1298776 - Assertion failure: uintptr_t(obj) > 0x1000 || uintptr_t(obj) == 0x48, at dist/include/js/Value.h:831 with OOM and Promise

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 1a5b53a831e5 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe):

oomTest(Function(`new Promise(res=>res)`));



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0881dad6 in OBJECT_TO_JSVAL_IMPL (obj=<optimized out>) at dist/include/js/Value.h:549
#0  0x0881dad6 in OBJECT_TO_JSVAL_IMPL (obj=<optimized out>) at dist/include/js/Value.h:549
#1  0x08835f9e in JS::Value::setObject (obj=..., this=0xffffb770) at dist/include/js/Value.h:1091
#2  JS::ObjectValue (obj=...) at dist/include/js/Value.h:1546
#3  js::PromiseObject::create (cx=0xf7953000, executor=..., proto=...) at js/src/builtin/Promise.cpp:713
#4  0x08836815 in js::PromiseConstructor (cx=0xf7953000, argc=1, vp=0xffffbc18) at js/src/builtin/Promise.cpp:925
#5  0x087052fb in js::CallJSNative (cx=0xf7953000, native=0x8836550 <js::PromiseConstructor(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#6  0x08707c76 in js::CallJSNativeConstructor (cx=0xf7953000, native=0x8836550 <js::PromiseConstructor(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:268
#7  0x08701584 in InternalConstruct (cx=cx@entry=0xf7953000, args=...) at js/src/vm/Interpreter.cpp:545
#8  0x08701720 in js::ConstructFromStack (cx=0xf7953000, args=...) at js/src/vm/Interpreter.cpp:583
#9  0x089e2dd8 in js::jit::DoCallFallback (cx=0xf7953000, frame=0xffffbc68, stub_=0xf7985070, argc=1, vp=0xffffbc18, res=...) at js/src/jit/BaselineIC.cpp:5972
#10 0xf7be367c in ?? ()
#11 0xf7985070 in ?? ()
#12 0xf7be2c4a in ?? ()
#13 0x081f8880 in EnterBaseline (cx=0xf7bedc6a, cx@entry=0xf7953000, data=...) at js/src/jit/BaselineJIT.cpp:157
[...]
#19 0x0851039b in JS_CallFunction (cx=0xf7953000, obj=..., fun=..., args=..., rval=...) at js/src/jsapi.cpp:2793
#20 0x08856de4 in OOMTest (cx=0xf7953000, argc=1, vp=0xf1233058) at js/src/builtin/TestingFunctions.cpp:1395
#21 0x087052fb in js::CallJSNative (cx=0xf7953000, native=0x8856b20 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#35 main (argc=3, argv=0xffffce24, envp=0xffffce34) at js/src/shell/js.cpp:7623
eax	0x0	0
ebx	0x8c33ff4	147013620
ecx	0xf7da4864	-136689564
edx	0x0	0
esi	0xffffb70c	-18676
edi	0x0	0
ebp	0xffffb6c8	4294948552
esp	0xffffb6c0	4294948544
eip	0x881dad6 <OBJECT_TO_JSVAL_IMPL(JSObject*)+70>
=> 0x881dad6 <OBJECT_TO_JSVAL_IMPL(JSObject*)+70>:	movl   $0x0,0x0
   0x881dae0 <OBJECT_TO_JSVAL_IMPL(JSObject*)+80>:	ud2

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160826080917" and the hash "e2a5214ebb0f6c3a19c7583c5a86f9d490257d1e".
The "bad" changeset has the timestamp "20160826084618" and the hash "cd28f500db07bf2c6a99027dbd0c341ea69fb52e".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=e2a5214ebb0f6c3a19c7583c5a86f9d490257d1e&tochange=cd28f500db07bf2c6a99027dbd0c341ea69fb52e

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Till, is bug 1289318 a likely regressor?

Comment 3

[Pulsebot]

Pushed by tschneidereit@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4b33830da34c
Handle nullptr return from CreatePromiseObjectInternal in PromiseObject::create. r=evilpie

Comment 4

[Pulsebot]

Pushed by tschneidereit@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/52afe8f0380a
Skip test in builds without oomTest to fix bustage. r=me

Comment 5

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/4b33830da34c
https://hg.mozilla.org/mozilla-central/rev/52afe8f0380a