Bug 1263558 - Assertion failure: isObject(), at dist/include/js/Value.h:1281

Status: RESOLVED FIXED (closed; opened 4 years ago, closed 4 years ago)
Product / Component: Core :: JavaScript Engine
Type: defect
Priority: Not set
Severity: critical
Platform: x86_64 macOS
Target Milestone: mozilla48
Tracking Status: firefox47 --- unaffected; firefox48 + fixed; firefox-esr45 --- unaffected
Reporter: gkw
Assignee: arai
References: Blocks 2 open bugs
Details: 4 keywords, Whiteboard: [jsbugmon:]
Attachments: 8 files, 1 obsolete file

The following testcase crashes on mozilla-central revision 29d5a4175c8b (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --baseline-eager --no-ion):

// Adapted from randomly chosen test: js/src/tests/test262/intl402/ch11/11.3/11.3_a.js
evalcx(`
    eval('\
        var appendToActual = function(s) {};\
        gczeal = function() {};\
        gcslice = function() {};\
        selectforgc = function() {};\
        if (!("verifyprebarriers" in this)) {\
            verifyprebarriers = function() {};\
        }\
    ');
    oomTest(() => eval('Array(..."")'));
    Intl.NumberFormat.prototype.format(0);
`, newGlobal());

Backtrace:

0   js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x000000010002222d JS::Value::toObject() const + 189 (Value.h:1281)
1   js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x000000010085ae52 intrinsic_ObjectHasPrototype(JSContext*, unsigned int, JS::Value*) + 82 (RootingAPI.h:661)
2   js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007d617e js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 222 (jscntxtinlines.h:236)
3   js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x000000010079d53e js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 702 (Interpreter.cpp:464)
4   js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
5   ???                           	0x0000000102ad2b6b 0 + 4339870571
6   ???                           	0x00000001050bfc88 0 + 4379638920
7   ???                           	0x0000000102acbdc4 0 + 4339842500
8   js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
9   js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
10  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
11  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x000000010079d4dd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
12  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
13  ???                           	0x0000000102ad2b6b 0 + 4339870571
14  ???                           	0x00000001050bb678 0 + 4379620984
15  ???                           	0x0000000102acbdc4 0 + 4339842500
16  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
17  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
18  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
19  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x000000010079d4dd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
20  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
21  ???                           	0x0000000102ad2b6b 0 + 4339870571
22  ???                           	0x00000001050b9a30 0 + 4379613744
23  ???                           	0x0000000102acbdc4 0 + 4339842500
24  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
25  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
26  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
27  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x000000010079d4dd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
28  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
29  ???                           	0x0000000102ad2b6b 0 + 4339870571
30  ???                           	0x00000001050b0188 0 + 4379574664
31  ???                           	0x0000000102acbdc4 0 + 4339842500
32  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
33  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
34  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
35  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x000000010079d4dd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
36  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
37  ???                           	0x0000000102ad2b6b 0 + 4339870571
38  ???                           	0x00000001050aef98 0 + 4379570072
39  ???                           	0x0000000102acbdc4 0 + 4339842500
40  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
41  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
42  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
43  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x000000010079d4dd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
44  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
45  ???                           	0x0000000102ad2b6b 0 + 4339870571
46  ???                           	0x00000001050ade18 0 + 4379565592
47  ???                           	0x0000000102acbdc4 0 + 4339842500
48  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
49  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
50  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
51  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x000000010079d4dd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
52  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
53  ???                           	0x0000000102ad2b6b 0 + 4339870571
54  ???                           	0x00000001050ac538 0 + 4379559224
55  ???                           	0x0000000102acbdc4 0 + 4339842500
56  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
57  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
58  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
59  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x000000010079d4dd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
60  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
61  ???                           	0x0000000102ad2b6b 0 + 4339870571
62  ???                           	0x00000001050aa760 0 + 4379551584
63  ???                           	0x0000000102acbdc4 0 + 4339842500
64  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
65  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
66  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
67  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x000000010079d4dd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
68  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
69  ???                           	0x0000000102ad2b6b 0 + 4339870571
70  ???                           	0x000000010509d5c0 0 + 4379497920
71  ???                           	0x0000000102acbdc4 0 + 4339842500
72  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
73  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
74  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
75  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x000000010079d4dd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
76  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
77  ???                           	0x0000000102ad2b6b 0 + 4339870571
78  ???                           	0x0000000105099718 0 + 4379481880
79  ???                           	0x0000000102acbdc4 0 + 4339842500
80  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
81  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
82  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
83  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x000000010079d4dd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
84  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
85  ???                           	0x0000000102ad2b6b 0 + 4339870571
86  ???                           	0x00000001050982c8 0 + 4379476680
87  ???                           	0x0000000102acbdc4 0 + 4339842500
88  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
89  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
90  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
91  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x000000010079d4dd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
92  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007c6e42 js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) + 546 (Interpreter.cpp:528)
93  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007c7ad2 js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) + 82 (Interpreter.cpp:639)
94  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007f9365 bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) + 965 (RootingAPI.h:667)
95  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007f9f38 bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<jsid, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) + 2088 (NativeObject.cpp:2002)
96  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x000000010002df69 js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) + 169 (RootingAPI.h:667)
97  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007c9e39 js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) + 553 (RootingAPI.h:667)
98  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x000000010047b518 js::jit::ComputeGetPropResult(JSContext*, js::jit::BaselineFrame*, JSOp, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) + 552 (SharedIC.cpp:2802)
99  js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x000000010046520a js::jit::DoGetPropFallback(JSContext*, void*, js::jit::ICGetProp_Fallback*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) + 3018 (SharedIC.cpp:2882)
100 ???                           	0x0000000102accb77 0 + 4339846007
101 ???                           	0x0000000102acbdc4 0 + 4339842500
102 js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
103 js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
104 js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
105 js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007c8044 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) + 1124 (Interpreter.cpp:682)
106 js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007c83c5 js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 469 (RootingAPI.h:667)
107 js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x000000010059606f Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::StaticScope*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) + 1135 (jsapi.cpp:4466)
108 js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x0000000100596482 JS::Evaluate(JSContext*, JS::ReadOnlyCompileOptions const&, char16_t const*, unsigned long, JS::MutableHandle<JS::Value>) + 210 (jsapi.cpp:4503)
109 js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x0000000100011a93 EvalInContext(JSContext*, unsigned int, JS::Value*) + 1603 (jsapi.h:3956)
110 js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007d617e js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 222 (jscntxtinlines.h:236)
111 js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x000000010079d53e js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 702 (Interpreter.cpp:464)
112 js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
113 ???                           	0x0000000102ad2b6b 0 + 4339870571
114 ???                           	0x0000000105025370 0 + 4379005808
115 ???                           	0x0000000102acbdc4 0 + 4339842500
116 js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
117 js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
118 js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
119 js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007c8044 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) + 1124 (Interpreter.cpp:682)
120 js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001007c83c5 js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 469 (RootingAPI.h:667)
121 js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x0000000100595241 ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) + 417 (jsapi.cpp:4372)
122 js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x00000001005954b2 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) + 82 (RootingAPI.h:667)
123 js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x0000000100020aa9 Process(JSContext*, char const*, bool, FileKind) + 3609 (js.cpp:530)
124 js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x000000010000610b main + 11739 (js.cpp:6732)
125 js-dbg-64-dm-clang-darwin-29d5a4175c8b	0x0000000100001374 start + 52

Yet another bug possibly related to recent RegExp fallout. Locking s-s just to be safe.
Summary: Assertion failure: isObject(), at /Users/skywalker/shell-cache/js-dbg-64-dm-clang-darwin-29d5a4175c8b/objdir-js/dist/include/js/Value.h:1281 → Assertion failure: isObject(), at dist/include/js/Value.h:1281
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160407030451" and the hash "9f6afb62fe80ee168a90577957d1c53ad9fe8ecd".
The "bad" changeset has the timestamp "20160407034945" and the hash "4d0f975a23119a61a6c8e5856125de2db5713c49".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=9f6afb62fe80ee168a90577957d1c53ad9fe8ecd&tochange=4d0f975a23119a61a6c8e5856125de2db5713c49

I'll see if I can get a smaller regression window. In the meantime, setting needinfo? from arai-san.
Flags: needinfo?(arai.unmht)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b4e25cbe3dcb
user:        Tooru Fujisawa
date:        Thu Jan 28 18:56:02 2016 +0900
summary:     Bug 887016 - Part 14: Add RegExpSearcher. r=h4writer

Note that the patch was landed on April 7, 2016.
GetBuiltinPrototype("String") returns undefined.
GetBuiltinConstructor("String").prototype is undefined there.

till, is it possible in a normal situation?
Flags: needinfo?(arai.unmht) → needinfo?(till)
When I add the following line into evalcx, it works without crashing:

    String.prototype;

Maybe the String prototype is not yet resolved?

Should we check the returned value of GetBuiltinPrototype (and GetBuiltinConstructor?) at every call site?
In case we should check the return value, here's the patch that adds branches.
If it's a bug in GetBuiltinPrototype or something more internal, we should fix that instead, though.
Assignee: nobody → arai.unmht
Attachment #8739950 - Flags: feedback?(till)
Comment on attachment 8739950 [details] [diff] [review]
Check the return value of GetBuiltinPrototype.

Review of attachment 8739950 [details] [diff] [review]:
-----------------------------------------------------------------

This doesn't seem right. I would've expected GetBuiltinConstructor to either succeed or throw an error. It seems like it doesn't throw an error if it's not able to resolve the constructor. Or this is about the Prototype? In any case, I would very much like to have this fixed properly. For these usages, just bailing is fine because it'll just miss optimization opportunities, but that won't always be the case.

Can you check in a debugger what happens under intrinsic_GetBuiltinConstructor?
Attachment #8739950 - Flags: feedback?(till) → feedback-
Thanks :) So it's surely not a normal case.

After the following line in intrinsic_GetBuiltinConstructor for JSProto_String:

>     if (!GetBuiltinConstructor(cx, key, &ctor))
>         return false;

the property of the ctor seems to be broken.
It should point to a shape list with "localeCompare", "split", ... (String generics),
but propid_ is 4 and parent is null.

(lldb) p *((JSFunction*)ctor.ptr)->lastProperty()
(js::Shape) $13 = {
  base_ = {
    js::WriteBarrieredBase<js::BaseShape *> = {
      js::BarrieredBase<js::BaseShape *> = {
        value = 0x00000001044911a0
      }
    }
  }
  propid_ = {
    js::WriteBarrieredBase<jsid> = {
      js::BarrieredBase<jsid> = {
        value = (asBits = 4)
      }
    }
  }
  slotInfo = 134217727
  attrs = '@'
  flags = '\b'
  parent = {
    js::WriteBarrieredBase<js::Shape *> = {
      js::BarrieredBase<js::Shape *> = (value = 0x0000000000000000)
    }
  }
   = {
    kids = (w = 4395676385)
    listp = 0x000000010600b2e1
  }
}


Maybe an error somewhere is ignored.
In resolveConstructor for JSProto_String, it fails with OOM.
I traced that the error gets propagated to frame #34, but I'm not sure about the remaining frames.

* thread #1: tid = 0x8760ee, 0x00000001006e80c5 js`js::ReportOutOfMemory(cxArg=0x0000000104241c00) + 15 at jscntxt.cpp:293, queue = 'com.apple.main-thread', stop reason = step in
  * frame #0: 0x00000001006e80c5 js`js::ReportOutOfMemory(cxArg=0x0000000104241c00) + 15 at jscntxt.cpp:293
    frame #1: 0x0000000100ce2aee js`bool js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1>(this=0x000000010425d428, cx=0x0000000104241c00, kind=BASE_SHAPE) + 510 at Allocator.cpp:78
    frame #2: 0x0000000100ce5003 js`js::BaseShape* js::Allocate<js::BaseShape, (js::AllowGC)1>(cx=0x0000000104241c00) + 195 at Allocator.cpp:213
    frame #3: 0x0000000100a9cf84 js`js::BaseShape::getUnowned(cx=0x0000000104241c00, base=0x00007fff5fbf9c70) + 180 at Shape.cpp:1307
    frame #4: 0x0000000100a9e898 js`js::EmptyShape::getInitialShape(cx=0x0000000104241c00, clasp=0x00000001014311a8, proto=TaggedProto @ 0x00007fff5fbf9d20, nfixed=2, objectFlags=0) + 472 at Shape.cpp:1488
    frame #5: 0x00000001007bb5cc js`NewObject(cx=0x0000000104241c00, group=js::HandleObjectGroup @ 0x00007fff5fbf9e10, kind=OBJECT2_BACKGROUND, newKind=SingletonObject, initialShapeFlags=0) + 460 at jsobj.cpp:662
    frame #6: 0x00000001007bb0b8 js`js::NewObjectWithGivenTaggedProto(cxArg=0x0000000104241c00, clasp=0x00000001014311a8, proto=Handle<js::TaggedProto> @ 0x00007fff5fbf9f60, allocKind=OBJECT2_BACKGROUND, newKind=SingletonObject, initialShapeFlags=0) + 536 at jsobj.cpp:729
    frame #7: 0x00000001009ed9eb js`js::NewObjectWithGivenTaggedProto(cx=0x0000000104241c00, clasp=0x00000001014311a8, proto=Handle<js::TaggedProto> @ 0x00007fff5fbf9fa8, newKind=SingletonObject, initialShapeFlags=0) + 75 at jsobjinlines.h:636
    frame #8: 0x00000001009dd8e6 js`js::NewObjectWithGivenProto(cx=0x0000000104241c00, clasp=0x00000001014311a8, proto=JS::HandleObject @ 0x00007fff5fbf9ff8, newKind=SingletonObject) + 86 at jsobjinlines.h:671
    frame #9: 0x00000001009db2d3 js`js::NewNativeObjectWithGivenProto(cx=0x0000000104241c00, clasp=0x00000001014311a8, proto=JS::HandleObject @ 0x00007fff5fbfa038, newKind=SingletonObject) + 51 at NativeObject-inl.h:346
    frame #10: 0x00000001009a5f14 js`CreateBlankProto(cx=0x0000000104241c00, clasp=0x00000001014311a8, proto=JS::HandleObject @ 0x00007fff5fbfa0a0, global=JS::HandleObject @ 0x00007fff5fbfa098) + 148 at GlobalObject.cpp:572
    frame #11: 0x00000001009a5e55 js`js::GlobalObject::createBlankPrototype(this=0x0000000105393060, cx=0x0000000104241c00, clasp=0x00000001014311a8) + 213 at GlobalObject.cpp:588
    frame #12: 0x00000001008337fe js`js::InitStringClass(cx=0x0000000104241c00, obj=JS::HandleObject @ 0x00007fff5fbfa290) + 206 at jsstr.cpp:2751
    frame #13: 0x00000001009a3a5b js`js::GlobalObject::resolveConstructor(cx=0x0000000104241c00, global=Handle<js::GlobalObject *> @ 0x00007fff5fbfa4d0, key=JSProto_String) + 587 at GlobalObject.cpp:178
    frame #14: 0x00000001007c279f js`MaybeResolveConstructor(cxArg=0x0000000104241c00, global=Handle<js::GlobalObject *> @ 0x00007fff5fbfa510, key=JSProto_String) + 127 at jsobj.cpp:2009
    frame #15: 0x00000001007bbd58 js`js::GetBuiltinPrototype(cx=0x0000000104241c00, key=JSProto_String, protop=JS::MutableHandleObject @ 0x00007fff5fbfa580) + 168 at jsobj.cpp:2029
    frame #16: 0x00000001007bb9aa js`js::NewObjectWithClassProtoCommon(cxArg=0x0000000104241c00, clasp=0x00000001014311a8, protoArg=JS::HandleObject @ 0x00007fff5fbfa740, allocKind=OBJECT2_BACKGROUND, newKind=GenericObject) + 570 at jsobj.cpp:788
    frame #17: 0x000000010002901b js`js::NewObjectWithClassProto(cx=0x0000000104241c00, clasp=0x00000001014311a8, proto=JS::HandleObject @ 0x00007fff5fbfa788, allocKind=OBJECT2, newKind=GenericObject) + 59 at jsobjinlines.h:702
    frame #18: 0x0000000100028fa3 js`js::NewObjectWithClassProto(cx=0x0000000104241c00, clasp=0x00000001014311a8, proto=JS::HandleObject @ 0x00007fff5fbfa7c8, newKind=GenericObject) + 67 at jsobjinlines.h:710
    frame #19: 0x00000001007ee8f4 js`js::StringObject::create(cx=0x0000000104241c00, str=JS::HandleString @ 0x00007fff5fbfa840, proto=JS::HandleObject @ 0x00007fff5fbfa838, newKind=GenericObject) + 68 at StringObject-inl.h:38
    frame #20: 0x00000001007c84c4 js`js::PrimitiveToObject(cx=0x0000000104241c00, v=0x00007fff5fbfabd0) + 132 at jsobj.cpp:3204
    frame #21: 0x00000001007c8807 js`js::ToObjectSlow(cx=0x0000000104241c00, val=JS::HandleValue @ 0x00007fff5fbfa970, reportScanStack=true) + 423 at jsobj.cpp:3238
    frame #22: 0x00000001009e5288 js`js::ToObjectFromStack(cx=0x0000000104241c00, vp=JS::HandleValue @ 0x00007fff5fbfa9a0) + 88 at jsobj.h:1285
    frame #23: 0x0000000100293834 js`js::GetPrimitiveElementOperation(cx=0x0000000104241c00, op=JSOP_CALLELEM, receiver=JS::HandleValue @ 0x00007fff5fbfab10, key=JS::HandleValue @ 0x00007fff5fbfab08, res=JS::MutableHandleValue @ 0x00007fff5fbfab00) + 164 at Interpreter-inl.h:468
    frame #24: 0x0000000100290e7f js`js::GetElementOperation(cx=0x0000000104241c00, op=JSOP_CALLELEM, lref=JS::MutableHandleValue @ 0x00007fff5fbfac00, rref=JS::HandleValue @ 0x00007fff5fbfabf8, res=JS::MutableHandleValue @ 0x00007fff5fbfabf0) + 463 at Interpreter-inl.h:554
    frame #25: 0x0000000100269240 js`js::jit::DoGetElemFallback(cx=0x0000000104241c00, frame=0x00007fff5fbfafd8, stub_=0x00000001042bf0d0, lhs=JS::HandleValue @ 0x00007fff5fbfaf20, rhs=JS::HandleValue @ 0x00007fff5fbfaf18, res=JS::MutableHandleValue @ 0x00007fff5fbfaf10) + 1824 at BaselineIC.cpp:1728
    frame #26: 0x00000001035bc26b
    frame #27: 0x00000001035b4dc4
    frame #28: 0x0000000100287869 js`EnterBaseline(cx=0x0000000104241c00, data=0x00007fff5fbfb468) + 1321 at BaselineJIT.cpp:149
    frame #29: 0x0000000100287258 js`js::jit::EnterBaselineMethod(cx=0x0000000104241c00, state=0x00007fff5fbfb710) + 280 at BaselineJIT.cpp:188
    frame #30: 0x00000001009aea7e js`js::RunScript(cx=0x0000000104241c00, state=0x00007fff5fbfb710) + 606 at Interpreter.cpp:416
    frame #31: 0x00000001009cb9cb js`js::ExecuteKernel(cx=0x0000000104241c00, script=JS::HandleScript @ 0x00007fff5fbfb7d0, scopeChainArg=0x00000001043035e0, newTargetValue=0x00007fff5fbfb910, evalInFrame=(ptr_ = 0), result=0x00007fff5fbfc538) + 747 at Interpreter.cpp:682
    frame #32: 0x000000010061e139 js`EvalKernel(cx=0x0000000104241c00, args=0x00007fff5fbfc390, evalType=DIRECT_EVAL, caller=(ptr_ = 140734799791498), scopeobj=JS::HandleObject @ 0x00007fff5fbfbc98, pc="{") + 3017 at Eval.cpp:331
    frame #33: 0x000000010061e4a5 js`js::DirectEval(cx=0x0000000104241c00, args=0x00007fff5fbfc390) + 789 at Eval.cpp:439
    frame #34: 0x0000000100279138 js`js::jit::DoCallFallback(cx=0x0000000104241c00, frame=0x00007fff5fbfc588, stub_=0x00000001042a70c8, argc=1, vp=0x00007fff5fbfc538, res=JS::MutableHandleValue @ 0x00007fff5fbfc498) + 1320 at BaselineIC.cpp:6100
    frame #35: 0x00000001035bbb6b
Maybe it's something related to error handling in Baseline, which I don't know much about.
jandem, can you take a look?
Assignee: arai.unmht → nobody
Flags: needinfo?(jdemooij)
I think the problem here is in js::InitStringClass. There we call GlobalObject::initBuiltinConstructor *before* we call LinkConstructorAndPrototype and DefinePropertiesAndFunctions. We should move the initBuiltinConstructor call *after* the other calls.

Unfortunately it's more complicated than that, because the string class has generic functions (JSFUN_GENERIC_NATIVE). Those generics require us to set the constructor on the global *before* we call DefinePropertiesAndFunctions (see DefineFunctionFromSpec).

Because only the Array and String classes use JSFUN_GENERIC_NATIVE, I think it'd be much nicer to either:

(1) Remove the JSFUN_GENERIC_NATIVE stuff from DefineFunctionFromSpec, and instead add a new DefineGenericFunctions function that takes both the constructor and prototype.

(2) Remove JSFUN_GENERIC_NATIVE completely and self-host the (non-standard) generics for now.
Flags: needinfo?(jdemooij)
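The ordering problem described in the comment above, as a toy model added for this page (it is not SpiderMonkey code, and every name in it, such as Global, Allocator, initStringClassBuggy, initStringClassFixed and getBuiltinPrototype, is hypothetical): the buggy variant publishes the constructor on the global before the prototype exists, so an allocation failure in between, like the OOM that oomTest injects in the testcase, leaves the global claiming the class is resolved while its prototype is still null, and every later lookup returns that null without ever retrying. The fixed variant publishes last, so a failed initialization leaves no trace and the next lookup simply retries.

```cpp
#include <cstdio>
#include <memory>
#include <vector>

// Toy stand-in for a JS object: a prototype link and a property list.
struct Obj {
    Obj* proto = nullptr;
    std::vector<const char*> props;
};

// Toy allocator modelled on oomTest: the allocation with index failAt
// returns nullptr (simulated OOM); every other allocation succeeds.
struct Allocator {
    int failAt;
    int count = 0;
    std::vector<std::unique_ptr<Obj>> pool;
    explicit Allocator(int failAtIndex) : failAt(failAtIndex) {}
    Obj* allocate() {
        if (count++ == failAt)
            return nullptr;
        pool.emplace_back(new Obj());
        return pool.back().get();
    }
};

// Toy global object with a single built-in slot (constructor + prototype).
struct Global {
    Obj* stringCtor = nullptr;
    Obj* stringProto = nullptr;
    // Mirrors "is this built-in already resolved?": true once the ctor is published.
    bool stringResolved() const { return stringCtor != nullptr; }
};

// Buggy ordering: publish the constructor on the global, THEN create and link
// the prototype. An OOM after publishing leaves a half-initialized class behind.
bool initStringClassBuggy(Global& g, Allocator& a) {
    Obj* ctor = a.allocate();
    if (!ctor)
        return false;
    g.stringCtor = ctor;                 // published too early
    Obj* proto = a.allocate();
    if (!proto)
        return false;                    // error propagates, but the ctor stays published
    proto->props.push_back("localeCompare");
    ctor->proto = proto;
    g.stringProto = proto;
    return true;
}

// Fixed ordering: build and link everything first, publish on the global last.
// Any failure before the final two assignments leaves the global untouched.
bool initStringClassFixed(Global& g, Allocator& a) {
    Obj* ctor = a.allocate();
    if (!ctor)
        return false;
    Obj* proto = a.allocate();
    if (!proto)
        return false;                    // nothing published yet
    proto->props.push_back("localeCompare");
    ctor->proto = proto;
    g.stringCtor = ctor;                 // commit point: publish only when complete
    g.stringProto = proto;
    return true;
}

using InitFn = bool (*)(Global&, Allocator&);

// Mirrors GetBuiltinPrototype: resolve the class on first use, then return the
// prototype slot. Returns nullptr when resolution fails.
Obj* getBuiltinPrototype(Global& g, Allocator& a, InitFn init) {
    if (!g.stringResolved() && !init(g, a))
        return nullptr;
    return g.stringProto;
}

struct Outcome {
    bool firstCallSucceeded;          // did the lookup that hit OOM return a prototype?
    bool ctorRegisteredAfterFailure;  // does the global claim the class is resolved?
    bool retrySucceeded;              // does a second lookup (no OOM) get a prototype?
};

// Runs one scenario: the second allocation (the prototype) fails once.
Outcome run(InitFn init) {
    Global g;
    Allocator a(1);
    Outcome o;
    o.firstCallSucceeded = getBuiltinPrototype(g, a, init) != nullptr;
    o.ctorRegisteredAfterFailure = g.stringResolved();
    o.retrySucceeded = getBuiltinPrototype(g, a, init) != nullptr;
    return o;
}

int main() {
    Outcome b = run(initStringClassBuggy);
    Outcome f = run(initStringClassFixed);
    std::printf("buggy: registered after OOM=%d, retry ok=%d\n",
                b.ctorRegisteredAfterFailure, b.retrySucceeded);
    std::printf("fixed: registered after OOM=%d, retry ok=%d\n",
                f.ctorRegisteredAfterFailure, f.retrySucceeded);
    return 0;
}
```

The retry result is the point: with the buggy ordering, a null check at every call site (the first patch in this bug) would avoid the isObject() assertion but could not repair the global, because nothing ever re-runs the initializer once the constructor slot is filled. Publishing last makes a failed initialization invisible, so the error path is only "report and retry later".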
Thank you for investigating it :)

I'll try self-hosting Array/String generics as a first step.
They're already deprecated (tracked in bug 1222547 and bug 1222552), and the performance difference won't be a problem.
If we hit some performance regression from them, we should fix the consumer instead ;)
Thanks for investigating this, arai. I agree that self-hosting the generics makes the most sense.
Flags: needinfo?(till)
Self-hosted Array generics, and added simple testcases, as I don't see any pre-existing testcase for them.
Assignee: nobody → arai.unmht
Attachment #8740933 - Flags: review?(till)
Comment on attachment 8740933 [details] [diff] [review]
Part 1: Self-host Array generics.

Review of attachment 8740933 [details] [diff] [review]:
-----------------------------------------------------------------

Looks great, thanks!
Attachment #8740933 - Flags: review?(till) → review+
Same for String generics too.
Attachment #8740940 - Flags: review?(till)
Attachment #8740944 - Flags: review?(till)
Moved initBuiltinConstructor, as jandem suggested, and added the same testcase as in the previous patch.
Attachment #8739950 - Attachment is obsolete: true
Attachment #8740946 - Flags: review?(till)
Comment on attachment 8740940 [details] [diff] [review]
Part 2: Self-host String generics.

Review of attachment 8740940 [details] [diff] [review]:
-----------------------------------------------------------------

Very nice. r=me with nits addressed.

::: js/src/jsstr.cpp
@@ +2735,2 @@
>      // This must be at the end because of bug 853075: functions listed after
>      // self-hosted methods aren't available in self-hosted code.

This isn't relevant anymore; can you just remove the comment?

::: js/src/jsstr.h
@@ +364,5 @@
> +extern bool
> +str_localeCompare(JSContext* cx, unsigned argc, Value* vp);
> +#endif
> +
> +#if EXPOSE_INTL_API

can't you just use #else here?

::: js/src/vm/SelfHosting.cpp
@@ +2311,5 @@
> +    JS_FN("std_String_toLocaleUpperCase",        str_toLocaleUpperCase,        0,0),
> +#if !EXPOSE_INTL_API
> +    JS_FN("std_String_localeCompare",            str_localeCompare,            1,0),
> +#endif
> +#if EXPOSE_INTL_API

Same here: just use #else
Attachment #8740940 - Flags: review?(till) → review+
Comment on attachment 8740944 [details] [diff] [review]
Part 3: Remove JSFUN_GENERIC_NATIVE.

Review of attachment 8740944 [details] [diff] [review]:
-----------------------------------------------------------------

\o/
Attachment #8740944 - Flags: review?(till) → review+
Comment on attachment 8740946 [details] [diff] [review]
Part 4: Call initBuiltinConstructor after defining properties in InitStringClass.

Review of attachment 8740946 [details] [diff] [review]:
-----------------------------------------------------------------

I like how small the actual fix here is ...
Attachment #8740946 - Flags: review?(till) → review+
Thank you for reviewing :)

This could happen when we use GetBuiltinPrototype or GetBuiltinConstructor with a "String" argument, and there was no such code before bug 887016, so I think this bug affects only nightly, and there is no need to backport.
till, what do you think?
Flags: needinfo?(till)
Agreed, this doesn't need backporting. Which in turn means you can land it right away.
Flags: needinfo?(till)
Just like Array#concat (bug 1233642), removed all Array generics from ctorPropsToSkip list.
Attachment #8741201 - Flags: review?(bobbyholley)
Attachment #8741201 - Flags: review?(bobbyholley) → review+
Backed out in https://hg.mozilla.org/mozilla-central/rev/354cb3932e36 for causing bug 1264937
Status: RESOLVED → REOPENED
Flags: needinfo?(arai.unmht)
Resolution: FIXED → ---
The assertion failure on linux32 happens from Part 2.
Maybe it changed the timing related to OOM?
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
When it hits the assertion failure, none of String#search's code is executed.

https://dxr.mozilla.org/mozilla-central/source/js/src/jit-test/tests/gc/bug-1240527.js
> offThreadCompileScript(`
>  oomTest(() => "".search(/d/));
>  fullcompartmentchecks(3);
> `);
> runOffThreadScript();

I suppose some issue happens while JIT compiling.
BaselineCompiler::compile fails in the following line, the ensureHasAnalyzedArgsUsage call, while compiling the String_search self-hosted function.

https://dxr.mozilla.org/mozilla-central/rev/21bf1af375c1fa8565ae3bb2e89bd1a0809363d4/js/src/jit/BaselineCompiler.cpp#96
>     if (!script->ensureHasTypes(cx) || !script->ensureHasAnalyzedArgsUsage(cx))
>         return Method_Error;

Will continue investigating.
MBasicBlock::addImmediatelyDominatedBlock fails in jit::BuildDominatorTree.

https://dxr.mozilla.org/mozilla-central/rev/21bf1af375c1fa8565ae3bb2e89bd1a0809363d4/js/src/jit/IonAnalysis.cpp#2104
> bool
> jit::BuildDominatorTree(MIRGraph& graph)
> {
> ...
>     for (PostorderIterator i(graph.poBegin()); i != graph.poEnd(); i++) {
>         MBasicBlock* child = *i;
>         MBasicBlock* parent = child->immediateDominator();
> ...
>         if (!parent->addImmediatelyDominatedBlock(child))
>             return false;

Maybe somewhere in the call stack forgets to report OOM?

Breakpoint 1, js::jit::MBasicBlock::addImmediatelyDominatedBlock (
    this=0xb79b6a00, child=0xb79b79f0)
    at /home/osboxes/projects/mozilla-central/js/src/jit/MIRGraph.cpp:1259
1259	        fprintf(stderr, "addImmediatelyDominatedBlock: false\n");
(gdb) bt
#0  js::jit::MBasicBlock::addImmediatelyDominatedBlock (this=0xb79b6a00, 
    child=0xb79b79f0)
    at /home/osboxes/projects/mozilla-central/js/src/jit/MIRGraph.cpp:1259
#1  0x083a37c4 in js::jit::BuildDominatorTree (graph=...)
    at /home/osboxes/projects/mozilla-central/js/src/jit/IonAnalysis.cpp:2107
#2  0x083abc36 in js::jit::AnalyzeArgumentsUsage (cx=0xb797f020, 
    scriptArg=0xb5b5b160)
    at /home/osboxes/projects/mozilla-central/js/src/jit/IonAnalysis.cpp:3999
#3  0x08850839 in JSScript::ensureHasAnalyzedArgsUsage (this=0xb5b5b160, 
    cx=0xb797f020)
    at /home/osboxes/projects/mozilla-central/js/src/jsscriptinlines.h:203
#4  0x08c99cfe in js::jit::BaselineCompiler::compile (this=0xbfffc420)
    at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineCompiler.cpp:103
#5  0x082c2192 in js::jit::BaselineCompile (cx=0xb797f020, script=0xb5b5b160, 
    forceDebugInstrumentation=false)
    at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineJIT.cpp:291
#6  0x082c2480 in CanEnterBaselineJIT (cx=0xb797f020, script=..., osrFrame=0x0)
    at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineJIT.cpp:330
#7  0x082c2718 in js::jit::CanEnterBaselineMethod (cx=0xb797f020, state=...)
    at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineJIT.cpp:392
#8  0x0890266d in js::RunScript (cx=0xb797f020, state=...)
    at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:412
#9  0x08902b44 in js::InternalCallOrConstruct (cx=0xb797f020, args=..., 
    construct=js::NO_CONSTRUCT)
    at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:498
#10 0x08902e19 in InternalCall (cx=0xb797f020, args=...)
    at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:525
#11 0x08902e52 in js::CallFromStack (cx=0xb797f020, args=...)
    at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:531
#12 0x082b4d7b in js::jit::DoCallFallback (cx=0xb797f020, frame=0xbfffd5e8, 
    stub_=0xb79b5070, argc=1, vp=0xbfffd5a8, res=...)
    at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineIC.cpp:6116
#13 0xb7fccdce in ?? ()
#14 0xb79b5070 in ?? ()
#15 0xb7fc6c5c in ?? ()
#16 0x082c158c in EnterBaseline (cx=0xb797f020, data=...)
    at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineJIT.cpp:150
#17 0x082c1936 in js::jit::EnterBaselineMethod (cx=0xb797f020, state=...)
    at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineJIT.cpp:188
#18 0x0890269d in js::RunScript (cx=0xb797f020, state=...)
    at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:416
#19 0x08902b44 in js::InternalCallOrConstruct (cx=0xb797f020, args=..., 
    construct=js::NO_CONSTRUCT)
    at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:498
#20 0x08902e19 in InternalCall (cx=0xb797f020, args=...)
    at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:525
#21 0x08902ed6 in js::Call (cx=0xb797f020, fval=..., thisv=..., args=..., 
    rval=...)
    at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:544
#22 0x0868f017 in JS_CallFunction (cx=0xb797f020, obj=..., fun=..., args=..., 
    rval=...) at /home/osboxes/projects/mozilla-central/js/src/jsapi.cpp:2876
#23 0x08ae589e in OOMTest (cx=0xb797f020, argc=1, vp=0xbfffdec8)
    at /home/osboxes/projects/mozilla-central/js/src/builtin/TestingFunctions.cpp:1310
#24 0x08927b26 in js::CallJSNative (cx=0xb797f020, 
    native=0x8ae534c <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/osboxes/projects/mozilla-central/js/src/jscntxtinlines.h:235
#25 0x08902aa7 in js::InternalCallOrConstruct (cx=0xb797f020, args=..., 
    construct=js::NO_CONSTRUCT)
    at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:480
#26 0x08902e19 in InternalCall (cx=0xb797f020, args=...)
    at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:525
#27 0x08902e52 in js::CallFromStack (cx=0xb797f020, args=...)
    at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:531
#28 0x082b4d7b in js::jit::DoCallFallback (cx=0xb797f020, frame=0xbfffdf08, 
    stub_=0xb79b4050, argc=1, vp=0xbfffdec8, res=...)
    at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineIC.cpp:6116
#29 0xb7fccdce in ?? ()
#30 0xb79b4050 in ?? ()
#31 0xb7fc6c5c in ?? ()
#32 0x082c158c in EnterBaseline (cx=0xb797f020, data=...)
    at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineJIT.cpp:150
#33 0x082c1936 in js::jit::EnterBaselineMethod (cx=0xb797f020, state=...)
    at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineJIT.cpp:188
#34 0x0890269d in js::RunScript (cx=0xb797f020, state=...)
    at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:416
#35 0x08903c14 in js::ExecuteKernel (cx=0xb797f020, script=..., 
    scopeChainArg=..., newTargetValue=..., evalInFrame=..., result=0xbfffe718)
    at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:704
#36 0x08903f41 in js::Execute (cx=0xb797f020, script=..., scopeChainArg=..., 
    rval=0xbfffe718)
    at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:737
#37 0x086957e6 in ExecuteScript (cx=0xb797f020, scope=..., script=..., 
    rval=0xbfffe718)
    at /home/osboxes/projects/mozilla-central/js/src/jsapi.cpp:4392
#38 0x08695afd in JS_ExecuteScript (cx=0xb797f020, scriptArg=..., rval=...)
    at /home/osboxes/projects/mozilla-central/js/src/jsapi.cpp:4418
#39 0x08086e6e in runOffThreadScript (cx=0xb797f020, argc=0, vp=0xbfffe718)
    at /home/osboxes/projects/mozilla-central/js/src/shell/js.cpp:3943
#40 0x08927b26 in js::CallJSNative (cx=0xb797f020, 
    native=0x8086d33 <runOffThreadScript(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/osboxes/projects/mozilla-central/js/src/jscntxtinlines.h:235
#41 0x08902aa7 in js::InternalCallOrConstruct (cx=0xb797f020, args=..., 
    construct=js::NO_CONSTRUCT)
    at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:480
#42 0x08902e19 in InternalCall (cx=0xb797f020, args=...)
    at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:525
#43 0x08902e52 in js::CallFromStack (cx=0xb797f020, args=...)
    at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:531
#44 0x082b4d7b in js::jit::DoCallFallback (cx=0xb797f020, frame=0xbfffe748, 
    stub_=0xb7998180, argc=0, vp=0xbfffe718, res=...)
    at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineIC.cpp:6116
#45 0xb7fccdce in ?? ()
#46 0xb7998180 in ?? ()
#47 0xb7fc6c5c in ?? ()
#48 0x082c158c in EnterBaseline (cx=0xb797f020, data=...)
    at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineJIT.cpp:150
#49 0x082c1936 in js::jit::EnterBaselineMethod (cx=0xb797f020, state=...)
    at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineJIT.cpp:188
#50 0x0890269d in js::RunScript (cx=0xb797f020, state=...)
    at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:416
#51 0x08903c14 in js::ExecuteKernel (cx=0xb797f020, script=..., 
    scopeChainArg=..., newTargetValue=..., evalInFrame=..., result=0x0)
    at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:704
#52 0x08903f41 in js::Execute (cx=0xb797f020, script=..., scopeChainArg=..., 
    rval=0x0)
    at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:737
#53 0x086957e6 in ExecuteScript (cx=0xb797f020, scope=..., script=..., 
    rval=0x0) at /home/osboxes/projects/mozilla-central/js/src/jsapi.cpp:4392
#54 0x08695bbd in JS_ExecuteScript (cx=0xb797f020, scriptArg=...)
    at /home/osboxes/projects/mozilla-central/js/src/jsapi.cpp:4425
#55 0x08078698 in RunFile (cx=0xb797f020, 
    filename=0xbffff31c "/home/osboxes/Desktop/a.js", file=0xb58149e0, 
    compileOnly=false)
    at /home/osboxes/projects/mozilla-central/js/src/shell/js.cpp:530
#56 0x080798de in Process (cx=0xb797f020, 
    filename=0xbffff31c "/home/osboxes/Desktop/a.js", forceTTY=false, 
    kind=FileScript)
    at /home/osboxes/projects/mozilla-central/js/src/shell/js.cpp:803
#57 0x0808f29c in ProcessArgs (cx=0xb797f020, op=0xbfffefa0)
    at /home/osboxes/projects/mozilla-central/js/src/shell/js.cpp:6743
#58 0x080903c0 in Shell (cx=0xb797f020, op=0xbfffefa0, envp=0xbffff104)
    at /home/osboxes/projects/mozilla-central/js/src/shell/js.cpp:7071
#59 0x080918e4 in main (argc=3, argv=0xbffff0f4, envp=0xbffff104)
    at /home/osboxes/projects/mozilla-central/js/src/shell/js.cpp:7455
What function is responsible for reporting an exception when the following function fails?
  * MBasicBlock::addImmediatelyDominatedBlock
  * jit::BuildDominatorTree
  * jit::AnalyzeNewScriptDefiniteProperties

jit::AnalyzeNewScriptDefiniteProperties calls ReportOutOfMemory in some failure case:
>     CompilerConstraintList* constraints = NewCompilerConstraintList(temp);
>     if (!constraints) {
>         ReportOutOfMemory(cx);
>         return false;
>     }

but it doesn't in some other case, where cx is not passed:

>     if (!SplitCriticalEdges(graph))
>         return false;
> 
>     if (!RenumberBlocks(graph))
>         return false;
> 
>     if (!BuildDominatorTree(graph)) {
>         ReportOutOfMemory(cx);
>         return false;
>     }
Flags: needinfo?(arai.unmht) → needinfo?(jdemooij)
(In reply to Tooru Fujisawa [:arai] from comment #33)
> What function is responsible for reporting an exception when the following
> function fails?
>   * MBasicBlock::addImmediatelyDominatedBlock
>   * jit::BuildDominatorTree

Ion functions like these should not report OOM (they also don't have a cx available most of the time).

> jit::AnalyzeNewScriptDefiniteProperties calls ReportOutOfMemory in some
> failure case:

AnalyzeNewScriptDefiniteProperties should report OOM when it returns false and the callee doesn't report OOM.

I wonder if we should add AutoAssertPendingException, like AutoAssertNoPendingException we already have.
Flags: needinfo?(jdemooij)
Thank you jandem!

I'll check the related code path and add error reporting.

>     if (!SplitCriticalEdges(graph))
>         return false;
> 
>     if (!RenumberBlocks(graph))
>         return false;
> 
>     if (!BuildDominatorTree(graph)) {
>         ReportOutOfMemory(cx);
>         return false;
>     }

Sorry, this code was copied from a tree with a WIP patch applied; there is actually no ReportOutOfMemory there.
Here's the call tree from MBasicBlock::addImmediatelyDominatedBlock,
so jit::AnalyzeNewScriptDefiniteProperties and jit::AnalyzeArgumentsUsage should be fixed.

MBasicBlock::addImmediatelyDominatedBlock [A]
 |
 +- jit::BuildDominatorTree [A]
     |
     +- OptimizeMIR [A]
     |   |
     |   +- wasm::IonCompileFunction [A]
     |   |   |
     |   |   +- ModuleGenerator::finishFuncDef [A]
     |   |   |   |
     |   |   |   +- FunctionValidator::finish [A]
     |   |   |   |   |
     |   |   |   |   +- CheckFunction [B]
     |   |   |   |
     |   |   |   +- DecodeFunctionBody [E]
     |   |   |       |
     |   |   |       +- DecodeFunctionBodies [E]
     |   |   |           |
     |   |   |           +- DecodeModule [E]
     |   |   |               |
     |   |   |               +- wasm::Eval [B]
     |   |   |
     |   |   +- HelperThread::handleWasmWorkload [B]
     |   |
     |   +- CompileBackEnd [A]
     |       |
     |       +- IonCompile [B]
     |       |
     |       +- HelperThread::handleIonWorkload [D]
     |
     +- jit::AccountForCFGChanges [A]
     |   |
     |   +- jit::RemoveUnmarkedBlocks [A]
     |   |   |
     |   |   +- ValueNumberer::cleanupOSRFixups [A]
     |   |       |
     |   |       +- ValueNumberer::run [A]
     |   |           |
     |   |           +- OptimizeMIR [A] *
     |   |
     |   +- ValueNumberer::run [A] *
     |
     +- jit::AnalyzeNewScriptDefiniteProperties [C]
     |
     +- jit::AnalyzeArgumentsUsage [C]
     |
     +- jit::UnrollLoops [A]
         |
         +- OptimizeMIR [A] *

[A] doesn't report, propagates false/nullptr
[B] reports failure
[C] has cx, doesn't report, but reports exception on other case, SHOULD FIX
[D] handled in different path, clears pending exception
      https://dxr.mozilla.org/mozilla-central/rev/1da1937a9e03154ae7c60089f2dcf5ad9ee20fa3/js/src/jit/Ion.cpp#555
[E] has cx, but handled in caller
*   duplicated entry
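To make the [C] case above concrete, here is an added example in C++ (not SpiderMonkey code; JSContext, MIRGraph and the function bodies are reduced stand-ins with the same names): a cx-less helper propagates failure as false, a cx-holding caller either swallows that (the bug) or turns it into a pending exception (the followup fix), and a checker enforces the "false implies pending exception" contract that an AutoAssertPendingException would assert.

```cpp
// Added example, not SpiderMonkey code: models the OOM-reporting contract
// discussed in this bug. Helpers without a JSContext can only return false;
// the first caller holding a cx must call ReportOutOfMemory, otherwise
// callers above see "false but no pending exception" and hit assertions.
#include <cstdio>

// Stand-in for JSContext: only tracks whether an exception is pending.
struct JSContext {
    bool pendingException = false;
    bool hasPendingException() const { return pendingException; }
};

// Stand-in for the MIR graph; `oom` simulates an allocation failure
// inside addImmediatelyDominatedBlock.
struct MIRGraph {
    bool oom;
};

static void ReportOutOfMemory(JSContext* cx) {
    cx->pendingException = true;
}

// [A]-class function: no cx, cannot report, just propagates false.
static bool BuildDominatorTree(MIRGraph& graph) {
    return !graph.oom;
}

// [C]-class function before the fix: has cx but never reports the OOM.
static bool AnalyzeArgumentsUsage_Before(JSContext* cx, MIRGraph& graph) {
    (void)cx;
    if (!BuildDominatorTree(graph))
        return false;        // BUG: returns false with no pending exception
    return true;
}

// [C]-class function after the fix: failure from the cx-less helper is
// turned into a pending exception before propagating it.
static bool AnalyzeArgumentsUsage_After(JSContext* cx, MIRGraph& graph) {
    if (!BuildDominatorTree(graph)) {
        ReportOutOfMemory(cx);
        return false;
    }
    return true;
}

// The invariant an AutoAssertPendingException would enforce: a cx-taking
// function that returns false must leave an exception pending, and one that
// returns true must not. Returns true when the contract holds.
template <typename F>
static bool ContractHolds(F analyze, bool simulateOOM) {
    JSContext cx;
    MIRGraph graph{simulateOOM};
    bool ok = analyze(&cx, graph);
    return ok ? !cx.hasPendingException() : cx.hasPendingException();
}

int main() {
    printf("before fix, OOM: contract %s\n",
           ContractHolds(AnalyzeArgumentsUsage_Before, true) ? "holds" : "violated");
    printf("after fix,  OOM: contract %s\n",
           ContractHolds(AnalyzeArgumentsUsage_After, true) ? "holds" : "violated");
    return 0;
}
```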
Added ReportOutOfMemory to AnalyzeNewScriptDefiniteProperties and AnalyzeArgumentsUsage.
Other methods might need the same thing too; not yet investigated, but anyway this change should be needed there.
Attachment #8742306 - Flags: review?(jdemooij)
This sounds like some kind of type confusion, so I'm going to mark this sec-high. Adjust if appropriate.
Keywords: sec-high
Comment on attachment 8742306 [details] [diff] [review]
followup - Handle OOM inside BuildDominatorTree at AnalyzeNewScriptDefiniteProperties and AnalyzeArgumentsUsage.

Review of attachment 8742306 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/IonAnalysis.cpp
@@ +3772,4 @@
>      FinishDefinitePropertiesAnalysis(cx, constraints);
>  
>      if (!SplitCriticalEdges(graph))
>          return false;

I think we should also call ReportOutOfMemory here and after RenumberBlocks and EliminatePhis. (Although RenumberBlocks always returns true, so we could change it to return void instead of bool...)
Attachment #8742306 - Flags: review?(jdemooij) → review+
[Tracking Requested - why for this release]: sec-high regression
Keywords: regression
Fixed SplitCriticalEdges, RenumberBlocks and EliminatePhis.
Attachment #8742941 - Flags: review?(jdemooij)
Comment on attachment 8742941 [details] [diff] [review]
followup 2 - Handle OOM inside SplitCriticalEdges and EliminatePhis at AnalyzeNewScriptDefiniteProperties and AnalyzeArgumentsUsage.

Review of attachment 8742941 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good.
Attachment #8742941 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/611130fe9f93305ba081ce37a923d3383ccf3419
Bug 1263558 - Part 0.1: Handle OOM inside BuildDominatorTree at AnalyzeNewScriptDefiniteProperties and AnalyzeArgumentsUsage. r=jandem

https://hg.mozilla.org/integration/mozilla-inbound/rev/344a4bcc9015457aa8deadbaac79eead70acbb60
Bug 1263558 - Part 0.2: Handle OOM inside SplitCriticalEdges and EliminatePhis at AnalyzeNewScriptDefiniteProperties and AnalyzeArgumentsUsage. r=jandem

https://hg.mozilla.org/integration/mozilla-inbound/rev/5af002b8ef582c6d18ae5e7565d6c2c55dad0759
Bug 1263558 - Part 1: Self-host Array generics. r=till,bholley

https://hg.mozilla.org/integration/mozilla-inbound/rev/f1876796b8665a096aba8083a195ed8e85751b5f
Bug 1263558 - Part 2: Self-host String generics. r=till

https://hg.mozilla.org/integration/mozilla-inbound/rev/7b1ce08126bf35127d0e338cd2a21883ae87fcbe
Bug 1263558 - Part 3: Remove JSFUN_GENERIC_NATIVE. r=till

https://hg.mozilla.org/integration/mozilla-inbound/rev/b1e8dbf2f4c92666991b0a026dfbc8fa0fa26826
Bug 1263558 - Part 4: Call initBuiltinConstructor after defining properties in InitStringClass. r=till
Blocks: 1267171
(In reply to Hannes Verschore [:h4writer] from comment #45)
> https://treeherder.mozilla.org/#/jobs?repo=try&revision=dbc24d3df009

Hmm. That was not intentional! This is for another bug.
Group: javascript-core-security → core-security-release
Tracking in case this reopens
Group: core-security-release