Assertion failure: cx->isExceptionPending(), at jit/Ion.cpp:2010
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr140 | --- | unaffected |
| firefox146 | --- | unaffected |
| firefox147 | --- | unaffected |
| firefox148 | --- | fixed |
People
(Reporter: gkw, Assigned: h4writer)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: regression, reporter-external, testcase)
Attachments
(2 files)
oomTest(function () {
Object.defineProperty([], 1, { function() {} });
for (var i of "month") {};
Object.defineProperty([], "", {});
});
(gdb) bt
#0 0x00005555580ca60e in MOZ_CrashSequence (aAddress=0x0, aLine=2010)
at /home/msf2/shell-cache/js-dbg-64-linux-x86_64-6a0626aaa09a-601896/objdir-js/dist/include/mozilla/Assertions.h:237
#1 js::jit::Compile (cx=cx@entry=0x7ffff5e38200, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffbcc8, osrPc=osrPc@entry=0x0)
at /home/msf2/trees/firefox/js/src/jit/Ion.cpp:2010
#2 0x00005555580cb17b in BaselineCanEnterAtEntry (cx=0x7ffff5e38200, script=..., frame=0x7fffffffbcc8) at /home/msf2/trees/firefox/js/src/jit/Ion.cpp:2125
#3 IonCompileScriptForBaseline (cx=0x7ffff5e38200, frame=0x7fffffffbcc8, pc=<optimized out>) at /home/msf2/trees/firefox/js/src/jit/Ion.cpp:2234
#4 0x000028e88a565066 in ?? ()
#5 0x00007fffffffbd00 in ?? ()
/snip
23b0c4c44976-601276
23b0c4c449768f62d52310e79f7a977cb3c24364 is the first interesting commit
commit 23b0c4c449768f62d52310e79f7a977cb3c24364
Author: Hannes Verschore
Date: Thu Dec 18 16:07:13 2025 +0000
Bug 1999828: Part 1 - Split TryFoldingStubs into two passes. One to detect the shape (and later slot offset) and another to gather the values. r=iain
Preparation to being able to fold GuardShape followed by {Load|Store}{Fixed|Dynamic}Slot.
For this we split the detection of stubs with different shapes (and in the future slots) and gathering.
This patch does this in two passes. One to detect the availability to fold (detect shape and slot change at same offset).
The second pass is used to make sure all Stub information is the same and saves the different shapes (and slots).
The other changes are to support the subsequent patches.
Differential Revision: https://phabricator.services.mozilla.com/D274201
Run with --fuzzing-safe --baseline-warmup-threshold=6 --blinterp-warmup-threshold=1 --ion-warmup-threshold=0 --trial-inlining-warmup-threshold=0, compile with AR=ar sh ~/trees/firefox/js/src/configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on gh rev 6a0626aaa09a87200258dbf6161fde44722c763e.
Hannes, is bug 1999828 a likely regressor?
|
||
Comment 1•3 months ago
|
||
Set release status flags based on info from the regressing bug 1999828
|
Assignee | |
Comment 2•3 months ago
|
||
I am a bit fuzzy about the OOM rules. But looking at where we are failing, I see I added a "cx->recoverFromOutOfMemory();" where there was none previously.
I assume this error is because
- We fail allocation
- We run cx->recoverFromOutOfMemory();
- We still do "return false" indicating a problem
- Ion expects an exception, but there isn't one.
Upon allocation failures we need to do (IIUC):
cx->recoverFromOutOfMemory();
return true;
or
return false; // no recoverFromOutOfMemory();
Patch should be arriving today.
|
|
Assignee | |
Comment 3•3 months ago
|
||
|
||
Updated•3 months ago
|
|
||
Updated•3 months ago
|
|
||
Updated•3 months ago
|
|
||
Comment 4•3 months ago
|
||
This isn't security sensitive. There probably isn't a reliable way to trigger OOM here, and even if there was, there's nothing exploitable about accidentally not throwing an exception.
|
|
||
Updated•3 months ago
|
|
||
Comment 6•2 months ago
|
||
| bugherder | ||
|
||
Updated•2 months ago
|
|
||
Updated•2 months ago
|
Description
•