Bug 1254203 - Crash [@ js::jit::SnapshotIterator::maybeRead] with OOM
Status: Closed, RESOLVED FIXED
Opened 9 years ago, closed 9 years ago
Categories: Core :: JavaScript Engine, defect
Target Milestone: mozilla48
People: Reporter: decoder, Assigned: nbp
Keywords: crash, regression, testcase; Whiteboard: [jsbugmon:]
Attachments (1 file): patch, 1.20 KB, jandem: review+
The following testcase crashes on mozilla-central revision b6acf4d4fc20 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --disable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager):
// Cap the GC heap just above its current size so that the loop below runs out of memory.
gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
var o = {};
Object.defineProperty(o, "p", {
    // Walking the caller chain makes the engine materialize the callee of the
    // inlined frames (CallerGetter -> FrameIter::callee -> SnapshotIterator in the backtrace).
    get: function() {
        return arguments.callee.caller.caller;
    }
});
function f() {
    function g() {
        return o.p;
    }
    return g();
}
// k is decremented, so the condition k < 2 never fails: the loop runs until the OOM limit is hit.
for (var k = 0; k < 2; k--) f("x");
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
js::jit::SnapshotIterator::maybeRead (this=this@entry=0xffffbe9c, a=..., fallback=...) at js/src/jit/JitFrames.cpp:1905
#0 js::jit::SnapshotIterator::maybeRead (this=this@entry=0xffffbe9c, a=..., fallback=...) at js/src/jit/JitFrames.cpp:1905
#1 0x0821c294 in js::jit::InlineFrameIterator::callee (this=this@entry=0xffffbfe4, fallback=...) at js/src/jit/JitFrames.cpp:2391
#2 0x08548a11 in js::FrameIter::callee (this=this@entry=0xffffbf80, cx=cx@entry=0xf7a75040) at js/src/vm/Stack.cpp:1099
#3 0x0838d43c in CallerGetterImpl (cx=cx@entry=0xf7a75040, args=...) at js/src/jsfun.cpp:264
#4 0x0838d613 in CallNonGenericMethod<IsFunction, CallerGetterImpl> (args=..., cx=0xf7a75040) at js/src/optarmsim/dist/include/js/CallNonGenericMethod.h:100
#5 CallerGetter (cx=0xf7a75040, argc=argc@entry=0, vp=vp@entry=0xf59fff18) at js/src/jsfun.cpp:296
#6 0x0834e09f in js::jit::Simulator::softwareInterrupt (this=0xf7a1c000, instr=0xf56fd7b4) at js/src/jit/arm/Simulator-arm.cpp:2339
#7 0x0834e5bd in js::jit::Simulator::decodeType7 (this=this@entry=0xf7a1c000, instr=instr@entry=0xf56fd7b4) at js/src/jit/arm/Simulator-arm.cpp:3482
[...]
#23 main (argc=5, argv=0xffffcc44, envp=0xffffcc5c) at js/src/shell/js.cpp:7250
eax 0x0 0
ebx 0x94993e4 155816932
ecx 0xf55c9c00 -178480128
edx 0xf55c9834 -178481100
esi 0xffffbe88 -16760
edi 0xffffbe9c -16740
ebp 0xffffbe68 4294950504
esp 0xffffbe40 4294950464
eip 0x821c229 <js::jit::SnapshotIterator::maybeRead(js::jit::RValueAllocation const&, js::jit::MaybeReadFallback&)+217>
=> 0x821c229 <js::jit::SnapshotIterator::maybeRead(js::jit::RValueAllocation const&, js::jit::MaybeReadFallback&)+217>: movl $0x771,0x0
0x821c233 <js::jit::SnapshotIterator::maybeRead(js::jit::RValueAllocation const&, js::jit::MaybeReadFallback&)+227>: call 0x8090500 <abort()>
Updated•9 years ago
Flags: needinfo?(nicolas.b.pierron)
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Comment 1•9 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Updated•9 years ago
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Comment 2•9 years ago
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/7f84fe59708a
user: Nicolas B. Pierron
date: Mon Dec 22 20:31:53 2014 +0100
summary: Bug 1113940 - Disable the object metadata callback in order to avoid recover instructions re-entry. r=bhackett
(I had to use some tweaks to get this range w/an intermittent testcase, e.g. retrying 99 times with a timeout of 5 seconds):
time ~/funfuzz/autobisect-js/autoBisect.py -p "--fuzzing-safe --thread-count=2 --ion-eager 1254203.js" -b "--enable-debug --enable-more-deterministic --32 --enable-simulator=arm --enable-arm-simulator" -s dc4b163f7db7 -e f50a771d7d1b -k -i range 1 99 crashes --timeout=5
Nicolas, is bug 1113940 a likely regressor?
Blocks: 1113940
Updated•9 years ago
Assignee: nobody → nicolas.b.pierron
Comment 3•9 years ago
I am able to reproduce it on x86, and x64, and also without the arm simulator.
Hardware: ARM → All
Comment 4•9 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
> Nicolas, is bug 1113940 a likely regressor?
No, this location is an uncatchable oom at the moment, because handling it would have huge ripples in the JS engine.
I will mark it as such and replace the current MOZ_CRASH.
Comment 5•9 years ago
Attachment #8733454 - Flags: review?(jdemooij)
Updated•9 years ago
Attachment #8733454 - Flags: review?(jdemooij) → review+
Updated•9 years ago
Flags: needinfo?(nicolas.b.pierron)
Comment 7•9 years ago (bugherder)
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox48: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Comment 8•9 years ago
Patch converts a MOZ_CRASH to a crash that the fuzzers understand. No need to uplift. WONTFIX 47.