Closed Bug 1238577 Opened 9 years ago Closed 9 years ago

Crash [@ js::jit::AssertValidStringPtr] with OOM and ES6 Class

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1242279
Tracking Status
firefox45 --- fixed
firefox46 --- fixed
firefox-esr45 --- fixed

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

The following testcase crashes on mozilla-central revision 6020a4cb41a7 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-offthread-compile=off --ion-eager):

var lfcode = new Array();
lfcode.push("");
oomTest(() => new class {}({ thisprops : gc() && delete addDebuggee.enabled }));
for (var i = 0; i < 10000; ++i) {
  var file = lfcode.shift();
}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::jit::AssertValidStringPtr (cx=0x7ffff6907800, str=0x0) at js/src/jit/VMFunctions.cpp:1167
#0  js::jit::AssertValidStringPtr (cx=0x7ffff6907800, str=0x0) at js/src/jit/VMFunctions.cpp:1167
#1  0x00007ffff7fd30e0 in ?? ()
#2  0x0000000000000001 in ?? ()
#3  0x00007fffffffcd78 in ?? ()
#4  0x00007ffff6907800 in ?? ()
#5  0x0000000000000000 in ?? ()

rax            0x7ece40            8310336
rbx            0x0                 0
rcx            0x7ffff6907800      140737330051072
rdx            0x0                 0
rsi            0x0                 0
rdi            0x7ffff6907800      140737330051072
rbp            0x7fffffffcd50      140737488342352
rsp            0x7fffffffcd20      140737488342304
r8             0xe6f46f            15135855
r9             0xe75d76            15162742
r10            0x7ffff3155750      140737271650128
r11            0x7ffff695d1e8      140737330401768
r12            0x7ffff6907800      140737330051072
r13            0x0                 0
r14            0x204               516
r15            0x7ffff6907800      140737330051072
rip            0x7ece6b <js::jit::AssertValidStringPtr(JSContext*, JSString*)+43>

=> 0x7ece6b <js::jit::AssertValidStringPtr(JSContext*, JSString*)+43>:  mov    0xffff8(%r13),%rax
   0x7ece72 <js::jit::AssertValidStringPtr(JSContext*, JSString*)+50>:  cmp    %rax,(%rdi)

Marking s-s until investigated because the test uses GC and the crash indicates that a string pointer might be invalid (although it looks like 0x0 in the trace).
Eric, looks like it might be Class related.
Flags: needinfo?(efaustbmo)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/d1b7ec38dedc
user:        Jan de Mooij
date:        Thu Jan 07 14:01:52 2016 +0100
summary:     Bug 1236546 - Don't deoptimize in ObjectGroup::defaultNewGroup when we have a null proto. r=bhackett

This iteration took 294.470 seconds to run.
NI? from bisection.
Flags: needinfo?(jdemooij)
JSBugMon is wrong; this is a much older TI OOM bug. The TypeScript::Monitor call in ArrayShiftDense is not invalidating the script, because we lost a freeze constraint. I verified the patch in bug 1242279 fixes this.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jdemooij)
Flags: needinfo?(efaustbmo)
Resolution: --- → DUPLICATE
Group: javascript-core-security