Closed Bug 1260725 Opened 4 years ago Closed 4 years ago

Assertion failure: get() (dereferencing a UniquePtr containing nullptr), at dist/include/mozilla/UniquePtr.h:319

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux

RESOLVED FIXED
mozilla48
Tracking Status
firefox48 --- fixed

People

(Reporter: decoder, Assigned: fitzgen)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file, 1 obsolete file)

The following testcase crashes on mozilla-central revision d5d53a3b4e50 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads):

var dbg = new Debugger;
// Every new global triggers a memory census from inside the debugger hook.
dbg.onNewGlobalObject = function(global) {
    dbg.memory.takeCensus({});
};
// oomTest re-runs the callback with allocation failures injected at each
// successive allocation, so the census is exercised under simulated OOM.
oomTest(function() {
    newGlobal({});
});

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000471752 in mozilla::UniquePtr<JS::ubi::CountType, JS::DeletePolicy<JS::ubi::CountType> >::operator-> (this=0x7fffedb219b0) at js/src/debug64/dist/include/mozilla/UniquePtr.h:319
#0  0x0000000000471752 in mozilla::UniquePtr<JS::ubi::CountType, JS::DeletePolicy<JS::ubi::CountType> >::operator-> (this=0x7fffedb219b0) at js/src/debug64/dist/include/mozilla/UniquePtr.h:319
#1  0x0000000000ba6a09 in operator-> (this=0x7fffedb219b0) at js/src/debug64/dist/include/js/HashTable.h:1237
#2  JS::ubi::ByObjectClass::makeCount (this=0x7fffedb219a0) at js/src/vm/UbiNodeCensus.cpp:436
#3  0x0000000000ba6661 in JS::ubi::ByCoarseType::makeCount (this=0x7fffedb4d5b0) at js/src/vm/UbiNodeCensus.cpp:236
#4  0x00000000009f5229 in js::DebuggerMemory::takeCensus (cx=0x7ffff6908800, argc=<optimized out>, vp=<optimized out>) at js/src/vm/DebuggerMemory.cpp:401
#5  0x00007ffff7ff76b8 in ?? ()
#6  0x00007fffffffb400 in ?? ()
#7  0x00007fffffffb3b0 in ?? ()
#8  0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffedb219a0	140737181260192
rcx	0x7ffff6ca5870	140737333844080
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffaeb0	140737488334512
rsp	0x7fffffffaeb0	140737488334512
r8	0x7ffff7fdf7c0	140737354004416
r9	0x6e552f616c6c697a	7950312812669856122
r10	0x7ffff6f76be0	140737336798176
r11	0x246	582
r12	0x7fffffffb180	140737488335232
r13	0x7fffffffaf30	140737488334640
r14	0x7ffff6908830	140737330055216
r15	0x7ffff6908800	140737330055168
rip	0x471752 <mozilla::UniquePtr<JS::ubi::CountType, JS::DeletePolicy<JS::ubi::CountType> >::operator->() const+28>
=> 0x471752 <mozilla::UniquePtr<JS::ubi::CountType, JS::DeletePolicy<JS::ubi::CountType> >::operator->() const+28>:	movl   $0x13f,0x0
   0x47175d <mozilla::UniquePtr<JS::ubi::CountType, JS::DeletePolicy<JS::ubi::CountType> >::operator->() const+39>:	callq  0x4a9b00 <abort()>
GetDefaultBreakdown() in vm/UbiNodeCensus.cpp needs OOM checks.
Flags: needinfo?(nfitzgerald)
This commit adds OOM checks that were missing to
`GetDefaultBreakdown`. Additionally, it replaces uses of `js_new<T>` with
`cx->new_<T>` so that OOMs are automatically reported on the context.
Attachment #8736381 - Flags: review?(jorendorff)
Assignee: nobody → nfitzgerald
Status: NEW → ASSIGNED
Flags: needinfo?(nfitzgerald)
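As an added illustration of the pattern the fix applies (this is not the SpiderMonkey patch itself), the hypothetical `Context::new_` below stands in for `cx->new_<T>`: it records the failure and returns nullptr once an injected allocation budget is spent, and each `makeCount` checks the result before touching it, so an OOM becomes a propagated null return rather than a dereference of an empty smart pointer.

```cpp
// Added example, not the SpiderMonkey code: a fallible allocator plus a
// two-level "count" builder modelled on a census breakdown calling a child
// breakdown's makeCount().
#include <cstddef>
#include <memory>
#include <new>
#include <utility>

// Hypothetical stand-in for JSContext with cx->new_<T>: fails (and marks the
// OOM as reported) after `allocsBeforeOOM` successful allocations; -1 = never.
struct Context {
    int allocsBeforeOOM = -1;
    bool oomReported = false;
    template <typename T, typename... Args>
    std::unique_ptr<T> new_(Args&&... args) {
        if (allocsBeforeOOM == 0) { oomReported = true; return nullptr; }
        if (allocsBeforeOOM > 0) --allocsBeforeOOM;
        return std::unique_ptr<T>(new (std::nothrow) T(std::forward<Args>(args)...));
    }
};

struct Count { std::size_t total = 0; virtual ~Count() = default; };
struct CompositeCount : Count { std::unique_ptr<Count> child; };

// Child breakdown: one allocation.
struct LeafType {
    std::unique_ptr<Count> makeCount(Context& cx) { return cx.new_<Count>(); }
};

// Parent breakdown: allocates its own count, then the child's. The original
// bug was the absence of the null checks below; under injected OOM the child
// pointer was empty and the next `->` on it hit the UniquePtr assertion.
struct ByClassType {
    LeafType leaf;
    std::unique_ptr<Count> makeCount(Context& cx) {
        auto count = cx.new_<CompositeCount>();
        if (!count) return nullptr;              // OOM: allocation of own count
        count->child = leaf.makeCount(cx);
        if (!count->child) return nullptr;       // OOM: child's allocation
        return count;
    }
};

// Injects an OOM at the `failAt`-th allocation (-1 for none) and reports
// whether the failure surfaced as a null result with the OOM recorded.
bool oomPropagated(int failAt) {
    Context cx;
    cx.allocsBeforeOOM = failAt;
    ByClassType type;
    std::unique_ptr<Count> count = type.makeCount(cx);
    return count == nullptr && cx.oomReported;
}
```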
Attachment #8736381 - Flags: review?(jorendorff) → review+
Fix failures from the try push where oomTest was not defined.
Attachment #8736460 - Flags: review+
Attachment #8736381 - Attachment is obsolete: true
https://hg.mozilla.org/mozilla-central/rev/7614fc1c6285
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Depends on: 1305436
No longer depends on: 1305436