Closed Bug 1240527 Opened 8 years ago Closed 8 years ago

Assertion failure: pdata, at js/src/vm/RegExpStatics.cpp:33 with OOM

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla46
Tracking Flags:
Tracking Status
firefox46 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

regexp.patch
1.08 KB, patch
nbp
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision 8cb42e7a16b4 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks):

offThreadCompileScript(`
 oomTest(() => "".search(/d/));
 fullcompartmentchecks(3);
`);
runOffThreadScript();



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000abb225 in resc_trace (trc=<optimized out>, obj=<optimized out>) at js/src/vm/RegExpStatics.cpp:33
#0  0x0000000000abb225 in resc_trace (trc=<optimized out>, obj=<optimized out>) at js/src/vm/RegExpStatics.cpp:33
#1  0x000000000094c0f1 in JSObject::traceChildren (this=0x7ffff7e7a070, trc=0x7fffffffd388) at js/src/jsobj.cpp:3861
#2  0x0000000000903b1a in js::gc::GCRuntime::checkForCompartmentMismatches (this=this@entry=0x7ffff695d420) at js/src/jsgc.cpp:3931
#3  0x00000000009235a5 in js::gc::GCRuntime::beginMarkPhase (this=this@entry=0x7ffff695d420, reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:3960
#4  0x0000000000925974 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff695d420, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6086
#5  0x0000000000926890 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff695d420, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6342
#6  0x0000000000926dc1 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff695d420, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6448
#7  0x0000000000926ff3 in js::gc::GCRuntime::gc (this=this@entry=0x7ffff695d420, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6506
#8  0x00000000008d3c1c in js::DestroyContext (cx=0x7ffff6907800, mode=js::DCM_FORCE_GC) at js/src/jscntxt.cpp:181
#9  0x00000000008d3e6e in JS_DestroyContext (cx=<optimized out>) at js/src/jsapi.cpp:580
#10 0x000000000047db9f in DestroyContext (withGC=true, cx=0x7ffff6907800) at js/src/shell/js.cpp:6089
#11 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6994
rax	0x0	0
rbx	0x0	0
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffd2d0	140737488343760
rsp	0x7fffffffd2c0	140737488343744
r8	0x7ffff7fe0780	140737354008448
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffd080	140737488343168
r11	0x7ffff6c27960	140737333328224
r12	0x7ffff7e7a070	140737352540272
r13	0x7fffffffd388	140737488343944
r14	0x4	4
r15	0x7fffffffd388	140737488343944
rip	0xabb225 <resc_trace(JSTracer*, JSObject*)+181>
=> 0xabb225 <resc_trace(JSTracer*, JSObject*)+181>:	movl   $0x21,0x0
   0xabb230 <resc_trace(JSTracer*, JSObject*)+192>:	callq  0x4a2e10 <abort()>
Attached patch regexp.patchSplinter Review 
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED

        Attachment #8709075 -
        Flags: review?(nicolas.b.pierron)

    
    

    
  
Comment on attachment 8709075 [details] [diff] [review]
regexp.patch

Review of attachment 8709075 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/vm/RegExpStatics.cpp
@@ +30,5 @@
>  resc_trace(JSTracer* trc, JSObject* obj)
>  {
>      void* pdata = obj->as<RegExpStaticsObject>().getPrivate();
> +    if (pdata)
> +        static_cast<RegExpStatics*>(pdata)->mark(trc);

I guess this case is possible if we OOM inside RegExpStatics::create, right?

        Attachment #8709075 -
        Flags: review?(nicolas.b.pierron) → review+

    
    

    
  
(In reply to Nicolas B. Pierron [:nbp] from comment #2)
> I guess this case is possible if we OOM inside RegExpStatics::create, right?

Yes indeed.

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/bdaf35f4626f
Status: ASSIGNED → RESOLVED
Closed: 8 years ago

          status-firefox46:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: