Closed Bug 1232676 Opened 9 years ago Closed 8 years ago

Crash [@ js::ExclusiveContext::addPendingCompileError] with OOM

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla46
Tracking Flags:
Tracking Status
firefox46 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

Patch
2.03 KB, patch
jonco
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision 749f9328dd76 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

oomTest(() => {
    offThreadCompileScript("function a(x) {");
    runOffThreadScript();
});



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff5cc3700 (LWP 41702)]
0x0000000000a10d68 in js::ExclusiveContext::addPendingCompileError (this=0x7ffff45028b0) at js/src/vm/HelperThreads.cpp:1342
#0  0x0000000000a10d68 in js::ExclusiveContext::addPendingCompileError (this=0x7ffff45028b0) at js/src/vm/HelperThreads.cpp:1342
#1  0x0000000000bc0425 in js::frontend::TokenStream::reportCompileErrorNumberVA (this=0x7ffff5cc1ec0, offset=14, flags=0, errorNumber=164, args=0x7ffff5cc0fc8) at js/src/frontend/TokenStream.cpp:620
#2  0x00000000004e3bc7 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::report (this=this@entry=0x7ffff5cc1e90, kind=kind@entry=js::frontend::ParseError, strict=strict@entry=false, pn=pn@entry=js::frontend::SyntaxParseHandler::NodeFailure, errorNumber=<optimized out>) at js/src/frontend/Parser.cpp:599
#3  0x00000000004f76d6 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::functionArgsAndBodyGeneric (this=this@entry=0x7ffff5cc1e90, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, pn=pn@entry=js::frontend::SyntaxParseHandler::NodeGeneric, fun=..., fun@entry=..., kind=kind@entry=js::frontend::Statement) at js/src/frontend/Parser.cpp:2977
#4  0x00000000004d72a5 in js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBody (this=this@entry=0x7ffff5cc23e0, inHandling=inHandling@entry=js::frontend::InAllowed, pn=0x7ffff3c60058, fun=..., fun@entry=..., kind=kind@entry=js::frontend::Statement, generatorKind=generatorKind@entry=js::NotGenerator, inheritedDirectives=..., newDirectives=newDirectives@entry=0x7ffff5cc1600) at js/src/frontend/Parser.cpp:2766
#5  0x00000000004ffdda in js::frontend::Parser<js::frontend::FullParseHandler>::functionDef (this=this@entry=0x7ffff5cc23e0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, funName=..., funName@entry=..., kind=kind@entry=js::frontend::Statement, generatorKind=generatorKind@entry=js::NotGenerator, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:2634
#6  0x00000000005000a9 in js::frontend::Parser<js::frontend::FullParseHandler>::functionStmt (this=this@entry=0x7ffff5cc23e0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, defaultHandling=defaultHandling@entry=js::frontend::NameRequired) at js/src/frontend/Parser.cpp:3083
#7  0x00000000004fec3d in js::frontend::Parser<js::frontend::FullParseHandler>::statement (this=this@entry=0x7ffff5cc23e0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, canHaveDirectives=<optimized out>) at js/src/frontend/Parser.cpp:6908
#8  0x00000000004ff141 in js::frontend::Parser<js::frontend::FullParseHandler>::statements (this=this@entry=0x7ffff5cc23e0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3306
#9  0x00000000004d68ba in js::frontend::Parser<js::frontend::FullParseHandler>::globalBody (this=this@entry=0x7ffff5cc23e0) at js/src/frontend/Parser.cpp:1055
#10 0x0000000000b9f778 in BytecodeCompiler::compileScript (this=this@entry=0x7ffff5cc1d70, scopeChain=..., scopeChain@entry=..., evalCaller=evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:527
#11 0x0000000000b9fdeb in js::frontend::CompileScript (cx=cx@entry=0x7ffff45028b0, alloc=alloc@entry=0x7ffff46d77c8, scopeChain=scopeChain@entry=..., enclosingStaticScope=..., enclosingStaticScope@entry=..., evalCaller=evalCaller@entry=..., options=..., srcBuf=..., source_=source_@entry=0x0, extraSct=extraSct@entry=0x0, sourceObjectOut=sourceObjectOut@entry=0x7ffff46d7838) at js/src/frontend/BytecodeCompiler.cpp:738
#12 0x0000000000a12547 in js::HelperThread::handleParseWorkload (this=this@entry=0x7ffff6933800) at js/src/vm/HelperThreads.cpp:1388
#13 0x0000000000a13b0e in js::HelperThread::threadLoop (this=0x7ffff6933800) at js/src/vm/HelperThreads.cpp:1584
#14 0x0000000000a94ee1 in nspr::Thread::ThreadRoutine (arg=0x7ffff692e160) at js/src/vm/PosixNSPR.cpp:45
#15 0x00007ffff7bc4182 in start_thread (arg=0x7ffff5cc3700) at pthread_create.c:312
#16 0x00007ffff6cb3fbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
rax	0x0	0
rbx	0x7ffff5cc0ac0	140737317178048
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7ffff5cc09e0	140737317177824
rsp	0x7ffff5cc09a0	140737317177760
r8	0x7ffff5cc3700	140737317189376
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7ffff5cc0760	140737317177184
r11	0x7ffff6c27960	140737333328224
r12	0x7ffff45028b0	140737292282032
r13	0xa4	164
r14	0x7ffff5cc1ec0	140737317183168
r15	0x0	0
rip	0xa10d68 <js::ExclusiveContext::addPendingCompileError()+536>
=> 0xa10d68 <js::ExclusiveContext::addPendingCompileError()+536>:	movl   $0x53e,0x0
   0xa10d73 <js::ExclusiveContext::addPendingCompileError()+547>:	callq  0x4a3db0 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/de72e2291ae8
user:        Jan de Mooij
date:        Wed Dec 09 22:55:50 2015 -0500
summary:     Bug 1225396 part 3 - Make %GeneratorPrototype% inherit from %IteratorPrototype%. r=jorendorff

This iteration took 276.877 seconds to run.
Jan, is bug 1225396 a likely regressor?
Blocks: 1225396
Flags: needinfo?(jdemooij)
Attached patch PatchSplinter Review 
I don't see how bug 1225396 is related but here's a patch.

In addPendingCompileError we have to use AutoEnterOOMUnsafeRegion instead of MOZ_CRASH. We were also missing an OOM check in TraceLogger code.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8699443 - Flags: review?(jcoppeard)
No longer blocks: 1225396
Attachment #8699443 - Flags: review?(jcoppeard) → review+
https://hg.mozilla.org/mozilla-central/rev/a2af02211477
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox46: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
Blocks: 1265667
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: