Bug 781343: "Assertion failure: !cx->isExceptionPending(),"
Status: RESOLVED FIXED (mozilla18)
Opened 12 years ago, closed 12 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: gkw, Assigned: jorendorff
Details: Keywords: assertion, regression, testcase; Whiteboard: [fuzzblocker][jsbugmon:update,reconfirm][js:p1:fx18] qa?
Attachments (3 files, 1 obsolete file):
3.48 KB, text/plain
660 bytes, patch (jimb: review+, akeybl: approval-mozilla-aurora+)
3.59 KB, patch (jimb: review+)
    try {
        Object.defineProperty(this, "o", {
            enumerable: true,
            get: function() {
                e;
            }
        });
        for each(var x in this) {}
    } catch (e) {}
    function a() {}
    a([1].filter(x))

asserts js debug shell on m-c changeset 4e3fb1f9f72a without any CLI arguments at Assertion failure: !cx->isExceptionPending(),

Setting [fuzzblocker] not because this happens often, but because it happens intermittently with somewhat-tough-to-reduce testcases so having such a small testcase is even more rare.
Comment 1•12 years ago (Reporter)
(not sure about this bisection - bug 729369 might just be exposing a latent bug)

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 88389:cfa346e78b0d
user: Bill McCloskey
date: Tue Mar 06 11:38:44 2012 -0800
summary: Bug 729369 - Expose the same set of SpiderMonkey testing APIs to debug shell and debug browser chrome (r=Waldo)
Blocks: 729369
Comment 2•12 years ago (Reporter)
I used the following configure command:

    sh ../configure --target=i386-apple-darwin8.0.0 --disable-optimize --enable-debug --enable-methodjit --enable-type-inference --enable-more-deterministic --disable-tests --enable-valgrind
Updated•12 years ago
Whiteboard: [fuzzblocker] → [fuzzblocker][jsbugmon:update]
Updated•12 years ago (Assignee)
Assignee: general → jorendorff
Comment 3•12 years ago (Assignee)
SM doesn't build for me with the given ../configure command line. I have to add CROSS_COMPILE=1 and some other bits and pieces. And the bug doesn't reproduce for me, either with tip or with the revision specified in comment 0. Does it still reproduce, Gary? I'm a little confused, because the stack says that the function we were calling was 'Notes', but notes isn't mentioned in the testcase.
Updated•12 years ago
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker][jsbugmon:update][js:p1:fx18]
Comment 4•12 years ago (Reporter)
Try:

    LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -fcolor-diagnostics -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -fcolor-diagnostics -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -fcolor-diagnostics" HOST_CXX="clang++ -Qunused-arguments -fcolor-diagnostics" sh ./configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --disable-optimize --enable-debug --enable-methodjit --enable-type-inference --enable-more-deterministic --disable-tests --enable-valgrind

I still reproduce with m-c changeset 8b46964e55c9, updating the stack.
Attachment #650313 - Attachment is obsolete: true
Comment 5•12 years ago (Reporter)
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #2)
> I used the following configure command:
>
> sh ../configure --target=i386-apple-darwin8.0.0 --disable-optimize
> --enable-debug --enable-methodjit --enable-type-inference
> --enable-more-deterministic --disable-tests --enable-valgrind

It appears I left out the environment variables needed to trigger a 32-bit js shell build. Oops.
Comment 6•12 years ago
I saw this twice in a try server push: https://tbpl.mozilla.org/?tree=Try&rev=0962adf50428 2 runs of the jsreftests hit it, 12 other runs were fine. My stacks were under SendToGenerator() for the test js1_8_5/extensions/recursion.js, which is a little different. Given that it was a recursion test, I thought maybe there was an OOM at the wrong time and added a shell test function oomTrigger(n) that would fail the nth memory allocation after you called it (using the same JSContext). But I wasn't able to reproduce it with or without calls to oomTrigger, so I gave up.
Comment 7•12 years ago
Well, ok, 6 of the other 12 were opt builds, so they don't count.
Comment 8•12 years ago
Maybe add a printout of what exception is being thrown when we hit this?
Comment 9•12 years ago (Assignee)
Turns out to be a trivial shell-only bug.
Attachment #659894 - Flags: review?(jimb)
Comment 10•12 years ago (Assignee)
Steve, this assertion means a JSNative returned true but there was an exception pending. You can see which native by looking at the 'native' argument in frame 0.
Comment 11•12 years ago (Assignee)
While I'm hanging out in here...
Attachment #659898 - Flags: review?(jimb)
Comment 12•12 years ago (Reporter)
The bug that the patch in comment 9 fixes goes all the way back to hg changeset 1 (and prior), which means it's ancient.
Comment 13•12 years ago
(In reply to Jason Orendorff [:jorendorff] from comment #10)
> Steve, this assertion means a JSNative returned true but there was an
> exception pending. You can see which native by looking at the 'native'
> argument in frame 0.

Yes, I know. Perhaps my failure is not the same, but it happened in the browser, not the shell. And I only have the tbpl output from the minidump stack trace, so I can't look to see what native it is.

Gary also told me that a simple |notes(1)| from the shell also triggers this, but that appears to be because if ValueToScript returns NULL, it may or may not have thrown an exception. Which also seems bad.
Comment 14•12 years ago (Assignee)
(In reply to Steve Fink [:sfink] from comment #13)
> Gary also told me that a simple |notes(1)| from the shell also triggers
> this, but that appears to be because if ValueToScript returns NULL, it may
> or may not have thrown an exception. Which also seems bad.

It looks to me like if ValueToScript returns NULL, an exception is definitely pending.
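
A minimal C++ model of the contract discussed in comments 10 to 14, added here as an illustration and not taken from the patch or from SpiderMonkey: a native that reports success while a failing helper has left an exception pending is what the caller-side check flags. Every name in it (Context, Native, lookupScript, both natives, callNative) is hypothetical, and the shape of the defective native is an assumption, since the patch itself is not shown on this page.

```cpp
// Toy model, not SpiderMonkey code: every name here is hypothetical.
struct Context {
    bool exceptionPending = false;
    void reportError(const char *) { exceptionPending = true; }
};
using Native = bool (*)(Context &cx, int arg, int &rval);

// Helper with the contract from comment 14: null always means an exception is pending.
const char *lookupScript(Context &cx, int arg) {
    if (arg != 0) {  // constructed rule: only 0 names a script
        cx.reportError("value is not a script");
        return nullptr;
    }
    return "script#0";
}

// Defective shape (assumed): the helper failed and set an exception, but the
// native still reports success.
bool nativeIgnoringFailure(Context &cx, int arg, int &rval) {
    const char *script = lookupScript(cx, arg);
    rval = script ? 1 : 0;
    return true;
}

// Correct shape: failure is propagated, so the return value agrees with cx.
bool nativePropagatingFailure(Context &cx, int arg, int &rval) {
    const char *script = lookupScript(cx, arg);
    if (!script)
        return false;
    rval = 1;
    return true;
}

enum class CallResult { Ok, Threw, ContractViolation };

// Caller-side check in the spirit of the debug assertion: success with an
// exception still pending is a contract violation.
CallResult callNative(Native native, int arg) {
    Context cx;
    int rval = 0;
    bool ok = native(cx, arg, rval);
    if (ok && cx.exceptionPending)
        return CallResult::ContractViolation;
    return ok ? CallResult::Ok : CallResult::Threw;
}

int main() {
    return callNative(nativeIgnoringFailure, 1) == CallResult::ContractViolation ? 0 : 1;
}
```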
Updated•12 years ago
Attachment #659894 - Flags: review?(jimb) → review+
Comment 15•12 years ago
Comment on attachment 659898: Part 2 - Common up some stuff in shell/js.cpp, v1
Review of attachment 659898:

Absolutely lovely. Warms my heart.
Attachment #659898 - Flags: review?(jimb) → review+
Comment 16•12 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/7ff900d42c59
https://hg.mozilla.org/integration/mozilla-inbound/rev/2e685a0f1027
Comment 17•12 years ago
https://hg.mozilla.org/mozilla-central/rev/7ff900d42c59
https://hg.mozilla.org/mozilla-central/rev/2e685a0f1027
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Comment 18•12 years ago (Reporter)
I am glad this was fixed, because this would mask another bug 791445 of the same assert.
Comment 19•12 years ago (Reporter)
jorendorff, do you mind asking for approval on aurora 17 branch (which is going to be an ESR)? It will help with fuzzing on that future ESR branch. Thank you!
status-firefox17: --- → affected
status-firefox18: --- → fixed
Comment 20•12 years ago (Assignee)
Comment on attachment 659894: v1
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 729369
User impact if declined: This patch will help with fuzzing on Aurora. The only impact of declining this would be less security testing.
Testing completed (on m-c, etc.): on m-c.
Risk to taking this patch (and alternatives if risky): Minimal (this code is not part of the browser).
String or UUID changes made by this patch: None.
Other notes: Will not be requesting approval for part 2, which is just code cleanup.
Attachment #659894 - Flags: approval-mozilla-aurora?
Comment 21•12 years ago
Comment on attachment 659894: v1
[Triage Comment]
Low risk change in support of fuzzing.
Attachment #659894 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 22•12 years ago (Reporter)
https://hg.mozilla.org/releases/mozilla-aurora/rev/eb69897f7d24
Flags: in-testsuite?
Comment 23•12 years ago
I've tried several times, but I can't reproduce this bug. I will keep on trying on a different machine.
Updated•12 years ago
Whiteboard: [fuzzblocker][jsbugmon:update][js:p1:fx18] → [fuzzblocker][jsbugmon:update,reconfirm][js:p1:fx18]
Comment 24•12 years ago
Setting this to "qa?" and removing "verifyme" for the time being. Could I get some more info on how to reproduce this bug please?
Keywords: verifyme
Whiteboard: [fuzzblocker][jsbugmon:update,reconfirm][js:p1:fx18] → [fuzzblocker][jsbugmon:update,reconfirm][js:p1:fx18] qa?
Comment 25•12 years ago (Reporter)
You'll have to compile a shell from m-c changeset 4e3fb1f9f72a in comment 0, using the configure options in comment 2 to get a 32-bit shell to get it to reproduce.
Comment 26•12 years ago
While trying to build Firefox on Ubuntu 12.04 (which is up-to-date), I get the following error: http://pastebin.mozilla.org/1929133 Could you please help me solve this?
Comment 27•12 years ago (Reporter)
> Could you please help me solve this?
You need to first install "ia32-libs gcc-multilib g++-multilib" via apt-get, I think.
Comment 28•12 years ago
Even after using the command you suggested: sudo apt-get install ia32-libs-multiarch gcc-multilib g++-multilib (only using "ia32-libs" didn't seem to work), I still receive the same error as in comment 26, when running the configure command in comment 2.