Closed Bug 1212389 Opened 9 years ago Closed 8 years ago

Assertion failure: result ([OOM] Is it really infallible?), at js/src/ds/LifoAlloc.h:281

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
critical

RESOLVED WONTFIX

People

(Reporter: decoder, Assigned: nbp)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:ignore][js-oom2015])

Attachments

(1 file)

The following testcase crashes on mozilla-central-oom (https://github.com/nbp/gecko-dev/tree/oom) revision 3af20e1a0618bbb2eb4d0f1c072da365558858a0 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

var x = [];
for (var i = 1; i <= 6778; ++i)
x.push(i);
x = x.join("|");
evaluate("oomAfterAllocations(30); var re = /" + x + "/; result = re.exec('6777');");
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000005bc3f2 in js::LifoAlloc::allocInfallible (this=0x7ffff693c310, n=64) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/ds/LifoAlloc.h:281
#0  0x00000000005bc3f2 in js::LifoAlloc::allocInfallible (this=0x7ffff693c310, n=64) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/ds/LifoAlloc.h:281
#1  0x00000000008503ae in newInfallible<js::Vector<js::irregexp::TextElement, 1ul, js::LifoAllocPolicy<(js::Fallibility)1> >, js::LifoAlloc&> (this=0x7ffff693c310) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/ds/LifoAlloc.h:411
#2  js::irregexp::RegExpAtom::ToNode (this=0x7ffff424fa60, compiler=0x7fffffff99d0, on_success=0x7ffff41021d8) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/irregexp/RegExpEngine.cpp:1796
#3  0x0000000000850f76 in js::irregexp::RegExpDisjunction::ToNode (this=<optimized out>, compiler=0x7fffffff99d0, on_success=0x7ffff41021d8) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/irregexp/RegExpEngine.cpp:1820
#4  0x0000000000845291 in js::irregexp::RegExpCapture::ToNode (body=0x7ffff4102180, index=index@entry=0, compiler=compiler@entry=0x7fffffff99d0, on_success=<optimized out>) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/irregexp/RegExpEngine.cpp:2145
#5  0x0000000000853f92 in js::irregexp::CompilePattern (cx=cx@entry=0x7ffff6907400, shared=shared@entry=0x7ffff69f3d70, data=data@entry=0x7fffffffa9d0, sample=sample@entry=..., is_global=is_global@entry=false, ignore_case=<optimized out>, is_ascii=true, match_only=false, force_bytecode=force_bytecode@entry=false, sticky=false) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/irregexp/RegExpEngine.cpp:1677
#6  0x00000000006d66d5 in js::RegExpShared::compile (this=this@entry=0x7ffff69f3d70, cx=cx@entry=0x7ffff6907400, pattern=..., pattern@entry=..., input=..., input@entry=..., mode=mode@entry=js::RegExpShared::Normal, force=force@entry=js::RegExpShared::DontForceByteCode) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/vm/RegExpObject.cpp:601
#7  0x00000000006d6a91 in js::RegExpShared::compile (this=0x7ffff69f3d70, cx=0x7ffff6907400, input=..., mode=js::RegExpShared::Normal, force=js::RegExpShared::DontForceByteCode) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/vm/RegExpObject.cpp:570
#8  0x00000000006d6c55 in js::RegExpShared::compileIfNecessary (this=this@entry=0x7ffff69f3d70, cx=cx@entry=0x7ffff6907400, input=..., input@entry=..., mode=mode@entry=js::RegExpShared::Normal, force=force@entry=js::RegExpShared::DontForceByteCode) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/vm/RegExpObject.cpp:623
#9  0x00000000006d6cba in js::RegExpShared::execute (this=this@entry=0x7ffff69f3d70, cx=cx@entry=0x7ffff6907400, input=input@entry=..., start=start@entry=0, matches=matches@entry=0x7fffffffb260) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/vm/RegExpObject.cpp:635
#10 0x0000000000c9a598 in ExecuteRegExpImpl (cx=cx@entry=0x7ffff6907400, res=res@entry=0x7ffff6993aa0, re=..., input=input@entry=..., searchIndex=0, matches=matches@entry=0x7fffffffb260) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/builtin/RegExp.cpp:98
#11 0x0000000000c9c602 in js::ExecuteRegExp (cx=cx@entry=0x7ffff6907400, regexp=..., string=..., string@entry=..., matches=matches@entry=0x7fffffffb260, staticsUpdate=staticsUpdate@entry=js::UpdateRegExpStatics) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/builtin/RegExp.cpp:812
#12 0x0000000000c9d6b4 in regexp_exec_impl (cx=cx@entry=0x7ffff6907400, regexp=..., regexp@entry=..., string=string@entry=..., staticsUpdate=staticsUpdate@entry=js::UpdateRegExpStatics, rval=...) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/builtin/RegExp.cpp:852
