Crash [@ js::jit::IonBuilder::replaceTypeSet] with OOM

RESOLVED DUPLICATE of bug 1191756

Core
JavaScript Engine
critical

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 2 bugs, {crash, regression, testcase})

Trunk
x86_64
Linux

Firefox Tracking Flags

(firefox42 affected)

Details

(Whiteboard: [jsbugmon:update,bisect], crash signature)

(Reporter)

Description

The following testcase crashes on mozilla-central revision d3228c82badd (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-eager --ion-offthread-compile=off):

if (typeof isSurrogatePair === 'undefined') {
    var isSurrogatePair = function isSurrogatePair(s) {
        return s.length == 2 && isHighSurrogate(s[0]) && isLowSurrogate(s[1]);
    }
}
function test(s, expectedCodePoints) {
    for (var v of s) {
        assertEq(v.length, isSurrogatePair(v) ? 2 : 1);
        oomAfterAllocations(100);
        singleHighSurrogate = !isSurrogatePair(v) && isHighSurrogate(v);
    }
}
test('abc', 3);
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::jit::IonBuilder::replaceTypeSet (this=0x7ffff69b51a8, subject=0x7ffff69b7690, type=0x0, test=0x7ffff69b7c48) at js/src/jit/IonBuilder.cpp:3416
#0  js::jit::IonBuilder::replaceTypeSet (this=0x7ffff69b51a8, subject=0x7ffff69b7690, type=0x0, test=0x7ffff69b7c48) at js/src/jit/IonBuilder.cpp:3416
#1  0x0000000000948196 in js::jit::IonBuilder::improveTypesAtTest (this=this@entry=0x7ffff69b51a8, ins=0x7ffff69b7690, trueBranch=<optimized out>, test=test@entry=0x7ffff69b7c48) at js/src/jit/IonBuilder.cpp:3837
#2  0x000000000095e3ff in js::jit::IonBuilder::jsop_andor (this=0x7ffff69b51a8, op=op@entry=JSOP_AND) at js/src/jit/IonBuilder.cpp:4192
#3  0x000000000098b356 in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7ffff69b51a8, op=op@entry=JSOP_AND) at js/src/jit/IonBuilder.cpp:1668
#4  0x000000000098c020 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7ffff69b51a8) at js/src/jit/IonBuilder.cpp:1505
#5  0x000000000098c465 in js::jit::IonBuilder::build (this=0x7ffff69b51a8) at js/src/jit/IonBuilder.cpp:904
#6  0x000000000098f080 in js::jit::IonCompile (cx=cx@entry=0x7ffff6907000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x0, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=js::jit::Optimization_Normal) at js/src/jit/Ion.cpp:2013
#7  0x0000000000994b94 in js::jit::Compile (cx=cx@entry=0x7ffff6907000, script=..., script@entry=..., osrFrame=osrFrame@entry=0x0, osrPc=osrPc@entry=0x0, constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2236
#8  0x0000000000994dc6 in js::jit::CanEnter (cx=cx@entry=0x7ffff6907000, state=...) at js/src/jit/Ion.cpp:2390
#9  0x00000000006bbbc5 in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:637
#10 0x00000000006bc234 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:738
#11 0x00000000006bddc6 in js::Invoke (cx=cx@entry=0x7ffff6907000, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffc178, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:775
#12 0x00000000008e833a in js::jit::DoCallFallback (cx=0x7ffff6907000, frame=0x7fffffffc1d8, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffc168, res=...) at js/src/jit/BaselineIC.cpp:9867
#13 0x00007ffff7feebdf in ?? ()
[...]
#39 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff69b7690	140737330771600
rcx	0x7ffff69b7c48	140737330773064
rdx	0x0	0
rsi	0x7ffff69b7690	140737330771600
rdi	0x7ffff69b51a8	140737330762152
rbp	0x7fffffffb2a0	140737488335520
rsp	0x7fffffffb230	140737488335408
r8	0x0	0
r9	0x53b8	21432
r10	0x4	4
r11	0x4	4
r12	0x7ffff69b51a8	140737330762152
r13	0x7fffffffb2d0	140737488335568
r14	0x7ffff69b7c48	140737330773064
r15	0x7ffff69b5ac8	140737330764488
rip	0x933541 <js::jit::IonBuilder::replaceTypeSet(js::jit::MDefinition*, js::TemporaryTypeSet*, js::jit::MTest*)+17>
=> 0x933541 <js::jit::IonBuilder::replaceTypeSet(js::jit::MDefinition*, js::TemporaryTypeSet*, js::jit::MTest*)+17>:	mov    (%rdx),%eax
   0x933543 <js::jit::IonBuilder::replaceTypeSet(js::jit::MDefinition*, js::TemporaryTypeSet*, js::jit::MTest*)+19>:	mov    %rdx,-0x58(%rbp)

Can't reproduce with the patch in bug 1191756; it's the same signature, and the stack trace resembles the one in bug 1191756. Closing as dup.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1191756