Closed
Bug 1215363
Opened 9 years ago
Closed 9 years ago
Assertion failure: cx->isExceptionPending(), at builtin/TestingFunctions.cpp:1158 with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla44
Tracking | Status | |
---|---|---|
firefox44 | --- | fixed |
People
(Reporter: decoder, Assigned: jonco)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
6.87 KB,
patch
|
terrence
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 4f4615ffec6a (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks --ion-offthread-compile=off --ion-check-range-analysis). Actually I see multiple ones involving different functions that OOM: oomTest(() => parseModule(10)); or this: var lfcode = new Array(); oomTest((function(x) { assertEq(...Object); })); or this: var lfcode = new Array(); oomTest(() => getBacktrace({})); Not sure if these are distinct bugs not, but I can't seem to differentiate them by the stack, they all look like this: Backtrace: Program terminated with signal SIGSEGV, Segmentation fault. #0 0x00000000007d1703 in OOMTest (cx=0x7f7c6df06c00, argc=<optimized out>, vp=<optimized out>) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/builtin/TestingFunctions.cpp:1158 #1 0x00000000009e4412 in js::CallJSNative (cx=0x7f7c6df06c00, native=0x7d13a0 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jscntxtinlines.h:235 #2 0x00000000009e0d70 in js::Invoke (cx=cx@entry=0x7f7c6df06c00, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/vm/Interpreter.cpp:784 #3 0x00000000009d229a in Interpret (cx=cx@entry=0x7f7c6df06c00, state=...) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/vm/Interpreter.cpp:3107 #4 0x00000000009e057b in js::RunScript (cx=cx@entry=0x7f7c6df06c00, state=...) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/vm/Interpreter.cpp:725 #5 0x00000000009e2f9c in js::ExecuteKernel (cx=cx@entry=0x7f7c6df06c00, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=<optimized out>, evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/vm/Interpreter.cpp:1000 #6 0x00000000009e3409 in js::Execute (cx=cx@entry=0x7f7c6df06c00, script=script@entry=..., scopeChainArg=..., rval=0x0) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/vm/Interpreter.cpp:1035 #7 0x00000000008444e7 in Evaluate (cx=cx@entry=0x7f7c6df06c00, scope=..., staticScope=staticScope@entry=..., optionsArg=..., srcBuf=..., rval=..., rval@entry=...) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsapi.cpp:4693 #8 0x00000000008449b6 in JS::Evaluate (cx=cx@entry=0x7f7c6df06c00, options=..., bytes=<optimized out>, length=71, rval=..., rval@entry=...) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsapi.cpp:4747 #9 0x000000000085317e in Evaluate (rval=..., filename=<optimized out>, optionsArg=..., cx=0x7f7c6df06c00, cx@entry=0x7fff8971f5c0) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsapi.cpp:4764 #10 JS::Evaluate (cx=cx@entry=0x7f7c6df06c00, optionsArg=..., filename=<optimized out>, rval=..., rval@entry=...) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsapi.cpp:4802 #11 0x00000000004936d9 in LoadScript (cx=0x7f7c6df06c00, argc=<optimized out>, vp=0x7fff8971f8a8, scriptRelative=false) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/shell/js.cpp:839 #12 0x00007f7c6e10e4cd in ?? () #13 0x0000000000000073 in ?? () #14 0x00007fff8971f880 in ?? () #15 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x2 2 rcx 0x7f7c6e22a88d 140172400437389 rdx 0x0 0 rsi 0x7f7c6e4ff9d0 140172403407312 rdi 0x7f7c6e4fe1c0 140172403401152 rbp 0x7fff8971e8d0 140735499331792 rsp 0x7fff8971e7f0 140735499331568 r8 0x7f7c6f56f780 140172420642688 r9 0x6372732f736a2f6c 7165916604736876396 r10 0x7f7c6e4fbbe0 140172403391456 r11 0x0 0 r12 0x7fff8971e880 140735499331712 r13 0x3 3 r14 0x7f7c6df06c00 140172397145088 r15 0x1b4e01c 28631068 rip 0x7d1703 <OOMTest(JSContext*, unsigned int, JS::Value*)+867> => 0x7d1703 <OOMTest(JSContext*, unsigned int, JS::Value*)+867>: movl $0x486,0x0 0x7d170e <OOMTest(JSContext*, unsigned int, JS::Value*)+878>: callq 0x4a51c0 <abort()>
Updated•9 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•9 years ago
|
||
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781". The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1
Assignee | ||
Comment 2•9 years ago
|
||
Yes, they are all different bugs with the same symptom - the operation fails due to OOM but we don't report the error. The stack is the same due to it being checked in the same place in the oomTest() function.
Assignee | ||
Comment 3•9 years ago
|
||
Fix a couple of OOM handling bugs. I had to change the sprintf-style functions in jsprf.cpp to crash when passed a bad format string so that we can assume that a nullptr return means out of memory.
Assignee: nobody → jcoppeard
Attachment #8675763 -
Flags: review?(terrence)
Comment 4•9 years ago
|
||
Comment on attachment 8675763 [details] [diff] [review] bug1215363-various-ooms Review of attachment 8675763 [details] [diff] [review]: ----------------------------------------------------------------- Nice! ::: js/src/jsprf.cpp @@ +374,5 @@ > while (c != 0) { > if (c > '9' || c < '0') { > if (c == '$') { // numbered argument case > if (i > 0) > + MOZ_CRASH("Bad format string"); \o/ I've always wondered if this error handling wasn't grossly unsafe and/or why we're not just crashing on bad paths here.
Attachment #8675763 -
Flags: review?(terrence) → review+
Comment 6•9 years ago
|
||
backout bugherder merge |
https://hg.mozilla.org/mozilla-central/rev/6f1f7fc0f7cd
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
You need to log in
before you can comment on or make changes to this bug.
Description
•