1219954 - Crash [@ js::AutoStableStringChars::initTwoByte]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

// jsfunfuzz-generated
function g() {};
// Adapted from randomly chosen test: js/src/jit-test/tests/gc/bug-1208994.js
eval("\
    \"use strict\";\
    g = (function() {\
        \"use asm\";\
        function f() {}\
        return f;\
    })();\
    oomTest(() => getBacktrace({\
        thisprops: true\
    }));\
");

crashes js debug shell on m-c changeset 1fbc958f7557 with --fuzzing-safe --no-threads --no-ion --no-baseline at js::AutoStableStringChars::initTwoByte

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 1fbc958f7557

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/9c365490d4ce
user:        Jon Coppeard
date:        Tue Oct 13 13:37:07 2015 +0100
summary:     Bug 1212469 - Make oomTest() into a shell function r=nbp

Jon, is bug 1212469 a likely regressor? (I tried removing oomTest but it didn't seem to reproduce)

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

(lldb) bt 5
* thread #1: tid = 0x347a71, 0x000000010078bbd3 js-dbg-64-dm-darwin-1fbc958f7557`js::AutoStableStringChars::initTwoByte(JSContext*, JSString*) [inlined] JSString::isLinear(this=0x0000000000000000) const at String.h:371, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010078bbd3 js-dbg-64-dm-darwin-1fbc958f7557`js::AutoStableStringChars::initTwoByte(JSContext*, JSString*) [inlined] JSString::isLinear(this=0x0000000000000000) const at String.h:371
    frame #1: 0x000000010078bbd3 js-dbg-64-dm-darwin-1fbc958f7557`js::AutoStableStringChars::initTwoByte(JSContext*, JSString*) [inlined] JSString::ensureLinear(this=0x0000000000000000, cx=<unavailable>) at String.h:1234
    frame #2: 0x000000010078bbd3 js-dbg-64-dm-darwin-1fbc958f7557`js::AutoStableStringChars::initTwoByte(this=0x00007fff5fbfbb28, cx=0x0000000102c45400, s=0x0000000000000000) + 19 at String.cpp:912
    frame #3: 0x00000001004fc7a9 js-dbg-64-dm-darwin-1fbc958f7557`js::FindBody(cx=0x0000000102c45400, fun=<unavailable>, src=<unavailable>, bodyStart=0x00007fff5fbfbc60, bodyEnd=0x00007fff5fbfbc58) + 265 at jsfun.cpp:869
    frame #4: 0x00000001000c5068 js-dbg-64-dm-darwin-1fbc958f7557`AppendUseStrictSource(cx=<unavailable>, fun=<unavailable>, src=<unavailable>, out=0x00007fff5fbfbcd8) + 40 at AsmJSLink.cpp:1143
(lldb)

Comment 2

[Jon Coppeard (:jonco)]

Attachment: bug1219954-asmjs-fun-to-string

Patch to check the result of ScriptSource::substring().

Comment 3

[Benjamin Bouvier [:bbouvier] (inactive)]

Comment on attachment 8681186 [details] [diff] [review]
bug1219954-asmjs-fun-to-string

Review of attachment 8681186 [details] [diff] [review]:
-----------------------------------------------------------------

Stealing, as it's trivial and I *think* I wrote this code. Thanks!

Comment 4

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/d3cab4bc33b0

Comment 5

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/d3cab4bc33b0

Comment 6

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/releases/mozilla-b2g44_v2_5/rev/d3cab4bc33b0

Comment 7

[Carsten Book [:Tomcat]]

removing the b2g 2.5 flag since this commit has been reverted due to an incorrect merge, sorry for the confusion