, proto=..., objFlags=...) at /home/w11x500-lin/trees/mozilla-central/js/src/vm/JSObject-inl.h:371
#6  js::NewObjectWithGivenProto (cx=0x7ffff6b3ab00, clasp=0x0, proto=...) at /home/w11x500-lin/trees/mozilla-central/js/src/vm/JSObject-inl.h:397
#7  js::ErrorObject::create (cx=0x7ffff6b3ab00, errorType=JSEXN_RANGEERR, stack=..., fileName=..., sourceId=2, lineNumber=1, columnNumber=..., report=..., message=..., cause=..., protoArg=...) at /home/w11x500-lin/trees/mozilla-central/js/src/vm/ErrorObject.cpp:549
#8  0x0000555557910e69 in js::ErrorToException (cx=cx@entry=0x7ffff6b3ab00, reportp=reportp@entry=0x7fffffffc630, callback=<optimized out>, callback@entry=0x55555746f2f0 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0) at /home/w11x500-lin/trees/mozilla-central/js/src/jsexn.cpp:356
#9  0x0000555557474fab in ReportError (cx=0x7ffff6b3ab00, reportp=0x7fffffffc630, callback=0x55555746f2f0 <js::GetErrorMessage(void*, unsigned int)>, userRef=0x0) at /home/w11x500-lin/trees/mozilla-central/js/src/vm/ErrorReporting.cpp:173
/snip

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7278e5cc8ae4
user:        Jon Coppeard
date:        Thu Mar 21 13:59:21 2024 +0000
summary:     Bug 1883144 - Clear any pending exception when creating a unique ID for a native object r=jandem

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 9f6186fead44.

Assuming not s-s since the potential regressor bug 1883144 mentions that pending exceptions are just correctness issues. Jon, is bug 1883144 a likely regressor?

This is triggering quite often, btw.

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1883144

Comment 2

[Jon Coppeard (:jonco)]

Attachment: Bug 1886940 - Change NativeObject::setUnqiueId to not throw on failure r?jandem

In the fix for bug 1883144 I manually cleared the current exception in places
where we were just about to report an error, but it would be better have this
happen automatically if it's a common pattern. And it does seem sensible to
check for an exception and then replace it with a more meaningful error.

It's important to clear the pending exception because in general engine code
does not expect to be called with a pending exception already set, yet this can
happen when creating an error object (and can reach quite a lot of code this
way).

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(In reply to Jon Coppeard (:jonco) from comment #2)

Created attachment 9392732 [details]
Bug 1886940 - Clear pending exception while creating error object r?jandem

I happened to test this patch and unfortunately on m-c rev 5d6efea5e0bb only with this patch, I get the following:

oomTest(function () {
  (function () {
    var x = [disassemble, new Int8Array(2 ** 8 + 1)];
    x.shift().apply([], x);
  })();
});

Assertion failure: cx->isExceptionPending(), at jsexn.cpp:314 with --fuzzing-safe --no-threads --no-baseline --no-ion, regular debug 64-bit build on Linux.

