1211949 - Crash [@ js::NativeObject::setLastProperty] with OOM

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central-oom (https://github.com/nbp/gecko-dev/tree/oom) revision c119c16978b4f08f5e0c1269b52b9fdd9085be5f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --baseline-eager --ion-offthread-compile=off --ion-extra-checks main.js):

See attachment.


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::NativeObject::setLastProperty (this=0x0, cx=cx@entry=0x7ffff6907400, shape=0x7ffff7e91240) at js/src/vm/NativeObject.cpp:288
#0  js::NativeObject::setLastProperty (this=0x0, cx=cx@entry=0x7ffff6907400, shape=0x7ffff7e91240) at js/src/vm/NativeObject.cpp:288
#1  0x000000000070de79 in js::ObjectGroup::newPlainObject (cx=cx@entry=0x7ffff6907400, properties=<optimized out>, nproperties=<optimized out>, newKind=newKind@entry=js::TenuredObject) at js/src/vm/ObjectGroup.cpp:1338
#2  0x0000000000620bb5 in js::frontend::ParseNode::getConstantValue (this=this@entry=0x7ffff6990ea0, cx=cx@entry=0x7ffff6907400, allowObjects=allowObjects@entry=js::frontend::ParseNode::AllowObjects, vp=..., compare=0x7fffffffb010, ncompare=ncompare@entry=0, newKind=newKind@entry=js::TenuredObject) at js/src/frontend/BytecodeEmitter.cpp:4729
#3  0x0000000000620f52 in js::frontend::ParseNode::getConstantValue (this=this@entry=0x7ffff6990df8, cx=0x7ffff6907400, allowObjects=allowObjects@entry=js::frontend::ParseNode::AllowObjects, vp=..., vp@entry=..., compare=compare@entry=0x0, ncompare=ncompare@entry=0, newKind=newKind@entry=js::TenuredObject) at js/src/frontend/BytecodeEmitter.cpp:4670
#4  0x00000000006213d4 in js::frontend::BytecodeEmitter::emitSingletonInitialiser (this=this@entry=0x7fffffffc470, pn=pn@entry=0x7ffff6990df8) at js/src/frontend/BytecodeEmitter.cpp:4751
#5  0x000000000062e27b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc470, pn=pn@entry=0x7ffff6990df8) at js/src/frontend/BytecodeEmitter.cpp:7930
#6  0x000000000063b4ab in js::frontend::BytecodeEmitter::emitCallOrNew (this=0x7fffffffc470, pn=0x7ffff6990f10) at js/src/frontend/BytecodeEmitter.cpp:6748
#7  0x000000000062dbab in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7fffffffc470, pn=pn@entry=0x7ffff6990f10) at js/src/frontend/BytecodeEmitter.cpp:7861
#8  0x000000000063953f in js::frontend::BytecodeEmitter::emitStatement (this=this@entry=0x7fffffffc470, pn=pn@entry=0x7ffff6990698) at js/src/frontend/BytecodeEmitter.cpp:6413
#9  0x000000000062db9b in js::frontend::BytecodeEmitter::emitTree (this=0x7fffffffc470, pn=0x7ffff6990698) at js/src/frontend/BytecodeEmitter.cpp:7699
#10 0x000000000062e630 in BytecodeCompiler::prepareAndEmitTree (this=this@entry=0x7fffffffb7d0, ppn=ppn@entry=0x7fffffffb410, pc=...) at js/src/frontend/BytecodeCompiler.cpp:387
#11 0x000000000062eaea in BytecodeCompiler::compileScript (this=this@entry=0x7fffffffb7d0, scopeChain=..., scopeChain@entry=..., evalCaller=evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:606
#12 0x000000000062efd3 in js::frontend::CompileScript (cx=cx@entry=0x7ffff6907400, alloc=<optimized out>, scopeChain=..., enclosingStaticScope=..., enclosingStaticScope@entry=..., evalCaller=evalCaller@entry=..., options=..., srcBuf=..., source_=source_@entry=0x0, extraSct=extraSct@entry=0x7fffffffc830, sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:808
#13 0x0000000000b848cb in Evaluate (cx=cx@entry=0x7ffff6907400, scope=..., staticScope=staticScope@entry=..., optionsArg=..., srcBuf=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:4537
#14 0x0000000000b84ba4 in JS::Evaluate (cx=cx@entry=0x7ffff6907400, options=..., bytes=<optimized out>, length=3050, rval=rval@entry=...) at js/src/jsapi.cpp:4594
#15 0x0000000000b84ece in Evaluate (rval=..., filename=<optimized out>, optionsArg=..., cx=0x7ffff6907400, cx@entry=0x7fffffffca40) at js/src/jsapi.cpp:4611
#16 JS::Evaluate (cx=cx@entry=0x7ffff6907400, optionsArg=..., filename=<optimized out>, rval=..., rval@entry=...) at js/src/jsapi.cpp:4647
#17 0x0000000000485741 in LoadScript (cx=0x7ffff6907400, argc=<optimized out>, vp=0x7fffffffcd28, scriptRelative=false) at js/src/shell/js.cpp:797
#18 0x00007ffff7ff57f8 in ?? ()
#19 0x00000000ffffffff in ?? ()
#20 0x00007fffffffcd00 in ?? ()
#21 0x0000000000000000 in ?? ()
rax	0x7fffffffac60	140737488333920
rbx	0x7ffff6907400	140737330050048
rcx	0x7ffff7dd5320	140737351865120
rdx	0x7ffff7e91240	140737352634944
rsi	0x7ffff6907400	140737330050048
rdi	0x0	0
rbp	0x7fffffffaac0	140737488333504
rsp	0x7fffffffaaa0	140737488333472
r8	0x0	0
r9	0x7ffff6907420	140737330050080
r10	0x1	1
r11	0x206	518
r12	0x0	0
r13	0x7ffff69b3980	140737330755968
r14	0x7ffff7e92550	140737352639824
r15	0x3	3
rip	0x6f127e <js::NativeObject::setLastProperty(js::ExclusiveContext*, js::Shape*)+14>
=> 0x6f127e <js::NativeObject::setLastProperty(js::ExclusiveContext*, js::Shape*)+14>:	mov    0x8(%rdi),%rax
   0x6f1282 <js::NativeObject::setLastProperty(js::ExclusiveContext*, js::Shape*)+18>:	test   %rax,%rax

Comment 1

[Christian Holler (:decoder)]

Attachment: Testcase

Comment 2

[Nicolas B. Pierron [:nbp]]

I am unable to reproduce :(

Comment 3

[Lars T Hansen [:lth]]

Reproduces on Mac OS X, also in the debugger, here:

   372 	  public:
   373 	    Shape* lastProperty() const {
-> 374 	        MOZ_ASSERT(shape_);
   375 	        return shape_;
   376 	    }
   377

Comment 4

[Lars T Hansen [:lth]]

Missing null pointer check in ObjectGroup::newPlainObject().

Comment 5

[Lars T Hansen [:lth]]

Patch is on oom branch.

Comment 6

[Lars T Hansen [:lth]]

Attachment: bug1211949-nullcheck.patch

Comment 7

[Lars T Hansen [:lth]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/34ea1b7a28ff79db15306b46c2d084c674da43bf
Bug 1211949 - check for allocation failure. r=nbp

Comment 8

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/34ea1b7a28ff