Closed Bug 1193102 Opened 9 years ago Closed 9 years ago

Crash [@ js::NewObjectCache::invalidateEntriesForShape] with OOM

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla44
Tracking Status
firefox42 --- affected
firefox44 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,ignore])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 943b79d9c65f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

var lfcode = new Array();
lfcode.push = loadFile;   // fuzzer idiom: push() now compiles and runs each snippet in a fresh global
lfcode.push(`
oomAfterAllocations(10);   // shell builtin: make allocations start failing after 10 more
assertEq(/alpha@/.test(stack), true);   // evaluating the regexp literal clones it; that path hits the OOM
`);
function loadFile(lfVarx) {
    var lfGlobal = newGlobal();
    lfGlobal.offThreadCompileScript(lfVarx);   // compile the snippet on a helper thread
    lfGlobal.runOffThreadScript();             // run it in lfGlobal; the crash fires from here
}


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  js::NewObjectCache::invalidateEntriesForShape (this=<optimized out>, cx=cx@entry=0x7f8408b06800, shape=..., shape@entry=..., proto=proto@entry=...) at js/src/vm/Runtime.h:303
#1  0x00000000007337fe in js::EmptyShape::insertInitialShape (cx=cx@entry=0x7f8408b06800, shape=shape@entry=..., proto=proto@entry=...) at js/src/vm/Shape.cpp:1591
#2  0x000000000073b9da in ensureInitialCustomShape<js::RegExpObject> (obj=..., cx=0x7f8408b06800) at js/src/vm/Shape-inl.h:130
#3  js::RegExpObject::init (this=<optimized out>, cx=0x7f8408b06800, source=..., flags=js::NoFlags) at js/src/vm/RegExpObject.cpp:342
#4  0x000000000073ba93 in js::RegExpObjectBuilder::build (this=this@entry=0x7fff629728b0, source=..., source@entry=..., shared=...) at js/src/vm/RegExpObject.cpp:87
#5  0x000000000073be9f in js::RegExpObjectBuilder::clone (this=this@entry=0x7fff629728b0, other=other@entry=...) at js/src/vm/RegExpObject.cpp:132
#6  0x000000000073bfb2 in js::CloneRegExpObject (cx=cx@entry=0x7f8408b06800, obj_=0x7f84062630a0) at js/src/vm/RegExpObject.cpp:988
#7  0x00000000006afb0a in Interpret (cx=cx@entry=0x7f8408b06800, state=...) at js/src/vm/Interpreter.cpp:3263
#8  0x00000000006b692b in js::RunScript (cx=cx@entry=0x7f8408b06800, state=...) at js/src/vm/Interpreter.cpp:714
#9  0x00000000006c9eb9 in js::ExecuteKernel (cx=cx@entry=0x7f8408b06800, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x7fff62973508) at js/src/vm/Interpreter.cpp:955
#10 0x00000000006ca233 in js::Execute (cx=cx@entry=0x7f8408b06800, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x7fff62973508) at js/src/vm/Interpreter.cpp:989
#11 0x0000000000ac8f8b in ExecuteScript (cx=cx@entry=0x7f8408b06800, scope=..., script=..., rval=0x7fff62973508) at js/src/jsapi.cpp:4374
#12 0x0000000000ac907f in JS_ExecuteScript (cx=cx@entry=0x7f8408b06800, scriptArg=..., scriptArg@entry=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:4399
#13 0x000000000047ff81 in runOffThreadScript (cx=0x7f8408b06800, argc=<optimized out>, vp=0x7fff62973508) at js/src/shell/js.cpp:3352
#14 0x00000000006cff72 in js::CallJSNative (cx=0x7f8408b06800, native=0x47fe70 <runOffThreadScript(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#15 0x00000000006b7012 in js::Invoke (cx=cx@entry=0x7f8408b06800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:773
#16 0x00000000006b7f59 in js::Invoke (cx=cx@entry=0x7f8408b06800, thisv=..., fval=..., argc=<optimized out>, argv=0x7fff62973a08, rval=...) at js/src/vm/Interpreter.cpp:828
#17 0x0000000000be5874 in js::DirectProxyHandler::call (this=this@entry=0x1b2aac0 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7f8408b06800, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#18 0x0000000000bea192 in js::CrossCompartmentWrapper::call (this=0x1b2aac0 <js::CrossCompartmentWrapper::singleton>, cx=0x7f8408b06800, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
#19 0x0000000000be33d2 in js::Proxy::call (cx=cx@entry=0x7f8408b06800, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:391
#20 0x0000000000be348e in js::proxy_Call (cx=0x7f8408b06800, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:697
#21 0x00000000006cff72 in js::CallJSNative (cx=0x7f8408b06800, native=0xbe33f0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#22 0x00000000006b72ab in js::Invoke (cx=cx@entry=0x7f8408b06800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:761
#23 0x00000000006b7f59 in js::Invoke (cx=cx@entry=0x7f8408b06800, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7fff62973e98, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:828
#24 0x00000000008dceba in js::jit::DoCallFallback (cx=0x7f8408b06800, frame=0x7fff62973ec8, stub_=<optimized out>, argc=<optimized out>, vp=0x7fff62973e88, res=...) at js/src/jit/BaselineIC.cpp:10028
#25 0x00007f840a048bdf in ?? ()
#26 0x0000000000000008 in ?? ()
#27 0x00007fff62973e40 in ?? ()
#28 0xfff9000000000000 in ?? ()
#29 0x0000000001b41980 in js::jit::DoSpreadCallFallbackInfo ()
#30 0x00007f8406d54a90 in ?? ()
#31 0x00007f840a04c323 in ?? ()
#32 0x0000000000000802 in ?? ()
#33 0x00007fff62973ec8 in ?? ()
#34 0x00007f8408ba7420 in ?? ()
#35 0x0000000000000000 in ?? ()
rax	0x7f84078a6388	140205038920584
rbx	0x7f8408b06800	140205058189312
rcx	0x0	0
rdx	0xc7ce0c7ce0c7ce0d	-4049285284472828403
rsi	0x7f8408b400d8	140205058425048
rdi	0x7fff62972590	140734847460752
rbp	0x7fff62972610	140734847460880
rsp	0x7fff62972580	140734847460736
r8	0x9	9
r9	0x7f8408b3e920	140205058418976
r10	0x27	39
r11	0x0	0
r12	0x7fff629725c0	140734847460800
r13	0x1ae63e0	28206048
r14	0x7fff62972710	140734847461136
r15	0x7fff629725a0	140734847460768
rip	0x7333b7 <js::NewObjectCache::invalidateEntriesForShape(JSContext*, JS::Handle<js::Shape*>, JS::Handle<JSObject*>)+359>
=> 0x7333b7 <js::NewObjectCache::invalidateEntriesForShape(JSContext*, JS::Handle<js::Shape*>, JS::Handle<JSObject*>)+359>:	mov    (%rcx),%rsi
   0x7333ba <js::NewObjectCache::invalidateEntriesForShape(JSContext*, JS::Handle<js::Shape*>, JS::Handle<JSObject*>)+362>:	mov    %rsi,%rax
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, failed due to error (try manually).
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision f2f8cb92dce4).
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Can't reproduce this on tip. Will try the original revision.
Attached patch: Patch
NewObjectCache::invalidateEntriesForShape tries to invalidate entries corresponding to a particular shape. When the defaultNewGroup call OOMs though, I think the simplest way to handle that is to purge the whole cache and recover.
Attachment #8670206 - Flags: review?(bhackett1024)
Attachment #8670206 - Flags: review?(bhackett1024) → review+
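The recovery strategy described in the patch comment, modelled as an added example (constructed here, not SpiderMonkey's NewObjectCache or the patch itself): a shape-keyed cache whose targeted invalidation needs a fallible group lookup, standing in for defaultNewGroup(). The register dump above shows the crash reading through rcx == 0, i.e. the failed lookup's null result was dereferenced; the fix's fallback instead purges the whole cache when that lookup fails.

```cpp
#include <array>
#include <cstddef>
#include <cstdio>

// Constructed model; Shape, Group and the lookup are simplified stand-ins.
struct Shape { int id; };
struct Group { int id; };
struct Entry { const Group* group = nullptr; const Shape* shape = nullptr; };

static Group g_groups[4];
static bool g_simulateOOM = false;   // flip to model an OOM inside the lookup

// Fallible lookup playing the role of defaultNewGroup(): nullptr on OOM.
// Using its result without a null check is the defect the bug reports.
static const Group* defaultNewGroup(const Shape* shape) {
    return g_simulateOOM ? nullptr : &g_groups[shape->id % 4];
}

class NewObjectCache {
    std::array<Entry, 8> entries_{};
  public:
    void fill(const Shape* shape) {            // cache an entry for `shape`
        entries_[shape->id % 8] = Entry{defaultNewGroup(shape), shape};
    }
    void purge() { entries_.fill(Entry{}); }   // drop every entry
    size_t liveCount() const {
        size_t n = 0;
        for (const Entry& e : entries_) n += (e.shape != nullptr);
        return n;
    }
    // Returns true after a targeted invalidation, false when the group lookup
    // failed and the whole cache was purged instead (the conservative fallback).
    bool invalidateEntriesForShape(const Shape* shape) {
        const Group* group = defaultNewGroup(shape);
        if (!group) { purge(); return false; } // OOM: never touch entries via null
        for (Entry& e : entries_)
            if (e.group == group && e.shape == shape) e = Entry{};
        return true;
    }
};

int main() {
    NewObjectCache cache; Shape s1{1}, s2{2};
    cache.fill(&s1); cache.fill(&s2);
    cache.invalidateEntriesForShape(&s1);      // targeted: only s1's entry goes
    g_simulateOOM = true;
    bool targeted = cache.invalidateEntriesForShape(&s2);   // OOM: purge
    std::printf("targeted=%d live=%zu\n", targeted, cache.liveCount());
    return 0;
}
```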
https://hg.mozilla.org/mozilla-central/rev/df765ccd9e52
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44