Closed Bug 1026476 Opened 11 years ago Closed 9 years ago

Crash [@ js::FillBindingVector] with OOM

Categories

(Core :: JavaScript Engine, defect)

Platform: x86 / Linux
Type: defect
Priority: Not set
Severity: critical

RESOLVED INVALID

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision f19ca5123d6a (run with --fuzzing-safe):

gc();
var f = Function("a", "b", "return a + b;");
oomAfterAllocations(2);
f.toSource();
Trace from an optimized ASan build:

Program received signal SIGSEGV, Segmentation fault.
0x090233f6 in js::FillBindingVector (fromScript=0xee333180, vec=<optimized out>) at ../../dist/include/mozilla/Vector.h:1036
1036	    if (mLength == mCapacity && !growStorageBy(1))
#0  0x090233f6 in js::FillBindingVector (fromScript=0xee333180, vec=<optimized out>) at ../../dist/include/mozilla/Vector.h:1036
#1  0x08d58117 in js::FunctionToString (fun=, bodyOnly=<optimized out>, lambdaParen=<optimized out>, cx=<optimized out>) at js/src/jsfun.cpp:899
#2  0x08dda413 in fun_toStringHelper (cx=<optimized out>, obj=<error reading variable: Cannot access memory at address 0x0>, indent=<optimized out>) at js/src/jsfun.cpp:997
#3  0x08de0e15 in fun_toSource (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/jsfun.cpp:1036
#4  0x0926a4b5 in js::Invoke (args=..., cx=<optimized out>, construct=<optimized out>) at js/src/jscntxtinlines.h:241
#5  0x0925560b in Interpret (cx=0xee333180, state=...) at js/src/vm/Interpreter.cpp:2566
#6  0x0922da28 in js::RunScript (cx=<optimized out>, state=...) at js/src/vm/Interpreter.cpp:402
#7  0x091fc58b in js::ExecuteKernel (script=<error reading variable: Cannot access memory at address 0x0>, evalInFrame=..., result=<optimized out>, cx=<optimized out>, scopeChainArg=..., thisv=..., type=<optimized out>) at js/src/vm/Interpreter.cpp:610
ebx            0x971cff4	158453748
esi            0x8	8
Vector(JS::Handle<JSScript*>, js::Vector<js::Binding, 32u, js::TempAllocPolicy>*)+246>:	mov    (%esi),%ebx

Needinfo on Jason since he wanted some more OOM bugs :)
Blocks: 912928
Flags: needinfo?(jorendorff)
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
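The faulting line in the trace above is the fallible append in mozilla/Vector.h, reached from a FillBindingVector-style loop while the shell's oomAfterAllocations() injects allocation failures. The example below is an added illustration of that bug class, written for this page; it is not SpiderMonkey code and does not claim to be this bug's root cause (the bug was closed INVALID after FillBindingVector was removed, and the page does not establish which pointer was bad). It uses a hypothetical BudgetAllocPolicy that fails every allocation once a budget is spent (mirroring oomAfterAllocations(n)), a hypothetical FallibleVector in the spirit of mozilla::Vector, and hypothetical fillBindings()/fillUnderBudget() helpers that show the correct pattern: every fallible append result is checked and OOM is propagated instead of continuing with storage that never grew.

```cpp
// Added example, not SpiderMonkey code. Names below (BudgetAllocPolicy,
// FallibleVector, fillBindings, fillUnderBudget) are hypothetical.
#include <cassert>
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <vector>

// Hypothetical allocation policy: succeeds `remaining` times, then injects OOM,
// which is what the shell's oomAfterAllocations(n) does for the real engine.
struct BudgetAllocPolicy {
    size_t remaining;
    void* malloc_(size_t bytes) {
        if (remaining == 0) return nullptr;  // injected out-of-memory
        --remaining;
        return std::malloc(bytes);
    }
    void free_(void* p) { std::free(p); }
};

// Minimal fallible vector in the spirit of mozilla::Vector. T must be
// trivially copyable because growth relocates with memcpy.
template <typename T>
class FallibleVector {
    T* mBegin = nullptr;
    size_t mLength = 0;
    size_t mCapacity = 0;
    BudgetAllocPolicy mPolicy;
public:
    explicit FallibleVector(size_t allocBudget) : mPolicy{allocBudget} {}
    ~FallibleVector() { mPolicy.free_(mBegin); }
    size_t length() const { return mLength; }
    T& operator[](size_t i) { return mBegin[i]; }

    // Grow storage to hold `extra` more elements. Returns false on OOM and
    // leaves the vector untouched, so the caller can still bail out safely.
    bool growStorageBy(size_t extra) {
        size_t newCap = mCapacity ? mCapacity * 2 : 4;
        while (newCap < mLength + extra) newCap *= 2;
        T* p = static_cast<T*>(mPolicy.malloc_(newCap * sizeof(T)));
        if (!p) return false;
        if (mBegin) std::memcpy(p, mBegin, mLength * sizeof(T));
        mPolicy.free_(mBegin);
        mBegin = p;
        mCapacity = newCap;
        return true;
    }

    // Fallible append, shaped like the Vector.h line in the trace. The
    // result is the only signal that storage was not grown: ignoring it and
    // writing anyway would store past mCapacity (or through a null mBegin).
    [[nodiscard]] bool append(const T& v) {
        if (mLength == mCapacity && !growStorageBy(1)) return false;
        mBegin[mLength++] = v;
        return true;
    }
};

struct Binding { int nameId; bool isArg; };

// Checked FillBindingVector-style loop: stops at the first failed append and
// reports OOM to the caller instead of continuing.
bool fillBindings(const std::vector<Binding>& from, FallibleVector<Binding>& vec) {
    for (const Binding& b : from)
        if (!vec.append(b)) return false;
    return true;
}

// Fill nBindings constructed bindings under an allocation budget.
// Returns the number stored, or -1 when the fill reports OOM.
int fillUnderBudget(size_t budget, size_t nBindings) {
    std::vector<Binding> src;                     // constructed sample input
    for (size_t i = 0; i < nBindings; ++i) src.push_back({int(i), i < 2});
    FallibleVector<Binding> vec(budget);
    if (!fillBindings(src, vec)) return -1;
    return int(vec.length());
}
```

With a budget of one allocation the vector gets a single block of four elements, so four bindings fit and a fifth forces a second, failing growth; fillUnderBudget(1, 5) returns -1 rather than corrupting memory, which is the behaviour a caller of a fallible append has to rely on.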
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b2de3b90184a
user:        Sean Stangl
date:        Fri Dec 13 14:49:26 2013 -0800
summary:     Bug 946481 - Add xaddl to Assembler-x86-shared. r=efaust

This iteration took 315.823 seconds to run.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision d2d56f9066bf).
Assignee: general → nobody
FillBindingVector has been removed from our codebase. The new way of iterating through bindings in FunctionToString seems memory safe.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → INVALID