As a security precaution, we have turned on the setting "Require API key authentication for API requests" for everyone. If this has broken something, please contact bugzilla-admin@mozilla.org
Last Comment Bug 1177122 - Assertion failure: (extractBuffer(&data, &size)), at js/src/vm/StructuredClone.cpp:725 with OOM
: Assertion failure: (extractBuffer(&data, &size)), at js/src/vm/StructuredClon...
Status: RESOLVED FIXED
[jsbugmon:update]
: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
: -- critical (vote)
: mozilla44
Assigned To: Lars T Hansen [:lth]
:
: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks: langfuzz 912928
  Show dependency treegraph
 
Reported: 2015-06-24 10:33 PDT by Christian Holler (:decoder)
Modified: 2015-10-08 14:31 PDT (History)
6 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
affected
fixed


Attachments
Patch (3.71 KB, patch)
2015-10-07 04:05 PDT, Hannes Verschore [:h4writer]
evilpies: review-
Details | Diff | Splinter Review
bug1177122-sc-writer-oom.patch (1.29 KB, patch)
2015-10-08 02:22 PDT, Lars T Hansen [:lth]
evilpies: review+
Details | Diff | Splinter Review

Description User image Christian Holler (:decoder) 2015-06-24 10:33:13 PDT
The following testcase crashes on mozilla-central revision 2694ff2ace6a (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

var a = [new Boolean(true),];
for (var i = 0; i < a.length; i++) {
    var x = a[i];
    oomAfterAllocations(1);
    var y = deserialize(serialize(x));
}


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000745442 in JSStructuredCloneWriter::~JSStructuredCloneWriter (this=0x7fffd2bd23a0, __in_chrg=<optimized out>) at js/src/vm/StructuredClone.cpp:725
#1  0x00000000007733aa in WriteStructuredClone (cx=cx@entry=0x7fd65801b330, v=..., v@entry=..., bufp=bufp@entry=0x7fffd2bd2820, nbytesp=nbytesp@entry=0x7fffd2bd2828, cb=cb@entry=0x0, cbClosure=<optimized out>, transferable=...) at js/src/vm/StructuredClone.cpp:370
#2  0x00000000007735ca in JS_WriteStructuredClone (cx=cx@entry=0x7fd65801b330, value=value@entry=..., bufp=bufp@entry=0x7fffd2bd2820, nbytesp=nbytesp@entry=0x7fffd2bd2828, optionalCallbacks=optionalCallbacks@entry=0x0, closure=closure@entry=0x0, transferable=transferable@entry=...) at js/src/vm/StructuredClone.cpp:1905
#3  0x0000000000773716 in JSAutoStructuredCloneBuffer::write (this=this@entry=0x7fffd2bd2820, cx=cx@entry=0x7fd65801b330, value=..., transferable=..., optionalCallbacks=optionalCallbacks@entry=0x0, closure=closure@entry=0x0) at js/src/vm/StructuredClone.cpp:2074
#4  0x00000000005920a3 in Serialize (cx=0x7fd65801b330, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1762
#5  0x0000000000696982 in js::CallJSNative (cx=0x7fd65801b330, native=0x592020 <Serialize(JSContext*, unsigned int, jsval*)>, args=...) at js/src/jscntxtinlines.h:235
#6  0x0000000000686102 in js::Invoke (cx=cx@entry=0x7fd65801b330, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:709
#7  0x0000000000678292 in Interpret (cx=cx@entry=0x7fd65801b330, state=...) at js/src/vm/Interpreter.cpp:2962
#8  0x0000000000685b03 in js::RunScript (cx=cx@entry=0x7fd65801b330, state=...) at js/src/vm/Interpreter.cpp:653
#9  0x00000000006862bb in js::Invoke (cx=cx@entry=0x7fd65801b330, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:729
#10 0x0000000000687e89 in js::Invoke (cx=cx@entry=0x7fd65801b330, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7fffd2bd4568, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:766
#11 0x00000000008b46aa in js::jit::DoCallFallback (cx=0x7fd65801b330, frame=0x7fffd2bd4598, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffd2bd4558, res=...) at js/src/jit/BaselineIC.cpp:9855
#12 0x00007fd65957fbdf in ?? ()
[...]
#22 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffd2bd23a0	140736728998816
rcx	0x7fd6583ce88d	140558580115597
rdx	0x0	0
rsi	0x7fd6586a39d0	140558583085520
rdi	0x7fd6586a21c0	140558583079360
rbp	0x7fffd2bd2350	140736728998736
rsp	0x7fffd2bd2300	140736728998656
r8	0x7fd659713780	140558600320896
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fd65869fbe0	140558583069664
r11	0x0	0
r12	0x7fffd2bd23a8	140736728998824
r13	0x7fffd2bd2380	140736728998784
r14	0x0	0
r15	0x0	0
rip	0x745442 <JSStructuredCloneWriter::~JSStructuredCloneWriter()+850>
=> 0x745442 <JSStructuredCloneWriter::~JSStructuredCloneWriter()+850>:	movl   $0x2d5,0x0
   0x74544d <JSStructuredCloneWriter::~JSStructuredCloneWriter()+861>:	callq  0x494da0 <abort()>
Comment 1 User image Christian Holler (:decoder) 2015-06-24 15:29:56 PDT
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150524152820" and the hash "5f7e75cf1891".
The "bad" changeset has the timestamp "20150524171021" and the hash "004de000947c".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=5f7e75cf1891&tochange=004de000947c
Comment 2 User image Lars T Hansen [:lth] 2015-10-06 05:18:18 PDT
Reproduces in current m-i, also with no runtime flags and and with --no-ion --no-baseline.
Comment 3 User image Hannes Verschore [:h4writer] 2015-10-07 04:05:26 PDT
Created attachment 8670732 [details] [diff] [review]
Patch
Comment 4 User image Tom Schuster [:evilpie] 2015-10-07 04:57:34 PDT
Comment on attachment 8670732 [details] [diff] [review]
Patch

Review of attachment 8670732 [details] [diff] [review]:
-----------------------------------------------------------------

I am not sure this is a good idea. Seems like just always crashing would be simpler and avoid problems if something else changes.
Comment 5 User image Tom Schuster [:evilpie] 2015-10-08 02:07:15 PDT
Comment on attachment 8670732 [details] [diff] [review]
Patch

Review of attachment 8670732 [details] [diff] [review]:
-----------------------------------------------------------------

Let's just always crash when extractBuffer fails.
Comment 6 User image Lars T Hansen [:lth] 2015-10-08 02:22:14 PDT
Created attachment 8671252 [details] [diff] [review]
bug1177122-sc-writer-oom.patch

A simpler solution.
Comment 7 User image Lars T Hansen [:lth] 2015-10-08 02:26:09 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/b31170d704caf2bb09c184b5655a6165a4469273
Bug 1177122 - handle OOM in JSStructuredCloneWriter destructor.  r=evilpie
Comment 8 User image Wes Kocher (:KWierso) 2015-10-08 14:31:46 PDT
https://hg.mozilla.org/mozilla-central/rev/b31170d704ca

Note You need to log in before you can comment on or make changes to this bug.