Crash [@ EncodeLatin1] with OOM

RESOLVED FIXED in Firefox 48

Status


critical
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: decoder, Assigned: jonco)

Tracking

(Blocks: 2 bugs, {crash, regression, testcase})

Trunk
mozilla48
x86_64
Linux
crash, regression, testcase

Firefox Tracking Flags

(firefox47 wontfix, firefox48 fixed)

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
The following testcase crashes on mozilla-central revision e15383656900 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

for (lfLocal in this)
  toPrimitive = Date.prototype[Symbol.toPrimitive];  // no braces: only this statement is the loop body
  assertThrowsInstanceOf(() =>  0);
  obj = {};
  oomAfterAllocations(10);  // shell testing function: allocations start failing after 10 more succeed
  assertThrowsInstanceOf(() => toPrimitive.call(obj, "boolean"));  // "boolean" is not a valid hint; the TypeError path then runs into OOM and crashes
function assertThrowsInstanceOf(f) {
  f();
}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
EncodeLatin1 (cx=cx@entry=0x7ffff6907800, str=str@entry=0x0) at js/src/jsapi.cpp:5059
#0  EncodeLatin1 (cx=cx@entry=0x7ffff6907800, str=str@entry=0x0) at js/src/jsapi.cpp:5059
#1  0x00000000008b44f6 in JS_EncodeString (cx=cx@entry=0x7ffff6907800, str=0x0) at js/src/jsapi.cpp:5085
#2  0x00000000008f9b0b in encodeLatin1 (this=<optimized out>, str=<optimized out>, cx=<optimized out>) at js/src/jsapi.h:4626
#3  js::ValueToSourceForError (cx=cx@entry=0x7ffff6907800, val=..., bytes=...) at js/src/jsexn.cpp:1059
#4  0x00000000008b9915 in JS::GetFirstArgumentAsTypeHint (cx=cx@entry=0x7ffff6907800, args=..., result=result@entry=0x7fffffffaf40) at js/src/jsapi.cpp:1690
#5  0x00000000008f3571 in date_toPrimitive (cx=0x7ffff6907800, argc=1, vp=0x7ffff45b1198) at js/src/jsdate.cpp:2999
#6  0x0000000000ac0722 in js::CallJSNative (cx=0x7ffff6907800, native=0x8f34f0 <date_toPrimitive(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#7  0x0000000000ab9a71 in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:478
#8  0x00000000008fa49b in js::fun_call (cx=0x7ffff6907800, argc=<optimized out>, vp=0x7ffff45b1198) at js/src/jsfun.cpp:1205
#9  0x0000000000ac0722 in js::CallJSNative (cx=0x7ffff6907800, native=0x8fa3f0 <js::fun_call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#41 0x0000000000000000 in ?? ()
rax	0x7ffff695d000	140737330401280
rbx	0x7ffff6907800	140737330051072
rcx	0x7ffff7dd5320	140737351865120
rdx	0x7ffff7fdfad0	140737354005200
rsi	0x0	0
rdi	0x7ffff6907800	140737330051072
rbp	0x7fffffffad00	140737488334080
rsp	0x7fffffffac30	140737488333872
r8	0x14	20
r9	0x7ffff6a002f8	140737331069688
r10	0x1	1
r11	0x2	2
r12	0x7fffffffad10	140737488334096
r13	0x7ffff6907800	140737330051072
r14	0x0	0
r15	0x7ffff45b11a8	140737292997032
rip	0x8b425a <EncodeLatin1(js::ExclusiveContext*, JSString*)+26>
=> 0x8b425a <EncodeLatin1(js::ExclusiveContext*, JSString*)+26>:	testb  $0x3f,(%rsi)
   0x8b425d <EncodeLatin1(js::ExclusiveContext*, JSString*)+29>:	jne    0x8b4368 <EncodeLatin1(js::ExclusiveContext*, JSString*)+296>

Updated

3 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1

3 years ago
JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a0dd5a83ba36
user:        Jan de Mooij
date:        Thu Jul 24 11:56:43 2014 +0200
summary:     Bug 1031529 part 2 - Remove JS_THREADSAFE #ifdefs everywhere. r=bhackett

changeset:   https://hg.mozilla.org/mozilla-central/rev/6426fef52f51
user:        Jan de Mooij
date:        Thu Jul 24 11:56:45 2014 +0200
summary:     Bug 1031529 part 3 - Step defining JS_THREADSAFE, remove --disable-threadsafe. r=glandium

This iteration took 141.402 seconds to run.
This regression window is probably not accurate as it should probably hail from prior to that.

Setting needinfo? from Jon for this OOM bug as a fallback.
Flags: needinfo?(jcoppeard)
(Assignee)

Comment 3

3 years ago
Created attachment 8727347 [details] [diff] [review]
bug1253124-source-oom

Patch to check returned pointers in a couple of places.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8727347 - Flags: review?(jdemooij)
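Editor's added example (not the attached patch and not SpiderMonkey code): the backtrace in the description shows JS_EncodeString being called with str=0x0 from the error-reporting path, i.e. an earlier fallible string allocation returned null under OOM and the pointer went straight into EncodeLatin1, which dereferences it. The C++ below models that with constructed stand-ins (FakeString, OomInjector, valueToSource, encodeLatin1, describeArg*), shows the unchecked path beside the checked one, and sweeps allocation budgets the way oomAfterAllocations-style fuzzing does. All names are assumptions chosen for the illustration.

```cpp
// Added illustration, not SpiderMonkey code: a fallible allocation whose
// result is passed unchecked into a routine that dereferences it turns an
// OOM into a null-pointer crash; the fix is to check the pointer and
// propagate the failure. Every name below is a constructed stand-in.
#include <cstdio>
#include <memory>
#include <string>

enum class Outcome { Ok, OomPropagated, NullDeref };

// Stand-in for an engine string object.
struct FakeString {
    std::string chars;
};

// Fault injector modelled on the shell's oomAfterAllocations(N): the first
// `budget` allocations succeed, every later one fails. budget < 0 never fails.
struct OomInjector {
    int budget;
    bool allow() {
        if (budget < 0) return true;
        if (budget == 0) return false;
        --budget;
        return true;
    }
};

// Stand-in for a ValueToSource-style routine: returns null when it cannot
// allocate, which is the contract the real engine function has.
std::unique_ptr<FakeString> valueToSource(OomInjector& oom, const std::string& v) {
    if (!oom.allow()) return nullptr;            // simulated OOM
    return std::unique_ptr<FakeString>(new FakeString{"\"" + v + "\""});
}

// Stand-in for EncodeLatin1: its precondition is a non-null string. The real
// function dereferences `str` immediately (the faulting `testb (%rsi)` with
// rsi == 0 in the backtrace); here the violation is reported instead of crashing.
Outcome encodeLatin1(const FakeString* str, std::string& out) {
    if (str == nullptr) return Outcome::NullDeref;  // would be SIGSEGV for real
    out = str->chars;
    return Outcome::Ok;
}

// BEFORE: the error-reporting path hands the result straight to the encoder.
Outcome describeArgUnchecked(OomInjector& oom, const std::string& arg, std::string& out) {
    std::unique_ptr<FakeString> src = valueToSource(oom, arg);
    return encodeLatin1(src.get(), out);
}

// AFTER: check the returned pointer and fail cleanly. The OOM was already
// reported where the allocation failed, so the caller only needs to see failure.
Outcome describeArgChecked(OomInjector& oom, const std::string& arg, std::string& out) {
    std::unique_ptr<FakeString> src = valueToSource(oom, arg);
    if (!src) return Outcome::OomPropagated;
    return encodeLatin1(src.get(), out);
}

// Run one variant with a given allocation budget.
Outcome runWithBudget(bool checked, int budget) {
    OomInjector oom{budget};
    std::string out;
    return checked ? describeArgChecked(oom, "obj", out)
                   : describeArgUnchecked(oom, "obj", out);
}

// OOM sweep as a fuzzer or test harness does it: try every budget from 0 to
// maxBudget and count how many of them reach the null dereference.
int countNullDerefs(bool checked, int maxBudget) {
    int hits = 0;
    for (int b = 0; b <= maxBudget; ++b)
        if (runWithBudget(checked, b) == Outcome::NullDeref) ++hits;
    return hits;
}

int main() {
    std::printf("unchecked, budget 0: %s\n",
                runWithBudget(false, 0) == Outcome::NullDeref ? "null deref" : "ok");
    std::printf("checked,   budget 0: %s\n",
                runWithBudget(true, 0) == Outcome::OomPropagated ? "OOM propagated" : "ok");
    std::printf("null derefs over budgets 0..5: unchecked=%d checked=%d\n",
                countNullDerefs(false, 5), countNullDerefs(true, 5));
    return 0;
}
```

The sweep is the useful part for reviewers of OOM fixes: a single budget that makes the unchecked variant fail is exactly the kind of case a fuzzer with oomAfterAllocations finds, and the checked variant should report zero null dereferences across the whole range, not just at one count.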

Updated

3 years ago
Attachment #8727347 - Flags: review?(jdemooij) → review+

Comment 5

3 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/7e3fc275d763
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox48: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48

Comment 6

3 years ago
Decoder, could you please verify this issue is fixed as expected on a latest Nightly build? Thanks!
Flags: needinfo?(choller)

Comment 7

3 years ago
Hi Jonco, Jandem: Should we consider uplifting this to Aurora47? Is it low risk enough to do that?
Flags: needinfo?(jdemooij)
Flags: needinfo?(jcoppeard)

Comment 8

3 years ago
Just noticed the whiteboard tag, removing NI as the verification ought to happen automatically.
Flags: needinfo?(choller)
(Assignee)

Comment 9

3 years ago
(In reply to Ritu Kothari (:ritu) from comment #7)
Yes, let's do it.
Flags: needinfo?(jdemooij)
Flags: needinfo?(jcoppeard)
(Assignee)

Comment 10

3 years ago
(In reply to Jon Coppeard (:jonco) from comment #9)
Although TBH, it's not that likely that this will be hit in practice.  Did you have a particular reason for wanting to uplift this?
Flags: needinfo?(rkothari)
(In reply to Jon Coppeard (:jonco) from comment #10)
> (In reply to Jon Coppeard (:jonco) from comment #9)
> Although TBH, there's not that likely that this will be hit in practice. 
> Did you have a particular reason for wanting to uplift this?

Mainly since it was tagged as a crash. But if the likelihood of hitting this crash is very low and the risk associated with the fix is medium/high, we can just let it ride the trains. It seems to me like you are leaning towards doing that and it sounds like a good idea to me.
Flags: needinfo?(rkothari)

Updated

3 years ago
status-firefox47: affected → wontfix