```
for (let x = 0; x < 2; (function() { x++; })()) {};
function f() {
  var y = new (function () {})();
  (function () {
    Reflect.apply(y.toString, [], [0]);
  })();
}
f();
var z = [];
z.keepFailing = [];
oomTest(f, z);
dumpHeap();
```

```
(gdb) bt
#0  js::NativeObject::setDenseInitializedLengthInternal (this=0x8ce34b412f8, length=0) at /home/yksubu/trees/mozilla-central/js/src/vm/NativeObject.h:1477
#1  0x0000555557ee776a in js::NativeObject::setDenseInitializedLength (this=0x8ce34b412f8, length=0) at /home/yksubu/trees/mozilla-central/js/src/vm/NativeObject.h:1483
#2  js::jit::ShapeListObject::traceWeak (this=0x8ce34b412f8, trc=<optimized out>) at /home/yksubu/trees/mozilla-central/js/src/jit/BaselineCacheIRCompiler.cpp:2188
#3  0x000055555752369e in JSClass::doTrace (trc=0x7fffffffc780, obj=0x8ce34b412f8, this=<optimized out>) at /home/yksubu/shell-cache/js-dbg-64-linux-x86_64-f8dd4015fa59/objdir-js/dist/include/js/Class.h:653
#4  JSObject::traceChildren (this=0x8ce34b412f8, trc=0x7fffffffc780) at /home/yksubu/trees/mozilla-central/js/src/vm/JSObject.cpp:3343
#5  0x0000555557d687fb in JS::TraceChildren(JSTracer*, JS::GCCellPtr)::$_0::operator()<JSObject*>(JSObject*) const (t=0x8ce34b412f8, this=<optimized out>) at /home/yksubu/trees/mozilla-central/js/src/gc/Tracer.cpp:62
#6  JS::MapGCThingTyped<JS::TraceChildren(JSTracer*, JS::GCCellPtr)::$_0>(void*, JS::TraceKind, JS::TraceChildren(JSTracer*, JS::GCCellPtr)::$_0&&) (thing=0x8ce34b412f8, traceKind=<optimized out>, f=...) at /home/yksubu/shell-cache/js-dbg-64-linux-x86_64-f8dd4015fa59/objdir-js/dist/include/js/TraceKind.h:253
#7  JS::ApplyGCThingTyped<JS::TraceChildren(JSTracer*, JS::GCCellPtr)::$_0>(void*, JS::TraceKind, JS::TraceChildren(JSTracer*, JS::GCCellPtr)::$_0&&) (thing=0x8ce34b412f8, traceKind=<optimized out>, f=...) at /home/yksubu/shell-cache/js-dbg-64-linux-x86_64-f8dd4015fa59/objdir-js/dist/include/js/TraceKind.h:268
#8  JS::TraceChildren (trc=trc@entry=0x7fffffffc780, thing=...) at /home/yksubu/trees/mozilla-central/js/src/gc/Tracer.cpp:59
/snip
```

```
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/2be36abf09c0
user: Iulian Moraru
date: Tue Jul 11 19:40:57 2023 +0300
summary: Backed out changeset ab845ce2e822 (bug 1837192) for causing spidermonkey build bustages. CLOSED TREE
```

Run with `--fuzzing-safe --no-threads --ion-eager`, compile with `AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests`, tested on m-c rev f8dd4015fa59.

Setting s-s to be safe. For some reason, it's pointing to a backout as a cause. I'll set needinfo? from Jan as a start.

Bug 1881417 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

```
for (let x = 0; x < 2; (function() { x++; })()) {};
function f() {
  var y = new (function () {})();
  (function () {
    Reflect.apply(y.toString, [], [0]);
  })();
}
f();
var z = [];
z.keepFailing = [];
oomTest(f, z);
dumpHeap();
```

```
(gdb) bt
#0  js::NativeObject::setDenseInitializedLengthInternal (this=0x8ce34b412f8, length=0) at /home/yksubu/trees/mozilla-central/js/src/vm/NativeObject.h:1477
#1  0x0000555557ee776a in js::NativeObject::setDenseInitializedLength (this=0x8ce34b412f8, length=0) at /home/yksubu/trees/mozilla-central/js/src/vm/NativeObject.h:1483
#2  js::jit::ShapeListObject::traceWeak (this=0x8ce34b412f8, trc=<optimized out>) at /home/yksubu/trees/mozilla-central/js/src/jit/BaselineCacheIRCompiler.cpp:2188
#3  0x000055555752369e in JSClass::doTrace (trc=0x7fffffffc780, obj=0x8ce34b412f8, this=<optimized out>) at /home/yksubu/shell-cache/js-dbg-64-linux-x86_64-f8dd4015fa59/objdir-js/dist/include/js/Class.h:653
#4  JSObject::traceChildren (this=0x8ce34b412f8, trc=0x7fffffffc780) at /home/yksubu/trees/mozilla-central/js/src/vm/JSObject.cpp:3343
#5  0x0000555557d687fb in JS::TraceChildren(JSTracer*, JS::GCCellPtr)::$_0::operator()<JSObject*>(JSObject*) const (t=0x8ce34b412f8, this=<optimized out>) at /home/yksubu/trees/mozilla-central/js/src/gc/Tracer.cpp:62
#6  JS::MapGCThingTyped<JS::TraceChildren(JSTracer*, JS::GCCellPtr)::$_0>(void*, JS::TraceKind, JS::TraceChildren(JSTracer*, JS::GCCellPtr)::$_0&&) (thing=0x8ce34b412f8, traceKind=<optimized out>, f=...) at /home/yksubu/shell-cache/js-dbg-64-linux-x86_64-f8dd4015fa59/objdir-js/dist/include/js/TraceKind.h:253
#7  JS::ApplyGCThingTyped<JS::TraceChildren(JSTracer*, JS::GCCellPtr)::$_0>(void*, JS::TraceKind, JS::TraceChildren(JSTracer*, JS::GCCellPtr)::$_0&&) (thing=0x8ce34b412f8, traceKind=<optimized out>, f=...) at /home/yksubu/shell-cache/js-dbg-64-linux-x86_64-f8dd4015fa59/objdir-js/dist/include/js/TraceKind.h:268
#8  JS::TraceChildren (trc=trc@entry=0x7fffffffc780, thing=...) at /home/yksubu/trees/mozilla-central/js/src/gc/Tracer.cpp:59
/snip
```

(Edit: see comment 2 for the real regressor)

Run with `--fuzzing-safe --no-threads --ion-eager`, compile with `AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests`, tested on m-c rev f8dd4015fa59.

Setting s-s to be safe. I'll set needinfo? from Jan as a start.