Assertion failure: defined_, at js/src/asmjs/AsmJSValidate.cpp:1424 with OOM

RESOLVED FIXED in Firefox 43

Status


defect
--
critical
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: decoder, Assigned: bbouvier)

Tracking

(Blocks 2 bugs, {assertion, regression, testcase})

Trunk
mozilla43
x86_64
Linux
Points:
---

Firefox Tracking Flags

(firefox43 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(1 attachment, 1 obsolete attachment)

Reporter

Description

4 years ago
The following testcase crashes on mozilla-central revision c69e31de9aec (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks):

// Reduced fuzzer testcase from the report above: drives the asm.js validator
// into an assertion under simulated OOM. The exact statement sequence governs
// when the simulated allocation failure kicks in, so it is kept as reported.
var lfcode = new Array();
// Overrides the array's push so the call below hands the source text to
// loadFile instead of appending it.
lfcode.push = loadFile;
// Shell-only testing hook (debug/fuzzing shell): makes allocations start
// failing after the given count. The second argument appears to select the
// affected thread type — confirm against the shell's help() output.
oomAfterAllocations(50, 2);
// Fragment of an asm.js module body. Only f is declared here (no import of
// `pow`), and the fragment is not a complete function on its own; loadFile
// supplies the enclosing function text.
lfcode.push(`
        "use asm";
        function f() {
            return +pow(.0, .0)
`);
// Wraps the received text in an immediately-invoked function expression and
// evals it. Per the backtrace, parsing the "use asm" directive
// (maybeParseDirective -> asmJS -> ValidateAsmJS) is what runs the validator.
function loadFile(lfVarx) {
            eval("(function() { " + lfVarx + " })();");
}


