Crash [@ js::jit::SnapshotIterator::maybeRead] with OOM

RESOLVED FIXED in Firefox 48

Status

()

defect
--
critical
RESOLVED FIXED
4 years ago
3 years ago

People

(Reporter: decoder, Assigned: nbp)

Tracking

(Blocks 2 bugs, {crash, regression, testcase})

Trunk
mozilla48
All
Linux
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox47 wontfix, firefox48 fixed)

Details

(Whiteboard: [jsbugmon:], crash signature)

Attachments

(1 attachment)

The following testcase crashes on mozilla-central revision b6acf4d4fc20 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --disable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager):

gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
var o = {}
Object.defineProperty(o, "p", {
    get: function() {
        return arguments.callee.caller.caller;
    }
});
function f() {
  function g() { 
    return o.p;
  }
  return g();
}
for (var k = 0; k < 2; k--) f("x");



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::jit::SnapshotIterator::maybeRead (this=this@entry=0xffffbe9c, a=..., fallback=...) at js/src/jit/JitFrames.cpp:1905
#0  js::jit::SnapshotIterator::maybeRead (this=this@entry=0xffffbe9c, a=..., fallback=...) at js/src/jit/JitFrames.cpp:1905
#1  0x0821c294 in js::jit::InlineFrameIterator::callee (this=this@entry=0xffffbfe4, fallback=...) at js/src/jit/JitFrames.cpp:2391
#2  0x08548a11 in js::FrameIter::callee (this=this@entry=0xffffbf80, cx=cx@entry=0xf7a75040) at js/src/vm/Stack.cpp:1099
#3  0x0838d43c in CallerGetterImpl (cx=cx@entry=0xf7a75040, args=...) at js/src/jsfun.cpp:264
#4  0x0838d613 in CallNonGenericMethod<IsFunction, CallerGetterImpl> (args=..., cx=0xf7a75040) at js/src/optarmsim/dist/include/js/CallNonGenericMethod.h:100
#5  CallerGetter (cx=0xf7a75040, argc=argc@entry=0, vp=vp@entry=0xf59fff18) at js/src/jsfun.cpp:296
#6  0x0834e09f in js::jit::Simulator::softwareInterrupt (this=0xf7a1c000, instr=0xf56fd7b4) at js/src/jit/arm/Simulator-arm.cpp:2339
#7  0x0834e5bd in js::jit::Simulator::decodeType7 (this=this@entry=0xf7a1c000, instr=instr@entry=0xf56fd7b4) at js/src/jit/arm/Simulator-arm.cpp:3482
[...]
#23 main (argc=5, argv=0xffffcc44, envp=0xffffcc5c) at js/src/shell/js.cpp:7250
eax	0x0	0
ebx	0x94993e4	155816932
ecx	0xf55c9c00	-178480128
edx	0xf55c9834	-178481100
esi	0xffffbe88	-16760
edi	0xffffbe9c	-16740
ebp	0xffffbe68	4294950504
esp	0xffffbe40	4294950464
eip	0x821c229 <js::jit::SnapshotIterator::maybeRead(js::jit::RValueAllocation const&, js::jit::MaybeReadFallback&)+217>
=> 0x821c229 <js::jit::SnapshotIterator::maybeRead(js::jit::RValueAllocation const&, js::jit::MaybeReadFallback&)+217>:	movl   $0x771,0x0
   0x821c233 <js::jit::SnapshotIterator::maybeRead(js::jit::RValueAllocation const&, js::jit::MaybeReadFallback&)+227>:	call   0x8090500 <abort()>
Flags: needinfo?(nicolas.b.pierron)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7f84fe59708a
user:        Nicolas B. Pierron
date:        Mon Dec 22 20:31:53 2014 +0100
summary:     Bug 1113940 - Disable the object metadata callback in order to avoid recover instructions re-entry. r=bhackett

(I had to use some tweaks to get this range w/an intermittent testcase, e.g. retrying 99 times with a timeout of 5 seconds):

time ~/funfuzz/autobisect-js/autoBisect.py -p "--fuzzing-safe --thread-count=2 --ion-eager 1254203.js" -b "--enable-debug --enable-more-deterministic --32 --enable-simulator=arm --enable-arm-simulator" -s dc4b163f7db7 -e f50a771d7d1b -k -i range 1 99 crashes --timeout=5

Nicolas, is bug 1113940 a likely regressor?
Blocks: 1113940
Assignee: nobody → nicolas.b.pierron
I am able to reproduce it on x86, and x64, and also without the arm simulator.
Hardware: ARM → All
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
> Nicolas, is bug 1113940 a likely regressor?

No, this location is an uncacthable oom at the moment, because handling it would have huge ripples in the JS engine.

I will mark it as such and replace the current MOZ_CRASH.
Attachment #8733454 - Flags: review?(jdemooij) → review+
Flags: needinfo?(nicolas.b.pierron)
https://hg.mozilla.org/mozilla-central/rev/553e7909bae1
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Patch converts a MOZ_CRASH to a crash that the fuzzers understand. No need to uplift. WONTFIX 47.
You need to log in before you can comment on or make changes to this bug.