Closed Bug 1298355 Opened 8 years ago Closed 8 years ago

Assertion failure: isObjectOrNull(), at dist/include/js/Value.h:1279 with OOM and Promise

Categories: Core :: JavaScript Engine, defect
Platform: x86 Linux
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Tracking Status: firefox51 --- affected
People: Reporter: decoder, Unassigned
References: Blocks 1 open bug
Details: Keywords: assertion, bugmon, testcase; Whiteboard: [jsbugmon:update]

The following testcase crashes on mozilla-central revision 01748a2b1a46 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --thread-count=2 --ion-check-range-analysis):

// Fuzzer-reduced testcase: the Debugger's promiseResolutionSite getter is read
// from a promise that was created while the JS shell's oomTest() was injecting
// allocation failures.
var lfLogBuffer = `
  let g = newGlobal();
  let dbg = new Debugger();
  let gw = dbg.addDebuggee(g);
  g.promise = Promise.resolve(42);
  let promiseDO = gw.getOwnPropertyDescriptor('promise').value;
  let resolutionSite = promiseDO.promiseResolutionSite;
`;
loadFile(lfLogBuffer);
// oomTest() (JS shell builtin) reruns the callback, failing a different
// allocation on each iteration; exceptions from a failed iteration are swallowed.
function loadFile(lfVarx) {
    try {
        oomTest(function() {
            eval(lfVarx);
        });
    } catch (lfVare) {}
}
Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x080e785e in JS::Value::toObjectOrNull (this=0xf462f988) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/32/compiler/gcc/sanitizer/none/type/debug/dist/include/js/Value.h:1279
#0  0x080e785e in JS::Value::toObjectOrNull (this=0xf462f988) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/32/compiler/gcc/sanitizer/none/type/debug/dist/include/js/Value.h:1279
#1  0x0865f3cd in js::PromiseObject::resolutionSite (this=<optimized out>) at js/src/builtin/Promise.h:51
#2  js::DebuggerObject::promiseResolutionSiteGetter (cx=0xf7953000, argc=0, vp=0xffffb370) at js/src/vm/Debugger.cpp:8706
#3  0x087034cb in js::CallJSNative (cx=0xf7953000, native=0x865f1e0 <js::DebuggerObject::promiseResolutionSiteGetter(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#4  0x086fa776 in js::InternalCallOrConstruct (cx=0xf7953000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:453
#5  0x086faaad in InternalCall (cx=cx@entry=0xf7953000, args=...) at js/src/vm/Interpreter.cpp:498
#6  0x086fac3b in js::Call (cx=0xf7953000, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:517
#7  0x086fad26 in js::CallGetter (cx=0xf7953000, thisv=..., getter=..., rval=...) at js/src/vm/Interpreter.cpp:631
#8  0x086faff9 in CallGetter (vp=..., shape=..., receiver=..., obj=..., cx=0xf7953000) at js/src/vm/NativeObject.cpp:1737
#9  GetExistingProperty<(js::AllowGC)1> (cx=0xf7953000, receiver=..., obj=..., shape=..., vp=...) at js/src/vm/NativeObject.cpp:1785
#10 0x086fbb50 in NativeGetPropertyInline<(js::AllowGC)1> (cx=0xf7953000, obj=..., receiver=..., id=..., nameLookup=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2012
#11 0x086fc1c7 in js::NativeGetProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:2046
#12 0x0830fd53 in js::GetProperty (cx=0xf7953000, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.h:1479
#13 0x086fcd16 in js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0xf7953000) at js/src/jsobj.h:836
#14 js::GetProperty (cx=0xf7953000, v=..., name=..., vp=...) at js/src/vm/Interpreter.cpp:4169
#15 0x086ef94a in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=<optimized out>, cx=0xf7953000) at js/src/vm/Interpreter.cpp:189
#16 Interpret (cx=0xf7953000, state=...) at js/src/vm/Interpreter.cpp:2598
#17 0x086fa5be in js::RunScript (cx=0xf7953000, state=...) at js/src/vm/Interpreter.cpp:399
#18 0x08700950 in js::ExecuteKernel (cx=0xf7953000, script=..., scopeChainArg=..., newTargetValue=..., evalInFrame=..., result=0xffffbc10) at js/src/vm/Interpreter.cpp:679
#19 0x086324a3 in js::DirectEvalStringFromIon (cx=0xf7953000, scopeObj=..., callerScript=..., newTargetValue=..., str=..., pc=0xf426bae5 "{", vp=...) at js/src/builtin/Eval.cpp:426
#20 0xf7be8bea in ?? ()
eax	0x0	0
ebx	0x8c32ff4	147009524
ecx	0xf7da4864	-136689564
edx	0x0	0
esi	0xf7953000	-141217792
edi	0xffffb178	-20104
ebp	0xffffb148	4294947144
esp	0xffffb140	4294947136
eip	0x80e785e <JS::Value::toObjectOrNull() const+110>
=> 0x80e785e <JS::Value::toObjectOrNull() const+110>:	movl   $0x0,0x0
   0x80e7868 <JS::Value::toObjectOrNull() const+120>:	ud2
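The backtrace shows the failure class: an OOM-interrupted initialisation leaves a promise slot that is not an object or null, and the debugger getter reaches JS::Value::toObjectOrNull() without checking isObjectOrNull() first. The following is an added, simplified model written for this page (not SpiderMonkey's code; the Value, PromiseObject and accessor names are stand-ins, and the assumption that the slot is left undefined under OOM is a model, not a verified reading of the engine) showing the unchecked accessor beside a hardened one that reports "no site" instead of asserting.

```cpp
#include <cassert>
#include <cstdint>

// Minimal model of the JS::Value tag check that fires in the report:
// toObjectOrNull() requires isObjectOrNull().
enum class Tag { Undefined, Null, Object };

struct Value {
    Tag tag = Tag::Undefined;   // a never-written slot reads as undefined
    void* obj = nullptr;
    bool isObjectOrNull() const { return tag == Tag::Null || tag == Tag::Object; }
    void* toObjectOrNull() const {
        assert(isObjectOrNull());  // the assertion at Value.h:1279 in the report
        return obj;
    }
    static Value object(void* o) { return Value{Tag::Object, o}; }
};

// Model promise: the resolution-site slot is filled only after the site object
// is allocated; a failed allocation (OOM) leaves it in its default state.
struct PromiseObject {
    Value resolutionSiteSlot;
    int siteStorage = 0;  // stands in for the allocated site object

    void init(bool oom) {
        if (oom) return;  // allocation "failed": slot stays undefined
        resolutionSiteSlot = Value::object(&siteStorage);
    }

    // Unchecked accessor, as in the crashing frame: asserts on an undefined slot.
    void* resolutionSiteUnchecked() const { return resolutionSiteSlot.toObjectOrNull(); }

    // Hardened accessor: validates the slot before converting it.
    bool tryResolutionSite(void** out) const {
        if (!resolutionSiteSlot.isObjectOrNull()) return false;
        *out = resolutionSiteSlot.toObjectOrNull();
        return true;
    }
};

// Would the getter's precondition fail for a promise initialised under `oom`?
bool getterWouldAssert(bool oom) {
    PromiseObject p;
    p.init(oom);
    return !p.resolutionSiteSlot.isObjectOrNull();
}
```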
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 506facea6316).
JSBugMon: Bisection requested, failed due to error (try manually).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
Due to skipped revisions, the first good revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/cb6fc6d38f8d
user:        Shu-yu Guo
date:        Thu Aug 25 01:28:47 2016 -0700
summary:     Bug 1263355 - Rewrite the frontend: bindings. (r=jorendorff,Waldo)

changeset:   https://hg.mozilla.org/mozilla-central/rev/18bec78f348e
user:        Shu-yu Guo
date:        Thu Aug 25 01:28:47 2016 -0700
summary:     Bug 1263355 - Report memory metrics for Scopes. (r=njn)

This iteration took 199.197 seconds to run.
Shu-yu, is bug 1263355 a likely fix?
Flags: needinfo?(shu)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #3)
> Shu-yu, is bug 1263355 a likely fix?

I don't know the promise stuff, but I don't see why bug 1263355 would have fixed a promise OOM bug.
Flags: needinfo?(shu)
Till, the fix range is probably bogus, any thoughts on whether the issue still exists?
Flags: needinfo?(till)
It doesn't seem to exist anymore. My best guess at what fixed it is bug 1298776.
Flags: needinfo?(till)
Assuming FIXED by bug 1298776 as per comment 6.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Whiteboard: [jsbugmon:] → [jsbugmon:update]