Closed Bug 1404710 Opened 3 years ago Closed 3 years ago

Assertion failure: isThrowingOutOfMemory(), at js/src/jscntxt.cpp:1110 with out-of-stack-space


(Core :: JavaScript Engine, defect, P3)




Tracking Status
firefox-esr52 --- unaffected
firefox58 --- wontfix
firefox59 --- wontfix
firefox60 --- fixed


(Reporter: decoder, Assigned: jandem)


(Blocks 1 open bug)


(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update][fuzzblocker])


(1 file)

The following testcase crashes on mozilla-central revision cd9c8c48e4b3 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

stackTest(new Function(`
  var g = newGlobal();
  var dbg = new Debugger(g);
  dbg.onDebuggerStatement = function (frame) {
    assertEq(frame.evalWithBindings("x", {x: 2}).return, 2);
  g.eval("function f(y) { debugger; }");


 received signal SIGSEGV, Segmentation fault.
0x0000000000980cb3 in JSContext::recoverFromOutOfMemory (this=0x7ffff6955000) at js/src/jscntxt.cpp:1110
#0  0x0000000000980cb3 in JSContext::recoverFromOutOfMemory (this=0x7ffff6955000) at js/src/jscntxt.cpp:1110
#1  0x0000000000b3ed8c in js::DebugEnvironments::takeFrameSnapshot (cx=cx@entry=0x7ffff6955000, debugEnv=..., debugEnv@entry=..., frame=...) at js/src/vm/EnvironmentObject.cpp:2723
#2  0x0000000000b459f4 in js::DebugEnvironments::onPopCall (cx=cx@entry=0x7ffff6955000, frame=...) at js/src/vm/EnvironmentObject.cpp:2772
#3  0x000000000053dd1b in PopEnvironment (cx=cx@entry=0x7ffff6955000, ei=...) at js/src/vm/Interpreter.cpp:1083
#4  0x000000000053deeb in js::UnwindAllEnvironmentsInFrame (cx=cx@entry=0x7ffff6955000, ei=...) at js/src/vm/Interpreter.cpp:1146
#5  0x0000000000c42ac5 in js::InterpreterFrame::epilogue (this=0x7ffff42960c0, cx=0x7ffff6955000, pc=0x7ffff2ff020f "\231Ǘ\020\221\n") at js/src/vm/Stack.cpp:281
#6  0x000000000054b6a8 in Interpret (cx=0x7ffff6955000, state=...) at js/src/vm/Interpreter.cpp:4347
#7  0x0000000000551181 in js::RunScript (cx=0x7ffff6955000, state=...) at js/src/vm/Interpreter.cpp:435
#8  0x000000000055187f in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6955000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:513
#9  0x0000000000551bbd in InternalCall (cx=0x7ffff6955000, args=...) at js/src/vm/Interpreter.cpp:540
#10 0x0000000000551d20 in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:559
#11 0x0000000000ab99b4 in js::ForwardingProxyHandler::call (this=<optimized out>, cx=0x7ffff6955000, proxy=..., args=...) at js/src/proxy/Wrapper.cpp:175
#12 0x0000000000aa584b in js::CrossCompartmentWrapper::call (this=0x1f13450 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff6955000, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:359
#13 0x0000000000ab0165 in js::Proxy::call (cx=0x7ffff6955000, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:497
#14 0x0000000000ab1d5d in js::proxy_Call (cx=0x7ffff6955000, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:772
#15 0x000000000055d391 in js::CallJSNative (cx=0x7ffff6955000, native=0xab1ce0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
#16 0x0000000000551a19 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6955000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:477
#17 0x0000000000551bbd in InternalCall (cx=0x7ffff6955000, args=...) at js/src/vm/Interpreter.cpp:540
#18 0x0000000000551cea in js::CallFromStack (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:546
#19 0x000000000063cea3 in js::jit::DoCallFallback (cx=0x7ffff6955000, frame=0x7fffffffcb68, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffcb08, res=...) at js/src/jit/BaselineIC.cpp:2586
#20 0x00002282dd93628b in ?? ()

This could be a wrong assertion. Given the testcase, it seems likely that some call here can fail due to being out of stack space rather than regular OOM.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
user:        Christian Holler
date:        Wed Sep 20 14:19:21 2017 +0200
summary:     Bug 1395240 - Implement stackTest function for JS stack OOM testing. r=jandem

This iteration took 1.359 seconds to run.
Priority: -- → P3
This bug is occurring highly frequently, marking as fuzzblocker.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
Flags: needinfo?(jdemooij)
Attached patch Patch
We call recoverFromOutOfMemory but the code can also throw overrecursion (when resolving the Array prototype under NewArray).
Assignee: nobody → jdemooij
Flags: needinfo?(jdemooij)
Attachment #8946228 - Flags: review?(jcoppeard)
Attachment #8946228 - Flags: review?(jcoppeard) → review+
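A constructed C++ model of the failure mode described in the comment above, added here and not code from this bug or from SpiderMonkey: `Cx`, `newArray`, `kMaxDepth` and the two `takeFrameSnapshot` variants are assumed stand-ins, and since the page does not show the patch body, the fixed path simply clears a pending over-recursion error the same way it clears an OOM (an assumption). It shows why a recovery helper that asserts "the pending error is an OOM" trips when the callee actually failed on stack exhaustion.

```cpp
#include <cstddef>
#include <cstdio>

// Constructed model of the error state a SpiderMonkey-style context carries (not the real JSContext).
enum class Pending { None, OutOfMemory, OverRecursed };

struct Cx {
    Pending pending = Pending::None;
    size_t depth = 0;                        // current native stack depth (constructed)
    static constexpr size_t kMaxDepth = 8;   // assumed tiny stack budget so the model can exhaust it

    bool isThrowingOutOfMemory() const { return pending == Pending::OutOfMemory; }
    bool isThrowingOverRecursed() const { return pending == Pending::OverRecursed; }

    // Mirrors the precondition asserted at jscntxt.cpp:1110: only an OOM may be swallowed here.
    // Returns false instead of aborting so the violation is observable in a test.
    bool recoverFromOutOfMemory() {
        if (!isThrowingOutOfMemory()) return false;   // this is where the real MOZ_ASSERT fires
        pending = Pending::None;
        return true;
    }
};

// Stand-in for NewArray resolving Array.prototype: it can fail for two different reasons.
bool newArray(Cx& cx, bool allocFails) {
    if (cx.depth >= Cx::kMaxDepth) { cx.pending = Pending::OverRecursed; return false; }
    if (allocFails)                 { cx.pending = Pending::OutOfMemory;  return false; }
    return true;
}

// Before the fix: every failure from newArray is treated as an OOM.
bool takeFrameSnapshotBuggy(Cx& cx, bool allocFails) {
    if (!newArray(cx, allocFails)) return cx.recoverFromOutOfMemory();  // false == assertion failure
    return true;
}

// After the fix: over-recursion is also a benign reason to skip the snapshot (handling assumed).
bool takeFrameSnapshotFixed(Cx& cx, bool allocFails) {
    if (!newArray(cx, allocFails)) {
        if (cx.isThrowingOverRecursed()) { cx.pending = Pending::None; return true; }
        return cx.recoverFromOutOfMemory();
    }
    return true;
}

// Scenario helpers returning results rather than printing them.
bool buggyPathUnderStackExhaustion() { Cx cx; cx.depth = Cx::kMaxDepth; return takeFrameSnapshotBuggy(cx, false); }
bool fixedPathUnderStackExhaustion() { Cx cx; cx.depth = Cx::kMaxDepth; return takeFrameSnapshotFixed(cx, false) && cx.pending == Pending::None; }
bool bothPathsUnderOom() { Cx a, b; return takeFrameSnapshotBuggy(a, true) && takeFrameSnapshotFixed(b, true); }

int main() {
    std::printf("buggy/over-recursed: %d  fixed/over-recursed: %d  both/oom: %d\n",
                buggyPathUnderStackExhaustion(), fixedPathUnderStackExhaustion(), bothPathsUnderOom());
    return 0;
}
```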
Pushed by
Also handle overrecursion in DebugEnvironments::takeFrameSnapshot. r=jonco
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60