1931494 - Assertion failure: cx->isExceptionPending() || cx->isPropagatingForcedReturn() || cx->hadUncatchableException(), at vm/Interpreter.cpp:440

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: debug stack

let m = {};
function f(x, y, z) {
  if (Object.hasOwn(m, y)) {
    p = m[y];
  } else if (typeof x !== "undefined") {
    r = "addMarkObservers";
    if (i === 3) r = "print";
    p = (function () {
      return new (function () {
        this.s = [{ t: { undefined } }, { u: { r } }, { v: { undefined } }];
      })();
    })();
  } else {
    p = new (function () {
      this.s = [];
    })();
  }
  Object.defineProperty(m, y, { value: p });
  n = [];
  (function (q) {
    for (i = 0; i < p.s.length; i++) {
      if (Object.hasOwn(p.s[i], "v")) {
        n.push(q[3]);
      } else if (Object.hasOwn(p.s[i], "t")) {
        n.push(this);
      } else if (
        (function () {
          return { u: { r } };
        })()
      )
        n.push(p.s[i].u.r);
    }
  })(z);
  (function () {
    try {
      n[0][n[1]](...n.slice(2, n.length));
    } catch (e) {}
  })();
}
f();
function g() {
  f(this, "", [this, Uint8Array, , [[]], 0]);
  f(this, "1", this);
}
g();
oomTest(g);

(gdb) bt
#0  AssertExceptionResult (cx=cx@entry=0x7ffff6f36200) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:439
#1  0x000055555727aa7f in CallJSNative (cx=cx@entry=0x7ffff6f36200, native=<optimized out>, reason=reason@entry=js::CallReason::Call, args=...) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:537
#2  0x0000555557251032 in js::InternalCallOrConstruct (cx=0x7ffff6f36200, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:628
#3  0x0000555557251d68 in InternalCall (cx=<optimized out>, args=..., reason=1490543312, reason@entry=js::CallReason::Call) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:695
#4  0x0000555557251f59 in js::Call (cx=cx@entry=0x7ffff6f36200, fval=fval@entry=..., thisv=thisv@entry=..., args=..., rval=..., reason=reason@entry=js::CallReason::Call) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:727
#5  0x0000555557fb1306 in js::jit::InvokeFunction (cx=0x7ffff6f36200, obj=..., constructing=<optimized out>, ignoresReturnValue=true, argc=1, argv=0x7fffffffbdb0, rval=...) at /home/i32g7900a/trees/mozilla-central/js/src/jit/VMFunctions.cpp:548
/snip

I'm going to guess that this is related to bug 1921780 again.

Run with --fuzzing-safe --no-threads --ion-eager, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 0191fbfc9115.

Setting s-s just in case. Jan, did bug 1921780 likely expose the issue?

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1921780

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

I'm going to guess that the testcase in comment 0 involves addMarkObservers.

oomTest(function () { addMarkObservers([[]]); });

Here's another testcase that reproduces on m-c rev 6c508a387477, also involves addMarkObservers, same assert, different flags: --fuzzing-safe --no-threads --no-baseline --no-ion

Jan, do you think they are related?

Comment 3

[Jan de Mooij [:jandem]]

Yes these are the same (probably quite old) bug. A missing ReportOutOfMemory call for addMarkObservers.

Comment 4

[Jan de Mooij [:jandem]]

Attachment: Bug 1931494 - Add missing ReportOutOfMemory call for addMarkObservers shell function. r?jonco!

Comment 5

[Pulsebot]

Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/45b9d50e2ae6
Add missing ReportOutOfMemory call for addMarkObservers shell function. r=jonco

Comment 6

[pstanciu]

https://hg.mozilla.org/mozilla-central/rev/45b9d50e2ae6