1177122 - Assertion failure: (extractBuffer(&data, &size)), at js/src/vm/StructuredClone.cpp:725 with OOM

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 2694ff2ace6a (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

var a = [new Boolean(true),];
for (var i = 0; i < a.length; i++) {
    var x = a[i];
    oomAfterAllocations(1);
    var y = deserialize(serialize(x));
}


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000745442 in JSStructuredCloneWriter::~JSStructuredCloneWriter (this=0x7fffd2bd23a0, __in_chrg=<optimized out>) at js/src/vm/StructuredClone.cpp:725
#1  0x00000000007733aa in WriteStructuredClone (cx=cx@entry=0x7fd65801b330, v=..., v@entry=..., bufp=bufp@entry=0x7fffd2bd2820, nbytesp=nbytesp@entry=0x7fffd2bd2828, cb=cb@entry=0x0, cbClosure=<optimized out>, transferable=...) at js/src/vm/StructuredClone.cpp:370
#2  0x00000000007735ca in JS_WriteStructuredClone (cx=cx@entry=0x7fd65801b330, value=value@entry=..., bufp=bufp@entry=0x7fffd2bd2820, nbytesp=nbytesp@entry=0x7fffd2bd2828, optionalCallbacks=optionalCallbacks@entry=0x0, closure=closure@entry=0x0, transferable=transferable@entry=...) at js/src/vm/StructuredClone.cpp:1905
#3  0x0000000000773716 in JSAutoStructuredCloneBuffer::write (this=this@entry=0x7fffd2bd2820, cx=cx@entry=0x7fd65801b330, value=..., transferable=..., optionalCallbacks=optionalCallbacks@entry=0x0, closure=closure@entry=0x0) at js/src/vm/StructuredClone.cpp:2074
#4  0x00000000005920a3 in Serialize (cx=0x7fd65801b330, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1762
#5  0x0000000000696982 in js::CallJSNative (cx=0x7fd65801b330, native=0x592020 <Serialize(JSContext*, unsigned int, jsval*)>, args=...) at js/src/jscntxtinlines.h:235
#6  0x0000000000686102 in js::Invoke (cx=cx@entry=0x7fd65801b330, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:709
#7  0x0000000000678292 in Interpret (cx=cx@entry=0x7fd65801b330, state=...) at js/src/vm/Interpreter.cpp:2962
#8  0x0000000000685b03 in js::RunScript (cx=cx@entry=0x7fd65801b330, state=...) at js/src/vm/Interpreter.cpp:653
#9  0x00000000006862bb in js::Invoke (cx=cx@entry=0x7fd65801b330, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:729
#10 0x0000000000687e89 in js::Invoke (cx=cx@entry=0x7fd65801b330, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7fffd2bd4568, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:766
#11 0x00000000008b46aa in js::jit::DoCallFallback (cx=0x7fd65801b330, frame=0x7fffd2bd4598, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffd2bd4558, res=...) at js/src/jit/BaselineIC.cpp:9855
#12 0x00007fd65957fbdf in ?? ()
[...]
#22 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffd2bd23a0	140736728998816
rcx	0x7fd6583ce88d	140558580115597
rdx	0x0	0
rsi	0x7fd6586a39d0	140558583085520
rdi	0x7fd6586a21c0	140558583079360
rbp	0x7fffd2bd2350	140736728998736
rsp	0x7fffd2bd2300	140736728998656
r8	0x7fd659713780	140558600320896
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fd65869fbe0	140558583069664
r11	0x0	0
r12	0x7fffd2bd23a8	140736728998824
r13	0x7fffd2bd2380	140736728998784
r14	0x0	0
r15	0x0	0
rip	0x745442 <JSStructuredCloneWriter::~JSStructuredCloneWriter()+850>
=> 0x745442 <JSStructuredCloneWriter::~JSStructuredCloneWriter()+850>:	movl   $0x2d5,0x0
   0x74544d <JSStructuredCloneWriter::~JSStructuredCloneWriter()+861>:	callq  0x494da0 <abort()>

Comment 1

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150524152820" and the hash "5f7e75cf1891".
The "bad" changeset has the timestamp "20150524171021" and the hash "004de000947c".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=5f7e75cf1891&tochange=004de000947c

Comment 2

[Lars T Hansen [:lth]]

Reproduces in current m-i, also with no runtime flags and and with --no-ion --no-baseline.

Comment 3

[Hannes Verschore [:h4writer]]

Attachment: Patch

Comment 4

[Tom S [:evilpie]]

Comment on attachment 8670732 [details] [diff] [review]
Patch

Review of attachment 8670732 [details] [diff] [review]:
-----------------------------------------------------------------

I am not sure this is a good idea. Seems like just always crashing would be simpler and avoid problems if something else changes.

Comment 5

[Tom S [:evilpie]]

Comment on attachment 8670732 [details] [diff] [review]
Patch

Review of attachment 8670732 [details] [diff] [review]:
-----------------------------------------------------------------

Let's just always crash when extractBuffer fails.

Comment 6

[Lars T Hansen [:lth]]

Attachment: bug1177122-sc-writer-oom.patch

A simpler solution.

Comment 7

[Lars T Hansen [:lth]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/b31170d704caf2bb09c184b5655a6165a4469273
Bug 1177122 - handle OOM in JSStructuredCloneWriter destructor.  r=evilpie

Comment 8

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/b31170d704ca