Bug 1238577 (Closed) - Opened 8 years ago, closed 8 years ago

Crash [@ js::jit::AssertValidStringPtr] with OOM and ES6 Class

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical
Resolution: RESOLVED DUPLICATE of bug 1242279
Tracking Status: firefox45 --- fixed; firefox46 --- fixed; firefox-esr45 --- fixed
People: Reporter: decoder; Assignee: Unassigned
References: Blocks 1 open bug
Keywords: crash, regression, testcase
Whiteboard: [jsbugmon:update]

The following testcase crashes on mozilla-central revision 6020a4cb41a7 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-offthread-compile=off --ion-eager):

var lfcode = new Array();
lfcode.push("");
// oomTest (a SpiderMonkey shell builtin) runs the callback repeatedly,
// failing a different allocation on each iteration.
oomTest(() => new class {}({ thisprops : gc() && delete addDebuggee.enabled }));
// Array.prototype.shift on a dense array; with --ion-eager this is the
// Ion-compiled path through ArrayShiftDense discussed in the comments below.
for (var i = 0; i < 10000; ++i) {
  var file = lfcode.shift();
}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::jit::AssertValidStringPtr (cx=0x7ffff6907800, str=0x0) at js/src/jit/VMFunctions.cpp:1167
#0  js::jit::AssertValidStringPtr (cx=0x7ffff6907800, str=0x0) at js/src/jit/VMFunctions.cpp:1167
#1  0x00007ffff7fd30e0 in ?? ()
#2  0x0000000000000001 in ?? ()
#3  0x00007fffffffcd78 in ?? ()
#4  0x00007ffff6907800 in ?? ()
#5  0x0000000000000000 in ?? ()
rax	0x7ece40	8310336
rbx	0x0	0
rcx	0x7ffff6907800	140737330051072
rdx	0x0	0
rsi	0x0	0
rdi	0x7ffff6907800	140737330051072
rbp	0x7fffffffcd50	140737488342352
rsp	0x7fffffffcd20	140737488342304
r8	0xe6f46f	15135855
r9	0xe75d76	15162742
r10	0x7ffff3155750	140737271650128
r11	0x7ffff695d1e8	140737330401768
r12	0x7ffff6907800	140737330051072
r13	0x0	0
r14	0x204	516
r15	0x7ffff6907800	140737330051072
rip	0x7ece6b <js::jit::AssertValidStringPtr(JSContext*, JSString*)+43>
=> 0x7ece6b <js::jit::AssertValidStringPtr(JSContext*, JSString*)+43>:	mov    0xffff8(%r13),%rax
   0x7ece72 <js::jit::AssertValidStringPtr(JSContext*, JSString*)+50>:	cmp    %rax,(%rdi)


Marking s-s until investigated because the test uses GC and the crash indicates that a string pointer might be invalid (although it looks like 0x0 in the trace).
Eric, looks like it might be Class-related.
Flags: needinfo?(efaustbmo)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/d1b7ec38dedc
user:        Jan de Mooij
date:        Thu Jan 07 14:01:52 2016 +0100
summary:     Bug 1236546 - Don't deoptimize in ObjectGroup::defaultNewGroup when we have a null proto. r=bhackett

This iteration took 294.470 seconds to run.
NI? from bisection.
Flags: needinfo?(jdemooij)
JSBugMon is wrong; this is a much older TI OOM bug.

The TypeScript::Monitor call in ArrayShiftDense is not invalidating the script, because we lost a freeze constraint. I verified the patch in bug 1242279 fixes this.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jdemooij)
Flags: needinfo?(efaustbmo)
Resolution: --- → DUPLICATE
Group: javascript-core-security