Closed Bug 1253124 Opened 8 years ago Closed 8 years ago

Crash [@ EncodeLatin1] with OOM

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla48
Tracking Status
firefox47 --- wontfix
firefox48 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision e15383656900 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

for (lfLocal in this)            // no braces: only the next statement is the loop body
  toPrimitive = Date.prototype[Symbol.toPrimitive];
  assertThrowsInstanceOf(() =>  0);
  obj = {};
  oomAfterAllocations(10);       // JS shell test function: after 10 more allocations, fail every following one
  assertThrowsInstanceOf(() => toPrimitive.call(obj, "boolean"));   // invalid hint: error-message path runs under OOM
function assertThrowsInstanceOf(f) {   // fuzzer stub: just calls f, does not check that it throws
  f();
}



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
EncodeLatin1 (cx=cx@entry=0x7ffff6907800, str=str@entry=0x0) at js/src/jsapi.cpp:5059
#0  EncodeLatin1 (cx=cx@entry=0x7ffff6907800, str=str@entry=0x0) at js/src/jsapi.cpp:5059
#1  0x00000000008b44f6 in JS_EncodeString (cx=cx@entry=0x7ffff6907800, str=0x0) at js/src/jsapi.cpp:5085
#2  0x00000000008f9b0b in encodeLatin1 (this=<optimized out>, str=<optimized out>, cx=<optimized out>) at js/src/jsapi.h:4626
#3  js::ValueToSourceForError (cx=cx@entry=0x7ffff6907800, val=..., bytes=...) at js/src/jsexn.cpp:1059
#4  0x00000000008b9915 in JS::GetFirstArgumentAsTypeHint (cx=cx@entry=0x7ffff6907800, args=..., result=result@entry=0x7fffffffaf40) at js/src/jsapi.cpp:1690
#5  0x00000000008f3571 in date_toPrimitive (cx=0x7ffff6907800, argc=1, vp=0x7ffff45b1198) at js/src/jsdate.cpp:2999
#6  0x0000000000ac0722 in js::CallJSNative (cx=0x7ffff6907800, native=0x8f34f0 <date_toPrimitive(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#7  0x0000000000ab9a71 in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:478
#8  0x00000000008fa49b in js::fun_call (cx=0x7ffff6907800, argc=<optimized out>, vp=0x7ffff45b1198) at js/src/jsfun.cpp:1205
#9  0x0000000000ac0722 in js::CallJSNative (cx=0x7ffff6907800, native=0x8fa3f0 <js::fun_call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#41 0x0000000000000000 in ?? ()
rax	0x7ffff695d000	140737330401280
rbx	0x7ffff6907800	140737330051072
rcx	0x7ffff7dd5320	140737351865120
rdx	0x7ffff7fdfad0	140737354005200
rsi	0x0	0
rdi	0x7ffff6907800	140737330051072
rbp	0x7fffffffad00	140737488334080
rsp	0x7fffffffac30	140737488333872
r8	0x14	20
r9	0x7ffff6a002f8	140737331069688
r10	0x1	1
r11	0x2	2
r12	0x7fffffffad10	140737488334096
r13	0x7ffff6907800	140737330051072
r14	0x0	0
r15	0x7ffff45b11a8	140737292997032
rip	0x8b425a <EncodeLatin1(js::ExclusiveContext*, JSString*)+26>
=> 0x8b425a <EncodeLatin1(js::ExclusiveContext*, JSString*)+26>:	testb  $0x3f,(%rsi)
   0x8b425d <EncodeLatin1(js::ExclusiveContext*, JSString*)+29>:	jne    0x8b4368 <EncodeLatin1(js::ExclusiveContext*, JSString*)+296>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a0dd5a83ba36
user:        Jan de Mooij
date:        Thu Jul 24 11:56:43 2014 +0200
summary:     Bug 1031529 part 2 - Remove JS_THREADSAFE #ifdefs everywhere. r=bhackett

changeset:   https://hg.mozilla.org/mozilla-central/rev/6426fef52f51
user:        Jan de Mooij
date:        Thu Jul 24 11:56:45 2014 +0200
summary:     Bug 1031529 part 3 - Step defining JS_THREADSAFE, remove --disable-threadsafe. r=glandium

This iteration took 141.402 seconds to run.
This regression window is probably not accurate as it should probably hail from prior to that.

Setting needinfo? from Jon for this OOM bug as a fallback.
Flags: needinfo?(jcoppeard)
Patch to check returned pointers in a couple of places.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8727347 - Flags: review?(jdemooij)
Attachment #8727347 - Flags: review?(jdemooij) → review+
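The failure mode in the backtrace (a fallible conversion returning null under OOM, forwarded unchecked into JS_EncodeString) and the shape of the fix jonco describes, as an added C++ model that is not SpiderMonkey code. Context, valueToSource, encodeLatin1 and the two valueToSourceForError variants are hypothetical stand-ins for the functions in the backtrace; the allocation budget is loosely modelled on the shell's oomAfterAllocations.

```cpp
#include <cassert>
#include <cstdio>
#include <memory>
#include <string>

// Hypothetical context with an allocation budget: after `n` successful
// allocations every further allocation fails (modelled on oomAfterAllocations).
struct Context {
    long allocationsLeft = -1;            // -1 means "never fail"
    bool tryAllocate() {
        if (allocationsLeft < 0) return true;
        if (allocationsLeft == 0) return false;
        --allocationsLeft;
        return true;
    }
    void oomAfterAllocations(long n) { allocationsLeft = n; }
};

// Stand-in for a GC string holding Latin-1 text.
struct JSString {
    std::string chars;
};

// Fallible: builds the source form of a value, or returns nullptr on OOM.
// unique_ptr keeps this model leak-free; the engine uses GC-managed pointers
// with the same "nullptr on failure" convention.
std::unique_ptr<JSString> valueToSource(Context& cx, const std::string& value) {
    if (!cx.tryAllocate()) return nullptr;   // OOM already reported; caller must check
    return std::unique_ptr<JSString>(new JSString{"\"" + value + "\""});
}

// Mirrors EncodeLatin1: assumes str is non-null and dereferences it.
// Calling this with nullptr is the fault in the backtrace (str=0x0).
std::string encodeLatin1(Context& cx, JSString* str) {
    (void)cx;
    return str->chars;
}

// BEFORE: forwards the fallible result without checking it.
// Under OOM this reaches encodeLatin1(cx, nullptr) and crashes.
std::string valueToSourceForErrorUnchecked(Context& cx, const std::string& value) {
    std::unique_ptr<JSString> str = valueToSource(cx, value);
    return encodeLatin1(cx, str.get());
}

// AFTER: the pattern of the fix, checking the returned pointer before use
// and propagating the failure to the caller instead of dereferencing null.
bool valueToSourceForErrorChecked(Context& cx, const std::string& value, std::string* out) {
    std::unique_ptr<JSString> str = valueToSource(cx, value);
    if (!str) return false;                  // OOM: bail out, error is already pending
    *out = encodeLatin1(cx, str.get());
    return true;
}

int main() {
    Context cx;
    std::string out;
    cx.oomAfterAllocations(0);               // simulate the testcase's OOM condition
    if (!valueToSourceForErrorChecked(cx, "boolean", &out))
        std::printf("OOM handled: no error message built, no crash\n");
    return 0;
}
```

The unchecked variant is only ever exercised on the non-OOM path in the test; under an exhausted budget it would fault exactly as EncodeLatin1 did, which is why the checked variant returns a bool that the caller can propagate.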
https://hg.mozilla.org/mozilla-central/rev/7e3fc275d763
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Decoder, could you please verify this issue is fixed as expected on a latest Nightly build? Thanks!
Flags: needinfo?(choller)
Hi Jonco, Jandem: Should we consider uplifting this to Aurora47? Is it low risk enough to do that?
Flags: needinfo?(jdemooij)
Flags: needinfo?(jcoppeard)
Just noticed the whiteboard tag, removing NI as the verification ought to happen automatically.
Flags: needinfo?(choller)
(In reply to Ritu Kothari (:ritu) from comment #7)
Yes, let's do it.
Flags: needinfo?(jdemooij)
Flags: needinfo?(jcoppeard)
(In reply to Jon Coppeard (:jonco) from comment #9)
Although TBH, it's not that likely that this will be hit in practice.  Did you have a particular reason for wanting to uplift this?
Flags: needinfo?(rkothari)
(In reply to Jon Coppeard (:jonco) from comment #10)
> (In reply to Jon Coppeard (:jonco) from comment #9)
> Although TBH, it's not that likely that this will be hit in practice.
> Did you have a particular reason for wanting to uplift this?

Mainly since it was tagged as a crash. But if the likelihood of hitting this crash is very low and the risk associated with the fix is medium/high, we can just let it ride the trains. It seems to me like you are leaning towards doing that and it sounds like a good idea to me.
Flags: needinfo?(rkothari)