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000000000042d61c in (anonymous namespace)::ModuleValidator::Func::srcBegin (this=<optimized out>, this=<optimized out>) at js/src/asmjs/AsmJSValidate.cpp:1424
#1  0x000000000043fdc1 in srcBegin (this=<optimized out>, this=<optimized out>) at js/src/asmjs/AsmJSValidate.cpp:1424
#2  CheckFunctions (m=..., results=results@entry=0x7fff2462f620) at js/src/asmjs/AsmJSValidate.cpp:11043
#3  0x00000000005c2543 in CheckModule (compilationTimeReport=0x7fff2462f600, moduleOut=0x7fff2462f610, stmtList=0x7fff2462fa00, parser=..., cx=<optimized out>) at js/src/asmjs/AsmJSValidate.cpp:12386
#4  js::ValidateAsmJS (cx=<optimized out>, parser=..., stmtList=stmtList@entry=0x7f206028b140, validated=validated@entry=0x7fff2462fa00) at js/src/asmjs/AsmJSValidate.cpp:12470
#5  0x00000000004c582a in js::frontend::Parser<js::frontend::FullParseHandler>::asmJS (this=this@entry=0x7fff246317d0, list=0x7f206028b140) at js/src/frontend/Parser.cpp:2987
#6  0x00000000004da1af in js::frontend::Parser<js::frontend::FullParseHandler>::maybeParseDirective (this=this@entry=0x7fff246317d0, list=list@entry=0x7f206028b140, pn=pn@entry=0x7f206028b1b0, cont=cont@entry=0x7fff2462fa80) at js/src/frontend/Parser.cpp:3062
#7  0x00000000004f7c6c in js::frontend::Parser<js::frontend::FullParseHandler>::statements (this=this@entry=0x7fff246317d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3128
#8  0x00000000004f7feb in js::frontend::Parser<js::frontend::FullParseHandler>::functionBody (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, kind=kind@entry=js::frontend::Expression, type=type@entry=js::frontend::Parser<js::frontend::FullParseHandler>::StatementListBody) at js/src/frontend/Parser.cpp:1141
#9  0x00000000004f8577 in js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBodyGeneric (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, pn=pn@entry=0x7f206028b020, fun=fun@entry=..., kind=kind@entry=js::frontend::Expression) at js/src/frontend/Parser.cpp:2809
#10 0x00000000004ceb29 in js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBody (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, pn=0x7f206028b020, fun=..., fun@entry=..., kind=kind@entry=js::frontend::Expression, generatorKind=generatorKind@entry=js::NotGenerator, inheritedDirectives=..., newDirectives=newDirectives@entry=0x7fff246300b0) at js/src/frontend/Parser.cpp:2613
#11 0x00000000004f8a7a in js::frontend::Parser<js::frontend::FullParseHandler>::functionDef (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, funName=..., funName@entry=..., kind=kind@entry=js::frontend::Expression, generatorKind=generatorKind@entry=js::NotGenerator, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictInvoked) at js/src/frontend/Parser.cpp:2443
#12 0x00000000004f9057 in js::frontend::Parser<js::frontend::FullParseHandler>::functionExpr (this=this@entry=0x7fff246317d0, invoked=js::frontend::Parser<js::frontend::FullParseHandler>::PredictInvoked) at js/src/frontend/Parser.cpp:2925
#13 0x00000000004fcdda in js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr (this=this@entry=0x7fff246317d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tt=<optimized out>, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictInvoked) at js/src/frontend/Parser.cpp:9148
#14 0x00000000004fec14 in js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr (this=this@entry=0x7fff246317d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tt=js::frontend::TOK_FUNCTION, allowCallSyntax=allowCallSyntax@entry=true, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictInvoked) at js/src/frontend/Parser.cpp:8450
#15 0x00000000004ff8c4 in js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr (this=this@entry=0x7fff246317d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictInvoked) at js/src/frontend/Parser.cpp:7376
#16 0x00000000004ffae6 in js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1 (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictInvoked) at js/src/frontend/Parser.cpp:6895
#17 0x00000000004ffd3e in js::frontend::Parser<js::frontend::FullParseHandler>::condExpr1 (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictInvoked) at js/src/frontend/Parser.cpp:6947
#18 0x00000000004f91eb in js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictInvoked) at js/src/frontend/Parser.cpp:7062
#19 0x00000000004f988f in js::frontend::Parser<js::frontend::FullParseHandler>::expr (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictInvoked) at js/src/frontend/Parser.cpp:6763
#20 0x0000000000500155 in js::frontend::Parser<js::frontend::FullParseHandler>::parenExprOrGeneratorComprehension (this=this@entry=0x7fff246317d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:9280
#21 0x00000000004fcd90 in js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr (this=this@entry=0x7fff246317d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tt=<optimized out>, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:9164
