Assertion failure: !cx->compartment()->hasObjectPendingMetadata(), at js/src/jsobjinlines.h:317 or Assertion failure: !cxArg->compartment()->hasObjectPendingMetadata(), at js/src/jsobjinlines.h:281

RESOLVED FIXED in Firefox 44

Status


Core
JavaScript Engine
critical
RESOLVED FIXED

People

(Reporter: decoder, Assigned: arai)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
mozilla44
x86_64
Linux
assertion, regression, testcase

Firefox Tracking Flags

(firefox44 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
The following testcase crashes on mozilla-central revision d1bb0de19476 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

var length = 4294967295;
var array = new Array(length);
array.splice(100);


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00000000008e6d78 in JSObject::create (cx=0x7fc4cd206c00, kind=js::gc::OBJECT8, heap=js::gc::TenuredHeap, shape=..., group=...) at js/src/jsobjinlines.h:317
#1  0x00000000008c1efc in NewObject (cx=0x7fc4cd206c00, group=..., kind=js::gc::OBJECT8, newKind=js::GenericObject, initialShapeFlags=<optimized out>) at js/src/jsobj.cpp:685
#2  0x00000000008c2295 in js::NewObjectWithGivenTaggedProto (cxArg=cxArg@entry=0x7fc4cd206c00, clasp=clasp@entry=0x1bb0cc0 <js::SavedFrame::class_>, proto=..., allocKind=js::gc::OBJECT8, newKind=newKind@entry=js::GenericObject, initialShapeFlags=initialShapeFlags@entry=0) at js/src/jsobj.cpp:746
#3  0x0000000000a6f12a in NewObjectWithGivenTaggedProto (initialShapeFlags=0, newKind=js::GenericObject, proto=..., clasp=0x1bb0cc0 <js::SavedFrame::class_>, cx=0x7fc4cd206c00) at js/src/jsobjinlines.h:613
#4  NewObjectWithGivenProto (newKind=js::GenericObject, proto=..., clasp=0x1bb0cc0 <js::SavedFrame::class_>, cx=0x7fc4cd206c00) at js/src/jsobjinlines.h:648
#5  js::SavedStacks::createFrameFromLookup (this=this@entry=0x7fc4cd2698a8, cx=cx@entry=0x7fc4cd206c00, lookup=..., lookup@entry=...) at js/src/vm/SavedStacks.cpp:1238
#6  0x0000000000a6f3f6 in js::SavedStacks::getOrCreateSavedFrame (this=this@entry=0x7fc4cd2698a8, cx=cx@entry=0x7fc4cd206c00, lookup=lookup@entry=...) at js/src/vm/SavedStacks.cpp:1212
#7  0x0000000000a70478 in js::SavedStacks::insertFrames (this=this@entry=0x7fc4cd2698a8, cx=cx@entry=0x7fc4cd206c00, iter=..., frame=..., frame@entry=..., maxFrameCount=124, maxFrameCount@entry=128) at js/src/vm/SavedStacks.cpp:1120
#8  0x0000000000a707db in js::SavedStacks::saveCurrentStack (this=0x7fc4cd2698a8, cx=cx@entry=0x7fc4cd206c00, frame=frame@entry=..., maxFrameCount=128) at js/src/vm/SavedStacks.cpp:933
#9  0x0000000000840962 in JS::CaptureCurrentStack (cx=cx@entry=0x7fc4cd206c00, stackp=..., stackp@entry=..., maxFrameCount=maxFrameCount@entry=128) at js/src/jsapi.cpp:6433
#10 0x000000000086eab3 in CaptureStack (stack=..., cx=0x7fc4cd206c00) at js/src/jsexn.cpp:280
#11 js::ErrorToException (cx=cx@entry=0x7fc4cd206c00, message=message@entry=0x7fc4caf1ab80 "allocation size overflow", reportp=reportp@entry=0x7fffbe8242c0, callback=<optimized out>, userRef=<optimized out>) at js/src/jsexn.cpp:572
#12 0x000000000086ed3e in ReportError (cx=0x7fc4cd206c00, message=0x7fc4caf1ab80 "allocation size overflow", reportp=0x7fffbe8242c0, callback=<optimized out>, userRef=<optimized out>) at js/src/jscntxt.cpp:230
#13 0x000000000087129a in js::ReportErrorNumberVA (cx=0x7fc4cd206c00, flags=flags@entry=0, callback=0x85ce60 <js::GetErrorMessage(void*, unsigned int)>, userRef=0x0, errorNumber=106, argumentsType=argumentsType@entry=js::ArgumentsAreASCII, ap=ap@entry=0x7fffbe824388) at js/src/jscntxt.cpp:754
#14 0x000000000083d5fb in JS_ReportErrorNumberVA (cx=<optimized out>, errorCallback=<optimized out>, userRef=<optimized out>, errorNumber=<optimized out>, ap=ap@entry=0x7fffbe824388) at js/src/jsapi.cpp:5525
#15 0x000000000083d686 in JS_ReportErrorNumber (cx=cx@entry=0x7fc4cd206c00, errorCallback=errorCallback@entry=0x85ce60 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=106) at js/src/jsapi.cpp:5514
#16 0x0000000000456475 in js::ReportAllocationOverflow (cxArg=0x7fc4cd206c00) at js/src/jscntxt.cpp:383
#17 0x0000000000a17287 in js::NativeObject::goodElementsAllocationAmount (cx=cx@entry=0x7fc4cd206c00, reqCapacity=reqCapacity@entry=4294967195, length=<optimized out>, goodAmount=goodAmount@entry=0x7fffbe8244d0) at js/src/vm/NativeObject.cpp:680
#18 0x0000000000a1732c in js::NativeObject::growElements (this=this@entry=0x7fc4cb5002b0, cx=0x7fc4cd206c00, reqCapacity=4294967195) at js/src/vm/NativeObject.cpp:768
#19 0x000000000051394b in ensureElements (capacity=<optimized out>, cx=<optimized out>, this=0x7fc4cb5002b0) at js/src/vm/NativeObject.h:916
#20 EnsureNewArrayElements (cx=<optimized out>, obj=0x7fc4cb5002b0, length=<optimized out>) at js/src/jsarray.cpp:3305
#21 0x000000000051b714 in NewArray<4294967295u> (cxArg=0x7fc4cd206c00, length=<optimized out>, protoArg=..., newKind=<optimized out>) at js/src/jsarray.cpp:3344
#22 0x000000000051bbf6 in NewArrayTryUseGroup<4294967295u> (cx=0x7fc4cd206c00, group=..., length=4294967195, newKind=js::GenericObject, forceAnalyze=<optimized out>) at js/src/jsarray.cpp:3514
#23 0x000000000051c087 in NewArrayTryReuseGroup<4294967295u> (cx=cx@entry=0x7fc4cd206c00, obj=<optimized out>, length=length@entry=4294967195, newKind=newKind@entry=js::GenericObject, forceAnalyze=forceAnalyze@entry=false) at js/src/jsarray.cpp:3566
#24 0x0000000000522eaf in NewFullyAllocatedArrayTryReuseGroup (forceAnalyze=false, newKind=js::GenericObject, length=4294967195, obj=<optimized out>, cx=0x7fc4cd206c00) at js/src/jsarray.cpp:3573
#25 js::array_splice_impl (cx=0x7fc4cd206c00, argc=1, vp=0x7fc4cb3ff228, returnValueIsUsed=<optimized out>) at js/src/jsarray.cpp:2412
#26 0x00000000009e3be2 in js::CallJSNative (cx=0x7fc4cd206c00, native=0x5233a0 <array_splice(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#27 0x00000000009e0720 in js::Invoke (cx=cx@entry=0x7fc4cd206c00, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:773
#28 0x00000000009d1da2 in Interpret (cx=cx@entry=0x7fc4cd206c00, state=...) at js/src/vm/Interpreter.cpp:3098
#29 0x00000000009dff2b in js::RunScript (cx=cx@entry=0x7fc4cd206c00, state=...) at js/src/vm/Interpreter.cpp:714
#30 0x00000000009e277c in js::ExecuteKernel (cx=cx@entry=0x7fc4cd206c00, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_DIRECT_EVAL, evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffbe825538) at js/src/vm/Interpreter.cpp:989
#31 0x00000000005b7821 in js::DirectEvalStringFromIon (cx=0x7fc4cd206c00, scopeobj=..., callerScript=..., thisValue=..., newTargetValue=..., str=..., pc=0x7fc4cd26e114 "{", vp=...) at js/src/builtin/Eval.cpp:451
#32 0x00007fc4ce6dc4ed in ?? ()
#33 0x00007fc4cd26e114 in ?? ()
#34 0x00007fffbe825538 in ?? ()
#35 0x0000000000000000 in ?? ()
(Reporter)

Updated

2 years ago
Summary: Assertion failure: !cx->compartment()->hasObjectPendingMetadata(), at js/src/jsobjinlines.h:317 → Assertion failure: !cx->compartment()->hasObjectPendingMetadata(), at js/src/jsobjinlines.h:317 or Assertion failure: !cxArg->compartment()->hasObjectPendingMetadata(), at js/src/jsobjinlines.h:281

Updated

2 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1

2 years ago
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151009025847" and the hash "a13e919f927b216f911957da1fa70d95a2335f1f".
The "bad" changeset has the timestamp "20151009030332" and the hash "cfca615a83c3451149cfea12b451bc216b33e170".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=a13e919f927b216f911957da1fa70d95a2335f1f&tochange=cfca615a83c3451149cfea12b451bc216b33e170
Needinfo based on comment 1
Flags: needinfo?(arai.unmht)
(Assignee)

Comment 3

2 years ago
Looks like any kind of exception that creates a stack trace cannot be reported after cache.newObjectFromHit in NewArray.
https://dxr.mozilla.org/mozilla-central/rev/11ff0ccb7d59311df4c190d331c8b58c6e35a0c8/js/src/jsarray.cpp#3336
>            AutoSetNewObjectMetadata metadata(cx);
>            JSObject* obj = cache.newObjectFromHit(cx, entry, heap);
>            if (obj) {
>                /* Fixup the elements pointer and length, which may be incorrect. */
>                ArrayObject* arr = &obj->as<ArrayObject>();
>                arr->setFixedElements();
>                arr->setLength(cx, length);
>                if (maxLength > 0 &&
>                    !EnsureNewArrayElements(cx, arr, std::min(maxLength, length)))
>                {
>                    return nullptr;
>                }
>                return arr;
>            }

We might have to propagate the allocation error up to there or its callee in order to report it with ReportAllocationOverflow.
Is it worth doing so? Or should we use ReportOutOfMemory instead, as before?
Flags: needinfo?(jwalden+bmo)
KISS, just use ROOM.  Maybe worth filing an enhancement bug to report allocation overflow, tho -- would be a nice change, maybe it'll be easier to do at some point.
Flags: needinfo?(jwalden+bmo)
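As an added illustration (not SpiderMonkey code) of the hazard arai describes in comment 3 and why "just use ROOM" resolves it: a simplified C++ model in which the first object created under an AutoSetNewObjectMetadata-style guard is left pending metadata, so an error reporter that captures a stack trace (and therefore allocates SavedFrame objects) trips the JSObject::create assertion, while ReportOutOfMemory, which allocates nothing, does not. The capacity limit, flag names and counters are constructed for the model.

```cpp
#include <string>
#include <vector>

// Simplified model (added here; not SpiderMonkey code) of the hazard in comment 3:
// while a guard like AutoSetNewObjectMetadata is live, the first object created is
// left "pending metadata", and creating any further GC object before the guard is
// released trips the assertion in JSObject::create.
struct Compartment {
    bool delayMetadata = false;           // an AutoSetNewObjectMetadata guard is live
    bool objectPendingMetadata = false;   // models hasObjectPendingMetadata()
    std::vector<std::string> created;     // kinds of objects "allocated" so far
    int assertionFailures = 0;            // a debug build would abort here instead
};

struct AutoSetNewObjectMetadata {
    Compartment& comp;
    explicit AutoSetNewObjectMetadata(Compartment& c) : comp(c) { comp.delayMetadata = true; }
    // Releasing the guard is where the pending object's metadata would be set.
    ~AutoSetNewObjectMetadata() { comp.objectPendingMetadata = false; comp.delayMetadata = false; }
};

// Models JSObject::create and its MOZ_ASSERT(!cx->compartment()->hasObjectPendingMetadata()).
static void newObject(Compartment& comp, const char* kind) {
    if (comp.objectPendingMetadata) comp.assertionFailures++;   // the assertion on the page
    comp.created.push_back(kind);
    if (comp.delayMetadata) comp.objectPendingMetadata = true;  // first object under the guard
}

// ReportAllocationOverflow -> ErrorToException -> CaptureStack builds SavedFrame objects.
static void reportAllocationOverflow(Compartment& comp) { newObject(comp, "SavedFrame"); }
// ReportOutOfMemory reports the error without allocating any GC object.
static void reportOutOfMemory(Compartment& comp) { (void)comp; }

// Constructed capacity limit standing in for goodElementsAllocationAmount's check.
static const unsigned long long kMaxElements = 1ULL << 30;

// Models the NewArray cache-hit path: the array is created under the guard, then
// EnsureNewArrayElements may fail for a huge requested capacity. `useOom` selects
// the reporter; false is the pre-fix behaviour that produced the assertion failure.
static bool newArray(Compartment& comp, unsigned long long reqCapacity, bool useOom) {
    AutoSetNewObjectMetadata metadata(comp);
    newObject(comp, "ArrayObject");                  // cache.newObjectFromHit
    if (reqCapacity > kMaxElements) {
        if (useOom) reportOutOfMemory(comp);
        else        reportAllocationOverflow(comp);  // allocates while metadata is pending
        return false;
    }
    return true;
}
```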
(Assignee)

Comment 5

2 years ago
Created attachment 8673220 [details] [diff] [review]
Use ReportOutOfMemory in NativeObject::goodElementsAllocationAmount.

Just replaced ReportAllocationOverflow with ReportOutOfMemory.
Assignee: nobody → arai.unmht
Flags: needinfo?(arai.unmht)
Attachment #8673220 - Flags: review?(jwalden+bmo)
Comment on attachment 8673220 [details] [diff] [review]
Use ReportOutOfMemory in NativeObject::goodElementsAllocationAmount.

Review of attachment 8673220 [details] [diff] [review]:
-----------------------------------------------------------------

Would be good to add the test, if possible, to guard against this breaking in the future.
Attachment #8673220 - Flags: review?(jwalden+bmo) → review+
(Assignee)

Comment 7

2 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/db69ddefd9eb5d35a7878f575265e095b633b246
Bug 1214049 - Use ReportOutOfMemory in NativeObject::goodElementsAllocationAmount. r=Waldo
https://hg.mozilla.org/mozilla-central/rev/db69ddefd9eb
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox44: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
(Assignee)

Updated

2 years ago
See Also: → bug 1214999