Closed Bug 1278839 Opened 9 years ago Closed 9 years ago

Crash [@ js::StringEqualsAscii] with OOM

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla50
Tracking Status
firefox50 --- verified

People

(Reporter: decoder, Assigned: jandem)

References

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision ec20b463c04f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads):

lfLogBuffer = `
setJitCompilerOption(eval + Function, 0);
`;
loadFile(lfLogBuffer);
loadFile(lfLogBuffer);
function loadFile(lfVarx) oomTest(function() eval(lfVarx));

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::StringEqualsAscii (str=str@entry=0x0, asciiBytes=asciiBytes@entry=0xf5ff92 "baseline.warmup.trigger") at js/src/jsstr.cpp:3047
#0  js::StringEqualsAscii (str=str@entry=0x0, asciiBytes=asciiBytes@entry=0xf5ff92 "baseline.warmup.trigger") at js/src/jsstr.cpp:3047
#1  0x00000000008c683a in JS_FlatStringEqualsAscii (str=str@entry=0x0, asciiBytes=asciiBytes@entry=0xf5ff92 "baseline.warmup.trigger") at js/src/jsapi.cpp:5344
#2  0x0000000000bea6a6 in SetJitCompilerOption (cx=0x7ffff691ac00, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1954
#3  0x0000000000a95c22 in js::CallJSNative (cx=0x7ffff691ac00, native=0xbea5e0 <SetJitCompilerOption(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#44 0x0000000000000000 in ?? ()

rax	0x17	23
rbx	0xf5ff92	16121746
rcx	0xf5ffa9	16121769
rdx	0x200040000800000	144119586130755584
rsi	0xf5ff92	16121746
rdi	0xf5ff92	16121746
rbp	0x7fffffffaa10	140737488333328
rsp	0x7fffffffa9e0	140737488333280
r8	0xf5ffa9	16121769
r9	0x0	0
r10	0x7fffffffa650	140737488332368
r11	0x2	2
r12	0x17	23
r13	0x0	0
r14	0x2	2
r15	0x7fffffffaa60	140737488333408
rip	0x992383	<js::StringEqualsAscii(JSLinearString*, char const*)+83>

=> 0x992383 <js::StringEqualsAscii(JSLinearString*, char const*)+83>:	mov    0x4(%r13),%edx
   0x992387 <js::StringEqualsAscii(JSLinearString*, char const*)+87>:	xor    %eax,%eax
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781".
The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1
Not sure what's going on here. Since SetJitCompilerOption is on the stack, setting needinfo? from Jan as a start.
Flags: needinfo?(jdemooij)
Attached patch Patch
Trivial OOM bug in SetJitCompilerOption.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8762285 - Flags: review?(nicolas.b.pierron)
Attachment #8762285 - Flags: review?(nicolas.b.pierron) → review+
Pushed by jandemooij@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/c6d7cd4c7aa2 Fix a trivial OOM in SetJitCompilerOption. r=nbp
Pushed by jandemooij@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/26a3a36d9f67 followup - Fix test to check oomTest is present. r=me
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
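The backtrace above shows the shape of the bug: under oomTest, a fallible step inside SetJitCompilerOption returned null, and that null (r13 == 0x0 at the faulting mov 0x4(%r13),%edx) was handed to JS_FlatStringEqualsAscii, whose precondition is a non-null string. The following is an added C++ illustration of that bug class, not SpiderMonkey's code or the patch from this bug; FlatString, flatten, stringEqualsAscii, setOptionUnchecked and setOptionChecked are hypothetical stand-ins, and the oom flag simulates an allocation failure.

```cpp
#include <cstdio>
#include <memory>
#include <string>

// Added illustration of the bug class seen in the backtrace: a fallible
// operation returns null under OOM and the caller passes that null on to a
// helper that dereferences it. The types and functions below are hypothetical
// stand-ins, not SpiderMonkey's.

// Stand-in for a flat string produced by a fallible "flatten" step.
struct FlatString {
    std::string chars;
};

// Stand-in for the fallible call. A real flatten may need to allocate; here
// `oom` simulates that allocation failing, which is reported as nullptr.
static std::unique_ptr<FlatString> flatten(const std::string& s, bool oom) {
    if (oom) return nullptr;
    return std::unique_ptr<FlatString>(new FlatString{s});
}

// Stand-in for StringEqualsAscii: its precondition is a non-null str. The
// crash frame shows this kind of helper running with str=0x0.
static bool stringEqualsAscii(const FlatString* str, const char* ascii) {
    return str->chars == ascii;  // unconditional dereference
}

enum class Result { Ok, UnknownOption, OOM };

// Unchecked pattern: the result of the fallible call goes straight into the
// helper. With oom == true this is a null dereference (a segfault), so it is
// only ever exercised here with oom == false.
static Result setOptionUnchecked(const std::string& name, bool oom) {
    auto flat = flatten(name, oom);
    if (stringEqualsAscii(flat.get(), "baseline.warmup.trigger")) return Result::Ok;
    return Result::UnknownOption;
}

// Hardened pattern: test the fallible call's result before using it and
// propagate the failure to the caller instead of continuing.
static Result setOptionChecked(const std::string& name, bool oom) {
    auto flat = flatten(name, oom);
    if (!flat) return Result::OOM;  // allocation failed: report, do not deref
    if (stringEqualsAscii(flat.get(), "baseline.warmup.trigger")) return Result::Ok;
    return Result::UnknownOption;
}

static const char* describe(Result r) {
    switch (r) {
        case Result::Ok: return "ok";
        case Result::UnknownOption: return "unknown option";
        case Result::OOM: return "out of memory";
    }
    return "?";
}

int main() {
    std::printf("checked, no OOM:   %s\n", describe(setOptionChecked("baseline.warmup.trigger", false)));
    std::printf("checked, OOM:      %s\n", describe(setOptionChecked("baseline.warmup.trigger", true)));
    std::printf("unchecked, no OOM: %s\n", describe(setOptionUnchecked("baseline.warmup.trigger", false)));
    // setOptionUnchecked(..., true) would crash the same way the testcase does.
    return 0;
}
```

The point for reviewers of OOM-hardened code is the single added line in setOptionChecked: every call that can fail under memory pressure must have its result tested before it is passed to a function with a non-null precondition, and the failure must be reported up rather than swallowed. Fuzzing with simulated allocation failure, as oomTest does here, is what surfaces the missing check.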
I believe we can safely mark this verified fixed on Fx50, based on the crash data available for the last 4 months.

SIGNATURE   | MessageLoop::PostTask_Helper
------------------------------------------
CRASH STATS | http://tinyurl.com/hvpgpk5
------------------------------------------
OVERVIEW    | 0 crashes on nightly 52
            | 0 crashes on nightly 51
            | 0 crashes on aurora 51
            | 0 crashes on nightly 50
            | 0 crashes on aurora 50
            | 0 crashes on beta 50
Status: RESOLVED → VERIFIED
With the right crash stats and signature this time: http://tinyurl.com/zobagnl, js::StringEqualsAscii.