Closed Bug 1305570 Opened 8 years ago Closed 8 years ago

Assertion failure: ret == 0, at js/src/vm/Compression.cpp:242

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla52
Tracking Flags:
Tracking Status
firefox52 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [fuzzblocker][jsbugmon:ignore])

Attachments

(3 files)

Detailed Crash Information
47.46 KB, text/plain
Details
Testcase
65.54 KB, text/plain
Details
Patch
2.19 KB, patch
luke
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision c55bcb7c777e (build with --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --no-baseline --ion-eager):

See attachment.

Backtrace:

1   js-dbg-64-clang-darwin-c55bcb7c777e	0x0000000100bc0844 js::ScriptSource::chunkChars(JSContext*, js::UncompressedSourceCache::AutoHoldEntry&, unsigned long) + 372 (jsscript.cpp:1552)
2   js-dbg-64-clang-darwin-c55bcb7c777e	0x0000000100bc0aeb js::ScriptSource::chars(JSContext*, js::UncompressedSourceCache::AutoHoldEntry&, unsigned long, unsigned long) + 187 (jsscript.cpp:1601)
3   js-dbg-64-clang-darwin-c55bcb7c777e	0x0000000100bbf9bc js::ScriptSource::substring(JSContext*, unsigned long, unsigned long) + 76 (jsscript.cpp:1658)
4   js-dbg-64-clang-darwin-c55bcb7c777e	0x0000000100b1f48d js::FunctionToString(JSContext*, JS::Handle<JSFunction*>, bool) + 941 (RootingAPI.h:700)
/snip

For detailed crash information, see attachment.

Setting [fuzzblocker] because this is happening fairly often.
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160923033900" and the hash "c4d91d17c8ed2e385f4a4a3d97f861eee722626f".
The "bad" changeset has the timestamp "20160923040159" and the hash "52459cfd15765aa82ff26501b9c1a56272d49f0d".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c4d91d17c8ed2e385f4a4a3d97f861eee722626f&tochange=52459cfd15765aa82ff26501b9c1a56272d49f0d

Jan, is bug 1304390 a likely regressor?
Blocks: 1304390
Flags: needinfo?(jdemooij)
Note that this can be a little intermittent though still fairly reproducible. The more I reduce the testcase, the less reproducible it becomes, so the testcase is fairly large, and setting JSBugMon to ignore.
Attached patch PatchSplinter Review 
This is annoying:

When inflate() is called with flush = Z_FINISH parameter, it won't allocate any memory. However, we can't use Z_FINISH for chunks other than the last one, or inflate() will throw Z_BUF_ERROR at us.

So for these non-last chunks, we have to use Z_NO_FLUSH (or Z_BLOCK, it doesn't really matter). When zlib is done, it attempts to allocate some internal (window) data structures for the *next* call to inflate. In this case there won't be another call to inflate (we immediately call inflateEnd), but unfortunately there's no way to communicate that to zlib.

Anyway, let's just handle OOM return values from inflate() in this case. I also upgraded some asserts to release asserts.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8795210 - Flags: review?(luke)
Attachment #8795210 - Flags: review?(luke) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a14592c05e0f
Handle OOM when calling inflate() with Z_NO_FLUSH. r=luke
https://hg.mozilla.org/mozilla-central/rev/a14592c05e0f
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox52: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: