Closed
Bug 1253124
Opened 9 years ago
Closed 9 years ago
Crash [@ EncodeLatin1] with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla48
People
(Reporter: decoder, Assigned: jonco)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(1 file)
2.24 KB, patch | jandem: review+ | Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision e15383656900 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):
for (lfLocal in this)
toPrimitive = Date.prototype[Symbol.toPrimitive];
assertThrowsInstanceOf(() => 0);
obj = {};
oomAfterAllocations(10);
assertThrowsInstanceOf(() => toPrimitive.call(obj, "boolean"));
function assertThrowsInstanceOf(f) {
f();
}
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
EncodeLatin1 (cx=cx@entry=0x7ffff6907800, str=str@entry=0x0) at js/src/jsapi.cpp:5059
#0 EncodeLatin1 (cx=cx@entry=0x7ffff6907800, str=str@entry=0x0) at js/src/jsapi.cpp:5059
#1 0x00000000008b44f6 in JS_EncodeString (cx=cx@entry=0x7ffff6907800, str=0x0) at js/src/jsapi.cpp:5085
#2 0x00000000008f9b0b in encodeLatin1 (this=<optimized out>, str=<optimized out>, cx=<optimized out>) at js/src/jsapi.h:4626
#3 js::ValueToSourceForError (cx=cx@entry=0x7ffff6907800, val=..., bytes=...) at js/src/jsexn.cpp:1059
#4 0x00000000008b9915 in JS::GetFirstArgumentAsTypeHint (cx=cx@entry=0x7ffff6907800, args=..., result=result@entry=0x7fffffffaf40) at js/src/jsapi.cpp:1690
#5 0x00000000008f3571 in date_toPrimitive (cx=0x7ffff6907800, argc=1, vp=0x7ffff45b1198) at js/src/jsdate.cpp:2999
#6 0x0000000000ac0722 in js::CallJSNative (cx=0x7ffff6907800, native=0x8f34f0 <date_toPrimitive(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#7 0x0000000000ab9a71 in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:478
#8 0x00000000008fa49b in js::fun_call (cx=0x7ffff6907800, argc=<optimized out>, vp=0x7ffff45b1198) at js/src/jsfun.cpp:1205
#9 0x0000000000ac0722 in js::CallJSNative (cx=0x7ffff6907800, native=0x8fa3f0 <js::fun_call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#41 0x0000000000000000 in ?? ()
rax 0x7ffff695d000 140737330401280
rbx 0x7ffff6907800 140737330051072
rcx 0x7ffff7dd5320 140737351865120
rdx 0x7ffff7fdfad0 140737354005200
rsi 0x0 0
rdi 0x7ffff6907800 140737330051072
rbp 0x7fffffffad00 140737488334080
rsp 0x7fffffffac30 140737488333872
r8 0x14 20
r9 0x7ffff6a002f8 140737331069688
r10 0x1 1
r11 0x2 2
r12 0x7fffffffad10 140737488334096
r13 0x7ffff6907800 140737330051072
r14 0x0 0
r15 0x7ffff45b11a8 140737292997032
rip 0x8b425a <EncodeLatin1(js::ExclusiveContext*, JSString*)+26>
=> 0x8b425a <EncodeLatin1(js::ExclusiveContext*, JSString*)+26>: testb $0x3f,(%rsi)
0x8b425d <EncodeLatin1(js::ExclusiveContext*, JSString*)+29>: jne 0x8b4368 <EncodeLatin1(js::ExclusiveContext*, JSString*)+296>
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•9 years ago
JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset: https://hg.mozilla.org/mozilla-central/rev/a0dd5a83ba36
user: Jan de Mooij
date: Thu Jul 24 11:56:43 2014 +0200
summary: Bug 1031529 part 2 - Remove JS_THREADSAFE #ifdefs everywhere. r=bhackett
changeset: https://hg.mozilla.org/mozilla-central/rev/6426fef52f51
user: Jan de Mooij
date: Thu Jul 24 11:56:45 2014 +0200
summary: Bug 1031529 part 3 - Step defining JS_THREADSAFE, remove --disable-threadsafe. r=glandium
This iteration took 141.402 seconds to run.
This regression window is probably not accurate as it should probably hail from prior to that.
Setting needinfo? from Jon for this OOM bug as a fallback.
Flags: needinfo?(jcoppeard)
Comment 3•9 years ago
Patch to check returned pointers in a couple of places.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8727347 -
Flags: review?(jdemooij)
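The failure mode in the backtrace above (a null JSString* reaching EncodeLatin1 after an allocation failed) and the fix described in comment 3 (checking returned pointers), modelled as an added example. This is not SpiderMonkey code: FakeContext, FakeString, valueToSource, encodeLatin1, describeValueUnchecked and describeValueChecked are stand-ins that assume an allocator which can be told to fail after N allocations, the way oomAfterAllocations(N) does in the test case.

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <string>

// Stand-in for a JSContext whose allocator fails after N allocations,
// mirroring oomAfterAllocations(N) in the test case. (Hypothetical.)
struct FakeContext {
    int allocationsUntilOOM = -1;  // -1 means never fail
    bool oomReported = false;

    void* allocate(std::size_t n) {
        if (allocationsUntilOOM == 0) {
            oomReported = true;  // a real engine reports OOM on the context here
            return nullptr;
        }
        if (allocationsUntilOOM > 0) --allocationsUntilOOM;
        return std::malloc(n);
    }
};

// Minimal heap string standing in for JSString. (Hypothetical.)
struct FakeString {
    char* chars;
    std::size_t length;
};

// Fallible conversion standing in for the ToString step inside
// ValueToSourceForError: returns nullptr when the context is out of memory.
FakeString* valueToSource(FakeContext& cx, const std::string& value) {
    auto* str = static_cast<FakeString*>(cx.allocate(sizeof(FakeString)));
    if (!str) return nullptr;
    str->chars = static_cast<char*>(cx.allocate(value.size() + 1));
    if (!str->chars) {
        std::free(str);
        return nullptr;
    }
    std::memcpy(str->chars, value.c_str(), value.size() + 1);
    str->length = value.size();
    return str;
}

// Encoder with the same precondition as EncodeLatin1: str must be non-null.
// It reads through str immediately, which is the `testb $0x3f,(%rsi)` with
// rsi == 0 shown in the register dump above.
char* encodeLatin1(FakeContext& cx, FakeString* str) {
    char* out = static_cast<char*>(cx.allocate(str->length + 1));
    if (!out) return nullptr;
    std::memcpy(out, str->chars, str->length + 1);
    return out;
}

void freeString(FakeString* str) {
    if (!str) return;
    std::free(str->chars);
    std::free(str);
}

// Before: the result of the fallible conversion is forwarded unchecked.
// Under OOM, valueToSource() returns nullptr and encodeLatin1() dereferences it.
char* describeValueUnchecked(FakeContext& cx, const std::string& value) {
    FakeString* str = valueToSource(cx, value);
    char* bytes = encodeLatin1(cx, str);  // null dereference when str == nullptr
    freeString(str);
    return bytes;
}

// After: every fallible step is checked and the failure is propagated, so the
// caller sees `false` (a pending OOM exception in the engine) instead of SIGSEGV.
bool describeValueChecked(FakeContext& cx, const std::string& value, std::string& out) {
    FakeString* str = valueToSource(cx, value);
    if (!str) return false;
    char* bytes = encodeLatin1(cx, str);
    freeString(str);
    if (!bytes) return false;
    out = bytes;
    std::free(bytes);
    return true;
}
```

The checked variant fails cleanly whether the OOM hits the conversion (first two allocations) or the encoder's own output buffer (third allocation); the unchecked variant only behaves when no allocation fails, which is why the test case needs oomAfterAllocations() to reach the crash.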
Updated•9 years ago
Attachment #8727347 -
Flags: review?(jdemooij) → review+
Comment 5•9 years ago
bugherder
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox48:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Decoder, could you please verify this issue is fixed as expected on a latest Nightly build? Thanks!
Flags: needinfo?(choller)
Hi Jonco, Jandem: Should we consider uplifting this to Aurora47? Is it low risk enough to do that?
Flags: needinfo?(jdemooij)
Flags: needinfo?(jcoppeard)
Just noticed the whiteboard tag, removing NI as the verification ought to happen automatically.
Flags: needinfo?(choller)
Comment 9•9 years ago
(In reply to Ritu Kothari (:ritu) from comment #7)
Yes, let's do it.
Flags: needinfo?(jdemooij)
Flags: needinfo?(jcoppeard)
Comment 10•9 years ago
(In reply to Jon Coppeard (:jonco) from comment #9)
Although TBH, it's not that likely that this will be hit in practice. Did you have a particular reason for wanting to uplift this?
Flags: needinfo?(rkothari)
(In reply to Jon Coppeard (:jonco) from comment #10)
> (In reply to Jon Coppeard (:jonco) from comment #9)
> Although TBH, there's not that likely that this will be hit in practice.
> Did you have a particular reason for wanting to uplift this?
Mainly since it was tagged as a crash. But if the likelihood of hitting this crash is very low and the risk associated with the fix is medium/high, we can just let it ride the trains. It seems to me like you are leaning towards doing that and it sounds like a good idea to me.
Flags: needinfo?(rkothari)