Closed Bug 1037685 Opened 10 years ago Closed 9 years ago

Assertion failure: inited == !getPrototype(key).isUndefined(), at vm/GlobalObject.h:184 with OOM

Categories: Core :: JavaScript Engine, defect

RESOLVED DUPLICATE of bug 1219128
Tracking Status: firefox33 --- affected

Reporter: decoder, Unassigned

Keywords: assertion, testcase, Whiteboard: [jsbugmon:]

Attachments: (1 file)

The following testcase asserts on mozilla-central revision e1a037c085d1 (run with --fuzzing-safe):

try {
  try {
    x = evalcx('lazy');
    for (var i = 0; i != N; ++i) {}
  } catch (e) {}
  gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
  x--;
} catch(exc2) {}
var BUGNUMBER = 611276;
print(BUGNUMBER + ": " + x);
This is likely an OOM and not related to the ARM simulator, but this particular test only seems to reproduce there. Needinfo on jorendorff because it's OOM.
Flags: needinfo?(jorendorff)
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Cool, this still reproduces. ARM debug simulator build on Mac OS X 10.10, here's my configuration:

export CC='clang -m32'
export CXX='clang++ -m32'
export AR='ar'
export CONFARGS='--target=i686-apple-darwin10.0.0 --without-intl-api --enable-debug --disable-optimize --enable-threadsafe --enable-simulator=arm'
Assignee: nobody → lhansen
Status: NEW → ASSIGNED
Simpler:

try {
  x = evalcx('lazy');
  gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
  x--;
} catch(e) {}
print(x);
Reproduces also on Mac OS X 32-bit build.
Assignee: lhansen → nobody
Status: ASSIGNED → NEW
OS: Linux → All
Hardware: ARM → All
Can't reproduce on Linux, building with

CC="gcc -m32" CXX="g++ -m32" AR=ar ../configure --target=i686-pc-linux

and running with --fuzzing-safe. Instead, I get

uncaught exception: out of memory
(Unable to print stack trace)

Christian, is it fixed?
Flags: needinfo?(jorendorff) → needinfo?(choller)
This is an automated crash issue comment:

Summary: Assertion failure: inited == !getPrototype(key).isUndefined(), at js/src/vm/GlobalObject.h:204
Build version: mozilla-central revision 5b2baa5e9356
Build flags: --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug
Runtime options: --fuzzing-safe --ion-offthread-compile=off min.js

Testcase:

a = evalcx("lazy")
oomTest(() => a.toString)

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000042d1dc in js::GlobalObject::classIsInitialized (key=JSProto_Function, this=0x7ffff3f8c060) at js/src/vm/GlobalObject.h:204
#0 0x000000000042d1dc in js::GlobalObject::classIsInitialized (key=JSProto_Function, this=0x7ffff3f8c060) at js/src/vm/GlobalObject.h:204
#1 0x0000000000525275 in classIsInitialized (key=JSProto_Function, this=0x7ffff3f8c060) at js/src/vm/GlobalObject.h:346
#2 functionObjectClassesInitialized (this=0x7ffff3f8c060) at js/src/vm/GlobalObject.h:209
#3 js::GlobalObject::getOrCreateObjectPrototype (this=0x7ffff3f8c060, cx=0x7ffff6907000) at js/src/vm/GlobalObject.h:342
#4 0x00000000008b2e44 in JS_ResolveStandardClass (cx=cx@entry=0x7ffff6907000, obj=..., obj@entry=..., id=..., id@entry=..., resolved=resolved@entry=0x7fffffffc940) at js/src/jsapi.cpp:1121
#5 0x000000000048af14 in sandbox_resolve (cx=0x7ffff6907000, obj=..., id=..., resolvedp=0x7fffffffc940) at js/src/shell/js.cpp:2621
#6 0x0000000000a9501d in CallResolveOp (recursedp=<synthetic pointer>, propp=..., id=..., obj=..., cx=0x7ffff6907000) at js/src/vm/NativeObject-inl.h:389
#7 js::LookupOwnPropertyInline<(js::AllowGC)1> (cx=cx@entry=0x7ffff6907000, obj=obj@entry=..., id=id@entry=..., propp=..., propp@entry=..., donep=donep@entry=0x7fffffffca20) at js/src/vm/NativeObject-inl.h:482
#8 0x0000000000ab8e74 in NativeGetPropertyInline<(js::AllowGC)1> (cx=cx@entry=0x7ffff6907000, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:1992
#9 0x0000000000ab9560 in js::NativeGetProperty (cx=cx@entry=0x7ffff6907000, obj=..., receiver=..., receiver@entry=..., id=..., id@entry=..., vp=..., vp@entry=...) at js/src/vm/NativeObject.cpp:2036
#10 0x00000000009a181f in GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7ffff6907000) at js/src/vm/NativeObject.h:1475
#11 js::DirectProxyHandler::get (this=this@entry=0x1c260b0 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7ffff6907000, proxy=..., proxy@entry=..., receiver=receiver@entry=..., id=id@entry=..., vp=vp@entry=...) at js/src/proxy/DirectProxyHandler.cpp:237
#12 0x00000000009a3802 in js::CrossCompartmentWrapper::get (this=0x1c260b0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff6907000, wrapper=..., receiver=..., id=..., vp=...) at js/src/proxy/CrossCompartmentWrapper.cpp:165
#13 0x00000000009a3619 in js::Proxy::get (cx=0x7ffff6907000, proxy=..., receiver_=..., id=..., vp=...) at js/src/proxy/Proxy.cpp:300
#14 0x0000000000aba2f2 in GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff6907000) at js/src/jsobj.h:822
#15 js::GetProperty (cx=cx@entry=0x7ffff6907000, v=..., v@entry=..., name=..., name@entry=..., vp=vp@entry=...) at js/src/vm/Interpreter.cpp:4071
#16 0x0000000000aa8b5f in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=<optimized out>, cx=0x7ffff6907000) at js/src/vm/Interpreter.cpp:219
#17 Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:2521
#18 0x0000000000ab7318 in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:428
#19 0x0000000000ab765d in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:496
#20 0x0000000000ab812c in js::Invoke (cx=cx@entry=0x7ffff6907000, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:530
#21 0x00000000008ac824 in JS_CallFunction (cx=cx@entry=0x7ffff6907000, obj=..., fun=..., fun@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2858
#22 0x0000000000a3ba9b in OOMTest (cx=0x7ffff6907000, argc=<optimized out>, vp=0x7ffff3cb2090) at js/src/builtin/TestingFunctions.cpp:1292
#23 0x0000000000abe2b2 in js::CallJSNative (cx=0x7ffff6907000, native=0xa3b6b0 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#24 0x0000000000ab7601 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:478
#25 0x0000000000aa8562 in Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:2802
#26 0x0000000000ab7318 in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:428
#27 0x0000000000abcc79 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907000, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:684
#28 0x0000000000abcf58 in js::Execute (cx=cx@entry=0x7ffff6907000, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:717
#29 0x00000000008acab8 in ExecuteScript (cx=cx@entry=0x7ffff6907000, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4366
#30 0x00000000008acc93 in JS_ExecuteScript (cx=cx@entry=0x7ffff6907000, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4399
#31 0x00000000004298a6 in RunFile (compileOnly=false, file=0x7ffff3ca6c00, filename=0x7fffffffea68 "min.js", cx=0x7ffff6907000) at js/src/shell/js.cpp:522
#32 Process (cx=cx@entry=0x7ffff6907000, filename=0x7fffffffea68 "min.js", forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at js/src/shell/js.cpp:747
#33 0x0000000000480ecc in ProcessArgs (op=0x7fffffffe590, cx=0x7ffff6907000) at js/src/shell/js.cpp:6548
#34 Shell (envp=<optimized out>, op=0x7fffffffe590, cx=0x7ffff6907000) at js/src/shell/js.cpp:6870
#35 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7234

rip 0x42d1dc <js::GlobalObject::classIsInitialized(JSProtoKey) const+28>
=> 0x42d1dc <js::GlobalObject::classIsInitialized(JSProtoKey) const+28>: movl $0xcc,0x0
   0x42d1e7 <js::GlobalObject::classIsInitialized(JSProtoKey) const+39>: callq 0x4a61b0 <abort()>
@jorendorff: Bug is not fixed, new test is in the last comment. Also note that this bug probably has been filed multiple times, one of the dups is probably bug 1219128 which has some other info :)
Flags: needinfo?(jorendorff)
Duping forward since that information is quite useful.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → DUPLICATE
Flags: needinfo?(choller)
Severity: critical → S4