(gdb) bt
#0  js::ErrorToException(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*)::$_0::operator()() const (this=<optimized out>) at /home/skymainubu/trees/mozilla-central/js/src/jsexn.cpp:314
#1  mozilla::ScopeExit<js::ErrorToException(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*)::$_0>::~ScopeExit() (this=<optimized out>) at /home/skymainubu/shell-cache/js-dbg-64-linux-x86_64-5d6efea5e0bb/objdir-js/dist/include/mozilla/ScopeExit.h:106
#2  js::ErrorToException (cx=cx@entry=0x7ffff6b39100, reportp=reportp@entry=0x7fffffffafd0, callback=<optimized out>, callback@entry=0x555557473820 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0) at /home/skymainubu/trees/mozilla-central/js/src/jsexn.cpp:379
#3  0x00005555574794db in ReportError (cx=0x7ffff6b39100, reportp=0x7fffffffafd0, callback=0x555557473820 <js::GetErrorMessage(void*, unsigned int)>, userRef=0x0) at /home/skymainubu/trees/mozilla-central/js/src/vm/ErrorReporting.cpp:173
#4  js::ReportErrorNumberVA (cx=cx@entry=0x7ffff6b39100, isWarning=isWarning@entry=js::IsWarning::No, callback=callback@entry=0x555557473820 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=11, argumentsType=argumentsType@entry=js::ArgumentsAreUTF8, ap=0x7fffffffb130) at /home/skymainubu/trees/mozilla-central/js/src/vm/ErrorReporting.cpp:487
#5  0x00005555578e240e in JS_ReportErrorNumberUTF8VA (ap=0x7fffffffb130, cx=<optimized out>, errorCallback=<optimized out>, userRef=<optimized out>, errorNumber=<optimized out>) at /home/skymainubu/trees/mozilla-central/js/src/jsapi.cpp:3822
#6  JS_ReportErrorNumberUTF8 (cx=cx@entry=0x7ffff6b39100, errorCallback=0x555557473820 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=11) at /home/skymainubu/trees/mozilla-central/js/src/jsapi.cpp:3812
#7  0x00005555574e71ff in js::ReportValueError (cx=cx@entry=0x7ffff6b39100, errorNumber=11, spindex=<optimized out>, v=v@entry=..., fallback=..., arg1=arg1@entry=0x0, arg2=0x0) at /home/skymainubu/trees/mozilla-central/js/src/vm/JSContext.cpp:662
#8  0x000055555727a310 in js::ReportIsNotFunction (cx=0x7ffff7beda60 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6b39100, v=..., v@entry=..., numToSkip=numToSkip@entry=-1, construct=construct@entry=js::NO_CONSTRUCT) at /home/skymainubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:276
#9  0x00005555575207ae in js::ReportIfNotFunction (cx=0x7ffff6b39100, v=..., construct=js::NO_CONSTRUCT) at /home/skymainubu/trees/mozilla-central/js/src/vm/Interpreter-inl.h:638
#10 0x00005555578e2dd4 in JS_ValueToFunction (cx=cx@entry=0x7ffff6b39100, value=...) at /home/skymainubu/trees/mozilla-central/js/src/jsapi.cpp:334
#11 0x000055555781caf9 in js::TestingFunctionArgumentToScript (cx=cx@entry=0x7ffff6b39100, v=..., v@entry=..., funp=0x7ffff7bec723 <_IO_2_1_stderr_+131>, funp@entry=0x7fffffffb410) at /home/skymainubu/trees/mozilla-central/js/src/builtin/TestingFunctions.cpp:8850
#12 0x0000555557168ef5 in DisassembleToSprinter (cx=cx@entry=0x7ffff6b39100, argc=argc@entry=1, vp=vp@entry=0x7fffffffb788, sp=sp@entry=0x7fffffffb6d0) at /home/skymainubu/trees/mozilla-central/js/src/shell/js.cpp:3477
#13 0x000055555714909a in DisassembleToString (cx=0x7ffff6b39100, argc=<optimized out>, vp=0x7fffffffb788) at /home/skymainubu/trees/mozilla-central/js/src/shell/js.cpp:3498
#14 0x00002f6e062ffef7 in ?? ()
#15 0x20255c9b31351700 in ?? ()
#16 0x00007fffffffb760 in ?? ()
#17 0x0000000000000000 in ?? ()
(gdb)

Comment 4

[Jon Coppeard (:jonco)]

(In reply to Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) from comment #3)
Thanks for testing this.

Comment 6

[Jon Coppeard (:jonco)]

Attachment: Bug 1886940 - Part 2: Throw when allocating memory for string chars fails r?sfink

The asserts added in the first patch turned up this existing problem.
AllocChars takes a context so is assumed to report an error on failure.

