Bug 1026476 - Crash [@ js::FillBindingVector] with OOM
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: x86 Linux
-- critical
: ---
Assigned To: Nobody; OK to take it and work on it
: general
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: langfuzz 912928
Reported: 2014-06-17 05:33 PDT by Christian Holler (:decoder)
Modified: 2015-10-06 04:14 PDT
CC: 6 users
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Attachment: [crash-signature] Machine-readable crash signature (501 bytes, text/plain)
2014-06-17 05:34 PDT, Christian Holler (:decoder)

Description: Christian Holler (:decoder) 2014-06-17 05:33:09 PDT
The following testcase crashes on mozilla-central revision f19ca5123d6a (run with --fuzzing-safe):

var f = Function("a", "b", "return a + b;");
Comment 1: Christian Holler (:decoder) 2014-06-17 05:34:34 PDT
Created attachment 8441339
[crash-signature] Machine-readable crash signature
Comment 2: Christian Holler (:decoder) 2014-06-17 05:36:07 PDT
Trace from an optimized ASan build:

Program received signal SIGSEGV, Segmentation fault.
0x090233f6 in js::FillBindingVector (fromScript=0xee333180, vec=<optimized out>) at ../../dist/include/mozilla/Vector.h:1036
1036      if (mLength == mCapacity && !growStorageBy(1))
#0  0x090233f6 in js::FillBindingVector (fromScript=0xee333180, vec=<optimized out>) at ../../dist/include/mozilla/Vector.h:1036
#1  0x08d58117 in js::FunctionToString (fun=, bodyOnly=<optimized out>, lambdaParen=<optimized out>, cx=<optimized out>) at js/src/jsfun.cpp:899
#2  0x08dda413 in fun_toStringHelper (cx=<optimized out>, obj=<error reading variable: Cannot access memory at address 0x0>, indent=<optimized out>) at js/src/jsfun.cpp:997
#3  0x08de0e15 in fun_toSource (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/jsfun.cpp:1036
#4  0x0926a4b5 in js::Invoke (args=..., cx=<optimized out>, construct=<optimized out>) at js/src/jscntxtinlines.h:241
#5  0x0925560b in Interpret (cx=0xee333180, state=...) at js/src/vm/Interpreter.cpp:2566
#6  0x0922da28 in js::RunScript (cx=<optimized out>, state=...) at js/src/vm/Interpreter.cpp:402
#7  0x091fc58b in js::ExecuteKernel (script=<error reading variable: Cannot access memory at address 0x0>, evalInFrame=..., result=<optimized out>, cx=<optimized out>, scopeChainArg=..., thisv=..., type=<optimized out>) at js/src/vm/Interpreter.cpp:610
ebx     0x971cff4       158453748
esi     0x8     8
Vector(JS::Handle<JSScript*>, js::Vector<js::Binding, 32u, js::TempAllocPolicy>*)+246>:    mov    (%esi),%ebx

Needinfo on Jason since he wanted some more OOM bugs :)
Comment 3: Christian Holler (:decoder) 2014-06-21 22:51:08 PDT
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
user:        Sean Stangl
date:        Fri Dec 13 14:49:26 2013 -0800
summary:     Bug 946481 - Add xaddl to Assembler-x86-shared. r=efaust

This iteration took 315.823 seconds to run.
Comment 4: Christian Holler (:decoder) 2014-07-15 07:12:21 PDT
JSBugMon: The testcase found in this bug no longer reproduces (tried revision d2d56f9066bf).
Comment 5: Benjamin Bouvier [:bbouvier] 2015-10-06 04:14:12 PDT
FillBindingVector has been removed from our codebase. The new way of iterating through bindings in FunctionToString seems memory safe.