1268309 - Assertion failure: !lookup(l).found(), at dist/include/js/HashTable.h:1733 with OOM

Status: RESOLVED DUPLICATE of bug 1266649

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision ab8a76ac7b34 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe):

du = new Debugger
du.setupTraceLogger({
    Scripts: true
});
lfCodeBuffer = "";
loadFile(lfCodeBuffer);
function loadFile(lfVarx)
  oomTest(Function(lfVarx));


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x081b375c in putNewInfallible<unsigned int&, js::TraceLoggerEventPayload*&> (l=@0xffffc610: 59, this=0xf7a821d8) at js/src/debug32/dist/include/js/HashTable.h:1733
#0  0x081b375c in putNewInfallible<unsigned int&, js::TraceLoggerEventPayload*&> (l=@0xffffc610: 59, this=0xf7a821d8) at js/src/debug32/dist/include/js/HashTable.h:1733
#1  putNew<unsigned int&, js::TraceLoggerEventPayload*&> (l=@0xffffc610: 59, this=0xf7a821d8) at js/src/debug32/dist/include/js/HashTable.h:1749
#2  putNew<unsigned int&, js::TraceLoggerEventPayload*&> (v=<synthetic pointer>, k=@0xffffc610: 59, this=0xf7a821d8) at js/src/debug32/dist/include/js/HashTable.h:238
#3  js::TraceLoggerThread::getOrCreateEventPayload (this=this@entry=0xf7a82180, type=type@entry=TraceLogger_Scripts, filename=0xf7a8f040 "min.js line 9 > Function", lineno=lineno@entry=1, colno=colno@entry=0, ptr=ptr@entry=0xf4f5a1f0) at js/src/vm/TraceLogging.cpp:438
#4  0x081b38c4 in getOrCreateEventPayload (script=0xf4f5a1f0, type=TraceLogger_Scripts, this=0xf7a82180) at js/src/vm/TraceLogging.cpp:458
#5  js::TraceLoggerEvent::TraceLoggerEvent (this=0xffffc7ec, logger=0xf7a82180, type=TraceLogger_Scripts, script=0xf4f5a1f0) at js/src/vm/TraceLogging.cpp:970
#6  0x08712723 in Interpret (cx=cx@entry=0xf7a73020, state=...) at js/src/vm/Interpreter.cpp:1664
#7  0x0872311f in js::RunScript (cx=cx@entry=0xf7a73020, state=...) at js/src/vm/Interpreter.cpp:426
#8  0x087233fa in js::InternalCallOrConstruct (cx=0xf7a73020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
#9  0x08723664 in InternalCall (cx=cx@entry=0xf7a73020, args=...) at js/src/vm/Interpreter.cpp:525
#10 0x08723714 in js::Call (cx=0xf7a73020, fval=fval@entry=..., thisv=thisv@entry=..., args=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:544
#11 0x08576bf0 in JS_CallFunction (cx=cx@entry=0xf7a73020, obj=..., fun=fun@entry=..., args=..., rval=rval@entry=...) at js/src/jsapi.cpp:2876
#12 0x088768b6 in OOMTest (cx=0xf7a73020, argc=1, vp=0xf4c380b8) at js/src/builtin/TestingFunctions.cpp:1310
#13 0x08726bca in js::CallJSNative (cx=0xf7a73020, native=0x88765b0 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#27 main (argc=3, argv=0xffffd8e4, envp=0xffffd8f4) at js/src/shell/js.cpp:7465
eax	0x0	0
ebx	0x98b9774	160143220
ecx	0xf7e4488c	-136034164
edx	0x0	0
esi	0xffffc630	-14800
edi	0xf7a82180	-139976320
ebp	0xffffc678	4294952568
esp	0xffffc5d0	4294952400
eip	0x81b375c <js::TraceLoggerThread::getOrCreateEventPayload(TraceLoggerTextId, char const*, unsigned int, unsigned int, void const*)+2204>
=> 0x81b375c <js::TraceLoggerThread::getOrCreateEventPayload(TraceLoggerTextId, char const*, unsigned int, unsigned int, void const*)+2204>:	movl   $0x6c5,0x0
   0x81b3766 <js::TraceLoggerThread::getOrCreateEventPayload(TraceLoggerTextId, char const*, unsigned int, unsigned int, void const*)+2214>:	call   0x8109470 <abort()>