#13 0x0000000000c9dc49 in regexp_exec_impl (args=..., cx=0x7ffff6907400) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/builtin/RegExp.cpp:872
#14 CallNonGenericMethod (Test=0xc9dd20 <IsRegExpObject(JS::Handle<JS::Value>)>, args=..., Impl=0xc9d810 <regexp_exec_impl(JSContext*, JS::CallArgs const&)>, cx=0x7ffff6907400) at ../../dist/include/js/CallNonGenericMethod.h:110
#15 js::regexp_exec (cx=0x7ffff6907400, argc=<optimized out>, vp=<optimized out>) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/builtin/RegExp.cpp:879
#16 0x0000000000711d62 in js::CallJSNative (cx=0x7ffff6907400, native=0xc9db00 <js::regexp_exec(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jscntxtinlines.h:235
#17 0x0000000000707413 in js::Invoke (cx=cx@entry=0x7ffff6907400, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/vm/Interpreter.cpp:768
#18 0x00000000006f9301 in Interpret (cx=cx@entry=0x7ffff6907400, state=...) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/vm/Interpreter.cpp:3072
#19 0x0000000000706c13 in js::RunScript (cx=cx@entry=0x7ffff6907400, state=...) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/vm/Interpreter.cpp:709
#20 0x000000000070cc84 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907400, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=<optimized out>, evalInFrame=evalInFrame@entry=..., result=result@entry=0x7fffffffc408) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/vm/Interpreter.cpp:983
#21 0x000000000070cfd9 in js::Execute (cx=cx@entry=0x7ffff6907400, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x7fffffffc408) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/vm/Interpreter.cpp:1018
#22 0x0000000000b7867b in ExecuteScript (cx=cx@entry=0x7ffff6907400, scope=..., script=..., rval=0x7fffffffc408) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jsapi.cpp:4453
#23 0x0000000000b7876f in JS_ExecuteScript (cx=cx@entry=0x7ffff6907400, scriptArg=..., scriptArg@entry=..., rval=..., rval@entry=...) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jsapi.cpp:4478
#24 0x0000000000488420 in Evaluate (cx=0x7ffff6907400, argc=<optimized out>, vp=0x7fffffffc408) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/shell/js.cpp:1251
#25 0x0000000000711d62 in js::CallJSNative (cx=0x7ffff6907400, native=0x487e30 <Evaluate(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jscntxtinlines.h:235
#26 0x0000000000707413 in js::Invoke (cx=cx@entry=0x7ffff6907400, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/vm/Interpreter.cpp:768
#27 0x000000000070802d in js::Invoke (cx=cx@entry=0x7ffff6907400, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffc8b8, rval=..., rval@entry=...) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/vm/Interpreter.cpp:823
#28 0x00000000008d7f1b in js::jit::DoCallFallback (cx=0x7ffff6907400, frame=0x7fffffffc8f8, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffc8a8, res=...) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jit/BaselineIC.cpp:8903
#29 0x00007ffff7feef9f in ?? ()
[...]
#51 0x0000000000000000 in ?? ()
rip	0x5bc3f2 <js::LifoAlloc::allocInfallible(unsigned long)+242>
=> 0x5bc3f2 <js::LifoAlloc::allocInfallible(unsigned long)+242>:	movl   $0x119,0x0
   0x5bc3fd <js::LifoAlloc::allocInfallible(unsigned long)+253>:	callq  0x4984d0 <abort()>
Assignee: nobody → nicolas.b.pierron
Blocks: 991249
Comment on attachment 8670899 [details] [diff] [review]
part 1 - RegExpEngine: Check ToNode function results and ensure that we have enough ballast space in for loops.

Review of attachment 8670899 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry for the delay.

irregexp assumes that allocations are infallible and if we want to change that assumption then it should be done comprehensively and not piecemeal like in this patch.  Such a project would be imo a waste of time (I believe we should be moving in the opposite direction, and have more infallible allocations like in the rest of the browser) and in addition would make importing irregexp changes from upstream harder.
Attachment #8670899 - Flags: review?(bhackett1024) → review-
Summary: Assertion failure: result ([OOM] Is it really infallible?), at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/ds/LifoAlloc.h:281 → Assertion failure: result ([OOM] Is it really infallible?), at js/src/ds/LifoAlloc.h:281
OOMs in the regexp compiler are critical failures, so far.
The LifoAlloc instrumentation got changed to reflect this fact.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX