727476 - JS OOM Testing: Assertion failure: compartment()->activeInference, at js/src/jsinfer.cpp:2161 or Crash [@ JSString::isAtom]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following command crashes/asserts on mozilla-central revision d45c7d7b0079:

js -m -n -a -A 501026 -f js/src/tests/shell.js -f js/src/tests/e4x/shell.js -f js/src/tests/e4x/GC/shell.js -f js/src/tests/e4x/GC/regress-280844-2.js


Passing through the assertions yields this crash:

Program received signal SIGABRT, Aborted.
out of memory
Assertion failure: str, at ../../jsval.h:702

Program received signal SIGABRT, Aborted.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000442e04 in JSString::isAtom (this=0x0) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/String.h:381
381             bool atomized = (d.lengthAndFlags & ATOM_MASK) == ATOM_FLAGS;
(gdb) bt 4
#0  0x0000000000442e04 in JSString::isAtom (this=0x0) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/String.h:381
#1  0x0000000000444db4 in js::CompartmentChecker::check (this=0x7fffffffce30, str=0x0) at ../jscntxtinlines.h:181
#2  0x0000000000444e4a in js::CompartmentChecker::check (this=0x7fffffffce30, v=...) at ../jscntxtinlines.h:189
#3  0x0000000000447f77 in js::assertSameCompartment<JS::Value> (cx=0xb5eae0, t1=...) at ../jscntxtinlines.h:251

Comment 1

[Bob Clary [:bc] (inactive)]

Note this assertion is common on oom/low memory conditions with image suck bugs.

Comment 2

[Brian Hackett [Laid off!]]

Attachment: patch

Bogus assert.

Comment 4

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/43cd822084b3

Comment 5

[Matt Brubeck (:mbrubeck)]

https://hg.mozilla.org/mozilla-central/rev/43cd822084b3

Comment 6

[Bob Clary [:bc] (inactive)]

Matt, I still see this assertion during low/oom conditions due to image-suck at http://mxr.mozilla.org/mozilla-central/source/js/src/jsinfer.cpp#2122. Is that assertion bogus as well?