Closed Bug 1232676 Opened 10 years ago Closed 10 years ago

Crash [@ js::ExclusiveContext::addPendingCompileError] with OOM

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla46
Tracking Flags:
Tracking Status
firefox46 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

Patch
2.03 KB, patch
jonco
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision 749f9328dd76 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2): oomTest(() => { offThreadCompileScript("function a(x) {"); runOffThreadScript(); }); Backtrace: Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7ffff5cc3700 (LWP 41702)] 0x0000000000a10d68 in js::ExclusiveContext::addPendingCompileError (this=0x7ffff45028b0) at js/src/vm/HelperThreads.cpp:1342 #0 0x0000000000a10d68 in js::ExclusiveContext::addPendingCompileError (this=0x7ffff45028b0) at js/src/vm/HelperThreads.cpp:1342 #1 0x0000000000bc0425 in js::frontend::TokenStream::reportCompileErrorNumberVA (this=0x7ffff5cc1ec0, offset=14, flags=0, errorNumber=164, args=0x7ffff5cc0fc8) at js/src/frontend/TokenStream.cpp:620 #2 0x00000000004e3bc7 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::report (this=this@entry=0x7ffff5cc1e90, kind=kind@entry=js::frontend::ParseError, strict=strict@entry=false, pn=pn@entry=js::frontend::SyntaxParseHandler::NodeFailure, errorNumber=<optimized out>) at js/src/frontend/Parser.cpp:599 #3 0x00000000004f76d6 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::functionArgsAndBodyGeneric (this=this@entry=0x7ffff5cc1e90, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, pn=pn@entry=js::frontend::SyntaxParseHandler::NodeGeneric, fun=..., fun@entry=..., kind=kind@entry=js::frontend::Statement) at js/src/frontend/Parser.cpp:2977 #4 0x00000000004d72a5 in js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBody (this=this@entry=0x7ffff5cc23e0, inHandling=inHandling@entry=js::frontend::InAllowed, pn=0x7ffff3c60058, fun=..., fun@entry=..., kind=kind@entry=js::frontend::Statement, generatorKind=generatorKind@entry=js::NotGenerator, inheritedDirectives=..., newDirectives=newDirectives@entry=0x7ffff5cc1600) at js/src/frontend/Parser.cpp:2766 #5 0x00000000004ffdda in js::frontend::Parser<js::frontend::FullParseHandler>::functionDef (this=this@entry=0x7ffff5cc23e0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, funName=..., funName@entry=..., kind=kind@entry=js::frontend::Statement, generatorKind=generatorKind@entry=js::NotGenerator, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:2634 #6 0x00000000005000a9 in js::frontend::Parser<js::frontend::FullParseHandler>::functionStmt (this=this@entry=0x7ffff5cc23e0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, defaultHandling=defaultHandling@entry=js::frontend::NameRequired) at js/src/frontend/Parser.cpp:3083 #7 0x00000000004fec3d in js::frontend::Parser<js::frontend::FullParseHandler>::statement (this=this@entry=0x7ffff5cc23e0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, canHaveDirectives=<optimized out>) at js/src/frontend/Parser.cpp:6908 #8 0x00000000004ff141 in js::frontend::Parser<js::frontend::FullParseHandler>::statements (this=this@entry=0x7ffff5cc23e0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3306 #9 0x00000000004d68ba in js::frontend::Parser<js::frontend::FullParseHandler>::globalBody (this=this@entry=0x7ffff5cc23e0) at js/src/frontend/Parser.cpp:1055 #10 0x0000000000b9f778 in BytecodeCompiler::compileScript (this=this@entry=0x7ffff5cc1d70, scopeChain=..., scopeChain@entry=..., evalCaller=evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:527 #11 0x0000000000b9fdeb in js::frontend::CompileScript (cx=cx@entry=0x7ffff45028b0, alloc=alloc@entry=0x7ffff46d77c8, scopeChain=scopeChain@entry=..., enclosingStaticScope=..., enclosingStaticScope@entry=..., evalCaller=evalCaller@entry=..., options=..., srcBuf=..., source_=source_@entry=0x0, extraSct=extraSct@entry=0x0, sourceObjectOut=sourceObjectOut@entry=0x7ffff46d7838) at js/src/frontend/BytecodeCompiler.cpp:738 #12 0x0000000000a12547 in js::HelperThread::handleParseWorkload (this=this@entry=0x7ffff6933800) at js/src/vm/HelperThreads.cpp:1388 #13 0x0000000000a13b0e in js::HelperThread::threadLoop (this=0x7ffff6933800) at js/src/vm/HelperThreads.cpp:1584 #14 0x0000000000a94ee1 in nspr::Thread::ThreadRoutine (arg=0x7ffff692e160) at js/src/vm/PosixNSPR.cpp:45 #15 0x00007ffff7bc4182 in start_thread (arg=0x7ffff5cc3700) at pthread_create.c:312 #16 0x00007ffff6cb3fbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111 rax 0x0 0 rbx 0x7ffff5cc0ac0 140737317178048 rcx 0x7ffff6ca53cd 140737333842893 rdx 0x0 0 rsi 0x7ffff6f7a9d0 140737336814032 rdi 0x7ffff6f791c0 140737336807872 rbp 0x7ffff5cc09e0 140737317177824 rsp 0x7ffff5cc09a0 140737317177760 r8 0x7ffff5cc3700 140737317189376 r9 0x6372732f736a2f6c 7165916604736876396 r10 0x7ffff5cc0760 140737317177184 r11 0x7ffff6c27960 140737333328224 r12 0x7ffff45028b0 140737292282032 r13 0xa4 164 r14 0x7ffff5cc1ec0 140737317183168 r15 0x0 0 rip 0xa10d68 <js::ExclusiveContext::addPendingCompileError()+536> => 0xa10d68 <js::ExclusiveContext::addPendingCompileError()+536>: movl $0x53e,0x0 0xa10d73 <js::ExclusiveContext::addPendingCompileError()+547>: callq 0x4a3db0 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/de72e2291ae8 user: Jan de Mooij date: Wed Dec 09 22:55:50 2015 -0500 summary: Bug 1225396 part 3 - Make %GeneratorPrototype% inherit from %IteratorPrototype%. r=jorendorff This iteration took 276.877 seconds to run.
Jan, is bug 1225396 a likely regressor?
Blocks: 1225396
Flags: needinfo?(jdemooij)
Attached patch PatchSplinter Review
I don't see how bug 1225396 is related but here's a patch. In addPendingCompileError we have to use AutoEnterOOMUnsafeRegion instead of MOZ_CRASH. We were also missing an OOM check in TraceLogger code.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8699443 - Flags: review?(jcoppeard)
No longer blocks: 1225396
Attachment #8699443 - Flags: review?(jcoppeard) → review+
https://hg.mozilla.org/mozilla-central/rev/a2af02211477
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox46: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
Blocks: 1265667
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: