Closed Bug 1212390 Opened 6 years ago Closed 6 years ago

Assertion failure: maxAllocations >= 0 && maxAllocations < (4294967295U), at ../../../dist/include/js/Utility.h:209 with OOM

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla44
Tracking Status
firefox44 --- fixed

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:ignore][js-oom2015])

The following testcase crashes on mozilla-central-oom (https://github.com/nbp/gecko-dev/tree/oom) revision 3af20e1a0618bbb2eb4d0f1c072da365558858a0 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager --ion-extra-checks --ion-check-range-analysis):

oomAtAllocation(-3);
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000491e90 in js::AutoEnterOOMUnsafeRegion::~AutoEnterOOMUnsafeRegion (this=<optimized out>, __in_chrg=<optimized out>) at ../../../dist/include/js/Utility.h:209
#0  0x0000000000491e90 in js::AutoEnterOOMUnsafeRegion::~AutoEnterOOMUnsafeRegion (this=<optimized out>, __in_chrg=<optimized out>) at ../../../dist/include/js/Utility.h:209
#1  0x00000000008648f5 in ~DebugOnly (this=0x7fffffffd270, __in_chrg=<optimized out>) at ../../dist/include/mozilla/DebugOnly.h:82
#2  js::Nursery::collect (this=this@entry=0x7ffff693c460, rt=<optimized out>, reason=reason@entry=JS::gcreason::DESTROY_CONTEXT, pretenureGroups=pretenureGroups@entry=0x0) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/gc/Nursery.cpp:429
#3  0x0000000000b3e6e5 in js::gc::GCRuntime::minorGCImpl (this=this@entry=0x7ffff693c408, reason=reason@entry=JS::gcreason::DESTROY_CONTEXT, pretenureGroups=pretenureGroups@entry=0x0) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jsgc.cpp:6591
#4  0x0000000000b83259 in evictNursery (reason=JS::gcreason::DESTROY_CONTEXT, this=this@entry=0x7ffff693c408) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/gc/GCRuntime.h:611
#5  js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff693c408, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jsgc.cpp:6152
#6  0x0000000000b8389e in js::gc::GCRuntime::collect (this=this@entry=0x7ffff693c408, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jsgc.cpp:6352
#7  0x0000000000b83bf3 in js::gc::GCRuntime::gc (this=0x7ffff693c408, gckind=<optimized out>, reason=JS::gcreason::DESTROY_CONTEXT) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jsgc.cpp:6417
#8  0x0000000000b847cc in js::DestroyContext (cx=0x7ffff6907400, mode=js::DCM_FORCE_GC) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jscntxt.cpp:186
#9  0x0000000000b849be in JS_DestroyContext (cx=<optimized out>) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jsapi.cpp:799
#10 0x0000000000477872 in DestroyContext (withGC=true, cx=0x7ffff6907400) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/shell/js.cpp:5748
#11 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/shell/js.cpp:6588
rip	0x491e90 <js::AutoEnterOOMUnsafeRegion::~AutoEnterOOMUnsafeRegion()+112>
=> 0x491e90 <js::AutoEnterOOMUnsafeRegion::~AutoEnterOOMUnsafeRegion()+112>:	movl   $0xd1,0x0
   0x491e9b <js::AutoEnterOOMUnsafeRegion::~AutoEnterOOMUnsafeRegion()+123>:	callq  0x4984d0 <abort()>
Not actually an OOM bug - just a missing check in OOMAtAllocation that the argument is nonnegative.  It should just throw in that case, or do nothing.

Should check other APIs in that file (TestingFunctions.cpp) too for similar issues.
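The root cause named in the comment above, as an added illustration in C++ (a hypothetical model, not SpiderMonkey's TestingFunctions.cpp or Utility.h): the JS-visible count reaches the engine as a signed 32-bit integer, the unchecked variant stores it unvalidated so a negative value breaks exactly the bound the reported assertion enforces, and the checked variant rejects it at the API boundary. OOMState, oomAtAllocationUnchecked, oomAtAllocationChecked and stateValidAfterCall are invented names for this example.

```cpp
#include <cstdint>

// Hypothetical stand-in for the engine's OOM-injection counter (not
// SpiderMonkey code). An injection point is "scheduled" once a count is set.
struct OOMState {
    bool active = false;           // has an injection point been scheduled?
    int64_t maxAllocations = 0;    // allocation index at which to fail

    // Same condition as the failing assertion in the report, checked only
    // while an injection point is scheduled.
    bool invariantHolds() const {
        return !active ||
               (maxAllocations >= 0 &&
                maxAllocations < static_cast<int64_t>(UINT32_MAX));
    }
};

// Defective shape (hypothetical): the JS number arrives as a signed 32-bit
// integer and is stored without validation, so a negative count sits in the
// state until an unrelated GC path re-checks the invariant and aborts.
void oomAtAllocationUnchecked(OOMState& st, int32_t count) {
    st.active = true;
    st.maxAllocations = count;
}

// Hardened shape (hypothetical): reject anything the counter cannot hold.
// Returning false is where the JS-facing wrapper would throw instead.
bool oomAtAllocationChecked(OOMState& st, int32_t count) {
    if (count < 0) {
        return false;              // previous, valid state is left untouched
    }
    st.active = true;
    st.maxAllocations = count;     // 0 <= count <= INT32_MAX < UINT32_MAX
    return true;
}

// Drives one call through either variant and reports whether the state still
// satisfies the invariant afterwards (false = a debug build would abort later).
bool stateValidAfterCall(int32_t count, bool checked) {
    OOMState st;
    if (checked) {
        oomAtAllocationChecked(st, count);
    } else {
        oomAtAllocationUnchecked(st, count);
    }
    return st.invariantHolds();
}
```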