Closed Bug 1348904 Opened 7 years ago Closed 7 years ago

Assertion failure: !templateObj->nonProxyIsExtensible(), at js/src/jscompartment.cpp:642 with OOM

Categories

(Core :: JavaScript Engine, defect, P2)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox52 --- unaffected
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- unaffected
firefox55 --- fixed

People

(Reporter: decoder, Assigned: shu)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 file)

Add template objects to the registry after freezing.
1.47 KB, patch
jonco
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision e1576dd8bd9d (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

var lfLogBuffer = `
(function(global) {
  global.BUGNUMBER = "";
})(this);
var BUGNUMBER = 452498;
//corefuzz-dcd-endofdata
var appendToActual = function(s) {}
//corefuzz-dcd-endofdata
function tryItOut(code) {
    d = f = Function(code)
    f()
}
tryItOut("assertEq('bar', String.raw\`bar\`);")
`;
lfLogBuffer = lfLogBuffer.split('\n');
var lfCodeBuffer = "";
while (true) {
    var line = lfLogBuffer.shift();
    if (line == null) {
        break;
    } else if (line == "//corefuzz-dcd-endofdata") {
        loadFile(lfCodeBuffer);
    } else {
        lfCodeBuffer += line + "\n";
    }
}
if (lfCodeBuffer) loadFile(lfCodeBuffer);
function loadFile(lfVarx) {
      oomTest(function() {
        eval(lfVarx);
      });
}



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000953578 in JSCompartment::getTemplateLiteralObject (this=0x7ffff692b000, cx=0x7ffff6948000, rawStrings=..., templateObj=...) at js/src/jscompartment.cpp:642
#0  0x0000000000953578 in JSCompartment::getTemplateLiteralObject (this=0x7ffff692b000, cx=0x7ffff6948000, rawStrings=..., templateObj=...) at js/src/jscompartment.cpp:642
#1  0x0000000000530f7d in Interpret (cx=0x7ffff6948000, state=...) at js/src/vm/Interpreter.cpp:3193
#2  0x0000000000538a12 in js::RunScript (cx=0x7ffff6948000, state=...) at js/src/vm/Interpreter.cpp:394
#3  0x000000000053b581 in js::ExecuteKernel (cx=cx@entry=0x7ffff6948000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffffffb090) at js/src/vm/Interpreter.cpp:677
#4  0x0000000000570ac6 in EvalKernel (cx=cx@entry=0x7ffff6948000, v=..., v@entry=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., env=env@entry=..., pc=<optimized out>, vp=...) at js/src/builtin/Eval.cpp:328
#5  0x000000000057100d in js::DirectEval (cx=cx@entry=0x7ffff6948000, v=..., vp=vp@entry=...) at js/src/builtin/Eval.cpp:438
#6  0x000000000060e200 in js::jit::DoCallFallback (cx=0x7ffff6948000, frame=0x7fffffffb128, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffb0d8, res=...) at js/src/jit/BaselineIC.cpp:2332
#7  0x000009654b9892e4 in ?? ()
rax	0x0	0
rbx	0x7fffffff9c60	140737488329824
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffff9ce0	140737488329952
rsp	0x7fffffff9c30	140737488329776
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7fffffff9c80	140737488329856
r13	0x7ffff692b000	140737330196480
r14	0x7ffff692b450	140737330197584
r15	0x7ffff692b470	140737330197616
rip	0x953578 <JSCompartment::getTemplateLiteralObject(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>)+1192>
=> 0x953578 <JSCompartment::getTemplateLiteralObject(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>)+1192>:	movl   $0x0,0x0
   0x953583 <JSCompartment::getTemplateLiteralObject(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>)+1203>:	ud2
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/4fe119142fb5
user:        Shu-yu Guo
date:        Wed Mar 08 12:00:54 2017 -0800
summary:     Bug 1108941 - Implement the per-global template literal registry. (r=arai,jonco)

This iteration took 265.180 seconds to run.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 5fe5dcf1c10a).
This seems like a fragile testcase, setting needinfo? from Shu-yu as per comment 1 as a start.
Flags: needinfo?(shu)
The bug is that defining the property may fail, causing the invariant that all
template objects in the cache are frozen. Teaches me to be clever...
Attachment #8850146 - Flags: review?(jcoppeard)
Flags: needinfo?(shu)
Attachment #8850146 - Flags: review?(jcoppeard) → review+
(In reply to Shu-yu Guo [:shu] from comment #4)
Oh, and please add check in the testcase too if possible.
(In reply to Jon Coppeard (:jonco) from comment #5)
> (In reply to Shu-yu Guo [:shu] from comment #4)
> Oh, and please add check in the testcase too if possible.

Unfortunately I couldn't figure out a reliable test case since it depends on OOM.
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ce401c54cdbb
Add template objects to the registry after freezing. (r=jonco)
https://hg.mozilla.org/mozilla-central/rev/ce401c54cdbb
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox55: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Priority: -- → P2
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: