1216599 - Assertion failure: p, at js/src/proxy/Proxy.cpp:648 with OOM

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 4f4615ffec6a (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --enable-debug, run with --fuzzing-safe --thread-count=2 --arm-asm-nop-fill=1 --ion-extra-checks --ion-offthread-compile=off --ion-check-range-analysis --ion-eager --baseline-eager):

oomTest(() => {
    var g = newGlobal();
    g.eval([1, 2, 3, 4, 5]);
});
fullcompartmentchecks(true);


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.

#0  0x085a4a3d in js::ProxyObject::trace (trc=0xffa33654, obj=0xf514b870) at js/src/proxy/Proxy.cpp:648
#1  0x08527d97 in JSObject::traceChildren (this=0xf514b870, trc=0xffa33654) at js/src/jsobj.cpp:3705
#2  0x087fcf59 in operator()<JSObject> (this=<synthetic pointer>, thing=<optimized out>, trc=<optimized out>) at js/src/gc/Tracer.cpp:195
#3  DispatchTraceKindTyped<TraceChildrenFunctor, JSTracer*&, void*&> (traceKind=JS::Object, f=...) at ../../dist/include/js/TraceKind.h:117
#4  js::TraceChildren (trc=<optimized out>, trc@entry=0xffa33654, thing=<optimized out>, kind=kind@entry=JS::Object) at js/src/gc/Tracer.cpp:204
#5  0x084e3201 in js::gc::GCRuntime::checkForCompartmentMismatches (this=this@entry=0xf7228214) at js/src/jsgc.cpp:3816
#6  0x08502829 in js::gc::GCRuntime::beginMarkPhase (this=this@entry=0xf7228214, reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:3845
#7  0x08504aed in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0xf7228214, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:5948
#8  0x08505ab9 in js::gc::GCRuntime::gcCycle (this=this@entry=0xf7228214, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6222
#9  0x08505f4b in js::gc::GCRuntime::collect (this=this@entry=0xf7228214, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6338
#10 0x08506282 in js::gc::GCRuntime::gc (this=this@entry=0xf7228214, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6402
#11 0x084b5b80 in js::DestroyContext (cx=cx@entry=0xf7274020, mode=mode@entry=js::DCM_FORCE_GC) at js/src/jscntxt.cpp:186
#12 0x084b5dc8 in JS_DestroyContext (cx=cx@entry=0xf7274020) at js/src/jsapi.cpp:797
#13 0x080d9e73 in DestroyContext (withGC=true, cx=<optimized out>) at js/src/shell/js.cpp:5810
#14 main (argc=11, argv=0xffa33d64, envp=0xffa33d94) at js/src/shell/js.cpp:6663
eax	0x0	0
ebx	0x97cc434	159171636
ecx	0xf75e588c	-144811892
edx	0x0	0
esi	0xf514b870	-183191440
edi	0xffa33654	-6080940
ebp	0xffa33588	4288886152
esp	0xffa33520	4288886048
eip	0x85a4a3d <js::ProxyObject::trace(JSTracer*, JSObject*)+765>
=> 0x85a4a3d <js::ProxyObject::trace(JSTracer*, JSObject*)+765>:	movl   $0x288,0x0
   0x85a4a47 <js::ProxyObject::trace(JSTracer*, JSObject*)+775>:	call   0x80fd4d0 <abort()>

Comment 1

[Lars T Hansen [:lth]]

Not ARM specific, fails also on Linux x86 and Linux x64 (debug builds) without the --arm-asm-nop-fill=1 command line argument.

Comment 2

[Christian Holler (:decoder)]

JSBugMon can't process this properly with the architecture specification missing. Setting it back to ARM although this test also reproduces on x86.

Comment 3

[Fuzzing Team]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 29258f59e545).

Comment 4

[Terrence Cole [:terrence]]

Looks like oomTest. Could you take a look, Jon?

Comment 5

[Jon Coppeard (:jonco)]

I verified that this was fixed by the changes in bug 1215678.

Comment 6

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

FIXED by bug 1215678. We'd prefer to mark FIXED if the fix is known.