Bug 1026465 - Crash [@ js::types::TypeSet::unknownObject] with OOM
Status: RESOLVED WORKSFORME
Whiteboard: [jsbugmon:]
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Linux
Severity: critical
Assigned To: Nobody; OK to take it and work on it
QA Contact: general
Jason Orendorff [:jorendorff]
Blocks: langfuzz, 912928
Reported: 2014-06-17 04:55 PDT by Christian Holler (:decoder)
Modified: 2016-03-04 11:05 PST

Attachments
[crash-signature] Machine-readable crash signature (934 bytes, text/plain)
2014-06-17 05:24 PDT, Christian Holler (:decoder)

Description by Christian Holler (:decoder), 2014-06-17 04:55:22 PDT
The following testcase crashes on mozilla-central revision f19ca5123d6a (run with --fuzzing-safe):

var Test = function (foo) {
    var a = [];
};
// JS shell test function: after 74 allocations, every further allocation fails.
oomAfterAllocations(74);
new Test();
Comment 1 by Christian Holler (:decoder), 2014-06-17 05:19:25 PDT
Crash trace:

==20269==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x08e28fb4 sp 0xff8c6e20 bp 0xff8c6f38 T0)
    #0 0x8e28fb3 in js::types::TypeSet::unknownObject() const js/src/jsinfer.h:544
    #1 0x8e28fb3 in js::types::TemporaryTypeSet::convertDoubleElements(js::types::CompilerConstraintList*) js/src/jsinfer.cpp:1807
    #2 0x8849c01 in js::jit::IonBuilder::jsop_newarray(unsigned int) js/src/jit/IonBuilder.cpp:5509
    #3 0x88347be in js::jit::IonBuilder::inspectOpcode(JSOp) js/src/jit/IonBuilder.cpp:1547
    #4 0x8828596 in js::jit::IonBuilder::traverseBytecode() js/src/jit/IonBuilder.cpp:1285
    #5 0x8819ce4 in js::jit::IonBuilder::build() js/src/jit/IonBuilder.cpp:753
    #6 0x8813db4 in js::jit::AnalyzeNewScriptProperties(JSContext*, JSFunction*, js::types::TypeObject*, JS::Handle<JSObject*>, js::Vector<js::types::TypeNewScript::Initializer, 0u, js::TempAllocPolicy>*) js/src/jit/IonAnalysis.cpp:2222
    #7 0x8e48a89 in js::ThreadSafeContext::asJSContext() const js/src/jsinfer.cpp:3427
    #8 0x8e48a89 in js::ExclusiveContext::getNewType(js::Class const*, js::TaggedProto, JSFunction*) js/src/jsinfer.cpp:3942
    #9 0x8ea069f in js::CreateThisForFunctionWithProto(JSContext*, JS::Handle<JSObject*>, JSObject*, js::NewObjectKind) js/src/jsobj.cpp:1704
    #10 0x8ea3003 in js::CreateThisForFunction(JSContext*, JS::Handle<JSObject*>, js::NewObjectKind) js/src/jsobj.cpp:1734
Needinfo from Jason because he asked for some OOM bugs to fix :)
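The trace above reports a SEGV at address 0 inside TypeSet::unknownObject(), called from convertDoubleElements() during IonBuilder::jsop_newarray() while the shell's oomAfterAllocations() is forcing allocation failures. The C++ below is an added example, not SpiderMonkey code: it models that class of defect with a hypothetical FallibleArena whose allocations start returning null after a budget (the same effect oomAfterAllocations(n) has), a stand-in TypeSet, and the unchecked path beside a version that aborts compilation instead of dereferencing the null result. The reading of "address 0x00000000" as a null TypeSet is an inference from the trace; every name here is invented for the illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Hypothetical stand-in for js::types::TypeSet; only the query the trace
// calls is modelled.
struct TypeSet {
    unsigned flags = 0;
    bool unknownObject() const { return (flags & 1u) != 0; }
};

// Hypothetical bump arena that fails every allocation once its budget is
// exhausted, mimicking the shell's oomAfterAllocations(n).
class FallibleArena {
public:
    explicit FallibleArena(std::size_t budget) : remaining_(budget) {}

    TypeSet* newTypeSet() {
        if (remaining_ == 0) return nullptr;   // simulated OOM
        --remaining_;
        owned_.push_back(std::unique_ptr<TypeSet>(new TypeSet()));
        return owned_.back().get();
    }

private:
    std::size_t remaining_;
    std::vector<std::unique_ptr<TypeSet>> owned_;   // keeps the objects alive
};

enum class BuildResult { Ok, AbortedOom };

// Shape of the defect the trace points at: the caller hands over whatever
// the allocator returned. With a null TypeSet this read is undefined
// behaviour, which ASan reports as a SEGV at address 0.
bool convertDoubleElementsUnchecked(const TypeSet* types) {
    return types->unknownObject();   // no null check
}

// Hardened shape: an allocation failure aborts the compilation attempt and
// is reported to the caller instead of being dereferenced.
BuildResult jsopNewArrayChecked(FallibleArena& arena, bool* convertOut) {
    TypeSet* types = arena.newTypeSet();
    if (!types) return BuildResult::AbortedOom;   // propagate OOM upward
    *convertOut = types->unknownObject();
    return BuildResult::Ok;
}

// Drives the hardened path under a fixed allocation budget and returns how
// many array ops completed before the simulated OOM stopped compilation.
std::size_t runWithBudget(std::size_t budget, std::size_t ops) {
    FallibleArena arena(budget);
    std::size_t completed = 0;
    for (std::size_t i = 0; i < ops; ++i) {
        bool convert = false;
        if (jsopNewArrayChecked(arena, &convert) != BuildResult::Ok) break;
        ++completed;
    }
    return completed;
}

int main() {
    // Budget of 3 allocations, 5 array ops: the 4th op hits the simulated OOM.
    std::printf("completed %zu of 5 ops\n", runWithBudget(3, 5));
    return 0;
}
```

The unchecked function is kept only to show the shape of the bug; it is never called with a null pointer here. An OOM-injection harness like the one the testcase uses is valuable precisely because it walks the allocation count forward until some caller skips the check, which is how this crash was found.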
Comment 2 by Christian Holler (:decoder), 2014-06-17 05:24:48 PDT
Created attachment 8441333 [details]
[crash-signature] Machine-readable crash signature
Comment 3 by Christian Holler (:decoder), 2014-09-03 14:52:59 PDT
JSBugMon: The testcase found in this bug no longer reproduces (tried revision acbdce59da2f).
Comment 4 by Christian Holler (:decoder), 2014-09-03 17:47:13 PDT
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a1b25f21fe08
user:        Brian Hackett
date:        Tue Sep 02 13:47:34 2014 -0600
summary:     Bug 1041688 - Add acquired properties analysis, r=jandem.

This iteration took 582.251 seconds to run.
Comment 5 by Tom Schuster [:evilpie], 2015-10-06 06:05:28 PDT
Decoder doesn't see this anymore. And I couldn't reproduce in the older version either, besides producing unhandlable ooms.