Bug 1212389 - Assertion failure: result ([OOM] Is it really infallible?), at js/src/ds/LifoAlloc.h:281
Opened 9 years ago; closed 8 years ago
Product/Component: Core :: JavaScript Engine (defect)
Status: RESOLVED WONTFIX
Reporter: decoder; Assignee: nbp
Blocks: 1 open bug
Keywords: assertion, regression, testcase
Whiteboard: [jsbugmon:ignore][js-oom2015]
Attachments (1): patch, 11.07 KB, flagged review- by bhackett1024
Description (Reporter, 9 years ago):

The following testcase crashes on mozilla-central-oom (https://github.com/nbp/gecko-dev/tree/oom) revision 3af20e1a0618bbb2eb4d0f1c072da365558858a0 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

var x = [];
for (var i = 1; i <= 6778; ++i)
  x.push(i);
x = x.join("|");
// oomAfterAllocations is a JS shell testing function: once 30 more allocations have succeeded, further allocations fail.
evaluate("oomAfterAllocations(30); var re = /" + x + "/; result = re.exec('6777');");

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000005bc3f2 in js::LifoAlloc::allocInfallible (this=0x7ffff693c310, n=64) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/ds/LifoAlloc.h:281
#0 0x00000000005bc3f2 in js::LifoAlloc::allocInfallible (this=0x7ffff693c310, n=64) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/ds/LifoAlloc.h:281
#1 0x00000000008503ae in newInfallible<js::Vector<js::irregexp::TextElement, 1ul, js::LifoAllocPolicy<(js::Fallibility)1> >, js::LifoAlloc&> (this=0x7ffff693c310) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/ds/LifoAlloc.h:411
#2 js::irregexp::RegExpAtom::ToNode (this=0x7ffff424fa60, compiler=0x7fffffff99d0, on_success=0x7ffff41021d8) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/irregexp/RegExpEngine.cpp:1796
#3 0x0000000000850f76 in js::irregexp::RegExpDisjunction::ToNode (this=<optimized out>, compiler=0x7fffffff99d0, on_success=0x7ffff41021d8) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/irregexp/RegExpEngine.cpp:1820
#4 0x0000000000845291 in js::irregexp::RegExpCapture::ToNode (body=0x7ffff4102180, index=index@entry=0, compiler=compiler@entry=0x7fffffff99d0, on_success=<optimized out>) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/irregexp/RegExpEngine.cpp:2145
#5 0x0000000000853f92 in js::irregexp::CompilePattern (cx=cx@entry=0x7ffff6907400, shared=shared@entry=0x7ffff69f3d70, data=data@entry=0x7fffffffa9d0, sample=sample@entry=..., is_global=is_global@entry=false, ignore_case=<optimized out>, is_ascii=true, match_only=false, force_bytecode=force_bytecode@entry=false, sticky=false) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/irregexp/RegExpEngine.cpp:1677
#6 0x00000000006d66d5 in js::RegExpShared::compile (this=this@entry=0x7ffff69f3d70, cx=cx@entry=0x7ffff6907400, pattern=..., pattern@entry=..., input=..., input@entry=..., mode=mode@entry=js::RegExpShared::Normal, force=force@entry=js::RegExpShared::DontForceByteCode) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/vm/RegExpObject.cpp:601
#7 0x00000000006d6a91 in js::RegExpShared::compile (this=0x7ffff69f3d70, cx=0x7ffff6907400, input=..., mode=js::RegExpShared::Normal, force=js::RegExpShared::DontForceByteCode) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/vm/RegExpObject.cpp:570
#8 0x00000000006d6c55 in js::RegExpShared::compileIfNecessary (this=this@entry=0x7ffff69f3d70, cx=cx@entry=0x7ffff6907400, input=..., input@entry=..., mode=mode@entry=js::RegExpShared::Normal, force=force@entry=js::RegExpShared::DontForceByteCode) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/vm/RegExpObject.cpp:623
#9 0x00000000006d6cba in js::RegExpShared::execute (this=this@entry=0x7ffff69f3d70, cx=cx@entry=0x7ffff6907400, input=input@entry=..., start=start@entry=0, matches=matches@entry=0x7fffffffb260) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/vm/RegExpObject.cpp:635
#10 0x0000000000c9a598 in ExecuteRegExpImpl (cx=cx@entry=0x7ffff6907400, res=res@entry=0x7ffff6993aa0, re=..., input=input@entry=..., searchIndex=0, matches=matches@entry=0x7fffffffb260) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/builtin/RegExp.cpp:98
#11 0x0000000000c9c602 in js::ExecuteRegExp (cx=cx@entry=0x7ffff6907400, regexp=..., string=..., string@entry=..., matches=matches@entry=0x7fffffffb260, staticsUpdate=staticsUpdate@entry=js::UpdateRegExpStatics) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/builtin/RegExp.cpp:812
#12 0x0000000000c9d6b4 in regexp_exec_impl (cx=cx@entry=0x7ffff6907400, regexp=..., regexp@entry=..., string=string@entry=..., staticsUpdate=staticsUpdate@entry=js::UpdateRegExpStatics, rval=...) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/builtin/RegExp.cpp:852
#13 0x0000000000c9dc49 in regexp_exec_impl (args=..., cx=0x7ffff6907400) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/builtin/RegExp.cpp:872
#14 CallNonGenericMethod (Test=0xc9dd20 <IsRegExpObject(JS::Handle<JS::Value>)>, args=..., Impl=0xc9d810 <regexp_exec_impl(JSContext*, JS::CallArgs const&)>, cx=0x7ffff6907400) at ../../dist/include/js/CallNonGenericMethod.h:110
#15 js::regexp_exec (cx=0x7ffff6907400, argc=<optimized out>, vp=<optimized out>) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/builtin/RegExp.cpp:879
#16 0x0000000000711d62 in js::CallJSNative (cx=0x7ffff6907400, native=0xc9db00 <js::regexp_exec(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jscntxtinlines.h:235
#17 0x0000000000707413 in js::Invoke (cx=cx@entry=0x7ffff6907400, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/vm/Interpreter.cpp:768
#18 0x00000000006f9301 in Interpret (cx=cx@entry=0x7ffff6907400, state=...) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/vm/Interpreter.cpp:3072
#19 0x0000000000706c13 in js::RunScript (cx=cx@entry=0x7ffff6907400, state=...) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/vm/Interpreter.cpp:709
#20 0x000000000070cc84 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907400, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=<optimized out>, evalInFrame=evalInFrame@entry=..., result=result@entry=0x7fffffffc408) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/vm/Interpreter.cpp:983
#21 0x000000000070cfd9 in js::Execute (cx=cx@entry=0x7ffff6907400, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x7fffffffc408) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/vm/Interpreter.cpp:1018
#22 0x0000000000b7867b in ExecuteScript (cx=cx@entry=0x7ffff6907400, scope=..., script=..., rval=0x7fffffffc408) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jsapi.cpp:4453
#23 0x0000000000b7876f in JS_ExecuteScript (cx=cx@entry=0x7ffff6907400, scriptArg=..., scriptArg@entry=..., rval=..., rval@entry=...) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jsapi.cpp:4478
#24 0x0000000000488420 in Evaluate (cx=0x7ffff6907400, argc=<optimized out>, vp=0x7fffffffc408) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/shell/js.cpp:1251
#25 0x0000000000711d62 in js::CallJSNative (cx=0x7ffff6907400, native=0x487e30 <Evaluate(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jscntxtinlines.h:235
#26 0x0000000000707413 in js::Invoke (cx=cx@entry=0x7ffff6907400, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/vm/Interpreter.cpp:768
#27 0x000000000070802d in js::Invoke (cx=cx@entry=0x7ffff6907400, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffc8b8, rval=..., rval@entry=...) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/vm/Interpreter.cpp:823
#28 0x00000000008d7f1b in js::jit::DoCallFallback (cx=0x7ffff6907400, frame=0x7fffffffc8f8, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffc8a8, res=...) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jit/BaselineIC.cpp:8903
#29 0x00007ffff7feef9f in ?? ()
[...]
#51 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7ffff433e000 140737290428416
rcx 0x7ffff6ca588d 140737333844109
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffff9740 140737488328512
rsp 0x7fffffff9710 140737488328464
r8 0x7ffff7fcc780 140737353926528
r9 0x694c2f73642f6372 7587491644861014898
r10 0x7fffffff94d0 140737488327888
r11 0x7ffff6c27ee0 140737333329632
r12 0x40 64
r13 0x7ffff433efd0 140737290432464
r14 0x7ffff693c310 140737330266896
r15 0x7ffff433f010 140737290432528
rip 0x5bc3f2 <js::LifoAlloc::allocInfallible(unsigned long)+242>
=> 0x5bc3f2 <js::LifoAlloc::allocInfallible(unsigned long)+242>: movl $0x119,0x0
   0x5bc3fd <js::LifoAlloc::allocInfallible(unsigned long)+253>: callq 0x4984d0 <abort()>
Updated (Assignee, 9 years ago):
Assignee: nobody → nicolas.b.pierron
Comment 1 (Assignee, 9 years ago):
Attachment #8670899 - Flags: review?(bhackett1024)
Comment 2 (9 years ago):

Comment on attachment 8670899 [details] [diff] [review]
part 1 - RegExpEngine: Check ToNode function results and ensure that we have enough ballast space in for loops.

Review of attachment 8670899 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry for the delay. irregexp assumes that allocations are infallible and if we want to change that assumption then it should be done comprehensively and not piecemeal like in this patch. Such a project would be imo a waste of time (I believe we should be moving in the opposite direction, and have more infallible allocations like in the rest of the browser) and in addition would make importing irregexp changes from upstream harder.

Attachment #8670899 - Flags: review?(bhackett1024) → review-
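The testcase in the description injects an OOM into a compiler loop (RegExpDisjunction::ToNode calling RegExpAtom::ToNode once per alternative) that allocates through LifoAlloc::allocInfallible, and comment 2 spells out the assumption behind that: irregexp treats its allocations as infallible. The C++ sketch below is an added example, not code from this bug or from SpiderMonkey. It models that contract with a toy bump allocator (BumpAlloc, a hypothetical name in the spirit of js::LifoAlloc) and an OOM injector (OomInjector, hypothetical, standing in for the shell's oomAfterAllocations). The naive loop aborts with the bug's message under injected OOM; the hardened loop reserves ballast with one fallible call per iteration, which is the shape the rejected patch proposed for the ToNode loops, and reports failure to its caller instead.

```cpp
// Added example, not SpiderMonkey code: a toy bump allocator in the spirit of
// js::LifoAlloc with an injectable OOM point modelled on the JS shell's
// oomAfterAllocations(N). OomInjector, BumpAlloc and buildChain* are
// hypothetical names; only the fallible/infallible contract is the point.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <memory>
#include <vector>
// Hypothetical OOM injector: the first `remaining` backing-store allocations
// succeed and every later one fails; remaining < 0 means never fail.
struct OomInjector {
    long remaining;
    explicit OomInjector(long n) : remaining(n) {}
    bool shouldFail() {
        if (remaining < 0) return false;
        if (remaining == 0) return true;
        --remaining;
        return false;
    }
};
class BumpAlloc {
public:
    BumpAlloc(size_t chunkSize, OomInjector* inj) : chunkSize_(chunkSize), inj_(inj) {}
    // Fallible: returns nullptr on OOM; the caller must check.
    void* alloc(size_t n) {
        n = (n + 7) & ~size_t(7);
        if (avail_ < n && !newChunk(n)) return nullptr;
        void* p = cur_;
        cur_ += n; avail_ -= n;
        return p;
    }
    // Infallible by contract: the caller must have reserved ballast first.
    // Breaking that contract under OOM is exactly the abort in this bug.
    void* allocInfallible(size_t n) {
        void* p = alloc(n);
        if (!p) { std::fputs("[OOM] Is it really infallible?\n", stderr); std::abort(); }
        return p;
    }
    // Fallible reservation: once it returns true, following allocInfallible
    // calls totalling at most n bytes cannot fail.
    bool ensureUnused(size_t n) {
        n = (n + 7) & ~size_t(7);
        return avail_ >= n || newChunk(n);
    }
private:
    bool newChunk(size_t n) {
        if (inj_ && inj_->shouldFail()) return false;  // simulated OOM
        size_t sz = n > chunkSize_ ? n : chunkSize_;
        chunks_.emplace_back(new uint8_t[sz]);
        cur_ = chunks_.back().get();
        avail_ = sz;  // the tail of the previous chunk is abandoned
        return true;
    }
    size_t chunkSize_;
    OomInjector* inj_;
    std::vector<std::unique_ptr<uint8_t[]>> chunks_;
    uint8_t* cur_ = nullptr;
    size_t avail_ = 0;
};
struct Node { Node* next; uint32_t value; };
// The pattern behind the bug: a loop (think RegExpDisjunction::ToNode over
// 6778 alternatives) allocating infallibly on every iteration. Fine without
// OOM injection; with an injected OOM it aborts the whole process.
Node* buildChainInfallible(BumpAlloc& a, uint32_t count) {
    Node* head = nullptr;
    for (uint32_t i = 0; i < count; ++i) {
        Node* n = static_cast<Node*>(a.allocInfallible(sizeof(Node)));
        n->next = head; n->value = i; head = n;
    }
    return head;
}
// The hardened pattern: reserve ballast fallibly once per iteration and
// propagate failure as nullptr; the infallible call inside is then safe.
Node* buildChainFallible(BumpAlloc& a, uint32_t count) {
    Node* head = nullptr;
    for (uint32_t i = 0; i < count; ++i) {
        if (!a.ensureUnused(sizeof(Node))) return nullptr;  // graceful OOM
        Node* n = static_cast<Node*>(a.allocInfallible(sizeof(Node)));
        n->next = head; n->value = i; head = n;
    }
    return head;
}
long chainLength(const Node* n) {
    long len = 0;
    for (; n; n = n->next) ++len;
    return len;
}
// Runs the hardened builder while the backing store fails after `failAfter`
// chunk allocations: chain length on success, -1 on gracefully reported OOM.
long runHardened(size_t chunkSize, long failAfter, uint32_t count) {
    OomInjector inj(failAfter);
    BumpAlloc a(chunkSize, &inj);
    Node* head = buildChainFallible(a, count);
    return head ? chainLength(head) : -1;
}
int main() {
    OomInjector never(-1); BumpAlloc a(64, &never);
    std::printf("%ld %ld %ld\n", chainLength(buildChainInfallible(a, 100)),
                runHardened(64, -1, 100), runHardened(64, 2, 100));
}
```

With 64-byte chunks and 16-byte nodes, 100 nodes need 25 chunks, so failing the backing store after 2 chunks makes runHardened return -1 where buildChainInfallible would hit the abort; the same call with the injector disabled returns 100. The cost of the hardened shape is what comment 2 objects to: every ToNode-style loop has to check a result and pass the failure up, which is why the bug was closed with the allocator's instrumentation adjusted rather than with this patch.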
Updated (Reporter, 9 years ago):
Summary: Assertion failure: result ([OOM] Is it really infallible?), at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/ds/LifoAlloc.h:281 → Assertion failure: result ([OOM] Is it really infallible?), at js/src/ds/LifoAlloc.h:281
Comment 3 (Assignee, 8 years ago):

OOMs in the regexp compiler are critical failures, so far. The LifoAlloc instrumentation got changed to reflect this fact.

Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX