Closed Bug 1404710
Opened 7 years ago
Closed 6 years ago
Assertion failure: isThrowingOutOfMemory(), at js/src/jscntxt.cpp:1110 with out-of-stack-space
Categories: Core :: JavaScript Engine, defect, P3
Tracking: RESOLVED FIXED, target milestone mozilla60
Release | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected
firefox58 | --- | wontfix
firefox59 | --- | wontfix
firefox60 | --- | fixed
People: Reporter: decoder, Assigned: jandem
References: Blocks 1 open bug
Details: Keywords: assertion, bugmon, testcase; Whiteboard: [jsbugmon:update][fuzzblocker]
Attachments (1 file): patch, 1.41 KB, jonco: review+ (Details | Diff | Splinter Review)
The following testcase crashes on mozilla-central revision cd9c8c48e4b3 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

stackTest(new Function(`
  var g = newGlobal();
  var dbg = new Debugger(g);
  dbg.onDebuggerStatement = function (frame) {
    assertEq(frame.evalWithBindings("x", {x: 2}).return, 2);
  };
  g.eval("function f(y) { debugger; }");
  g.f(3);
`));

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000980cb3 in JSContext::recoverFromOutOfMemory (this=0x7ffff6955000) at js/src/jscntxt.cpp:1110
#0  0x0000000000980cb3 in JSContext::recoverFromOutOfMemory (this=0x7ffff6955000) at js/src/jscntxt.cpp:1110
#1  0x0000000000b3ed8c in js::DebugEnvironments::takeFrameSnapshot (cx=cx@entry=0x7ffff6955000, debugEnv=..., debugEnv@entry=..., frame=...) at js/src/vm/EnvironmentObject.cpp:2723
#2  0x0000000000b459f4 in js::DebugEnvironments::onPopCall (cx=cx@entry=0x7ffff6955000, frame=...) at js/src/vm/EnvironmentObject.cpp:2772
#3  0x000000000053dd1b in PopEnvironment (cx=cx@entry=0x7ffff6955000, ei=...) at js/src/vm/Interpreter.cpp:1083
#4  0x000000000053deeb in js::UnwindAllEnvironmentsInFrame (cx=cx@entry=0x7ffff6955000, ei=...) at js/src/vm/Interpreter.cpp:1146
#5  0x0000000000c42ac5 in js::InterpreterFrame::epilogue (this=0x7ffff42960c0, cx=0x7ffff6955000, pc=0x7ffff2ff020f "\231Ǘ\020\221\n") at js/src/vm/Stack.cpp:281
#6  0x000000000054b6a8 in Interpret (cx=0x7ffff6955000, state=...) at js/src/vm/Interpreter.cpp:4347
#7  0x0000000000551181 in js::RunScript (cx=0x7ffff6955000, state=...) at js/src/vm/Interpreter.cpp:435
#8  0x000000000055187f in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6955000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:513
#9  0x0000000000551bbd in InternalCall (cx=0x7ffff6955000, args=...) at js/src/vm/Interpreter.cpp:540
#10 0x0000000000551d20 in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:559
#11 0x0000000000ab99b4 in js::ForwardingProxyHandler::call (this=<optimized out>, cx=0x7ffff6955000, proxy=..., args=...) at js/src/proxy/Wrapper.cpp:175
#12 0x0000000000aa584b in js::CrossCompartmentWrapper::call (this=0x1f13450 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff6955000, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:359
#13 0x0000000000ab0165 in js::Proxy::call (cx=0x7ffff6955000, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:497
#14 0x0000000000ab1d5d in js::proxy_Call (cx=0x7ffff6955000, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:772
#15 0x000000000055d391 in js::CallJSNative (cx=0x7ffff6955000, native=0xab1ce0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
#16 0x0000000000551a19 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6955000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:477
#17 0x0000000000551bbd in InternalCall (cx=0x7ffff6955000, args=...) at js/src/vm/Interpreter.cpp:540
#18 0x0000000000551cea in js::CallFromStack (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:546
#19 0x000000000063cea3 in js::jit::DoCallFallback (cx=0x7ffff6955000, frame=0x7fffffffcb68, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffcb08, res=...) at js/src/jit/BaselineIC.cpp:2586
#20 0x00002282dd93628b in ?? ()

rax 0x0 0
rbx 0x7ffff6955000 140737330368512
rcx 0x7ffff6c28a2d 140737333332525
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffb4d0 140737488336080
rsp 0x7fffffffb4c0 140737488336064
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fe4740 140737354024768
r10 0x0 0
r11 0x0 0
r12 0x7fffffffb500 140737488336128
r13 0x7fffffffb520 140737488336160
r14 0x0 0
r15 0x7fffffffb568 140737488336232
rip 0x980cb3 <JSContext::recoverFromOutOfMemory()+195>
=> 0x980cb3 <JSContext::recoverFromOutOfMemory()+195>: movl $0x0,0x0
   0x980cbe <JSContext::recoverFromOutOfMemory()+206>: ud2

This could be a wrong assertion. Given the testcase, it seems likely that some call here can fail due to being out of stack space rather than regular OOM.
Updated • 7 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1 • 7 years ago
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/a69946757ded
user: Christian Holler
date: Wed Sep 20 14:19:21 2017 +0200
summary: Bug 1395240 - Implement stackTest function for JS stack OOM testing. r=jandem

This iteration took 1.359 seconds to run.
Updated • 7 years ago
Priority: -- → P3
Comment 2 • 6 years ago (Reporter)
This bug is occurring highly frequently, marking as fuzzblocker.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
Updated • 6 years ago (Assignee)
Flags: needinfo?(jdemooij)
Comment 3 • 6 years ago (Assignee)
We call recoverFromOutOfMemory but the code can also throw overrecursion (when resolving the Array prototype under NewArray).
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8946228 - Flags: review?(jcoppeard)
Updated • 6 years ago
Attachment #8946228 - Flags: review?(jcoppeard) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/6c5d87204717
Also handle overrecursion in DebugEnvironments::takeFrameSnapshot. r=jonco
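The failure pattern the assignee describes, as an added example that is not code from this bug or from SpiderMonkey: a small C++ model with hypothetical names (Context, newArray, takeFrameSnapshotBuggy, takeFrameSnapshotFixed, patterned on isThrowingOutOfMemory/recoverFromOutOfMemory) in which the same callee can signal either out-of-memory or over-recursion, so a recovery path that asserts on OOM alone crashes exactly when the stack, not the heap, is exhausted.

```cpp
#include <cassert>

// Constructed model of the two failure modes behind this bug (hypothetical
// names; not SpiderMonkey code). A callee that allocates can fail because memory
// ran out or because the native stack limit was hit; a recovery path that
// assumes only the first case asserts on the second.
enum class Pending { None, OutOfMemory, OverRecursed };

struct Context {
    Pending pending = Pending::None;
    int maxDepth = 4;                 // stand-in for the stack-space limit
    bool failAllocations = false;     // stand-in for an allocator returning null

    bool isThrowingOutOfMemory() const { return pending == Pending::OutOfMemory; }
    bool isThrowingOverRecursed() const { return pending == Pending::OverRecursed; }
    void clearPendingException() { pending = Pending::None; }
};

// Stand-in for the array allocation that resolves the Array prototype: the
// stack check runs first, so it can fail with over-recursion before allocating.
static bool newArray(Context& cx, int depth) {
    if (depth > cx.maxDepth) { cx.pending = Pending::OverRecursed; return false; }
    if (cx.failAllocations) { cx.pending = Pending::OutOfMemory; return false; }
    return true;
}

// Before the fix: every failure is treated as OOM, so an over-recursion failure
// trips the assertion (the crash in the report).
static bool takeFrameSnapshotBuggy(Context& cx, int depth) {
    if (!newArray(cx, depth)) {
        assert(cx.isThrowingOutOfMemory());
        cx.clearPendingException();
        return false;
    }
    return true;
}

// After the fix: both failure modes the callee can raise are recovered from,
// and the pending exception is cleared so the caller can continue silently.
static bool takeFrameSnapshotFixed(Context& cx, int depth) {
    if (!newArray(cx, depth)) {
        assert(cx.isThrowingOutOfMemory() || cx.isThrowingOverRecursed());
        cx.clearPendingException();
        return false;
    }
    return true;
}
```

Calling takeFrameSnapshotBuggy with a depth above maxDepth aborts on the assertion, which is the behaviour the report's backtrace shows; the fixed variant returns false with the pending state cleared.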
Comment 5 • 6 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/6c5d87204717
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox60: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla60