Assertion failure: !templateObj->nonProxyIsExtensible(), at js/src/jscompartment.cpp:642 with OOM

RESOLVED FIXED in Firefox 55

Status: RESOLVED FIXED
Priority: P2
Severity: critical
Reported: a year ago
Modified: 11 months ago

People

(Reporter: decoder, Assigned: shu)

Tracking

Blocks: 2 bugs
Keywords: assertion, jsbugmon, testcase
Version: Trunk
Target Milestone: mozilla55
Platform: x86_64 Linux
Points: ---

Firefox Tracking Flags

(firefox52 unaffected, firefox-esr52 unaffected, firefox53 unaffected, firefox54 unaffected, firefox55 fixed)

Details

(Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 attachment)

(Reporter)

Description

a year ago
The following testcase crashes on mozilla-central revision e1576dd8bd9d (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

var lfLogBuffer = `
(function(global) {
  global.BUGNUMBER = "";
})(this);
var BUGNUMBER = 452498;
//corefuzz-dcd-endofdata
var appendToActual = function(s) {}
//corefuzz-dcd-endofdata
function tryItOut(code) {
    d = f = Function(code)
    f()
}
tryItOut("assertEq('bar', String.raw\`bar\`);")
`;
lfLogBuffer = lfLogBuffer.split('\n');
var lfCodeBuffer = "";
while (true) {
    var line = lfLogBuffer.shift();
    if (line == null) {
        break;
    } else if (line == "//corefuzz-dcd-endofdata") {
        loadFile(lfCodeBuffer);
    } else {
        lfCodeBuffer += line + "\n";
    }
}
if (lfCodeBuffer) loadFile(lfCodeBuffer);
function loadFile(lfVarx) {
    oomTest(function() {
        eval(lfVarx);
    });
}

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000953578 in JSCompartment::getTemplateLiteralObject (this=0x7ffff692b000, cx=0x7ffff6948000, rawStrings=..., templateObj=...) at js/src/jscompartment.cpp:642
#0  0x0000000000953578 in JSCompartment::getTemplateLiteralObject (this=0x7ffff692b000, cx=0x7ffff6948000, rawStrings=..., templateObj=...) at js/src/jscompartment.cpp:642
#1  0x0000000000530f7d in Interpret (cx=0x7ffff6948000, state=...) at js/src/vm/Interpreter.cpp:3193
#2  0x0000000000538a12 in js::RunScript (cx=0x7ffff6948000, state=...) at js/src/vm/Interpreter.cpp:394
#3  0x000000000053b581 in js::ExecuteKernel (cx=cx@entry=0x7ffff6948000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffffffb090) at js/src/vm/Interpreter.cpp:677
#4  0x0000000000570ac6 in EvalKernel (cx=cx@entry=0x7ffff6948000, v=..., v@entry=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., env=env@entry=..., pc=<optimized out>, vp=...) at js/src/builtin/Eval.cpp:328
#5  0x000000000057100d in js::DirectEval (cx=cx@entry=0x7ffff6948000, v=..., vp=vp@entry=...) at js/src/builtin/Eval.cpp:438
#6  0x000000000060e200 in js::jit::DoCallFallback (cx=0x7ffff6948000, frame=0x7fffffffb128, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffb0d8, res=...) at js/src/jit/BaselineIC.cpp:2332
#7  0x000009654b9892e4 in ?? ()
rip	0x953578 <JSCompartment::getTemplateLiteralObject(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>)+1192>
=> 0x953578 <JSCompartment::getTemplateLiteralObject(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>)+1192>:	movl   $0x0,0x0
   0x953583 <JSCompartment::getTemplateLiteralObject(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>)+1203>:	ud2

Updated

a year ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1

a year ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/4fe119142fb5
user:        Shu-yu Guo
date:        Wed Mar 08 12:00:54 2017 -0800
summary:     Bug 1108941 - Implement the per-global template literal registry. (r=arai,jonco)

This iteration took 265.180 seconds to run.

Updated

a year ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]

Comment 2

a year ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 5fe5dcf1c10a).
This seems like a fragile testcase, setting needinfo? from Shu-yu as per comment 1 as a start.
Flags: needinfo?(shu)
(Assignee)

Comment 4

a year ago
Created attachment 8850146 [details] [diff] [review]
Add template objects to the registry after freezing.

The bug is that defining the property may fail, causing the invariant that all
template objects in the cache are frozen. Teaches me to be clever...
Attachment #8850146 - Flags: review?(jcoppeard)
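As an added illustration (not SpiderMonkey's code; the type names, the registry and the OOM simulation are hypothetical), the two orderings comment 4 contrasts: caching a template object before its fallible initialization leaves a non-frozen entry behind when the property definition fails under OOM, whereas registering only after freezing keeps the cache invariant intact.

```cpp
#include <map>
#include <string>
// Model of a cached template object; the invariant the assertion checks is
// that every cached object is frozen (non-extensible).
struct TemplateObject {
    bool frozen = false;
};
// Constructed OOM simulation (hypothetical): allocation fails once the budget is spent.
struct Allocator {
    int budget;
    bool allocate() { return budget-- > 0; }
};

// Fallible initialization: defining the "raw" property needs memory; then the object is frozen.
static bool defineRawAndFreeze(Allocator& alloc, TemplateObject& obj) {
    if (!alloc.allocate()) return false;   // OOM while defining the property
    obj.frozen = true;
    return true;
}
using Registry = std::map<std::string, TemplateObject>;

// Pre-fix ordering: cache first, initialize second. On OOM the non-frozen
// object stays cached and is handed out on the next lookup.
static bool getTemplateBuggy(Allocator& alloc, Registry& reg, const std::string& key, TemplateObject*& out) {
    auto it = reg.find(key);
    if (it == reg.end()) {
        it = reg.emplace(key, TemplateObject{}).first;
        if (!defineRawAndFreeze(alloc, it->second)) return false;
    }
    out = &it->second;
    return true;
}

// Fixed ordering (what the patch does): build and freeze a local object, and
// register it only once every fallible step has succeeded.
static bool getTemplateFixed(Allocator& alloc, Registry& reg, const std::string& key, TemplateObject*& out) {
    auto it = reg.find(key);
    if (it == reg.end()) {
        TemplateObject obj;
        if (!defineRawAndFreeze(alloc, obj)) return false;
        it = reg.emplace(key, obj).first;
    }
    out = &it->second;
    return true;
}
// The cache invariant: every registered template object is frozen.
static bool registryInvariantHolds(const Registry& reg) {
    for (const auto& kv : reg) if (!kv.second.frozen) return false;
    return true;
}
```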
(Assignee)

Updated

a year ago
Flags: needinfo?(shu)

Comment 5

a year ago
Attachment #8850146 - Flags: review?(jcoppeard) → review+
(In reply to Shu-yu Guo [:shu] from comment #4)
Oh, and please add check in the testcase too if possible.
(Assignee)

Comment 6

a year ago
(In reply to Jon Coppeard (:jonco) from comment #5)
> (In reply to Shu-yu Guo [:shu] from comment #4)
> Oh, and please add check in the testcase too if possible.

Unfortunately I couldn't figure out a reliable test case since it depends on OOM.

Comment 7

a year ago
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ce401c54cdbb
Add template objects to the registry after freezing. (r=jonco)

Comment 8

a year ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/ce401c54cdbb
Status: NEW → RESOLVED
Last Resolved: a year ago
status-firefox55: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Assignee: nobody → shu
status-firefox52: --- → unaffected
status-firefox53: --- → unaffected
status-firefox54: --- → unaffected
status-firefox-esr52: --- → unaffected
Priority: -- → P2