Closed Bug 1242812 Opened 4 years ago Closed 4 years ago

Assertion failure: (vec.resize(n * 2)), at js/src/jsarray.cpp:1910 with OOM

Categories

Product / Component: Core :: JavaScript Engine
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla47
Tracking Status:
firefox46 --- wontfix
firefox47 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 5f7c184ccd80 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks --ion-offthread-compile=off):

var lfcode = new Array();
oomTest(() => { let a = [2147483651]; [-1, 0, 1, 31, 32].sort(); });
Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000000000051d36a in js::array_sort (cx=0x7fe982f07000, argc=<optimized out>, vp=<optimized out>) at js/src/jsarray.cpp:1910
#1  0x0000000000a52a62 in js::CallJSNative (cx=0x7fe982f07000, native=0x51ae70 <js::array_sort(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#2  0x0000000000a4f5b7 in js::Invoke (cx=cx@entry=0x7fe982f07000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:475
#3  0x0000000000a3f7b2 in Interpret (cx=cx@entry=0x7fe982f07000, state=...) at js/src/vm/Interpreter.cpp:2798
#4  0x0000000000a4f348 in js::RunScript (cx=cx@entry=0x7fe982f07000, state=...) at js/src/vm/Interpreter.cpp:425
#5  0x0000000000a4f67c in js::Invoke (cx=cx@entry=0x7fe982f07000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:493
#6  0x0000000000a51039 in js::Invoke (cx=cx@entry=0x7fe982f07000, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:527
#7  0x00000000008e3154 in JS_CallFunction (cx=cx@entry=0x7fe982f07000, obj=..., fun=..., fun@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2848
#8  0x0000000000a6790b in OOMTest (cx=0x7fe982f07000, argc=<optimized out>, vp=0x7fe980e4e138) at js/src/builtin/TestingFunctions.cpp:1218
#9  0x0000000000a52a62 in js::CallJSNative (cx=0x7fe982f07000, native=0xa67550 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#21 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x5	5
rcx	0x7fe9832e588d	140640904960141
rdx	0x0	0
rsi	0x7fe9835ba9d0	140640907930064
rdi	0x7fe9835b91c0	140640907923904
rbp	0x7fff31d430e0	140734029377760
rsp	0x7fff31d42d60	140734029376864
r8	0x7fe98462a780	140640925165440
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fe9835b6be0	140640907914208
r11	0x0	0
r12	0x7fff31d42eb0	140734029377200
r13	0x7fe980e4e1c8	140640866591176
r14	0x7fe982f07000	140640900902912
r15	0x1	1
rip	0x51d36a <js::array_sort(JSContext*, unsigned int, JS::Value*)+9466>
=> 0x51d36a <js::array_sort(JSContext*, unsigned int, JS::Value*)+9466>:	movl   $0x776,0x0
   0x51d375 <js::array_sort(JSContext*, unsigned int, JS::Value*)+9477>:	callq  0x4a2d60 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781".
The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1
Not sure who to set needinfo? here. Morgan recently touched jsarray.cpp, so setting needinfo? as a start. Please feel free to pass this on if needed.
Flags: needinfo?(winter2718)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #3)
> Not sure who to set needinfo? here. Morgan recently touched jsarray.cpp, so
> setting needinfo? as a start. Please feel free to pass this on if needed.

I recently added a call into builtin/Array.js from the array_sort function in jsarray.cpp. Looking at my diff, I see that I removed a call to FastInvokeGuard: http://hg.mozilla.org/integration/mozilla-inbound/rev/1c4b0a89fd5b#l5.84

This could be our problem, I'm going to seek some advice and investigate.
Flags: needinfo?(winter2718)
This is a problem similar to the one addressed by mrrrgn's fix in bug 1238582.  We need to update the other vector methods that simulate OOM to check the vector's reserved size, if present.
Assignee: nobody → jcoppeard
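An added example, not SpiderMonkey's mozilla::Vector and not the patch in attachment 8717899, to illustrate the contract the comment above is about: once reserve(n) has succeeded, growth up to n is promised to be infallible, so a simulated-OOM hook that fires inside such a call breaks callers that wrap the call in MOZ_ALWAYS_TRUE (the vec.resize(n * 2) site in array_sort). The toy vector below has a single checking method used by every growing operation; with kRespectReserved = false it models the behaviour before the fix, with kRespectReserved = true it consults the reserved size first. The names ToyVector, SimulatedAllocFails, SortLikeCaller and CountInfallibleFailures are assumptions for this illustration, and the OOM driver only models the idea of oomTest() (fail the k-th allocation request), not its implementation.

```cpp
// Added example, not SpiderMonkey code. Toy vector with a reserve() contract
// and a simulated-OOM hook, driven the way oomTest() drives real code.
#include <cstddef>
#include <cstdio>
#include <vector>

// Simulated OOM: fail the gFailAt-th allocation request (0 = never fail).
// Models oomTest()'s idea, not its implementation (assumption).
static size_t gAllocCount = 0;
static size_t gFailAt = 0;

static void SetSimulatedOOM(size_t failAt) { gAllocCount = 0; gFailAt = failAt; }

static bool SimulatedAllocFails() {
    ++gAllocCount;
    return gFailAt != 0 && gAllocCount == gFailAt;
}

// kRespectReserved = false: simulated OOM ignores reserve() (the bug).
// kRespectReserved = true : growth within the reserved size never fails.
template <bool kRespectReserved>
class ToyVector {
    std::vector<int> mStorage;   // backing store; never fails in this toy
    size_t mLength = 0;
    size_t mReserved = 0;        // capacity promised by a successful reserve()

    // The one place every growing method asks "may this allocation fail?".
    bool simulatedOOMFor(size_t newLength) {
        if (kRespectReserved && newLength <= mReserved) {
            return false;        // inside the reserved range: must be infallible
        }
        return SimulatedAllocFails();
    }

public:
    bool reserve(size_t n) {
        if (n <= mReserved) return true;
        if (SimulatedAllocFails()) return false;   // reserve itself is fallible
        mStorage.reserve(n);
        mReserved = n;
        return true;
    }
    bool resize(size_t n) {
        if (n > mLength && simulatedOOMFor(n)) return false;
        mStorage.resize(n);
        mLength = n;
        if (n > mReserved) mReserved = n;
        return true;
    }
    bool append(int v) {
        if (simulatedOOMFor(mLength + 1)) return false;
        mStorage.push_back(v);
        ++mLength;
        if (mLength > mReserved) mReserved = mLength;
        return true;
    }
    size_t length() const { return mLength; }
};

// Caller pattern from array_sort: reserve up front (checked), then grow within
// the reserved range as if infallible. Returns 0 on success, 1 when reserve()
// reported OOM cleanly, 2 when the "infallible" resize failed (the condition
// MOZ_ALWAYS_TRUE(vec.resize(n * 2)) would assert on).
template <bool kRespectReserved>
static int SortLikeCaller(size_t n) {
    ToyVector<kRespectReserved> vec;
    if (!vec.reserve(n * 2)) return 1;
    if (!vec.resize(n * 2)) return 2;
    return 0;
}

// Run the caller with the simulated OOM placed at every allocation point, as
// oomTest() does, and count how often the infallible call failed.
template <bool kRespectReserved>
static int CountInfallibleFailures(size_t n) {
    int bad = 0;
    for (size_t failAt = 1; failAt <= 4; ++failAt) {
        SetSimulatedOOM(failAt);
        if (SortLikeCaller<kRespectReserved>(n) == 2) ++bad;
    }
    SetSimulatedOOM(0);
    return bad;
}

int main() {
    std::printf("infallible resize failures, OOM ignores reserve(): %d\n",
                CountInfallibleFailures<false>(5));   // 1: the bug
    std::printf("infallible resize failures, OOM respects reserve(): %d\n",
                CountInfallibleFailures<true>(5));    // 0: the fix
    return 0;
}
```

With the unfixed policy the second allocation point lands inside resize(), after reserve() has already succeeded, which is exactly where the assertion in this bug fires; with the reserved size consulted first, only reserve() can report OOM and the caller's error path handles it.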
Attachment #8717899 - Flags: review?(jwalden+bmo)
Comment on attachment 8717899 [details] [diff] [review]
bug1242812-vector-simulated-oom

Review of attachment 8717899 [details] [diff] [review]:
-----------------------------------------------------------------

Nice.  Thanks for cleaning up the slop in the previous work here, I should have seen this was a systemic problem requiring a systemic fix.  The encapsulation into a single checking method is quite nice.
Attachment #8717899 - Flags: review?(jwalden+bmo) → review+
https://hg.mozilla.org/mozilla-central/rev/426548283299
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
Too late for assertion fixes in 46.
Depends on: 1261308
No longer depends on: 1261308