Closed Bug 1026476 Opened 10 years ago Closed 9 years ago

Crash [@ js::FillBindingVector] with OOM

Categories: Core :: JavaScript Engine, defect
Platform: x86 Linux
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED INVALID
People: Reporter: decoder, Unassigned
References: Blocks 1 open bug
Details: Keywords: crash, testcase; Whiteboard: [jsbugmon:update,ignore]
Attachments: 1 file

The following testcase crashes on mozilla-central revision f19ca5123d6a (run with --fuzzing-safe):

gc();
var f = Function("a", "b", "return a + b;");
oomAfterAllocations(2);   // shell testing function: let two more allocations succeed, then fail every allocation
f.toSource();             // FunctionToString -> FillBindingVector runs with allocations failing

Trace from an optimized ASan build:

Program received signal SIGSEGV, Segmentation fault.
0x090233f6 in js::FillBindingVector (fromScript=0xee333180, vec=<optimized out>) at ../../dist/include/mozilla/Vector.h:1036
1036      if (mLength == mCapacity && !growStorageBy(1))
#0  0x090233f6 in js::FillBindingVector (fromScript=0xee333180, vec=<optimized out>) at ../../dist/include/mozilla/Vector.h:1036
#1  0x08d58117 in js::FunctionToString (fun=, bodyOnly=<optimized out>, lambdaParen=<optimized out>, cx=<optimized out>) at js/src/jsfun.cpp:899
#2  0x08dda413 in fun_toStringHelper (cx=<optimized out>, obj=<error reading variable: Cannot access memory at address 0x0>, indent=<optimized out>) at js/src/jsfun.cpp:997
#3  0x08de0e15 in fun_toSource (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/jsfun.cpp:1036
#4  0x0926a4b5 in js::Invoke (args=..., cx=<optimized out>, construct=<optimized out>) at js/src/jscntxtinlines.h:241
#5  0x0925560b in Interpret (cx=0xee333180, state=...) at js/src/vm/Interpreter.cpp:2566
#6  0x0922da28 in js::RunScript (cx=<optimized out>, state=...) at js/src/vm/Interpreter.cpp:402
#7  0x091fc58b in js::ExecuteKernel (script=<error reading variable: Cannot access memory at address 0x0>, evalInFrame=..., result=<optimized out>, cx=<optimized out>, scopeChainArg=..., thisv=..., type=<optimized out>) at js/src/vm/Interpreter.cpp:610
ebx     0x971cff4       158453748
esi     0x8     8
Vector(JS::Handle<JSScript*>, js::Vector<js::Binding, 32u, js::TempAllocPolicy>*)+246>:    mov    (%esi),%ebx
Needinfo on Jason since he wanted some more OOM bugs :)
Blocks: 912928
Flags: needinfo?(jorendorff)
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
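For context on the failure class this testcase exercises (a fallible container grown while allocations are failing), here is a constructed example. It is not SpiderMonkey code and not taken from this bug: a minimal fallible vector driven by an allocation-failure injector in the spirit of the shell's oomAfterAllocations(), with a caller that checks every append() and propagates the failure. The names FallibleVec, fallibleMalloc, fillBindings and copyUnderOOM, and the Binding record, are all made up for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>

// Constructed fault injector modelled on the shell's oomAfterAllocations():
// after `count` successful allocations, every later allocation fails.
static long g_allocsUntilOOM = -1;   // -1 = injection disabled

static void oomAfterAllocations(long count) { g_allocsUntilOOM = count; }
static void oomReset() { g_allocsUntilOOM = -1; }

static void* fallibleMalloc(size_t n) {
    if (g_allocsUntilOOM == 0) return nullptr;   // injected failure
    if (g_allocsUntilOOM > 0) --g_allocsUntilOOM;
    return std::malloc(n);
}

// Minimal fallible vector: append() reports growth failure instead of aborting.
template <typename T>
class FallibleVec {
    T* mBegin = nullptr;
    size_t mLength = 0, mCapacity = 0;

    bool growStorageBy(size_t extra) {
        size_t newCap = mCapacity ? mCapacity * 2 : 4;
        if (newCap < mLength + extra) newCap = mLength + extra;
        T* p = static_cast<T*>(fallibleMalloc(newCap * sizeof(T)));
        if (!p) return false;                    // leave the vector untouched on failure
        if (mLength) std::memcpy(p, mBegin, mLength * sizeof(T));
        std::free(mBegin);
        mBegin = p;
        mCapacity = newCap;
        return true;
    }

public:
    FallibleVec() = default;
    FallibleVec(const FallibleVec&) = delete;
    FallibleVec& operator=(const FallibleVec&) = delete;
    ~FallibleVec() { std::free(mBegin); }

    // Same shape as the check in the trace: grow only when full, and bail if growth fails.
    [[nodiscard]] bool append(const T& v) {
        if (mLength == mCapacity && !growStorageBy(1)) return false;
        mBegin[mLength++] = v;
        return true;
    }
    size_t length() const { return mLength; }
    const T& operator[](size_t i) const { return mBegin[i]; }
};

// Stand-in for a binding record (name id + kind), constructed for the example.
struct Binding { uint32_t nameId; uint8_t kind; };

// Checked pattern: every append() result is tested and OOM is surfaced to the caller.
// Returns false on OOM; `out` keeps whatever was appended before the failure.
static bool fillBindings(const Binding* src, size_t n, FallibleVec<Binding>& out) {
    for (size_t i = 0; i < n; ++i)
        if (!out.append(src[i])) return false;
    return true;
}

// Drive the checked path under injected OOM. Returns the number of bindings copied
// before the injected failure, or -1 if the copy completed without hitting OOM.
static long copyUnderOOM(long allocsBeforeFailure) {
    const Binding params[] = {{1, 0}, {2, 0}, {3, 0}, {4, 0}, {5, 0}, {6, 1}};  // constructed input
    FallibleVec<Binding> vec;
    oomAfterAllocations(allocsBeforeFailure);
    bool ok = fillBindings(params, sizeof(params) / sizeof(params[0]), vec);
    oomReset();
    return ok ? -1 : static_cast<long>(vec.length());
}
```

The vector needs two growth allocations for six elements (capacity 4, then 8), so copyUnderOOM(0) copies nothing, copyUnderOOM(1) stops after four elements, and copyUnderOOM(2) completes. A caller that ignored the false from append() and went on to index or iterate the vector would be reading storage that was never grown, which is the kind of defect OOM injection in a fuzzing shell is there to flush out; sweeping the injection point from 0 upward, as the shell's oomAfterAllocations() testcases do, exercises every allocation on the path.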
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b2de3b90184a
user:        Sean Stangl
date:        Fri Dec 13 14:49:26 2013 -0800
summary:     Bug 946481 - Add xaddl to Assembler-x86-shared. r=efaust

This iteration took 315.823 seconds to run.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision d2d56f9066bf).
Assignee: general → nobody
FillBindingVector has been removed from our codebase. The new way of iterating through bindings in FunctionToString seems memory safe.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → INVALID