Closed Bug 1347120 Opened 3 years ago Closed 3 years ago

Assertion failure: resultCode_ == JS::TranscodeResult_Ok, at js/src/vm/Xdr.cpp:35 with OOM

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla55
Tracking Status
firefox-esr52 --- wontfix
firefox53 --- wontfix
firefox54 --- wontfix
firefox55 --- fixed

People

(Reporter: decoder, Assigned: nbp)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, jsbugmon, testcase, Whiteboard: [jsbugmon:])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision f9362554866b (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

var lfLogBuffer = `
function evalWithCache(code, ctx) {
  ctx = Object.create(ctx, {});
  code = code instanceof Object ? code : cacheEntry(code);
  ctx.global = newGlobal({ cloneSingletons: true });
  var ctx_save = Object.create(ctx, {saveBytecode: { value: true } });
  var res1 = evaluate(code, ctx_save);
  var res2 = evaluate(code, Object.create(ctx_save, {loadBytecode: { value: true } }));
}
evalWithCache('', {});
`;
loadFile("");
loadFile(lfLogBuffer);
function loadFile(lfVarx) {
    try {
        oomTest(function() {
            let m = parseModule(lfVarx);
            m.declarationInstantiation();
            m.evaluation();
        });
    } catch(exc1) {}
}



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000cb4770 in js::XDRState<(js::XDRMode)1>::postProcessContextErrors (this=0x7fffffffb2c0, cx=0x7ffff6948000) at js/src/vm/Xdr.cpp:35
#0  0x0000000000cb4770 in js::XDRState<(js::XDRMode)1>::postProcessContextErrors (this=0x7fffffffb2c0, cx=0x7ffff6948000) at js/src/vm/Xdr.cpp:35
#1  0x0000000000cbcd1a in js::XDRState<(js::XDRMode)1>::codeScript (this=this@entry=0x7fffffffb2c0, scriptp=scriptp@entry=...) at js/src/vm/Xdr.cpp:172
#2  0x000000000092a3d5 in JS::DecodeScript (cx=cx@entry=0x7ffff6948000, buffer=..., scriptp=..., scriptp@entry=..., cursorIndex=cursorIndex@entry=0) at js/src/jsapi.cpp:6955
#3  0x000000000045a65e in Evaluate (cx=0x7ffff6948000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:1782
#4  0x0000000000540aa0 in js::CallJSNative (cx=cx@entry=0x7ffff6948000, native=0x45a250 <Evaluate(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:282
#5  0x000000000053627a in js::InternalCallOrConstruct (cx=0x7ffff6948000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:448
#6  0x000000000052897a in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:499
#7  Interpret (cx=0x7ffff6948000, state=...) at js/src/vm/Interpreter.cpp:2954
#8  0x0000000000535e52 in js::RunScript (cx=0x7ffff6948000, state=...) at js/src/vm/Interpreter.cpp:394
#9  0x00000000005389c1 in js::ExecuteKernel (cx=cx@entry=0x7ffff6948000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffffffc208) at js/src/vm/Interpreter.cpp:677
#10 0x0000000000538d88 in js::Execute (cx=cx@entry=0x7ffff6948000, script=script@entry=..., envChainArg=..., rval=rval@entry=0x7fffffffc208) at js/src/vm/Interpreter.cpp:710
#11 0x00000000005595d4 in js::ModuleObject::evaluate (cx=cx@entry=0x7ffff6948000, self=..., self@entry=..., rval=rval@entry=...) at js/src/builtin/ModuleObject.cpp:923
#12 0x0000000000ba725e in intrinsic_EvaluateModule (cx=0x7ffff6948000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/SelfHosting.cpp:2145
#13 0x0000214d602caf12 in ?? ()
[...]
#16 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff6948000	140737330315264
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffb230	140737488335408
rsp	0x7fffffffb220	140737488335392
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7fffffffb2c0	140737488335552
r13	0x0	0
r14	0x7fffffffb4c0	140737488336064
r15	0x1	1
rip	0xcb4770 <js::XDRState<(js::XDRMode)1>::postProcessContextErrors(JSContext*)+128>
=> 0xcb4770 <js::XDRState<(js::XDRMode)1>::postProcessContextErrors(JSContext*)+128>:	movl   $0x0,0x0
   0xcb477b <js::XDRState<(js::XDRMode)1>::postProcessContextErrors(JSContext*)+139>:	ud2
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160115010341" and the hash "32a8c6a3be186bbc1f39da147eb09b087ed322e3".
The "bad" changeset has the timestamp "20160115014842" and the hash "df444117c7bea0a407387dca31ed54c3598b054a".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=32a8c6a3be186bbc1f39da147eb09b087ed322e3&tochange=df444117c7bea0a407387dca31ed54c3598b054a
Flags: needinfo?(nicolas.b.pierron)
Flags: needinfo?(nicolas.b.pierron)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 23fe0b76a018).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160119005036" and the hash "9bb1872a676cfc39fd9419fb5d7310bd80258d56".
The "bad" changeset has the timestamp "20160120100025" and the hash "c34410da6b0130bc5430d18a20ad0357114ab0ed".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=9bb1872a676cfc39fd9419fb5d7310bd80258d56&tochange=c34410da6b0130bc5430d18a20ad0357114ab0ed
Jon, not sure if the testcase is intermittent, or is this FIXED?
Flags: needinfo?(jcoppeard)
Flags: needinfo?(jcoppeard) → needinfo?(nicolas.b.pierron)
Assignee: nobody → nicolas.b.pierron
Status: NEW → ASSIGNED
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4)
> Jon, not sure if the testcase is intermittent, or is this FIXED?

I have not checked why it disappeared, but it was not fixed.
The problem comes from the fact that we have 2 different ways of reporting errors in XDR code, and we were setting both at the same time, and correctly.  The assertion is about the fact that both error reporting systems are set, and takes the one from the context instead of the other.

In this case we were setting both reporting systems correctly after a small allocation failure caused by the oomTest function, so I weakened the assertion to fix this issue.
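The comment above describes two error-signalling channels in the XDR decoder (a per-decoder result code and the context's pending exception) and an assertion that fired when an allocation failure set both. The following is an added illustrative model of that situation, written for this page; it is not SpiderMonkey code and every name in it (Context, Decoder, postProcessStrict, postProcessRelaxed, simulateOOM) is a stand-in. It contrasts a strict consistency check, which treats "both channels set" as a bug, with a relaxed one that accepts a pending exception together with a 'Throw' result code, which is what the attached fix's title describes.

```cpp
// Illustrative model of two error-reporting channels in a decoder
// (added example, not SpiderMonkey's code; all names are constructed).
#include <cstddef>
#include <cstdint>
#include <vector>

// Channel (1): the decoder's own result code.
enum class TranscodeResult { Ok, Failure_Generic, Throw };

// Channel (2): the execution context, which records a pending exception
// when an allocation fails (the way a JS engine reports OOM).
struct Context {
    bool pendingException = false;
    bool simulateOOM = false;   // constructed knob standing in for oomTest()

    bool allocate(std::size_t) {
        if (simulateOOM) { pendingException = true; return false; }
        return true;
    }
};

class Decoder {
    TranscodeResult resultCode_ = TranscodeResult::Ok;
public:
    // Decode a constructed format: 4-byte little-endian length, then payload.
    // Any failure records a result code; the OOM path ALSO leaves a pending
    // exception on the context, so both channels end up set.
    bool decode(Context& cx, const std::vector<std::uint8_t>& buf) {
        if (buf.size() < 4) { resultCode_ = TranscodeResult::Failure_Generic; return false; }
        std::uint32_t len = buf[0] | (buf[1] << 8) | (buf[2] << 16) | (std::uint32_t(buf[3]) << 24);
        if (buf.size() - 4 < len) { resultCode_ = TranscodeResult::Failure_Generic; return false; }
        if (!cx.allocate(len)) { resultCode_ = TranscodeResult::Throw; return false; }
        return true;
    }

    // Strict post-processing: assumes at most one channel is set.
    // Returns false where the strict invariant would have asserted.
    bool postProcessStrict(Context& cx) {
        if (cx.pendingException) {
            if (resultCode_ != TranscodeResult::Ok) return false;  // "assertion failure"
            resultCode_ = TranscodeResult::Throw;
        }
        return true;
    }

    // Relaxed post-processing: a pending exception alongside Throw is
    // consistent (both channels describe the same failure), so only a
    // non-Throw failure code together with an exception is flagged.
    bool postProcessRelaxed(Context& cx) {
        if (cx.pendingException) {
            if (resultCode_ != TranscodeResult::Ok && resultCode_ != TranscodeResult::Throw) return false;
            resultCode_ = TranscodeResult::Throw;
        }
        return true;
    }

    TranscodeResult result() const { return resultCode_; }
};

// Constructed input: length 4 followed by a 4-byte payload.
static const std::vector<std::uint8_t> kGoodBuffer = {4, 0, 0, 0, 1, 2, 3, 4};

// Scenario helpers: each returns the outcome of one check so it can be asserted on.
bool strictCheckSurvivesOOM() {
    Context cx; cx.simulateOOM = true; Decoder d;
    d.decode(cx, kGoodBuffer);
    return d.postProcessStrict(cx);      // false: both channels set trips the strict check
}

bool relaxedCheckSurvivesOOM() {
    Context cx; cx.simulateOOM = true; Decoder d;
    d.decode(cx, kGoodBuffer);
    return d.postProcessRelaxed(cx) && d.result() == TranscodeResult::Throw;
}

bool decodeSucceedsWithoutOOM() {
    Context cx; Decoder d;
    return d.decode(cx, kGoodBuffer) && d.postProcessStrict(cx) && d.result() == TranscodeResult::Ok;
}

bool truncatedBufferIsGenericFailure() {
    Context cx; Decoder d;
    std::vector<std::uint8_t> truncated = {9, 0, 0, 0, 1};  // claims 9 bytes, carries 1
    return !d.decode(cx, truncated) && d.result() == TranscodeResult::Failure_Generic
           && !cx.pendingException;
}
```

The point of the model is that the strict check is wrong for the OOM path rather than the decoder being wrong: when an allocation fails, the context reports the exception and the decoder records 'Throw' for the same event, so an invariant that treats the pair as contradictory fires on a benign state. The relaxed check still catches the genuinely inconsistent case (a generic failure code with an exception pending).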
Comment on attachment 8866321 [details] [diff] [review]
XDR: Do not assert if the failure code is already set as to 'Throw' when there is a pending exception.

Review of attachment 8866321 [details] [diff] [review]:
-----------------------------------------------------------------

...sure
Attachment #8866321 - Flags: review?(shu) → review+
Pushed by npierron@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/58f6e99c9a83
XDR: Do not assert if the failure code is already set as to 'Throw' when there is a pending exception. r=shu
https://hg.mozilla.org/mozilla-central/rev/58f6e99c9a83
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Can this ride the 55 train or should it be nominated for backport?
(In reply to Ryan VanderMeulen [:RyanVM] from comment #10)
> Can this ride the 55 train or should it be nominated for backport?

This is an assertion issue, not a code issue.  If this is needed by the fuzzer to get this backported, I don't see anything against it.  Otherwise, I do not see much use in backporting this change.

"wontfix" for older version is the easiest from my point of view.
Flags: needinfo?(nicolas.b.pierron)
Gary, is this something you want uplifted for the sake of fuzzing or should we let it ride the trains?
Flags: needinfo?(gary)
Probably not this particular one.
Flags: needinfo?(gary)