Bug 1193102 - Crash [@ js::NewObjectCache::invalidateEntriesForShape] with OOM
Status: RESOLVED FIXED (Closed)
Opened 9 years ago, closed 9 years ago
Categories: Core :: JavaScript Engine, defect
Target Milestone: mozilla44
People: Reporter: decoder, Assigned: jandem
References: Blocks 1 open bug
Keywords: crash, regression, testcase
Whiteboard: [jsbugmon:update,ignore]
Attachments (1 file): patch, 1.08 KB, reviewed by bhackett1024: review+
Description (Comment 0)

The following testcase crashes on mozilla-central revision 943b79d9c65f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

var lfcode = new Array();
lfcode.push = loadFile;
lfcode.push(`
oomAfterAllocations(10);
assertEq(/alpha@/.test(stack), true);
`);
function loadFile(lfVarx) {
  var lfGlobal = newGlobal();
  lfGlobal.offThreadCompileScript(lfVarx);
  lfGlobal.runOffThreadScript();
}

Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  js::NewObjectCache::invalidateEntriesForShape (this=<optimized out>, cx=cx@entry=0x7f8408b06800, shape=..., shape@entry=..., proto=proto@entry=...) at js/src/vm/Runtime.h:303
#1  0x00000000007337fe in js::EmptyShape::insertInitialShape (cx=cx@entry=0x7f8408b06800, shape=shape@entry=..., proto=proto@entry=...) at js/src/vm/Shape.cpp:1591
#2  0x000000000073b9da in ensureInitialCustomShape<js::RegExpObject> (obj=..., cx=0x7f8408b06800) at js/src/vm/Shape-inl.h:130
#3  js::RegExpObject::init (this=<optimized out>, cx=0x7f8408b06800, source=..., flags=js::NoFlags) at js/src/vm/RegExpObject.cpp:342
#4  0x000000000073ba93 in js::RegExpObjectBuilder::build (this=this@entry=0x7fff629728b0, source=..., source@entry=..., shared=...) at js/src/vm/RegExpObject.cpp:87
#5  0x000000000073be9f in js::RegExpObjectBuilder::clone (this=this@entry=0x7fff629728b0, other=other@entry=...) at js/src/vm/RegExpObject.cpp:132
#6  0x000000000073bfb2 in js::CloneRegExpObject (cx=cx@entry=0x7f8408b06800, obj_=0x7f84062630a0) at js/src/vm/RegExpObject.cpp:988
#7  0x00000000006afb0a in Interpret (cx=cx@entry=0x7f8408b06800, state=...) at js/src/vm/Interpreter.cpp:3263
#8  0x00000000006b692b in js::RunScript (cx=cx@entry=0x7f8408b06800, state=...) at js/src/vm/Interpreter.cpp:714
#9  0x00000000006c9eb9 in js::ExecuteKernel (cx=cx@entry=0x7f8408b06800, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x7fff62973508) at js/src/vm/Interpreter.cpp:955
#10 0x00000000006ca233 in js::Execute (cx=cx@entry=0x7f8408b06800, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x7fff62973508) at js/src/vm/Interpreter.cpp:989
#11 0x0000000000ac8f8b in ExecuteScript (cx=cx@entry=0x7f8408b06800, scope=..., script=..., rval=0x7fff62973508) at js/src/jsapi.cpp:4374
#12 0x0000000000ac907f in JS_ExecuteScript (cx=cx@entry=0x7f8408b06800, scriptArg=..., scriptArg@entry=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:4399
#13 0x000000000047ff81 in runOffThreadScript (cx=0x7f8408b06800, argc=<optimized out>, vp=0x7fff62973508) at js/src/shell/js.cpp:3352
#14 0x00000000006cff72 in js::CallJSNative (cx=0x7f8408b06800, native=0x47fe70 <runOffThreadScript(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#15 0x00000000006b7012 in js::Invoke (cx=cx@entry=0x7f8408b06800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:773
#16 0x00000000006b7f59 in js::Invoke (cx=cx@entry=0x7f8408b06800, thisv=..., fval=..., argc=<optimized out>, argv=0x7fff62973a08, rval=...) at js/src/vm/Interpreter.cpp:828
#17 0x0000000000be5874 in js::DirectProxyHandler::call (this=this@entry=0x1b2aac0 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7f8408b06800, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#18 0x0000000000bea192 in js::CrossCompartmentWrapper::call (this=0x1b2aac0 <js::CrossCompartmentWrapper::singleton>, cx=0x7f8408b06800, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
#19 0x0000000000be33d2 in js::Proxy::call (cx=cx@entry=0x7f8408b06800, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:391
#20 0x0000000000be348e in js::proxy_Call (cx=0x7f8408b06800, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:697
#21 0x00000000006cff72 in js::CallJSNative (cx=0x7f8408b06800, native=0xbe33f0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#22 0x00000000006b72ab in js::Invoke (cx=cx@entry=0x7f8408b06800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:761
#23 0x00000000006b7f59 in js::Invoke (cx=cx@entry=0x7f8408b06800, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7fff62973e98, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:828
#24 0x00000000008dceba in js::jit::DoCallFallback (cx=0x7f8408b06800, frame=0x7fff62973ec8, stub_=<optimized out>, argc=<optimized out>, vp=0x7fff62973e88, res=...) at js/src/jit/BaselineIC.cpp:10028
#25 0x00007f840a048bdf in ?? ()
#26 0x0000000000000008 in ?? ()
#27 0x00007fff62973e40 in ?? ()
#28 0xfff9000000000000 in ?? ()
#29 0x0000000001b41980 in js::jit::DoSpreadCallFallbackInfo ()
#30 0x00007f8406d54a90 in ?? ()
#31 0x00007f840a04c323 in ?? ()
#32 0x0000000000000802 in ?? ()
#33 0x00007fff62973ec8 in ?? ()
#34 0x00007f8408ba7420 in ?? ()
#35 0x0000000000000000 in ?? ()

Registers:

rax 0x7f84078a6388 140205038920584
rbx 0x7f8408b06800 140205058189312
rcx 0x0 0
rdx 0xc7ce0c7ce0c7ce0d -4049285284472828403
rsi 0x7f8408b400d8 140205058425048
rdi 0x7fff62972590 140734847460752
rbp 0x7fff62972610 140734847460880
rsp 0x7fff62972580 140734847460736
r8  0x9 9
r9  0x7f8408b3e920 140205058418976
r10 0x27 39
r11 0x0 0
r12 0x7fff629725c0 140734847460800
r13 0x1ae63e0 28206048
r14 0x7fff62972710 140734847461136
r15 0x7fff629725a0 140734847460768
rip 0x7333b7 <js::NewObjectCache::invalidateEntriesForShape(JSContext*, JS::Handle<js::Shape*>, JS::Handle<JSObject*>)+359>

Disassembly at the crash:

=> 0x7333b7 <js::NewObjectCache::invalidateEntriesForShape(JSContext*, JS::Handle<js::Shape*>, JS::Handle<JSObject*>)+359>: mov (%rcx),%rsi
   0x7333ba <js::NewObjectCache::invalidateEntriesForShape(JSContext*, JS::Handle<js::Shape*>, JS::Handle<JSObject*>)+362>: mov %rsi,%rax
Updated 9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1, 9 years ago

JSBugMon: Bisection requested, failed due to error (try manually).
Updated 9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 2, 9 years ago

JSBugMon: The testcase found in this bug no longer reproduces (tried revision f2f8cb92dce4).
Updated 9 years ago
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Comment 3, 9 years ago (Assignee)

Can't reproduce this on tip. Will try the original revision.
Comment 4, 9 years ago (Assignee)

NewObjectCache::invalidateEntriesForShape tries to invalidate entries corresponding to a particular shape. When the defaultNewGroup call OOMs though, I think the simplest way to handle that is to purge the whole cache and recover.

Attachment #8670206 - Flags: review?(bhackett1024)
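A simplified model of the failure mode and of the fix described in comment 4, added here as an example (it is not SpiderMonkey's code): the Shape, ObjectGroup and Context types, the defaultNewGroup stand-in and the cache API are assumptions. It shows how a null group from an allocation that failed under OOM reaches a pointer dereference inside the cache lookup, and how purging the whole cache on that path avoids it.

```cpp
#include <cstddef>
// Simplified model of a new-object cache keyed by object group (added example,
// not SpiderMonkey's code; Shape, ObjectGroup, Context and the API are stand-ins).
struct Shape { int id; };
struct ObjectGroup { int clasp; };

// Stand-in for the allocating lookup that OOMs in the report: nullptr on OOM.
struct Context {
    bool oom = false;
    const ObjectGroup* defaultNewGroup(const ObjectGroup* p) { return oom ? nullptr : p; }
};
class NewObjectCache {
    static const size_t kEntries = 16;
    struct Entry { const ObjectGroup* group; const Shape* shape; };
    Entry entries_[kEntries] = {};
    // Hashing dereferences `group`: with a null group this models the faulting
    // load (mov (%rcx),%rsi with rcx == 0 in the register dump above).
    static size_t slotFor(const ObjectGroup* group) {
        return static_cast<size_t>(group->clasp) % kEntries;
    }
public:
    void fill(const ObjectGroup* g, const Shape* s) { entries_[slotFor(g)] = {g, s}; }
    size_t liveEntries() const {
        size_t n = 0;
        for (const Entry& e : entries_) n += (e.group != nullptr);
        return n;
    }
    void purge() { for (Entry& e : entries_) e = {}; }
    // Hardened invalidation. Without the `if (!group)` line this is the crashing
    // version (slotFor(nullptr) on OOM); with it, an OOM purges the whole cache,
    // which is always safe, and returns false so the caller can recover.
    bool invalidateEntriesForShape(Context& cx, const Shape* shape,
                                   const ObjectGroup* proto) {
        const ObjectGroup* group = cx.defaultNewGroup(proto);
        if (!group) { purge(); return false; }
        Entry& e = entries_[slotFor(group)];
        if (e.group == group && e.shape == shape) e = {};
        return true;
    }
};

// Fills two entries, invalidates one shape, and returns how many entries remain:
// 1 on the normal path, 0 when defaultNewGroup OOMs and the cache is purged.
size_t entriesAfterInvalidate(bool oom) {
    Shape s1{1}, s2{2}; ObjectGroup g1{3}, g2{4};
    Context cx; NewObjectCache cache;
    cache.fill(&g1, &s1);
    cache.fill(&g2, &s2);
    cx.oom = oom;
    cache.invalidateEntriesForShape(cx, &s1, &g1);
    return cache.liveEntries();
}
```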
Updated 9 years ago
Attachment #8670206 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/df765ccd9e52
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44