As a security precaution, we have turned on the setting "Require API key authentication for API requests" for everyone. If this has broken something, please contact bugzilla-admin@mozilla.org
Last Comment Bug 1164532 - Assertion failure: !isInList(), at js/src/jsweakmap.cpp:42 with OOM
: Assertion failure: !isInList(), at js/src/jsweakmap.cpp:42 with OOM
Status: RESOLVED DUPLICATE of bug 1165966
[jsbugmon:update]
: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
: -- critical (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
:
: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks: langfuzz 912928
  Show dependency treegraph
 
Reported: 2015-05-13 09:54 PDT by Christian Holler (:decoder)
Modified: 2015-05-19 09:14 PDT (History)
7 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
affected


Attachments

Description User image Christian Holler (:decoder) 2015-05-13 09:54:07 PDT
The following testcase crashes on mozilla-central revision 62d9b117c688 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

var g = newGlobal("ar-u-nu-arab", this);
function attach(g, i) {
    var dbg = Debugger(g);
    oomAfterAllocations(10);
}
for (var i = 0; i < 3; i++)
    attach(g, i);



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000b99098 in js::WeakMapBase::~WeakMapBase (this=0x7ffff695db40, __in_chrg=<optimized out>) at js/src/jsweakmap.cpp:42
#0  0x0000000000b99098 in js::WeakMapBase::~WeakMapBase (this=0x7ffff695db40, __in_chrg=<optimized out>) at js/src/jsweakmap.cpp:42
#1  0x0000000000644e4e in ~WeakMap (this=0x7ffff695db40, __in_chrg=<optimized out>) at js/src/jsweakmap.h:111
#2  ~DebuggerWeakMap (this=0x7ffff695db40, __in_chrg=<optimized out>) at js/src/vm/Debugger.h:65
#3  js::Debugger::~Debugger (this=0x7ffff695d800, __in_chrg=<optimized out>) at js/src/vm/Debugger.cpp:388
#4  0x00000000006524eb in js_delete<js::Debugger> (p=0x7ffff695d800) at ../../dist/include/js/Utility.h:238
#5  operator() (this=<optimized out>, ptr=0x7ffff695d800) at ../../dist/include/js/Utility.h:329
#6  reset (aPtr=0x0, this=<synthetic pointer>) at ../../dist/include/mozilla/UniquePtr.h:308
#7  ~UniquePtr (this=<synthetic pointer>, __in_chrg=<optimized out>) at ../../dist/include/mozilla/UniquePtr.h:253
#8  js::Debugger::construct (cx=0x7ffff691b4e0, argc=1, vp=0x7ffff51e9140) at js/src/vm/Debugger.cpp:3113
#9  0x000000000067a652 in js::CallJSNative (cx=0x7ffff691b4e0, native=0x652060 <js::Debugger::construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#10 0x000000000066ad73 in js::Invoke (cx=cx@entry=0x7ffff691b4e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:727
#11 0x0000000000664907 in Interpret (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:2955
#12 0x000000000066a843 in js::RunScript (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:677
#13 0x0000000000674efe in js::ExecuteKernel (cx=cx@entry=0x7ffff691b4e0, script=..., script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:902
#14 0x0000000000677139 in js::Execute (cx=cx@entry=0x7ffff691b4e0, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:942
#15 0x0000000000a64f09 in ExecuteScript (cx=cx@entry=0x7ffff691b4e0, obj=..., scriptArg=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4160
#16 0x0000000000a650cb in JS_ExecuteScript (cx=cx@entry=0x7ffff691b4e0, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4182
#17 0x00000000004258cb in RunFile (compileOnly=false, file=0x7ffff699e400, filename=0x7fffffffdfc9 "min.js", cx=0x7ffff691b4e0) at js/src/shell/js.cpp:468
#18 Process (cx=cx@entry=0x7ffff691b4e0, filename=0x7fffffffdfc9 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:598
#19 0x000000000047140b in ProcessArgs (op=0x7fffffffda40, cx=0x7ffff691b4e0) at js/src/shell/js.cpp:5802
#20 Shell (envp=<optimized out>, op=0x7fffffffda40, cx=0x7ffff691b4e0) at js/src/shell/js.cpp:6071
#21 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6393
rax	0x0	0
rbx	0x7ffff695d800	140737330403328
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffc390	140737488339856
rsp	0x7fffffffc300	140737488339712
r8	0x7ffff7fe0780	140737354008448
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffc0c0	140737488339136
r11	0x7ffff6c27960	140737333328224
r12	0x7ffff695d800	140737330403328
r13	0x7ffff695db40	140737330404160
r14	0x0	0
r15	0x7ffff51e9158	140737305809240
rip	0xb99098 <js::WeakMapBase::~WeakMapBase()+856>
=> 0xb99098 <js::WeakMapBase::~WeakMapBase()+856>:	movl   $0x2a,0x0
   0xb990a3 <js::WeakMapBase::~WeakMapBase()+867>:	callq  0x48ec30 <abort()>
Comment 1 User image Jan de Mooij [:jandem] 2015-05-18 10:38:58 PDT
Sorry for another NI request but according to decoder this one also blocks OOM testing, and I don't know who else is familiar with weakmaps.

Here Debugger::init() OOms, so we call ~Debugger -> ... -> ~WeakMapBase, where we assert the weakmap is not in the list.

The Debugger object has various weakmaps and I think Debugger::init() will add them to the list, but I'm not sure how this unlinking is supposed to work... Is that usually done in WeakMapBase::sweepCompartment? Or somewhere else?

Should we unlink the debugger's weakmaps in ~Debugger?
Comment 2 User image Christian Holler (:decoder) 2015-05-18 16:23:47 PDT
JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a0dd5a83ba36
user:        Jan de Mooij
date:        Thu Jul 24 11:56:43 2014 +0200
summary:     Bug 1031529 part 2 - Remove JS_THREADSAFE #ifdefs everywhere. r=bhackett

changeset:   https://hg.mozilla.org/mozilla-central/rev/6426fef52f51
user:        Jan de Mooij
date:        Thu Jul 24 11:56:45 2014 +0200
summary:     Bug 1031529 part 3 - Step defining JS_THREADSAFE, remove --disable-threadsafe. r=glandium

This iteration took 72.604 seconds to run.
Comment 3 User image Jon Coppeard (:jonco) 2015-05-19 09:14:10 PDT
This is fixed by the patch in bug 1165966.

*** This bug has been marked as a duplicate of bug 1165966 ***

Note You need to log in before you can comment on or make changes to this bug.