Comment 7

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

for (let i = 0; i < 1; i++) {
  enableShellAllocationMetadataBuilder(1);
}
registerModule("z", parseModule(""));
oomTest(function () {
  moduleLink(
    parseModule(
      'import{x, y} from "z"; for (let i = 0; i < 1; i++) { FOO; BAR; }'
    )
  );
});

Here's another testcase that is not fixed by any of these 2 patches, and also points to the following regressor:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7278e5cc8ae4
user:        Jon Coppeard
date:        Thu Mar 21 13:59:21 2024 +0000
summary:     Bug 1883144 - Clear any pending exception when creating a unique ID for a native object r=jandem

Stack from debug build m-c rev 19d905446a32, with --fuzzing-safe --no-threads --ion-eager, using configure commands AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests:

492       MOZ_ASSERT(!cx->isExceptionPending());
(gdb) bt
#0  js::gc::CreateUniqueIdForNativeObject (nobj=0x24d67733e348, uidp=0x7fffffffb3c0) at /home/ubu32gx500/trees/mozilla-central/js/src/gc/GCAPI.cpp:492
#1  0x0000555557d6ebf1 in js::StableCellHasher<JSObject*>::ensureHash (l=<optimized out>, hashOut=<optimized out>) at /home/ubu32gx500/trees/mozilla-central/js/src/gc/StableCellHasher-inl.h:185
#2  js::StableCellHasher<js::HeapPtr<JSObject*> >::ensureHash (l=<optimized out>, hashOut=<optimized out>) at /home/ubu32gx500/trees/mozilla-central/js/src/gc/Barrier.h:1145
#3  mozilla::FallibleHashMethods<js::StableCellHasher<js::HeapPtr<JSObject*> > >::ensureHash<JSObject* const&> (l=<optimized out>, hashOut=<optimized out>) at /home/ubu32gx500/shell-cache/js-dbg-64-linux-x86_64-19d905446a32/objdir-js/dist/include/js/RootingAPI.h:896
#4  mozilla::EnsureHash<mozilla::HashMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value>, js::StableCellHasher<js::HeapPtr<JSObject*> >, js::TrackedAllocPolicy<(js::TrackingKind)1> >::MapHashPolicy, JSObject* const&> (aLookup=<optimized out>, aHashOut=<optimized out>) at /home/ubu32gx500/shell-cache/js-dbg-64-linux-x86_64-19d905446a32/objdir-js/dist/include/mozilla/HashTable.h:926
#5  mozilla::detail::HashTable<mozilla::HashMapEntry<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >, mozilla::HashMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value>, js::StableCellHasher<js::HeapPtr<JSObject*> >, js::TrackedAllocPolicy<(js::TrackingKind)1> >::MapHashPolicy, js::TrackedAllocPolicy<(js::TrackingKind)1> >::putNew<JSObject*&, JS::Value&> (this=this@entry=0x7ffff5c0f0e8, aLookup=@0x7fffffffb418: 0x24d67733e348, aArgs=..., aArgs=...) at /home/ubu32gx500/shell-cache/js-dbg-64-linux-x86_64-19d905446a32/objdir-js/dist/include/mozilla/HashTable.h:2208
#6  0x0000555557d44799 in mozilla::HashMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value>, js::StableCellHasher<js::HeapPtr<JSObject*> >, js::TrackedAllocPolicy<(js::TrackingKind)1> >::putNew<JSObject*&, JS::Value&> (this=0x7ffff5c0f0e8, aKey=@0x7fffffffb418: 0x24d67733e348, aValue=...) at /home/ubu32gx500/shell-cache/js-dbg-64-linux-x86_64-19d905446a32/objdir-js/dist/include/mozilla/HashTable.h:272
#7  js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::putNew<JSObject*&, JS::Value&> (this=<optimized out>, k=@0x7fffffffb418: 0x24d67733e348, v=...) at /home/ubu32gx500/trees/mozilla-central/js/src/gc/WeakMap.h:262
#8  js::ObjectWeakMap::add (this=<optimized out>, cx=0x7ffff5c39100, obj=0x24d67733e348, target=<optimized out>) at /home/ubu32gx500/trees/mozilla-central/js/src/gc/WeakMap.cpp:211
#9  0x0000555557648df6 in JS::Realm::setNewObjectMetadata (this=<optimized out>, cx=0x7ffff5c39100, obj=...) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/Realm.cpp:400
