1265693 - Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h:238 with OOM and hasOwnProperty

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision cb65ec85049e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

oomTest(Function("Function.hasOwnProperty(1.1)"));



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a966a8 in js::CallJSNative (cx=0x7ffff6908800, native=0x83f7d0 <js::obj_hasOwnProperty(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:238
#0  0x0000000000a966a8 in js::CallJSNative (cx=0x7ffff6908800, native=0x83f7d0 <js::obj_hasOwnProperty(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:238
#1  0x0000000000a92ab7 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6908800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:480
#2  0x0000000000a92d9b in InternalCall (cx=cx@entry=0x7ffff6908800, args=...) at js/src/vm/Interpreter.cpp:525
#3  0x0000000000a83677 in CallFromStack (args=..., cx=0x7ffff6908800) at js/src/vm/Interpreter.cpp:531
#4  Interpret (cx=cx@entry=0x7ffff6908800, state=...) at js/src/vm/Interpreter.cpp:2831
#5  0x0000000000a92838 in js::RunScript (cx=cx@entry=0x7ffff6908800, state=...) at js/src/vm/Interpreter.cpp:426
#6  0x0000000000a92b09 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6908800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
#7  0x0000000000a92d9b in InternalCall (cx=cx@entry=0x7ffff6908800, args=...) at js/src/vm/Interpreter.cpp:525
#8  0x0000000000a92eda in js::Call (cx=cx@entry=0x7ffff6908800, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:544
#9  0x00000000008ec7c6 in JS_CallFunction (cx=cx@entry=0x7ffff6908800, obj=..., fun=..., fun@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2876
#10 0x0000000000be1951 in OOMTest (cx=0x7ffff6908800, argc=<optimized out>, vp=0x7ffff31f7090) at js/src/builtin/TestingFunctions.cpp:1310
#11 0x0000000000a96522 in js::CallJSNative (cx=0x7ffff6908800, native=0xbe15b0 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#12 0x0000000000a92ab7 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6908800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:480
#13 0x0000000000a92d9b in InternalCall (cx=cx@entry=0x7ffff6908800, args=...) at js/src/vm/Interpreter.cpp:525
#14 0x0000000000a83677 in CallFromStack (args=..., cx=0x7ffff6908800) at js/src/vm/Interpreter.cpp:531
#15 Interpret (cx=cx@entry=0x7ffff6908800, state=...) at js/src/vm/Interpreter.cpp:2831
#16 0x0000000000a92838 in js::RunScript (cx=cx@entry=0x7ffff6908800, state=...) at js/src/vm/Interpreter.cpp:426
[...]
#25 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7455
rax	0x0	0
rbx	0x7ffff6908800	140737330055168
rcx	0x7ffff6ca588d	140737333844109
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffc110	140737488339216
rsp	0x7fffffffc0b0	140737488339120
r8	0x7ffff7fdf7c0	140737354004416
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffbe70	140737488338544
r11	0x7ffff6c27ee0	140737333329632
r12	0x7ffff31f7120	140737272312096
r13	0x0	0
r14	0x7fffffffc0d0	140737488339152
r15	0x83f7d0	8648656
rip	0xa966a8 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+680>
=> 0xa966a8 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+680>:	movl   $0xee,0x0
   0xa966b3 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+691>:	callq  0x4abcb0 <abort()>

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781".
The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1

Comment 2

[Jason Orendorff [:jorendorff]]

With this stack, we call ReportOutOfMemory:

#0  AtomizeAndCopyChars<unsigned char> (cx=0x7f2c40d1c800, tbchars=0x7fffccae3860 "1.1", length=3, 
    pin=js::DoNotPinAtom) at /home/jorendorff/dev/gecko/js/src/jsatom.cpp:339
#1  0x0000000000580763 in js::Atomize (cx=0x7f2c40d1c800, bytes=0x7fffccae3860 "1.1", length=3, 
    pin=js::DoNotPinAtom) at /home/jorendorff/dev/gecko/js/src/jsatom.cpp:409
#2  0x0000000000af248d in js::NumberToAtom (cx=0x7f2c40d1c800, d=1.1000000000000001)
    at /home/jorendorff/dev/gecko/js/src/jsnum.cpp:1349
#3  0x0000000000580fc0 in ToAtomSlow<(js::AllowGC)0> (cx=0x7f2c40d1c800, arg=...)
    at /home/jorendorff/dev/gecko/js/src/jsatom.cpp:485
#4  0x000000000058270d in js::ToAtom<(js::AllowGC)0> (cx=0x7f2c40d1c800, v=...)
    at /home/jorendorff/dev/gecko/js/src/jsatom.cpp:498
#5  0x00000000009c548d in js::ValueToId<(js::AllowGC)0> (cx=0x7f2c40d1c800, v=..., idp=...)
    at /home/jorendorff/dev/gecko/js/src/jsatominlines.h:87
#6  0x00000000009b304c in js::obj_hasOwnProperty (cx=0x7f2c40d1c800, argc=1, vp=0x7f2c37793120)
    at /home/jorendorff/dev/gecko/js/src/builtin/Object.cpp:521

I think we've got to clear that before returning from ToAtomSlow<NoGC>, because NoGC functions must not set an exception pending.

Comment 3

[Jason Orendorff [:jorendorff]]

Attachment: OOM bug in ToAtom<NoGC>()

MozReview-Commit-ID: 8fAwOBOXIDq

Comment 4

[Jason Orendorff [:jorendorff]]

Attachment: OOM bug in ToAtom<NoGC>()

MozReview-Commit-ID: 8fAwOBOXIDq

Comment 5

[Terrence Cole [:terrence]]

Comment on attachment 8742888 [details] [diff] [review]
OOM bug in ToAtom<NoGC>()

Review of attachment 8742888 [details] [diff] [review]:
-----------------------------------------------------------------

Jon is more familiar with the OOM paths, let's make sure he gets a look.

Comment 6

[Jon Coppeard (:jonco)]

Comment on attachment 8742888 [details] [diff] [review]
OOM bug in ToAtom<NoGC>()

Review of attachment 8742888 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit-test/tests/basic/bug1265693.js
@@ +1,1 @@
> +oomTest(Function("Function.hasOwnProperty(1.1)"));

This needs a |if (!('oomTest' in this)) quit()| guard.

Comment 7

[Jason Orendorff [:jorendorff]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/21f1e0017ba67e1017f487f9e750d87c92ac9d4a
Bug 1265693 - OOM bug in ToAtom<NoGC>(). r=jcoppeard.

Comment 8

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/21f1e0017ba6

Comment 9

[Sylvestre Ledru [:Sylvestre]]

Jason, is it something you would like to uplift to aurora & beta? Thanks

Comment 10

[Sylvestre Ledru [:Sylvestre]]

Too late for 49
Jon, do you know who could help with comment #9? Thanks

Comment 11

[Jon Coppeard (:jonco)]

I think it's fine to let this ride the trains.