Closed Bug 1211956 Opened 9 years ago Closed 9 years ago

Crash [@ base] with OOM

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla44
Tracking Status
firefox44 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:ignore][js-oom2015])

Attachments

(1 file)

The following testcase crashes on mozilla-central-oom (https://github.com/nbp/gecko-dev/tree/oom) revision c119c16978b4f08f5e0c1269b52b9fdd9085be5f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe):

function TestCase(n, d, e, a)
this.type = (typeof window == 'undefined' ? 'shell' : 'browser');
var SECTION = "11.9.2";
new TestCase(SECTION, "void 0 == void 0", false, void 0 != void 0);
new TestCase(SECTION, "null == null", false, null != null);
new TestCase(SECTION, "NaN != NaN", true, Number.NaN != Number.NaN);
new TestCase(SECTION, "NaN != 0", true, "while (1");
new TestCase(SECTION, "0 != NaN", true, 0 != Number.NaN);
new TestCase(SECTION, "NaN != Infinity", true, Number.NaN != Number.POSITIVE_INFINITY);
new TestCase(SECTION, "Infinity != NaN", true, Number.POSITIVE_INFINITY != Number.NaN);
new TestCase(SECTION, "Number.MAX_VALUE != Number.MAX_VALUE", false, Number.MAX_VALUE != Number.MAX_VALUE);
new TestCase(SECTION, "Number.MIN_VALUE != Number.MIN_VALUE", false, Number.MIN_VALUE != Number.MIN_VALUE);
new TestCase(SECTION, "Number.POSITIVE_INFINITY != Number.POSITIVE_INFINITY", false, Number.POSITIVE_INFINITY != Number.POSITIVE_INFINITY);
new TestCase(SECTION, "Number.NEGATIVE_INFINITY != Number.NEGATIVE_INFINITY", false, Number.NEGATIVE_INFINITY != Number.NEGATIVE_INFINITY);
new TestCase(SECTION, "0 != 0", false, 0 != 0);
new TestCase(SECTION, "0 != -0", false, 0 != -0);
new TestCase(SECTION, "-0 != 0", false, -0 != 0);
new TestCase(SECTION, "-0 != -0", false, -0 != -0);
new TestCase(SECTION, "0.9 != 1", true, 0.9 != 1);
new TestCase(SECTION, "0.999999 != 1", true, 0.999999 != 1);
oomAfterAllocations(5);
new TestCase(SECTION, "0.9999999999999 != 1", true, 0.9999999999999 != 1);
new TestCase(SECTION, "true != true", false, true != true);
new TestCase(SECTION, "false != false", false, false != false);
new TestCase(SECTION, "true != false", true, true != false);


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000766d87 in base (this=0x0) at js/src/vm/Shape.h:820
#0  0x0000000000766d87 in base (this=0x0) at js/src/vm/Shape.h:820
#1  js::ReshapeForAllocKind (cx=cx@entry=0x7ffff6907400, shape=shape@entry=0x7ffff7e79e98, proto=..., allocKind=allocKind@entry=js::gc::OBJECT2) at js/src/vm/Shape.cpp:636
#2  0x0000000000777c10 in ChangeObjectFixedSlotCount (allocKind=js::gc::OBJECT2, obj=0x7ffff7e5f100, cx=0x7ffff6907400) at js/src/vm/TypeInference.cpp:3580
#3  js::TypeNewScript::maybeAnalyze (this=0x7ffff3e15b20, cx=cx@entry=0x7ffff6907400, group=0x7ffff7e5c6d0, regenerate=regenerate@entry=0x7fffffffcc80, force=force@entry=false) at js/src/vm/TypeInference.cpp:3691
#4  0x0000000000b92ba4 in js::CreateThisForFunctionWithProto (cx=cx@entry=0x7ffff6907400, callee=..., callee@entry=..., proto=proto@entry=..., newKind=newKind@entry=js::GenericObject) at js/src/jsobj.cpp:984
#5  0x0000000000b93332 in js::CreateThisForFunction (cx=cx@entry=0x7ffff6907400, callee=callee@entry=..., newKind=js::GenericObject) at js/src/jsobj.cpp:1019
#6  0x00000000006d5e4f in js::RunState::maybeCreateThisForConstructor (this=this@entry=0x7fffffffd248, cx=cx@entry=0x7ffff6907400) at js/src/vm/Interpreter.cpp:352
#7  0x00000000009b68b0 in js::jit::CanEnter (cx=cx@entry=0x7ffff6907400, state=...) at js/src/jit/Ion.cpp:2549
#8  0x00000000006f90bc in Interpret (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:3100
#9  0x0000000000707243 in js::RunScript (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:709
#10 0x000000000070d2e4 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907400, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=<optimized out>, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:983
#11 0x000000000070d639 in js::Execute (cx=cx@entry=0x7ffff6907400, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:1018
#12 0x0000000000b7929b in ExecuteScript (cx=cx@entry=0x7ffff6907400, scope=..., script=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4453
#13 0x0000000000b793bb in JS_ExecuteScript (cx=cx@entry=0x7ffff6907400, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4484
#14 0x0000000000428699 in RunFile (compileOnly=false, file=0x7ffff699d800, filename=0x7fffffffe18f "min.js", cx=0x7ffff6907400) at js/src/shell/js.cpp:468
#15 Process (cx=cx@entry=0x7ffff6907400, filename=0x7fffffffe18f "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:586
#16 0x0000000000477ce2 in ProcessArgs (op=0x7fffffffdb50, cx=0x7ffff6907400) at js/src/shell/js.cpp:5923
#17 Shell (envp=<optimized out>, op=0x7fffffffdb50, cx=0x7ffff6907400) at js/src/shell/js.cpp:6223
#18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6579
rax	0x0	0
rbx	0x7ffff6907400	140737330050048
rcx	0x7ffff7e2e138	140737352229176
rdx	0x0	0
rsi	0x44	68
rdi	0x7fffffffc840	140737488341056
rbp	0x7fffffffca40	140737488341568
rsp	0x7fffffffc880	140737488341120
r8	0x3c	60
r9	0x7ffff6956000	140737330372608
r10	0xaf4d764e	2941089358
r11	0x0	0
r12	0x0	0
r13	0x0	0
r14	0x7fffffffc940	140737488341312
r15	0x7fffffffc920	140737488341280
rip	0x766d87 <js::ReshapeForAllocKind(JSContext*, js::Shape*, js::TaggedProto, js::gc::AllocKind)+711>
=> 0x766d87 <js::ReshapeForAllocKind(JSContext*, js::Shape*, js::TaggedProto, js::gc::AllocKind)+711>:	mov    (%rdx),%rdx
   0x766d8a <js::ReshapeForAllocKind(JSContext*, js::Shape*, js::TaggedProto, js::gc::AllocKind)+714>:	testb  $0x1,0x10(%rdx)
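Added illustration, not code from this bug's patch or from SpiderMonkey: a C model of the OOM fault injection that `oomAfterAllocations(5)` performs in the testcase, together with the null check on the freshly obtained shape that the backtrace (`base (this=0x0)` inside `ReshapeForAllocKind`) shows was missing and that the attached checkshape.patch presumably adds. `Shape`, `BaseShape`, `js_alloc`, `oom_sweep` and the other names here are simplified stand-ins; the actual patch contents are not on the page.

```c
#include <stdlib.h>

/* Fault-injecting allocator modelled on the shell's oomAfterAllocations(n):
 * after n more successful allocations every request returns NULL. */
static long oom_budget = -1;                 /* -1 means unlimited */
static void oom_after_allocations(long n) { oom_budget = n; }
static void *js_alloc(size_t sz) {
    if (oom_budget == 0) return NULL;        /* simulated OOM */
    if (oom_budget > 0) oom_budget--;
    return calloc(1, sz);
}

/* Simplified stand-ins for js::Shape and js::BaseShape (assumed layout). */
typedef struct BaseShape { unsigned flags; } BaseShape;
typedef struct Shape { BaseShape *base; unsigned num_fixed_slots; } Shape;
static void shape_free(Shape *s) { if (s) { free(s->base); free(s); } }
static Shape *shape_new(unsigned fixed) {   /* two allocations: base, then shape */
    BaseShape *b = js_alloc(sizeof *b);
    if (!b) return NULL;
    Shape *s = js_alloc(sizeof *s);
    if (!s) { free(b); return NULL; }
    s->base = b; s->num_fixed_slots = fixed;
    return s;
}

/* Hardened analogue of ReshapeForAllocKind: the new shape may be NULL under
 * OOM, so it is checked before ->base is read. Skipping that check turns the
 * read into the "base (this=0x0)" null dereference shown in the backtrace. */
static int reshape_for_alloc_kind(const Shape *old, unsigned new_fixed, Shape **out) {
    Shape *fresh = shape_new(new_fixed);
    if (!fresh) return 0;                    /* propagate OOM to the caller */
    fresh->base->flags = old->base->flags;
    *out = fresh;
    return 1;
}

/* Allocation sweep as an OOM fuzzer does it: fail the (n+1)-th allocation for
 * each n <= max_budget; returns how many budgets failed cleanly (no crash). */
static int oom_sweep(long max_budget) {
    int clean_failures = 0;
    for (long n = 0; n <= max_budget; n++) {
        oom_after_allocations(-1);
        Shape *old = shape_new(2);
        oom_after_allocations(n);
        Shape *out = NULL;
        if (reshape_for_alloc_kind(old, 4, &out)) shape_free(out);
        else clean_failures++;
        oom_after_allocations(-1);
        shape_free(old);
    }
    return clean_failures;
}
```

With a two-allocation `shape_new`, budgets 0 and 1 are the only points at which the reshape can fail, and both are reported rather than crashed on.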
Attached patch checkshape.patch
r=h4writer over the shoulder
Assignee: nobody → benj
Status: NEW → ASSIGNED
Attachment #8670336 - Flags: review+
Really a supa-dupa-trivial fix, no risk at all, so setting checkin-needed without a try build to spare our resources.
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/41a93d3dc258
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44