Closed Bug 1108824 Opened 10 years ago Closed 10 years ago

Assertion failure: !cx->isExceptionPending(), at jscntxtinlines.h

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla37
Tracking Flags:
Tracking Status
firefox37 --- affected

People

(Reporter: gkw, Assigned: terrence)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker])

Attachments

(2 files)

stack
3.97 KB, text/plain
Details
bug-1108824-v0.diff
1.09 KB, patch
jorendorff
: review+
Details | Diff | Splinter Review
// Randomly chosen test: js/src/tests/test262/ch10/10.4/10.4.3/10.4.3-1-15gs.js // -- reduced away -- // Randomly chosen test: js/src/jit-test/tests/bug793385.js try { gcparam("maxBytes", gcparam("gcBytes") + 1); function f() { f(); } assertEq((f()), null); } catch (e) {} // Randomly chosen test: js/src/jit-test/tests/basic/bug532568.js load("bug532568.js"); // jsfunfuzz " " + ";"; asserts js debug shell on m-i changeset 917fafd942ae with --fuzzing-safe --no-threads --no-ion at Assertion failure: !cx->isExceptionPending(), at jscntxtinlines.h. Debug configure options: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-inbound/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests This was found by combining random js tests together with jsfunfuzz, the specific file(s) is/are: http://hg.mozilla.org/mozilla-central/file/917fafd942ae/js/src/tests/test262/ch10/10.4/10.4.3/10.4.3-1-15gs.js http://hg.mozilla.org/mozilla-central/file/917fafd942ae/js/src/jit-test/tests/bug793385.js http://hg.mozilla.org/mozilla-central/file/917fafd942ae/js/src/jit-test/tests/basic/bug532568.js autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/eae28492fdc6 user: Terrence Cole date: Thu Dec 04 09:41:12 2014 -0800 summary: Bug 1100493 - Call js_ReportOutOfMemory on all failure paths in refillFreeList; r=jorendorff Terrence, is bug 1100493 a likely regressor?
Flags: needinfo?(terrence)
bug532568.js is: x = 0; x += 0 + '';
Whiteboard: [jsbugmon:update]
Attached file stack
(lldb) bt 5 * thread #1: tid = 0x5edbf9, 0x000000010064964e js-dbg-opt-64-dm-nsprBuild-darwin-917fafd942ae`js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) [inlined] js::NativeObject& JSObject::as<js::NativeObject>(this=<unavailable>) + 5 at jsobj.h:742, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0) * frame #0: 0x000000010064964e js-dbg-opt-64-dm-nsprBuild-darwin-917fafd942ae`js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) [inlined] js::NativeObject& JSObject::as<js::NativeObject>(this=<unavailable>) + 5 at jsobj.h:742 frame #1: 0x0000000100649649 js-dbg-opt-64-dm-nsprBuild-darwin-917fafd942ae`js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) [inlined] NoSuchMethod(argc=<unavailable>, vp=<unavailable>) at Interpreter.cpp:193 frame #2: 0x0000000100649649 js-dbg-opt-64-dm-nsprBuild-darwin-917fafd942ae`js::Invoke(cx=<unavailable>, args=<unavailable>, construct=<unavailable>) + 1257 at Interpreter.cpp:471 frame #3: 0x00000001006672b0 js-dbg-opt-64-dm-nsprBuild-darwin-917fafd942ae`Interpret(cx=<unavailable>, state=<unavailable>) + 46000 at Interpreter.cpp:2541 frame #4: 0x000000010065bed9 js-dbg-opt-64-dm-nsprBuild-darwin-917fafd942ae`js::RunScript(cx=0x0000000101d01cf0, state=0x00007fff5fbff178) + 345 at Interpreter.cpp:434 (lldb)
The second js_ReportOutOfMemory I added to refillFreeLists in bug 1100493 is not actually correct -- in the OOM-but-NoGC case we need to let the caller retry.
Assignee: nobody → terrence
Status: NEW → ASSIGNED
Flags: needinfo?(terrence)
Attachment #8533426 - Flags: review?(jorendorff)
There are many (seemingly-recent) variants of such asserts involving isExceptionPending, setting [fuzzblocker].
Whiteboard: [fuzzblocker]
Hurm, we might want to back out and re-land 1100493 without the broken hunk then.
Comment on attachment 8533426 [details] [diff] [review] bug-1108824-v0.diff Review of attachment 8533426 [details] [diff] [review]: ----------------------------------------------------------------- I don't understand how you can tolerate this. How do you ever know what's correct? Working on a static analysis that might reach this kind of mistake. Not sure.
Attachment #8533426 - Flags: review?(jorendorff) → review+
(In reply to Jason Orendorff [:jorendorff] from comment #7) > Comment on attachment 8533426 [details] [diff] [review] > bug-1108824-v0.diff > > Review of attachment 8533426 [details] [diff] [review]: > ----------------------------------------------------------------- > > I don't understand how you can tolerate this. How do you ever know what's > correct? I stand by my earlier statement: speckled chickens and fuzzers. And we're all out of chickens. > Working on a static analysis that might reach this kind of mistake. Not sure. The problem here is the decoupling of cx->exception and stack return codes. The correct solution is haskell's Maybe type. I guess that is arguably a static analysis. We're currently working hard to make Gecko effectively treat cx->exception as the return from Execute, so this may not actually be infeasible, if we want to put the work in.
https://hg.mozilla.org/mozilla-central/rev/c291b2eac809
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: