Closed
Bug 1111201
Opened 10 years ago
Closed 9 years ago
Assertion failure: uintptr_t(obj) > 0x1000 || uintptr_t(obj) == 0x42, at ../../dist/include/js/Value.h:828 with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
(Status: RESOLVED FIXED, Target Milestone: mozilla44)
People
(Reporter: decoder, Assigned: bbouvier)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,ignore])
Attachments
(1 file)
1.13 KB, patch | bbouvier: review+
The following testcase crashes on mozilla-central revision f14dcd1c8c0b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --no-threads):

function runTestCase(testcase) {
  if (testcase() !== true) {}
}
gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
function testcase() {
  try {
    testcase(options, ({}, {}), 0,0)
  } catch (e) {}
}
runTestCase(testcase);

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000077b824 in OBJECT_TO_JSVAL_IMPL (obj=<optimized out>) at ../../dist/include/js/Value.h:828
828         MOZ_ASSERT(uintptr_t(obj) > 0x1000 || uintptr_t(obj) == 0x42);
#0  0x000000000077b824 in OBJECT_TO_JSVAL_IMPL (obj=<optimized out>) at ../../dist/include/js/Value.h:828
#1  setObject (obj=..., this=<optimized out>) at ../../dist/include/js/Value.h:1057
#2  JS::ObjectValue (obj=...) at ../../dist/include/js/Value.h:1470
#3  0x00000000006d1293 in OBJECT_TO_JSVAL_IMPL (obj=<optimized out>) at ../../dist/include/js/Value.h:828
#4  setObject (obj=..., this=<synthetic pointer>) at ../../dist/include/js/Value.h:1057
#5  JS::ObjectValue (obj=...) at ../../dist/include/js/Value.h:1470
#6  0x00000000006d2c68 in FromObjectPayload (payload=<optimized out>) at js/src/jit/JitFrames.cpp:1717
#7  js::jit::FromTypedPayload (type=<optimized out>, payload=<optimized out>) at js/src/jit/JitFrames.cpp:1745
#8  0x00000000006f0437 in js::jit::SnapshotIterator::allocationValue (this=<optimized out>, alloc=...) at js/src/jit/JitFrames.cpp:1817
#9  0x00000000006b4e7c in js::jit::SnapshotIterator::read (this=0x7ffffff43ff0) at js/src/jit/JitFrameIterator.h:482
#10 0x0000000000808d7d in js::jit::RObjectState::recover (this=0x7ffffff44058, cx=0x1a0a160, iter=...) at js/src/jit/Recover.cpp:1238
#11 0x0000000000774d23 in js::jit::SnapshotIterator::computeInstructionResults (this=<optimized out>, cx=0x1a0a160, results=0x7fffffffc590) at js/src/jit/JitFrames.cpp:2092
#12 0x0000000000774f39 in js::jit::SnapshotIterator::initInstructionResults (this=0x7ffffff448f0, fallback=...) at js/src/jit/JitFrames.cpp:2050
#13 0x0000000000679aac in init (cx=0x1a0a160, this=0x7ffffff448f0) at js/src/jit/BaselineBailouts.cpp:414
#14 js::jit::BailoutIonToBaseline (cx=0x1a0a160, activation=<optimized out>, iter=..., invalidate=true, bailoutInfo=0x7ffffff44db0, excInfo=0x7ffffff44fa0, poppedLastSPSFrameOut=0x7ffffff4502f) at js/src/jit/BaselineBailouts.cpp:1451
#15 0x00000000005c30d2 in js::jit::ExceptionHandlerBailout (cx=0x1a0a160, frame=..., rfe=0x7ffffff45738, excInfo=..., overrecursed=0x7ffffff4502e, poppedLastSPSFrameOut=0x7ffffff4502f) at js/src/jit/Bailouts.cpp:200
#16 0x000000000070f1e4 in HandleExceptionIon (poppedLastSPSFrameOut=0x7ffffff4502f, overrecursed=0x7ffffff4502e, rfe=0x7ffffff45738, frame=..., cx=0x1a0a160) at js/src/jit/JitFrames.cpp:491
#17 js::jit::HandleException (rfe=0x7ffffff45738) at js/src/jit/JitFrames.cpp:748
#18 0x00007ffff7f71fcc in ?? ()
#19 0x0000000000000008 in ?? ()
#20 0x00007ffffff45738 in ?? ()
#21 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x0 0
rcx 0x7ffff6cb7910 140737333917968
rdx 0x0 0
rsi 0x7ffff6f8baa0 140737336883872
rdi 0x7ffff6f8a180 140737336877440
rbp 0x7ffffff43e30 140737487584816
rsp 0x7ffffff43e30 140737487584816
r8  0x7ffff7fe8740 140737354041152
r9  0x0 0
r10 0x7ffffff43bc0 140737487584192
r11 0x7ffff6c3fc90 140737333427344
r12 0x7ffffff43eb0 140737487584944
r13 0x7ffffff44058 140737487585368
r14 0x1a0a160 27304288
r15 0x7ffffff44038 140737487585336
rip 0x77b824 <JS::ObjectValue(JSObject&)+28>
=> 0x77b824 <JS::ObjectValue(JSObject&)+28>: movl $0x7b,0x0
   0x77b82f <JS::ObjectValue(JSObject&)+39>: callq 0x404a30 <abort@plt>
Reporter
Updated•10 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
Reporter
Comment 1•10 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 0532f2509f3f).

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/f41f1f33b1b3
user:        Nicolas B. Pierron
date:        Fri Nov 28 14:03:18 2014 +0100
summary:     Bug 1105187 - Do not sink effectful instructions. r=sunfish

This iteration took 263.920 seconds to run.
Reporter
Comment 2•9 years ago
I still get this from time to time. This is an automated crash issue comment:

Summary: Assertion failure: uintptr_t(obj) > 0x1000 || uintptr_t(obj) == 0x42, at ../../dist/include/js/Value.h:828
Build version: mozilla-central revision d3228c82badd
Build flags: --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug
Runtime options: --fuzzing-safe --thread-count=2 --ion-extra-checks

Testcase:

var m = function() {
  "use asm"
  function g() {}
  return g;
};
var g = m();
oomAfterAllocations(1);
assertEq(Object.getOwnPropertyNames(new g).length, 0);

Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000000000042be24 in OBJECT_TO_JSVAL_IMPL (obj=<optimized out>) at ../../dist/include/js/Value.h:828
#1  0x000000000052b4a3 in OBJECT_TO_JSVAL_IMPL (obj=<optimized out>) at ../../dist/include/js/Value.h:828
#2  0x00000000005a6a1d in setObject (obj=..., this=<synthetic pointer>) at ../../dist/include/js/Value.h:1054
#3  ObjectValue (obj=...) at ../../dist/include/js/Value.h:1492
#4  CallAsmJS (cx=0x7fe9dc206800, argc=<optimized out>, vp=<optimized out>) at js/src/asmjs/AsmJSLink.cpp:796
#5  0x00000000006ccc22 in js::CallJSNative (cx=0x7fe9dc206800, native=0x5a5fd0 <CallAsmJS(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#6  0x00000000006d1730 in js::CallJSNativeConstructor (cx=0x7fe9dc206800, native=0x5a5fd0 <CallAsmJS(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:268
#7  0x00000000006c5886 in js::InvokeConstructor (cx=cx@entry=0x7fe9dc206800, args=...) at js/src/vm/Interpreter.cpp:803
#8  0x00000000006adbea in Interpret (cx=cx@entry=0x7fe9dc206800, state=...) at js/src/vm/Interpreter.cpp:2969
#9  0x00000000006bbb23 in js::RunScript (cx=cx@entry=0x7fe9dc206800, state=...) at js/src/vm/Interpreter.cpp:661
#10 0x00000000006c6836 in js::ExecuteKernel (cx=cx@entry=0x7fe9dc206800, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x7fff11b80918) at js/src/vm/Interpreter.cpp:902
#11 0x00000000006c8b23 in js::Execute (cx=cx@entry=0x7fe9dc206800, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x7fff11b80918) at js/src/vm/Interpreter.cpp:936
#12 0x0000000000ac6e26 in ExecuteScript (cx=cx@entry=0x7fe9dc206800, scope=..., script=..., rval=0x7fff11b80918) at js/src/jsapi.cpp:4334
#13 0x0000000000ac6f6f in JS_ExecuteScript (cx=cx@entry=0x7fe9dc206800, scriptArg=..., scriptArg@entry=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:4359
#14 0x00000000004805a1 in runOffThreadScript (cx=0x7fe9dc206800, argc=<optimized out>, vp=0x7fff11b80918) at js/src/shell/js.cpp:3352
#15 0x00000000006ccc22 in js::CallJSNative (cx=0x7fe9dc206800, native=0x480490 <runOffThreadScript(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#16 0x00000000006bc122 in js::Invoke (cx=cx@entry=0x7fe9dc206800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:720
#17 0x00000000006bddc6 in js::Invoke (cx=cx@entry=0x7fe9dc206800, thisv=..., fval=..., argc=<optimized out>, argv=0x7fff11b80e28, rval=...) at js/src/vm/Interpreter.cpp:775
#18 0x0000000000bcd184 in js::DirectProxyHandler::call (this=this@entry=0x1b21a40 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7fe9dc206800, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#19 0x0000000000bd3a32 in js::CrossCompartmentWrapper::call (this=0x1b21a40 <js::CrossCompartmentWrapper::singleton>, cx=0x7fe9dc206800, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
#20 0x0000000000be048a in js::Proxy::call (cx=cx@entry=0x7fe9dc206800, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:391
#21 0x0000000000be056e in js::proxy_Call (cx=0x7fe9dc206800, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:697
#22 0x00000000006ccc22 in js::CallJSNative (cx=0x7fe9dc206800, native=0xbe04d0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#23 0x00000000006bc3c5 in js::Invoke (cx=cx@entry=0x7fe9dc206800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:708
#24 0x00000000006bddc6 in js::Invoke (cx=cx@entry=0x7fe9dc206800, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7fff11b812b8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:775
#25 0x00000000008e833a in js::jit::DoCallFallback (cx=0x7fe9dc206800, frame=0x7fff11b812e8, stub_=<optimized out>, argc=<optimized out>, vp=0x7fff11b812a8, res=...) at js/src/jit/BaselineIC.cpp:9867
#26 0x00007fe9dd777bdf in ?? ()
[...]
#36 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7fe9dc206800 140642397218816
rcx 0x7fe9dc5c688d 140642401151117
rdx 0x0 0
rsi 0x7fe9dc89b9d0 140642404121040
rdi 0x7fe9dc89a1c0 140642404114880
rbp 0x7fff11b7f6a0 140733490656928
rsp 0x7fff11b7f6a0 140733490656928
r8  0x7fe9dd90b780 140642421356416
r9  0x2030303031783020 2319406791642329120
r10 0x7fe9dc897be0 140642404105184
r11 0x0 0
r12 0x7fff11b7f820 140733490657312
r13 0x7fe9d8f408e0 140642343979232
r14 0x7fff11b7f8e0 140733490657504
r15 0x1 1
rip 0x42be24 <OBJECT_TO_JSVAL_IMPL(JSObject*)+28>
=> 0x42be24 <OBJECT_TO_JSVAL_IMPL(JSObject*)+28>: movl $0x33c,0x0
   0x42be2f <OBJECT_TO_JSVAL_IMPL(JSObject*)+39>: callq 0x498fe0 <abort()>
Assignee
Comment 3•9 years ago
The first test case doesn't reproduce, but the second is a trivial one to fix. Got r=evilpie over the shoulder.
Attachment #8670169 - Flags: review+
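As an added illustration (not code from this bug, from its attached patch, which is not reproduced on this page, or from SpiderMonkey), the following toy C model shows the failure shape visible in the comment 2 backtrace: an allocation fails under oomAfterAllocations(1), the resulting pointer is handed to ObjectValue from CallAsmJS, and the MOZ_ASSERT at Value.h:828 fires because the pointer is not a plausible heap address. The model contrasts an unchecked construction path with one that tests the allocation and propagates the failure instead of boxing a bad pointer. Object, Value, run_scenario and the allocation budget are hypothetical names introduced here; the sanity predicate is the one from the page's assertion.

```c
/* Added example, not SpiderMonkey code: a toy model of the failure shown in
 * this bug. A Value boxes an object pointer, and boxing applies the same check
 * as the MOZ_ASSERT on the page (pointer above 0x1000, or the 0x42 poison).
 * A fallible allocator stands in for the shell's oomAfterAllocations().
 * All type and function names here are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { int payload; } Object;
typedef struct { bool is_object; Object *obj; } Value;

typedef enum {
    OUTCOME_OK,              /* object allocated and boxed */
    OUTCOME_OOM_REPORTED,    /* allocation failed and the caller was told */
    OUTCOME_ASSERTION_FIRED  /* an invalid pointer reached the box (the bug) */
} Outcome;

/* Allocations that still succeed before every further one fails; -1 = never
 * fail. A simplified budget model of oomAfterAllocations(n). */
static int oom_budget = -1;

static Object *alloc_object(void) {
    if (oom_budget == 0)
        return NULL;                  /* simulated out-of-memory */
    if (oom_budget > 0)
        oom_budget--;
    return calloc(1, sizeof(Object));
}

/* The predicate from the page's assertion: NULL and other small values fail. */
static bool object_pointer_is_sane(const Object *obj) {
    return (uintptr_t)obj > 0x1000 || (uintptr_t)obj == 0x42;
}

/* Stand-in for ObjectValue(): a debug build aborts here; this model returns
 * false instead so the callers (and a test) can observe the condition. */
static bool object_value(Object *obj, Value *out) {
    if (!object_pointer_is_sane(obj))
        return false;
    out->is_object = true;
    out->obj = obj;
    return true;
}

/* Buggy shape: allocate, then box the result without checking it. Under OOM
 * the NULL reaches object_value() and trips the assertion. */
static Outcome construct_unchecked(Value *result) {
    Object *o = alloc_object();
    return object_value(o, result) ? OUTCOME_OK : OUTCOME_ASSERTION_FIRED;
}

/* Hardened shape: test the allocation and propagate the failure to the
 * caller, so no invalid pointer is ever boxed into a Value. */
static Outcome construct_checked(Value *result) {
    Object *o = alloc_object();
    if (!o)
        return OUTCOME_OOM_REPORTED;  /* a real engine reports OOM on the context here */
    return object_value(o, result) ? OUTCOME_OK : OUTCOME_ASSERTION_FIRED;
}

/* Run one construction under the given allocation budget; frees any object. */
Outcome run_scenario(int budget, bool hardened) {
    Value v = { false, NULL };
    oom_budget = budget;
    Outcome r = hardened ? construct_checked(&v) : construct_unchecked(&v);
    if (r == OUTCOME_OK)
        free(v.obj);
    return r;
}

int main(void) {
    static const char *names[] = { "ok", "oom reported", "assertion fired" };
    printf("no OOM, unchecked: %s\n", names[run_scenario(-1, false)]);
    printf("OOM,    unchecked: %s\n", names[run_scenario(0, false)]);
    printf("OOM,    checked:   %s\n", names[run_scenario(0, true)]);
    return 0;
}
```

The unchecked path only misbehaves when the allocator fails, which is why a fuzzer needs an OOM-injection primitive like oomAfterAllocations() to reach the assertion at all; the hardened path turns the same failure into an ordinary reported error.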
Updated•9 years ago
Assignee: nobody → benj
https://hg.mozilla.org/mozilla-central/rev/3f42d96aab54
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox44:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44