Closed Bug 1299106 Opened 8 years ago Closed 8 years ago

Crash [@ js::Sprinter::checkInvariants] or Crash [@ js::Sprinter::putString] with OOM

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1298570
Tracking Status
firefox51 --- affected

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: bugmon, crash, testcase, Whiteboard: [jsbugmon:])

Crash Data

The following testcase crashes on mozilla-central revision 4f72b1d05267 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --no-threads --baseline-eager):

var lfLogBuffer = `(function([{x}]) {})({})`;
loadFile();
loadFile(lfLogBuffer);
function loadFile(lfVarx) {
    oomTest(function() {
        eval(lfVarx);
    });
}

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x08723ef2 in js::Sprinter::checkInvariants (this=<optimized out>) at js/src/vm/Printer.cpp:132
#0  0x08723ef2 in js::Sprinter::checkInvariants (this=<optimized out>) at js/src/vm/Printer.cpp:132
#1  js::Sprinter::InvariantChecker::InvariantChecker (p=<optimized out>, this=<optimized out>) at js/src/vm/Printer.h:63
#2  js::Sprinter::putString (this=0xffff9f04, s=0x0) at js/src/vm/Printer.cpp:225
#3  0x08577875 in (anonymous namespace)::ExpressionDecompiler::write (this=this@entry=0xffff9ec8, str=<optimized out>) at js/src/jsopcode.cpp:1309
#4  0x085a026d in (anonymous namespace)::ExpressionDecompiler::decompilePC (this=this@entry=0xffff9ec8, pc=pc@entry=0xf6a18f25 "T") at js/src/jsopcode.cpp:1192
#5  0x085a1b6d in DecompileExpressionFromStack (cx=cx@entry=0xf7953000, spindex=spindex@entry=-1, skipStackHits=skipStackHits@entry=0, v=..., res=0xffffa15c) at js/src/jsopcode.cpp:1458
#6  0x085a1e69 in js::DecompileValueGenerator (cx=0xf7953000, spindex=-1, v=..., fallbackArg=..., skipStackHits=0) at js/src/jsopcode.cpp:1471
#7  0x084fc1d3 in js::ReportValueErrorFlags (cx=0xf7953000, flags=0, errorNumber=50, spindex=-1, v=..., fallback=..., arg1=0x0, arg2=0x0) at js/src/jscntxt.cpp:859
#8  0x089e2ac5 in js::jit::DoCallFallback (cx=0xf7953000, frame=0xffffa458, stub_=0xf65f2090, argc=0, vp=0xffffa418, res=...) at js/src/jit/BaselineIC.cpp:5989
#9  0xf7be367c in ?? ()
#10 0xf65f2090 in ?? ()
#11 0xf7be2c4a in ?? ()
#12 0x081f8880 in EnterBaseline (cx=0xf663879d, cx@entry=0xf7953000, data=...) at js/src/jit/BaselineJIT.cpp:157
[...]
#38 0x0851039b in JS_CallFunction (cx=0xf7953000, obj=..., fun=..., args=..., rval=...) at js/src/jsapi.cpp:2793
#39 0x08856de4 in OOMTest (cx=0xf7953000, argc=1, vp=0xffffbc88) at js/src/builtin/TestingFunctions.cpp:1395
#40 0xf7beb825 in ?? ()
[...]
#64 main (argc=5, argv=0xffffcde4, envp=0xffffcdfc) at js/src/shell/js.cpp:7623
eax	0x40	64
ebx	0x0	0
ecx	0xf791f000	-141430784
edx	0xf65d1440	-161672128
esi	0xffff9f04	-24828
edi	0x0	0
ebp	0xffff9dc8	4294942152
esp	0xffff9d80	4294942080
eip	0x8723ef2 <js::Sprinter::putString(JSString*)+82>
=> 0x8723ef2 <js::Sprinter::putString(JSString*)+82>:	mov    0x4(%ebx),%edi
   0x8723ef5 <js::Sprinter::putString(JSString*)+85>:	sub    $0x8,%esp
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160825005824" and the hash "181336fdda6625d8ffa5e5764b817cc3da1f9659".
The "bad" changeset has the timestamp "20160825011927" and the hash "bd702fa23037799ab4dd266d8a2b59d021f6cfa8".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=181336fdda6625d8ffa5e5764b817cc3da1f9659&tochange=bd702fa23037799ab4dd266d8a2b59d021f6cfa8
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 1789229965bf).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/6c65ad93a66d
user:        Shu-yu Guo
date:        Fri Sep 02 15:30:48 2016 -0700
summary:     Bug 1298570 - Check result of getArg when decompiling. (r=efaust)

This iteration took 244.667 seconds to run.
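The crash in this report is a fallible lookup (getArg) whose result was not checked under OOM, so a null reached js::Sprinter::putString (frame #2 shows s=0x0, and the register dump shows ebx=0 with the faulting load from 0x4(%ebx)); the bisected fix, bug 1298570, adds the check. The following C++ is an added illustration of that bug class and of the oomTest()-style fault injection that found it; it is not SpiderMonkey code, and every name in it (FakeString, FakeSprinter, Pool, the simulated allocator, decompileUnchecked, decompileChecked) is a hypothetical stand-in.

```cpp
// Added example (not SpiderMonkey code). Models the bug class in this report:
// a fallible lookup returns nullptr under OOM and an unchecked caller hands
// that null to a string sink, the way getArg()'s result reached
// js::Sprinter::putString(s=0x0). All names below are hypothetical stand-ins.
#include <cassert>
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Simulated allocator state: allocation number g_failAt fails (0 = never).
// This mirrors what the shell's oomTest() does by iterating the failing index.
static size_t g_allocCounter = 0;
static size_t g_failAt = 0;

static bool simulatedAllocOk() {
    ++g_allocCounter;
    return g_failAt == 0 || g_allocCounter != g_failAt;
}

// Stand-in for an engine-owned string.
struct FakeString { std::string chars; };
using Pool = std::vector<std::unique_ptr<FakeString>>;

// Stand-in for getArg(): fallible, returns nullptr when the simulated
// allocation fails. Callers must check the result.
static FakeString* getArg(Pool& pool, const char* name) {
    if (!simulatedAllocOk()) return nullptr;
    auto s = std::make_unique<FakeString>();
    s->chars = name;
    pool.push_back(std::move(s));
    return pool.back().get();
}

// Stand-in for js::Sprinter. The real putString() dereferences its argument
// unconditionally; here a null is recorded instead of crashing so that the
// harness below can observe it.
struct FakeSprinter {
    std::string out;
    bool nullPassed = false;
    bool putString(const FakeString* s) {
        if (s == nullptr) { nullPassed = true; return false; }
        out += s->chars;
        return true;
    }
};

// "Before" the fix: assumes getArg() succeeded.
static bool decompileUnchecked(Pool& pool, FakeSprinter& sp, const char* name) {
    FakeString* s = getArg(pool, name);
    return sp.putString(s);            // null reaches the sink under OOM
}

// "After" the fix (the pattern of bug 1298570): check the fallible result and
// propagate failure without touching the sink.
static bool decompileChecked(Pool& pool, FakeSprinter& sp, const char* name) {
    FakeString* s = getArg(pool, name);
    if (!s) return false;              // OOM: report failure upward
    return sp.putString(s);
}

// Fault-injection harness modelled on oomTest(): runs fn once per failing
// allocation index and reports whether a null ever reached putString().
template <typename Fn>
static bool oomInjectionLeaksNull(Fn fn, size_t maxAllocs = 8) {
    bool leaked = false;
    for (size_t failAt = 1; failAt <= maxAllocs && !leaked; ++failAt) {
        g_allocCounter = 0;
        g_failAt = failAt;
        Pool pool;
        FakeSprinter sp;
        fn(pool, sp);
        leaked = sp.nullPassed;
    }
    g_failAt = 0;
    return leaked;
}

// Results a test can check: the unchecked caller leaks a null under injection,
// the checked one never does, and without injection decompilation succeeds.
static bool uncheckedLeaksNull() {
    return oomInjectionLeaksNull([](Pool& p, FakeSprinter& s) { decompileUnchecked(p, s, "x"); });
}
static bool checkedLeaksNull() {
    return oomInjectionLeaksNull([](Pool& p, FakeSprinter& s) { decompileChecked(p, s, "x"); });
}
static std::string checkedOutputNoOom() {
    g_allocCounter = 0;
    g_failAt = 0;
    Pool pool;
    FakeSprinter sp;
    decompileChecked(pool, sp, "x");
    return sp.out;
}

int main() {
    assert(uncheckedLeaksNull());
    assert(!checkedLeaksNull());
    assert(checkedOutputNoOom() == "x");
    return 0;
}
```

The harness is the point: iterating the failing allocation index is what turns a rare OOM path into a deterministic test, which is why the testcase wraps eval() in oomTest(). Any helper that can return null on allocation failure needs its result checked at every call site, and fault injection over the whole call chain is the cheapest way to find the sites that were missed.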
Shu-yu, is bug 1298570 a likely fix?
Flags: needinfo?(shu)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4)
> Shu-yu, is bug 1298570 a likely fix?

ya
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(shu)
Resolution: --- → DUPLICATE