Closed
Bug 1205708
Opened 9 years ago
Closed 9 years ago
Assertion failure: !errorString_, at js/src/asmjs/AsmJSValidate.cpp:2096 with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla44
People
(Reporter: decoder, Assigned: bbouvier)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,ignore])
Attachments
(1 file)
3.54 KB,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision e7d613b3bcfe (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --baseline-eager --ion-extra-checks --ion-eager): var lfcode = new Array(); var lfRunTypeId = -1; lfcode.push = loadFile; oomAfterAllocations(10, 2); lfcode.push(` function mod(stdlib, ffi, heap) { "use asm"; function f3(k) { k = k | 0; } function g3(k) {} `); function loadFile(lfVarx) { switch (lfRunTypeId) { default: evaluate(lfVarx, { }); } } Backtrace: Program terminated with signal SIGSEGV, Segmentation fault. #0 0x0000000000536dcd in (anonymous namespace)::ModuleValidator::failOffset ( this=0x7fff7df2da30, offset=<optimized out>, str=<optimized out>) at js/src/asmjs/AsmJSValidate.cpp:2096 To enable execution of this file add add-auto-load-safe-path /home/ubuntu/mozilla-central/js/src/debug64/dist/bin/js-gdb.py line to your configuration file "/home/ubuntu/.gdbinit". To completely disable this security protection add set auto-load safe-path / line to your configuration file "/home/ubuntu/.gdbinit". For more information about this security protection see the "Auto-loading safe path" section in the GDB manual. E.g., run from the shell: info "(gdb)Auto-loading safe path" #0 0x0000000000536dcd in (anonymous namespace)::ModuleValidator::failOffset (this=0x7fff7df2da30, offset=<optimized out>, str=<optimized out>) at js/src/asmjs/AsmJSValidate.cpp:2096 #1 0x000000000043fb16 in CheckFunctions (m=..., results=results@entry=0x7fff7df2d980) at js/src/asmjs/AsmJSValidate.cpp:11045 #2 0x00000000005b52a3 in CheckModule (compilationTimeReport=0x7fff7df2d960, moduleOut=0x7fff7df2d970, stmtList=0x7fff7df2da30, parser=..., cx=0x7f1d6ae06800) at js/src/asmjs/AsmJSValidate.cpp:12388 #3 js::ValidateAsmJS (cx=0x7f1d6ae06800, parser=..., stmtList=stmtList@entry=0x7f1d6ae8b6b0, validated=validated@entry=0x7fff7df2dd60) at js/src/asmjs/AsmJSValidate.cpp:12472 #4 0x00000000004c21ca in js::frontend::Parser<js::frontend::FullParseHandler>::asmJS (this=this@entry=0x7fff7df2f0d0, list=0x7f1d6ae8b6b0) at js/src/frontend/Parser.cpp:2987 #5 0x00000000004d630f in js::frontend::Parser<js::frontend::FullParseHandler>::maybeParseDirective (this=this@entry=0x7fff7df2f0d0, list=list@entry=0x7f1d6ae8b6b0, pn=pn@entry=0x7f1d6ae8b720, cont=cont@entry=0x7fff7df2dde0) at js/src/frontend/Parser.cpp:3062 #6 0x00000000004f3414 in js::frontend::Parser<js::frontend::FullParseHandler>::statements (this=this@entry=0x7fff7df2f0d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3128 #7 0x00000000004f377b in js::frontend::Parser<js::frontend::FullParseHandler>::functionBody (this=this@entry=0x7fff7df2f0d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, kind=kind@entry=js::frontend::Statement, type=type@entry=js::frontend::Parser<js::frontend::FullParseHandler>::StatementListBody) at js/src/frontend/Parser.cpp:1141 #8 0x00000000004f3cf0 in js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBodyGeneric (this=this@entry=0x7fff7df2f0d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, pn=pn@entry=0x7f1d6ae8b288, fun=fun@entry=..., kind=kind@entry=js::frontend::Statement) at js/src/frontend/Parser.cpp:2809 #9 0x00000000004cb2c5 in js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBody (this=this@entry=0x7fff7df2f0d0, inHandling=inHandling@entry=js::frontend::InAllowed, pn=0x7f1d6ae8b288, fun=..., fun@entry=..., kind=kind@entry=js::frontend::Statement, generatorKind=generatorKind@entry=js::NotGenerator, inheritedDirectives=..., newDirectives=newDirectives@entry=0x7fff7df2e400) at js/src/frontend/Parser.cpp:2613 #10 0x00000000004f40da in js::frontend::Parser<js::frontend::FullParseHandler>::functionDef (this=this@entry=0x7fff7df2f0d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, funName=..., funName@entry=..., kind=kind@entry=js::frontend::Statement, generatorKind=generatorKind@entry=js::NotGenerator, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:2443 #11 0x00000000004f43a9 in js::frontend::Parser<js::frontend::FullParseHandler>::functionStmt (this=this@entry=0x7fff7df2f0d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, defaultHandling=defaultHandling@entry=js::frontend::NameRequired) at js/src/frontend/Parser.cpp:2893 #12 0x00000000004f2f2d in js::frontend::Parser<js::frontend::FullParseHandler>::statement (this=this@entry=0x7fff7df2f0d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, canHaveDirectives=<optimized out>) at js/src/frontend/Parser.cpp:6718 #13 0x000000000062668b in BytecodeCompiler::compileScript (this=this@entry=0x7fff7df2ea60, scopeChain=..., scopeChain@entry=..., evalCaller=evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:588 #14 0x0000000000626be3 in js::frontend::CompileScript (cx=cx@entry=0x7f1d6ae06800, alloc=<optimized out>, scopeChain=..., enclosingStaticScope=..., enclosingStaticScope@entry=..., evalCaller=evalCaller@entry=..., options=..., srcBuf=..., source_=source_@entry=0x0, extraSct=extraSct@entry=0x7fff7df2fad0, sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:807 #15 0x0000000000b8db04 in Evaluate (cx=cx@entry=0x7f1d6ae06800, scope=..., staticScope=..., staticScope@entry=..., optionsArg=..., srcBuf=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:4446 #16 0x0000000000b8ddd4 in JS::Evaluate (cx=cx@entry=0x7f1d6ae06800, options=..., bytes=<optimized out>, length=3860, rval=rval@entry=...) at js/src/jsapi.cpp:4503 #17 0x0000000000b8e0f7 in Evaluate (rval=..., filename=<optimized out>, optionsArg=..., cx=0x7f1d6ae06800, cx@entry=0x7fff7df2fce0) at js/src/jsapi.cpp:4520 #18 JS::Evaluate (cx=cx@entry=0x7f1d6ae06800, optionsArg=..., filename=<optimized out>, rval=..., rval@entry=...) at js/src/jsapi.cpp:4556 #19 0x0000000000486751 in LoadScript (cx=0x7f1d6ae06800, argc=<optimized out>, vp=0x7fff7df2ffc8, scriptRelative=false) at js/src/shell/js.cpp:785 #20 0x00007f1d6a1747ff in ?? () #21 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x7fff7df2da30 140735306455600 rcx 0x7f1d6b16588d 139764327405709 rdx 0x0 0 rsi 0x7f1d6b43a9d0 139764330375632 rdi 0x7f1d6b4391c0 139764330369472 rbp 0x7fff7df2d710 140735306454800 rsp 0x7fff7df2d6f0 140735306454768 r8 0x7f1d6c4aa780 139764347611008 r9 0x6372732f736a2f6c 7165916604736876396 r10 0x7f1d6b436be0 139764330359776 r11 0x0 0 r12 0x7fff7df2d840 140735306455104 r13 0x7f1d6ae05c00 139764323867648 r14 0x7fff7df2d810 140735306455056 r15 0x0 0 rip 0x536dcd <(anonymous namespace)::ModuleValidator::failOffset(uint32_t, char const*)+141> => 0x536dcd <(anonymous namespace)::ModuleValidator::failOffset(uint32_t, char const*)+141>: movl $0x830,0x0 0x536dd8 <(anonymous namespace)::ModuleValidator::failOffset(uint32_t, char const*)+152>: callq 0x4982c0 <abort()>
Updated•9 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•9 years ago
|
||
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20150911071052" and the hash "9394c5f63b56b784dcdb9f70fa0b7f428bdf4d8c". The "bad" changeset has the timestamp "20150911071250" and the hash "9c1c2581ad6501c9a8a36920043856d46ec19c20". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=9394c5f63b56b784dcdb9f70fa0b7f428bdf4d8c&tochange=9c1c2581ad6501c9a8a36920043856d46ec19c20
Updated•9 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 2•9 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision de0e763b5210).
Assignee | ||
Comment 3•9 years ago
|
||
(In reply to Fuzzing Team from comment #2) > JSBugMon: The testcase found in this bug no longer reproduces (tried > revision de0e763b5210). And yet, it moves! So the error is the following: there's an OOM on the helper thread, but validation has already failed on the main thread. So we already have an errorString_ and we try to clobber it (not security-sensitive). I thought we could assume that if the main thread didn't set an error, then the error **must** have occurred on the helper thread; but that's actually not the case. When we hit a syntax error that would be thrown even on "normal" JS, then we just silently return false from asm.js (to not throw the SyntaxError twice).
Updated•9 years ago
|
Attachment #8663627 -
Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/da185719b98e
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox44:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
You need to log in
before you can comment on or make changes to this bug.
Description
•