Bug 1269718 - Crash [@ XDRRelazificationInfo<(js::XDRMode)1>] or Crash [@ initRuntimeFields] with OOM

Status: NEW
Whiteboard: [jsbugmon:update]
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: ARM Linux
Severity: critical
Target Milestone: ---
Assigned To: Nobody; OK to take it and work on it
: Jason Orendorff [:jorendorff]
Blocks: langfuzz 912928
Reported: 2016-05-03 04:44 PDT by Christian Holler (:decoder)
Modified: 2016-05-20 16:58 PDT
Flags: nicolas.b.pierron: needinfo? (nicolas.b.pierron)

Attachments
OOM_VERBOSE=1 stack from m-c rev 45709b7b6466 (10.25 KB, text/plain), 2016-05-20 16:58 PDT, Gary Kwong [:gkw] [:nth10sd]

Description  Christian Holler (:decoder) 2016-05-03 04:44:13 PDT
The following testcase crashes on mozilla-central revision 77cead2cd203 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --enable-debug, run with --fuzzing-safe --thread-count=2):

oomTest(function() { eval(`
  function evalWithCache(code, ctx) {
    ctx = Object.create(ctx, {});
    // Wrap the source in a bytecode cache entry unless one was passed in.
    code = code instanceof Object ? code : cacheEntry(code);
    ctx.global = newGlobal({ cloneSingletons: true });
    // First run: compile the script and save its XDR-encoded bytecode into the cache entry.
    var res1 = evaluate(code, Object.create(ctx, {saveBytecode: { value: true } }));
    // Second run: decode the saved bytecode (the JS_DecodeScript path in the backtrace) and save it again.
    var res2 = evaluate(code, Object.create(ctx, {loadBytecode: { value: true }, saveBytecode: { value: true } }));
  }
  // Source under test: a lazily compiled inner function plus a call that forces its delazification.
  test = (function () {
    function f(x) {}
    return f.toSource() + "; f(true)";
  })();
  evalWithCache(test, { assertEqBytecode: true, assertEqResult : true });
`);
});
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
XDRRelazificationInfo<(js::XDRMode)1> (lazy=..., enclosingScope=..., script=..., fun=..., xdr=0xffffad10) at js/src/jsscript.cpp:557
#0  XDRRelazificationInfo<(js::XDRMode)1> (lazy=..., enclosingScope=..., script=..., fun=..., xdr=0xffffad10) at js/src/jsscript.cpp:557
#1  js::XDRScript<(js::XDRMode)1> (xdr=xdr@entry=0xffffad10, enclosingScopeArg=enclosingScopeArg@entry=..., enclosingScript=..., enclosingScript@entry=..., fun=fun@entry=..., scriptp=..., scriptp@entry=...) at js/src/jsscript.cpp:1211
#2  0x085aa13a in js::XDRInterpretedFunction<(js::XDRMode)1> (xdr=xdr@entry=0xffffad10, enclosingScope=enclosingScope@entry=..., enclosingScript=enclosingScript@entry=..., objp=objp@entry=...) at js/src/jsfun.cpp:630
#3  0x085f4346 in js::XDRScript<(js::XDRMode)1> (xdr=xdr@entry=0xffffad10, enclosingScopeArg=enclosingScopeArg@entry=..., enclosingScript=..., enclosingScript@entry=..., fun=..., fun@entry=..., scriptp=..., scriptp@entry=...) at js/src/jsscript.cpp:1152
#4  0x0883948d in js::XDRState<(js::XDRMode)1>::codeScript (this=this@entry=0xffffad10, scriptp=scriptp@entry=...) at js/src/vm/Xdr.cpp:168
#5  0x08524376 in JS_DecodeScript (cx=0xf7a74020, data=0xeca54000, length=342) at js/src/jsapi.cpp:6457
#6  0x080f24fd in Evaluate (cx=0xf7a74020, argc=2, vp=0xf542d128) at js/src/shell/js.cpp:1478
#7  0x086f8a4a in js::CallJSNative (cx=0xf7a74020, native=0x80f17d0 <Evaluate(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#8  0x086f5ce4 in js::InternalCallOrConstruct (cx=0xf7a74020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:480
#9  0x086f6094 in InternalCall (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:525
#10 0x086e509b in CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:531
#11 Interpret (cx=cx@entry=0xf7a74020, state=...) at js/src/vm/Interpreter.cpp:2831
#12 0x086f5a0f in js::RunScript (cx=0xf7a74020, state=...) at js/src/vm/Interpreter.cpp:426
#13 0x086f797f in js::ExecuteKernel (cx=0xf7a74020, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=evalInFrame@entry=..., result=result@entry=0xf59ffe80) at js/src/vm/Interpreter.cpp:704
#14 0x0849776d in js::DirectEvalStringFromIon (cx=cx@entry=0xf7a74020, scopeObj=scopeObj@entry=..., callerScript=callerScript@entry=..., newTargetValue=newTargetValue@entry=..., str=str@entry=..., pc=pc@entry=0xf7a98629 "{", vp=...) at js/src/builtin/Eval.cpp:408
#15 0x084fb19d in js::jit::Simulator::softwareInterrupt (this=0xf7a1c000, instr=0xf553b264) at js/src/jit/arm/Simulator-arm.cpp:2388
[...]
#28 0x088487bc in OOMTest (cx=0xf7a74020, argc=1, vp=0xf542d058) at js/src/builtin/TestingFunctions.cpp:1310
[...]
#43 main (argc=4, argv=0xffffccd4, envp=0xffffcce8) at js/src/shell/js.cpp:7483
eax	0x0	0
ebx	0x988cffc	159961084
ecx	0x0	0
edx	0x0	0
esi	0x0	0
edi	0x0	0
ebp	0xffffa9c8	4294945224
esp	0xffffa7b0	4294944688
eip	0x85f4b91 <js::XDRScript<(js::XDRMode)1>(js::XDRState<(js::XDRMode)1>*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Handle<JSFunction*>, JS::MutableHandle<JSScript*>)+7713>
=> 0x85f4b91 <js::XDRScript<(js::XDRMode)1>(js::XDRState<(js::XDRMode)1>*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Handle<JSFunction*>, JS::MutableHandle<JSScript*>)+7713>:	movzbl 0x1f(%eax),%edx
   0x85f4b95 <js::XDRScript<(js::XDRMode)1>(js::XDRState<(js::XDRMode)1>*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Handle<JSFunction*>, JS::MutableHandle<JSScript*>)+7717>:	shl    $0x4,%ecx
Comment 1  Fuzzing Team 2016-05-03 05:11:44 PDT
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781".
The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1
Comment 2  Gary Kwong [:gkw] [:nth10sd] 2016-05-20 16:58:29 PDT
Created attachment 8755066
OOM_VERBOSE=1 stack from m-c rev 45709b7b6466