Closed Bug 1223021 Opened 9 years ago Closed 9 years ago

Assertion failure: uintptr_t(obj) > 0x1000 || uintptr_t(obj) == 0x42, at ../../dist/include/js/Value.h:606

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla45
Tracking Status
firefox45 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,bisect,ignore])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision b41b92c09fcf (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe --no-threads):

function f() {
    // Shell fuzzing helper: make the next allocation fail, so the object
    // wrapper created when boxing the primitive 'this' below sees OOM.
    oomAfterAllocations(1);
    return this === null;
};
// Non-strict call with a primitive receiver: 'this' (9) must be boxed.
if (!f.apply(9)) {}


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0863eec1 in OBJECT_TO_JSVAL_IMPL (obj=<optimized out>) at ../../dist/include/js/Value.h:606
#1  0x08644bef in setObject (obj=..., this=0xffb57118) at ../../dist/include/js/Value.h:1098
#2  setObject (obj=..., this=<synthetic pointer>) at ../../dist/include/js/Value.h:1797
#3  js::BoxNonStrictThis (cx=cx@entry=0xf7177020, thisv=thisv@entry=..., vp=vp@entry=...) at js/src/vm/Interpreter.cpp:102
#4  0x08225417 in js::ComputeThis (cx=0xf7177020, frame=...) at js/src/vm/Interpreter-inl.h:67
#5  0x0865b5a9 in Interpret (cx=cx@entry=0xf7177020, state=...) at js/src/vm/Interpreter.cpp:2513
#6  0x08666e5d in js::RunScript (cx=cx@entry=0xf7177020, state=...) at js/src/vm/Interpreter.cpp:430
#7  0x086671d6 in js::Invoke (cx=cx@entry=0xf7177020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:507
#8  0x08525a06 in js::fun_call (cx=cx@entry=0xf7177020, argc=1, vp=vp@entry=0xf51e20f8) at js/src/jsfun.cpp:1192
#9  0x0853ef4d in js::fun_apply (cx=0xf7177020, argc=1, vp=0xf51e20f8) at js/src/jsfun.cpp:1210
#10 0x0866a91a in js::CallJSNative (cx=0xf7177020, native=0x853ed10 <js::fun_apply(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#11 0x08667107 in js::Invoke (cx=0xf7177020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:489
#12 0x08660312 in Interpret (cx=cx@entry=0xf7177020, state=...) at js/src/vm/Interpreter.cpp:2798
#13 0x08666e5d in js::RunScript (cx=cx@entry=0xf7177020, state=...) at js/src/vm/Interpreter.cpp:430
#14 0x0866946a in js::ExecuteKernel (cx=cx@entry=0xf7177020, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_DIRECT_EVAL, evalInFrame=..., evalInFrame@entry=..., result=0xffb586d0) at js/src/vm/Interpreter.cpp:703
#15 0x0821a95d in EvalKernel (cx=cx@entry=0xf7177020, args=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., scopeobj=..., scopeobj@entry=..., pc=0xf7139c8b "{") at js/src/builtin/Eval.cpp:353
#16 0x0821b004 in js::DirectEval (cx=cx@entry=0xf7177020, args=...) at js/src/builtin/Eval.cpp:475
#17 0x088b7405 in js::jit::DoCallFallback (cx=0xf7177020, frame=0xffb58710, stub_=0xf711f270, argc=1, vp=0xffb586d0, res=...) at js/src/jit/BaselineIC.cpp:9014
#18 0xf73cf6ce in ?? ()
[...]
eax	0x0	0
ebx	0x983742c	159609900
ecx	0xf758988c	-145188724
edx	0x0	0
esi	0xffb57144	-4886204
edi	0xf7177054	-149458860
ebp	0xffb57088	4290080904
esp	0xffb57070	4290080880
eip	0x863eec1 <OBJECT_TO_JSVAL_IMPL(JSObject*)+65>
=> 0x863eec1 <OBJECT_TO_JSVAL_IMPL(JSObject*)+65>:	movl   $0x25e,0x0
   0x863eecb <OBJECT_TO_JSVAL_IMPL(JSObject*)+75>:	call   0x8102ba0 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision e1ef2be156de).
This was an unchecked OOM in js::BoxNonStrictThis() which was fixed by bug 1125423.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
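The following C++ is an added example, not SpiderMonkey code, modelling the failure class behind the testcase above and the diagnosis in the preceding comment: an allocation that can fail under memory pressure whose result is boxed into a tagged value without a null check. A fault-injecting allocator plays the role of the shell's oomAfterAllocations(); every type and function name here (FaultInjectingHeap, boxThisUnchecked, boxThisChecked, and so on) is an assumption invented for the demo, and the 0x1000 bound is borrowed from the assertion in the bug title.

```cpp
// Added example, not SpiderMonkey code. Demonstrates an unchecked OOM when
// boxing a primitive 'this' into a wrapper object, beside the checked form.
#include <cstdint>
#include <cstdlib>

namespace demo {

struct Object { double wrapped; };   // stand-in for a primitive wrapper object

// Fails (returns nullptr) once 'budget' allocations have been handed out,
// in the spirit of the shell's oomAfterAllocations(). Assumed helper.
struct FaultInjectingHeap {
    int remaining;
    explicit FaultInjectingHeap(int budget) : remaining(budget) {}
    Object* allocObject(double wrapped) {
        if (remaining == 0) return nullptr;       // simulated OOM
        --remaining;
        return new Object{wrapped};
    }
};

// Tagged value: either a number or a pointer to an Object.
struct Value {
    bool isObject = false;
    Object* obj = nullptr;
    double num = 0.0;
};

// The invariant the engine asserts when boxing a pointer: it must be a real
// heap pointer, never null or a small integer (compare the bug title).
static bool isBoxableObjectPointer(const Object* o) {
    return reinterpret_cast<uintptr_t>(o) > 0x1000;
}

// Buggy shape: the allocation result goes straight into the Value.
static bool boxThisUnchecked(FaultInjectingHeap& heap, double primitive, Value* vp) {
    Object* wrapper = heap.allocObject(primitive);
    vp->isObject = true;      // claims to hold an object...
    vp->obj = wrapper;        // ...but under OOM this is nullptr
    return true;
}

// Fixed shape: report the failure to the caller and leave the Value untouched.
static bool boxThisChecked(FaultInjectingHeap& heap, double primitive, Value* vp) {
    Object* wrapper = heap.allocObject(primitive);
    if (!wrapper) return false;               // propagate OOM to the caller
    vp->isObject = true;
    vp->obj = wrapper;
    return true;
}

struct Outcome {
    bool reportedOk;        // what the boxing function returned
    bool invariantHolds;    // isObject implies a boxable pointer
};

// Run one boxing call with a given allocation budget (0 = OOM on first alloc).
template <typename BoxFn>
static Outcome run(BoxFn box, int budget) {
    FaultInjectingHeap heap(budget);
    Value v;
    bool ok = box(heap, 9.0, &v);                       // receiver 9, as in the testcase
    bool holds = !v.isObject || isBoxableObjectPointer(v.obj);
    delete v.obj;                                       // no-op when nullptr
    return Outcome{ok, holds};
}

static Outcome uncheckedUnderOom() { return run(boxThisUnchecked, 0); }
static Outcome checkedUnderOom()   { return run(boxThisChecked, 0); }
static Outcome checkedNormal()     { return run(boxThisChecked, 1); }

}  // namespace demo

int main() {
    demo::Outcome a = demo::uncheckedUnderOom();   // "succeeds" with a corrupt Value
    demo::Outcome b = demo::checkedUnderOom();     // fails cleanly, Value untouched
    return (a.reportedOk && !a.invariantHolds && !b.reportedOk && b.invariantHolds) ? 0 : 1;
}
```

The unchecked path reports success while leaving a Value that is tagged as an object but points at null, which is exactly the state the Value.h assertion in the backtrace rejects; the checked path returns false so the interpreter can unwind. A regression test of the kind added to this bug is what keeps a fault-injecting build exercising that branch.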
Actually, that bug does lots more besides so probably should be a dupe of this.  Also, we should add a testcase for this.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
s/should/shouldn't/ above.

Here's a testcase.
Assignee: nobody → jcoppeard
Attachment #8685485 - Flags: review?(jdemooij)
Comment on attachment 8685485 [details] [diff] [review]
bug1223021-box-this-oom

Review of attachment 8685485 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for adding the test!
Attachment #8685485 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/7e14c82224c1
Status: REOPENED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45