Closed
Bug 1278839
Opened 8 years ago
Closed 8 years ago
Crash [@ js::StringEqualsAscii] with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla50
| Tracking | Status | |
|---|---|---|
| firefox50 | --- | verified |
People
(Reporter: decoder, Assigned: jandem)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(2 files)
|
3.72 KB,
text/plain
|
Details | |
|
1.16 KB,
patch
|
nbp
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision ec20b463c04f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads): lfLogBuffer = ` setJitCompilerOption(eval + Function, 0); `; loadFile(lfLogBuffer); loadFile(lfLogBuffer); function loadFile(lfVarx) oomTest(function() eval(lfVarx)); Backtrace: Program received signal SIGSEGV, Segmentation fault. js::StringEqualsAscii (str=str@entry=0x0, asciiBytes=asciiBytes@entry=0xf5ff92 "baseline.warmup.trigger") at js/src/jsstr.cpp:3047 #0 js::StringEqualsAscii (str=str@entry=0x0, asciiBytes=asciiBytes@entry=0xf5ff92 "baseline.warmup.trigger") at js/src/jsstr.cpp:3047 #1 0x00000000008c683a in JS_FlatStringEqualsAscii (str=str@entry=0x0, asciiBytes=asciiBytes@entry=0xf5ff92 "baseline.warmup.trigger") at js/src/jsapi.cpp:5344 #2 0x0000000000bea6a6 in SetJitCompilerOption (cx=0x7ffff691ac00, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1954 #3 0x0000000000a95c22 in js::CallJSNative (cx=0x7ffff691ac00, native=0xbea5e0 <SetJitCompilerOption(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235 [...] #44 0x0000000000000000 in ?? () rax 0x17 23 rbx 0xf5ff92 16121746 rcx 0xf5ffa9 16121769 rdx 0x200040000800000 144119586130755584 rsi 0xf5ff92 16121746 rdi 0xf5ff92 16121746 rbp 0x7fffffffaa10 140737488333328 rsp 0x7fffffffa9e0 140737488333280 r8 0xf5ffa9 16121769 r9 0x0 0 r10 0x7fffffffa650 140737488332368 r11 0x2 2 r12 0x17 23 r13 0x0 0 r14 0x2 2 r15 0x7fffffffaa60 140737488333408 rip 0x992383 <js::StringEqualsAscii(JSLinearString*, char const*)+83> => 0x992383 <js::StringEqualsAscii(JSLinearString*, char const*)+83>: mov 0x4(%r13),%edx 0x992387 <js::StringEqualsAscii(JSLinearString*, char const*)+87>: xor %eax,%eax
|
||
Updated•8 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
||
Comment 1•8 years ago
|
||
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781". The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1
Not sure what's going on here. Since SetJitCompilerOption is on the stack, setting needinfo? from Jan as a start.
Flags: needinfo?(jdemooij)
|
Assignee | |
Comment 4•8 years ago
|
||
Trivial OOM bug in SetJitCompilerOption.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8762285 -
Flags: review?(nicolas.b.pierron)
|
||
Updated•8 years ago
|
Attachment #8762285 -
Flags: review?(nicolas.b.pierron) → review+
Pushed by jandemooij@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/c6d7cd4c7aa2 Fix a trivial OOM in SetJitCompilerOption. r=nbp
Pushed by jandemooij@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/26a3a36d9f67 followup - Fix test to check oomTest is present. r=me
|
||
Comment 7•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/c6d7cd4c7aa2 https://hg.mozilla.org/mozilla-central/rev/26a3a36d9f67
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
|
||
Comment 8•8 years ago
|
||
I believe we can safely mark this verified fixed on Fx50, based on the crash data available for the last 4 months. SIGNATURE | MessageLoop::PostTask_Helper ------------------------------------------ CRASH STATS | http://tinyurl.com/hvpgpk5 ------------------------------------------ OVERVIEW | 0 crashes on nightly 52 | 0 crashes on nightly 51 | 0 crashes on aurora 51 | 0 crashes on nightly 50 | 0 crashes on aurora 50 | 0 crashes on beta 50
Status: RESOLVED → VERIFIED
|
|
||
Comment 9•8 years ago
|
||
With the right crash stats and signature this time: http://tinyurl.com/zobagnl, js::StringEqualsAscii.
You need to log in
before you can comment on or make changes to this bug.
Description
•