1180049 - Crash [@ js::TemporaryTypeSet::convertDoubleElements] with OOM

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision f5e3bacfb60e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --ion-eager):

var y = new Array();
var foo = {};
var bar = {};
var results = [];
for each(let [key, _L71] in oomAfterAllocations(100))
results.push(key + ":" + value);
function f(x) {}



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::TemporaryTypeSet::convertDoubleElements (this=0x0, constraints=constraints@entry=0x7ffff69ad1c0) at js/src/vm/TypeInference.cpp:2168
#0  js::TemporaryTypeSet::convertDoubleElements (this=0x0, constraints=constraints@entry=0x7ffff69ad1c0) at js/src/vm/TypeInference.cpp:2168
#1  0x00000000009af18e in js::jit::MNewArray::MNewArray (this=0x7ffff69af960, constraints=0x7ffff69ad1c0, count=<optimized out>, templateConst=<optimized out>, initialHeap=<optimized out>, pc=0x7ffff47be8f1 "R") at js/src/jit/MIR.cpp:4108
#2  0x00000000009bc773 in New (pc=0x7ffff47be8f1 "R", initialHeap=<optimized out>, templateConst=0x7ffff69af8b8, count=0, constraints=<optimized out>, alloc=...) at js/src/jit/MIR.h:2914
#3  js::jit::IonBuilder::inlineArray (this=0x7ffff69ad258, callInfo=...) at js/src/jit/MCallOptimize.cpp:593
#4  0x00000000009545bd in js::jit::IonBuilder::inlineSingleCall (this=0x7ffff69ad258, callInfo=..., targetArg=<optimized out>) at js/src/jit/IonBuilder.cpp:5186
#5  0x0000000000955bec in js::jit::IonBuilder::inlineCallsite (this=this@entry=0x7ffff69ad258, targets=..., callInfo=...) at js/src/jit/IonBuilder.cpp:5250
#6  0x0000000000955f85 in js::jit::IonBuilder::jsop_call (this=this@entry=0x7ffff69ad258, argc=0, constructing=<optimized out>) at js/src/jit/IonBuilder.cpp:6128
#7  0x000000000094efe5 in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7ffff69ad258, op=op@entry=JSOP_NEW) at js/src/jit/IonBuilder.cpp:1788
#8  0x0000000000950010 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7ffff69ad258) at js/src/jit/IonBuilder.cpp:1453
#9  0x0000000000950455 in js::jit::IonBuilder::build (this=0x7ffff69ad258) at js/src/jit/IonBuilder.cpp:859
#10 0x0000000000953070 in js::jit::IonCompile (cx=cx@entry=0x7ffff691b4e0, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffffffcd88, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=js::jit::Optimization_Normal) at js/src/jit/Ion.cpp:1998
#11 0x0000000000958b14 in js::jit::Compile (cx=cx@entry=0x7ffff691b4e0, script=..., script@entry=..., osrFrame=osrFrame@entry=0x7fffffffcd88, osrPc=osrPc@entry=0x7ffff47be9c5 "\343\201QLM\a\377\377\377\202QNș\210\004\225\210\004\225\210\004\225\210\004ʘ\a\210\t\230\001\210\004ψ\004Ɉ\v\220\210\004Ј\b\220\210\004Ј\b\220\210\004ψ\f\220̈\034\322\060\200", constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2221
#12 0x0000000000958da1 in js::jit::CanEnterAtBranch (cx=cx@entry=0x7ffff691b4e0, script=0x7ffff7e60128, osrFrame=osrFrame@entry=0x7fffffffcd88, pc=pc@entry=0x7ffff47be9c5 "\343\201QLM\a\377\377\377\202QNș\210\004\225\210\004\225\210\004\225\210\004ʘ\a\210\t\230\001\210\004ψ\004Ɉ\v\220\210\004Ј\b\220\210\004Ј\b\220\210\004ψ\f\220̈\034\322\060\200") at js/src/jit/Ion.cpp:2303
#13 0x0000000000845586 in EnsureCanEnterIon (stub=<optimized out>, jitcodePtr=<synthetic pointer>, pc=0x7ffff47be9c5 "\343\201QLM\a\377\377\377\202QNș\210\004\225\210\004\225\210\004\225\210\004ʘ\a\210\t\230\001\210\004ψ\004Ɉ\v\220\210\004Ј\b\220\210\004Ј\b\220\210\004ψ\f\220̈\034\322\060\200", script=..., frame=0x7fffffffcd88, cx=0x7ffff691b4e0) at js/src/jit/BaselineIC.cpp:103
#14 js::jit::DoWarmUpCounterFallback (cx=0x7ffff691b4e0, frame=0x7fffffffcd88, stub=<optimized out>, infoPtr=0x7fffffffcd40) at js/src/jit/BaselineIC.cpp:267
#15 0x00007ffff7feffd9 in ?? ()
[...]
#26 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff69af960	140737330739552
rcx	0x7ffff7dd5320	140737351865120
rdx	0x1bba09c	29073564
rsi	0x7ffff69ad1c0	140737330729408
rdi	0x0	0
rbp	0x7fffffffc3a0	140737488339872
rsp	0x7fffffffc340	140737488339776
r8	0x0	0
r9	0x7ffff47be8f1	140737295149297
r10	0x1	1
r11	0x7ffff4604740	140737293338432
r12	0x0	0
r13	0xfffb7fffffffffff	-1266637395197953
r14	0x7fffffffffff	140737488355327
r15	0x7ffff47be8f1	140737295149297
rip	0x76a714 <js::TemporaryTypeSet::convertDoubleElements(js::CompilerConstraintList*)+20>
=> 0x76a714 <js::TemporaryTypeSet::convertDoubleElements(js::CompilerConstraintList*)+20>:	mov    (%rdi),%ecx
   0x76a716 <js::TemporaryTypeSet::convertDoubleElements(js::CompilerConstraintList*)+22>:	test   $0x41,%ch

Comment 1

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a0dd5a83ba36
user:        Jan de Mooij
date:        Thu Jul 24 11:56:43 2014 +0200
summary:     Bug 1031529 part 2 - Remove JS_THREADSAFE #ifdefs everywhere. r=bhackett

changeset:   https://hg.mozilla.org/mozilla-central/rev/6426fef52f51
user:        Jan de Mooij
date:        Thu Jul 24 11:56:45 2014 +0200
summary:     Bug 1031529 part 3 - Step defining JS_THREADSAFE, remove --disable-threadsafe. r=glandium

This iteration took 0.259 seconds to run.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

This bisection result might not be accurate.

Comment 3

[Jan de Mooij [:jandem]]

Attachment: Patch

Missing OOM check in MNewArray's constructor.

Comment 4

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/4106e0aaeae5

Comment 5

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/4106e0aaeae5