#10 0x00005555572179b5 in js::SetNewObjectMetadata<js::NativeObject> (cx=0x7ffff5c39100, obj=<optimized out>) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/JSObject-inl.h:200
#11 0x00005555574f8b50 in NewObject (cx=cx@entry=0x7ffff5c39100, clasp=0x555558bd07f0 <js::ErrorObject::classes+288>, proto=..., kind=js::gc::AllocKind::OBJECT8_BACKGROUND, newKind=newKind@entry=js::GenericObject, objFlags=objFlags@entry=...) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/JSObject.cpp:769
#12 0x00005555574f8997 in js::NewObjectWithGivenTaggedProto (cx=0x7ffff7a1ca60 <_IO_stdfile_2_lock>, cx@entry=0x7ffff5c39100, clasp=0x0, proto=..., allocKind=96, newKind=newKind@entry=js::GenericObject, objFlags=..., objFlags@entry=...) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/JSObject.cpp:781
#13 0x000055555746f658 in js::NewObjectWithGivenTaggedProto<(js::NewObjectKind)0> (cx=0x7ffff5c39100, clasp=0x0, proto=..., objFlags=...) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/JSObject-inl.h:371
#14 js::NewObjectWithGivenProto (cx=0x7ffff5c39100, clasp=0x0, proto=...) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/JSObject-inl.h:397
#15 js::ErrorObject::create (cx=0x7ffff5c39100, errorType=JSEXN_SYNTAXERR, stack=..., fileName=..., sourceId=0, lineNumber=1, columnNumber=..., report=..., message=..., cause=..., protoArg=...) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/ErrorObject.cpp:549
#16 0x00005555579128da in JS::CreateError (cx=cx@entry=0x7ffff5c39100, type=type@entry=JSEXN_SYNTAXERR, stack=..., fileName=..., lineNumber=1, columnNumber=..., report=0x0, message=..., cause=..., rval=...) at /home/ubu32gx500/trees/mozilla-central/js/src/jsexn.cpp:781
#17 0x000055555758f027 in ThrowResolutionError (cx=cx@entry=0x7ffff5c39100, module=module@entry=..., resolution=resolution@entry=..., name=name@entry=..., errorInfo=errorInfo@entry=0x7fffffffb900) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/Modules.cpp:1039
#18 0x000055555758e3ca in js::ModuleInitializeEnvironment (cx=cx@entry=0x7ffff5c39100, module=...) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/Modules.cpp:1131
#19 0x000055555758fcc1 in InnerModuleLinking (cx=cx@entry=0x7ffff5c39100, module=..., stack=stack@entry=..., index=1, index@entry=0, indexOut=indexOut@entry=0x7fffffffba18) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/Modules.cpp:1342
#20 0x00005555575884d0 in js::ModuleLink (cx=cx@entry=0x7ffff5c39100, module=module@entry=...) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/Modules.cpp:1211
#21 0x000055555714a764 in ModuleLink (cx=0x7ffff5c39100, argc=<optimized out>, vp=<optimized out>) at /home/ubu32gx500/trees/mozilla-central/js/src/shell/js.cpp:5459
#22 0x00000535940380f3 in ?? ()
#23 0x0000000000000000 in ?? ()
(gdb)

Comment 8

[Jon Coppeard (:jonco)]

Well this new assertion seems to be provoking a lot of failures. I'll try a different approach to the bug.

Comment 9

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3f1eac3b81b2
Change NativeObject::setUnqiueId to not throw on failure r=jandem

Comment 10

[Jon Coppeard (:jonco)]

Patch 2 is not required with the different approach in the new patch 1, but as this still fixes a problem I'll land it anyway.

Comment 11

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e196882e5ed9
Part 2: Throw when allocating memory for string chars fails r=sfink

Comment 12

[Sandor Molnar[:smolnar]]

https://hg.mozilla.org/mozilla-central/rev/3f1eac3b81b2

Comment 13

[Sandor Molnar[:smolnar]]

https://hg.mozilla.org/mozilla-central/rev/e196882e5ed9