#22 0x00000000004fec14 in js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr (this=this@entry=0x7fff246317d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tt=js::frontend::TOK_LP, allowCallSyntax=allowCallSyntax@entry=true, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:8450
#23 0x00000000004ff8c4 in js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr (this=this@entry=0x7fff246317d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:7376
#24 0x00000000004ffae6 in js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1 (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:6895
#25 0x00000000004ffd3e in js::frontend::Parser<js::frontend::FullParseHandler>::condExpr1 (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:6947
#26 0x00000000004f91eb in js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:7062
#27 0x00000000004f988f in js::frontend::Parser<js::frontend::FullParseHandler>::expr (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:6763
#28 0x00000000004fa4d3 in js::frontend::Parser<js::frontend::FullParseHandler>::expressionStatement (this=this@entry=0x7fff246317d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:4947
#29 0x00000000004f756d in js::frontend::Parser<js::frontend::FullParseHandler>::statement (this=this@entry=0x7fff246317d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, canHaveDirectives=<optimized out>) at js/src/frontend/Parser.cpp:6655
#30 0x0000000000635b3f in BytecodeCompiler::compileScript (this=this@entry=0x7fff24631150, scopeChain=..., scopeChain@entry=..., evalCaller=evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:588
#31 0x00000000006360a3 in js::frontend::CompileScript (cx=cx@entry=0x7f2060206800, alloc=<optimized out>, scopeChain=..., enclosingStaticScope=..., evalCaller=evalCaller@entry=..., options=..., srcBuf=..., source_=source_@entry=0x0, extraSct=extraSct@entry=0x7fff246321f0, sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:807
#32 0x0000000000aeb839 in Evaluate (cx=cx@entry=0x7f2060206800, scope=..., staticScope=..., staticScope@entry=..., optionsArg=..., srcBuf=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:4446
#33 0x0000000000aebbc4 in JS::Evaluate (cx=cx@entry=0x7f2060206800, options=..., bytes=<optimized out>, length=211, rval=rval@entry=...) at js/src/jsapi.cpp:4503
#34 0x0000000000b121c6 in Evaluate (rval=..., filename=0x7f205e240ec0 "/home/ubuntu/work/work-2015-09-15-11-07-31/mutant32344_testBug989166.js", optionsArg=..., cx=0x7f2060206800, cx@entry=0x7fff24632440) at js/src/jsapi.cpp:4520
#35 JS::Evaluate (cx=cx@entry=0x7f2060206800, optionsArg=..., filename=<optimized out>, rval=rval@entry=...) at js/src/jsapi.cpp:4556
#36 0x000000000048811e in LoadScript (cx=0x7f2060206800, argc=<optimized out>, vp=0x7fff24632738, scriptRelative=false) at js/src/shell/js.cpp:785
#37 0x00007f20616e6d68 in ?? ()
#38 0x0000000000000008 in ?? ()
#39 0x00007fff24632710 in ?? ()
#40 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fff2462f6d0	140733803853520
rcx	0x7f206052c88d	139777031719053
rdx	0x0	0
rsi	0x7f20608019d0	139777034688976
rdi	0x7f20608001c0	139777034682816
rbp	0x7fff2462f3b0	140733803852720
rsp	0x7fff2462f3b0	140733803852720
r8	0x7f2061871780	139777051924352
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7f20607fdbe0	139777034673120
r11	0x0	0
r12	0x7fff2462f4e0	140733803853024
r13	0x7f2060205c00	139777028414464
r14	0x7fff2462f4b0	140733803852976
r15	0x7f205e3cf600	139776996734464
rip	0x42d61c <(anonymous namespace)::ModuleValidator::Func::srcBegin() const+28>
=> 0x42d61c <(anonymous namespace)::ModuleValidator::Func::srcBegin() const+28>:	movl   $0x590,0x0
   0x42d627 <(anonymous namespace)::ModuleValidator::Func::srcBegin() const+39>:	callq  0x49b880 <abort()>

Updated

4 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1

4 years ago
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150911071052" and the hash "9394c5f63b56b784dcdb9f70fa0b7f428bdf4d8c".
The "bad" changeset has the timestamp "20150911071250" and the hash "9c1c2581ad6501c9a8a36920043856d46ec19c20".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=9394c5f63b56b784dcdb9f70fa0b7f428bdf4d8c&tochange=9c1c2581ad6501c9a8a36920043856d46ec19c20
Assignee

Comment 2

4 years ago
Fortunately, bug 1181612 will bring type sanity to this line of code, by removing the reinterpret cast.
Assignee: nobody → benj
Status: NEW → ASSIGNED
Attachment #8661344 - Flags: review?(luke)

Updated

4 years ago
Attachment #8661344 - Flags: review?(luke) → review+
Assignee: benj → hv1989
Attachment #8661707 - Flags: review?(benj)
Comment on attachment 8661707 [details] [diff] [review]
maybeFunc contains AsmFunction

Apparently too late ;)
Attachment #8661707 - Attachment is obsolete: true
Attachment #8661707 - Flags: review?(benj)
https://hg.mozilla.org/mozilla-central/rev/2590668bd232
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43

Updated

4 years ago
Assignee: hv1989 → benj