Closed Bug 1411294 Opened 3 years ago Closed 3 years ago

Assertion failure: get() (dereferencing a UniquePtr containing nullptr), at dist/include/mozilla/UniquePtr.h:320

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
mozilla58
Tracking Status
firefox-esr52 --- wontfix
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision d49501f258b1 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

oomTest(function() {
  eval(`var clonebuffer = serialize("abc");
  clonebuffer.clonebuffer = "\
\\x00\\x00\\x00\\x00\\b\\x00\\xFF\\xFF\\f\
\\x00\\x00\\x00\\x03\\x00\\xFF\\xFF\\x00\\x00\\x00\\x00\\x00\\x00\\x00\
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xF0?\\x00\\x00\\x00\\\x00\\x00\
\\x00\\xFF\\xFF"
  var obj = deserialize(clonebuffer)
  assertEq(new ({ get }).keys(obj).toString(), "12,ab");
`);
});


Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00000000008c9c3c in mozilla::UniquePtr<JS::ubi::EdgeRange, JS::DeletePolicy<JS::ubi::EdgeRange> >::operator-> (this=<optimized out>) at dist/include/mozilla/UniquePtr.h:320
#1  0x00000000008da6a8 in CloneBufferObject::setCloneBuffer_impl (cx=cx@entry=0x7ffff6948000, args=...) at js/src/builtin/TestingFunctions.cpp:2780
#2  0x00000000008daa6b in JS::CallNonGenericMethod<&CloneBufferObject::is, &CloneBufferObject::setCloneBuffer_impl> (args=..., cx=0x7ffff6948000) at dist/include/js/CallNonGenericMethod.h:100
#3  CloneBufferObject::setCloneBuffer (cx=0x7ffff6948000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:2798
#4  0x0000000000560fcd in js::CallJSNative (cx=0x7ffff6948000, native=0x8da9d0 <CloneBufferObject::setCloneBuffer(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:291
#5  0x000000000055563f in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6948000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:473
#6  0x0000000000555a1d in InternalCall (cx=cx@entry=0x7ffff6948000, args=...) at js/src/vm/Interpreter.cpp:522
#7  0x0000000000555b80 in js::Call (cx=cx@entry=0x7ffff6948000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:541
#8  0x0000000000556102 in js::CallSetter (cx=0x7ffff6948000, thisv=..., thisv@entry=..., setter=setter@entry=..., v=v@entry=...) at js/src/vm/Interpreter.cpp:670
#9  0x0000000000bd7ece in SetExistingProperty (cx=0x7ffff6948000, obj=..., obj@entry=..., id=..., id@entry=..., v=v@entry=..., receiver=receiver@entry=..., pobj=..., pobj@entry=..., prop=..., result=...) at js/src/vm/NativeObject.cpp:2732
#10 0x0000000000bed668 in js::NativeSetProperty<(js::QualifiedBool)1> (cx=cx@entry=0x7ffff6948000, obj=..., id=id@entry=..., value=..., value@entry=..., receiver=..., receiver@entry=..., result=...) at js/src/vm/NativeObject.cpp:2768
#11 0x000000000055de8c in js::SetProperty (cx=0x7ffff6948000, obj=..., id=..., id@entry=..., v=..., receiver=..., receiver@entry=..., result=...) at js/src/vm/NativeObject.h:1621
#12 0x000000000063938c in js::jit::DoSetPropFallback (cx=0x7ffff6948000, frame=0x7fffffffa378, stub_=<optimized out>, stack=0x7fffffffa368, lhs=..., rhs=...) at js/src/jit/BaselineIC.cpp:1728
#13 0x00003c8234db65dd in ?? ()
[...]
#37 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffffff99a0	140737488329120
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffff9900	140737488328960
rsp	0x7fffffff9900	140737488328960
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x28	40
r13	0x7fffffff9940	140737488329024
r14	0x7ffff69d8a90	140737330907792
r15	0x0	0
rip	0x8c9c3c <mozilla::UniquePtr<JS::ubi::EdgeRange, JS::DeletePolicy<JS::ubi::EdgeRange> >::operator->() const+44>
=> 0x8c9c3c <mozilla::UniquePtr<JS::ubi::EdgeRange, JS::DeletePolicy<JS::ubi::EdgeRange> >::operator->() const+44>:	movl   $0x0,0x0
   0x8c9c47 <mozilla::UniquePtr<JS::ubi::EdgeRange, JS::DeletePolicy<JS::ubi::EdgeRange> >::operator->() const+55>:	ud2
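An added illustration, not Mozilla's code, of the failure mode the backtrace points at: setCloneBuffer_impl dereferenced a UniquePtr that a failed allocation had left null. The block simulates the injected allocation failures of the shell's oomTest() and shows the checked form that reports failure instead of crashing; CloneData, the length rule and the two allocation points are simplified stand-ins, not the real JSStructuredCloneData.

```cpp
#include <cstdint>
#include <cstring>
#include <memory>
#include <new>
#include <utility>
#include <vector>

// Allocation-failure injection modelled on the shell's oomTest(): the
// g_failAt-th fallible allocation (1-based) fails; 0 disables injection.
static int g_failAt = 0;
static int g_allocCount = 0;

// Stand-in for js::MakeUnique: returns a null unique_ptr on (injected) OOM.
template <typename T, typename... Args>
std::unique_ptr<T> MakeUniqueFallible(Args&&... args) {
    if (++g_allocCount == g_failAt) return nullptr;          // injected OOM
    return std::unique_ptr<T>(new (std::nothrow) T(std::forward<Args>(args)...));
}

// Simplified stand-in for the clone-buffer payload: Init() allocates and may fail.
struct CloneData {
    std::vector<uint8_t> bytes;
    bool Init(size_t nbytes) {
        if (++g_allocCount == g_failAt) return false;        // injected OOM
        bytes.assign(nbytes, 0);
        return true;
    }
};

// Checked setter: each fallible step is tested before use, so an OOM at any point
// returns nullptr. Dropping the "!buf ||" test reproduces the crash pattern above.
std::unique_ptr<CloneData> SetCloneBufferChecked(const uint8_t* data, size_t nbytes) {
    if (nbytes == 0 || nbytes % sizeof(uint64_t) != 0) return nullptr;  // bad length
    auto buf = MakeUniqueFallible<CloneData>();
    if (!buf || !buf->Init(nbytes)) return nullptr;          // null check first
    memcpy(buf->bytes.data(), data, nbytes);
    return buf;
}

// Drive the setter the way oomTest does: fail allocation 1, then 2, ... until a
// run completes with no injected failure. Returns how many OOM points were hit.
int RunOomTest(const uint8_t* data, size_t nbytes) {
    int oomPoints = 0;
    for (int failAt = 1;; ++failAt) {
        g_failAt = failAt; g_allocCount = 0;
        if (SetCloneBufferChecked(data, nbytes)) { g_failAt = 0; return oomPoints; }
        ++oomPoints;
    }
}
```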
Attached patch: Patch
OOM bug in a CloneBuffer testing function.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8921805 - Flags: review?(jcoppeard)
Attachment #8921805 - Flags: review?(jcoppeard) → review+
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/8c07eaec94c4
user:        Kan-Ru Chen
date:        Fri Apr 22 18:04:20 2016 +0800
summary:     Bug 1264642 - Part 4. Use BufferList to replace raw buffers in StructuredClone. r=baku r=billm r=jorendorff

This iteration took 1.170 seconds to run.
Priority: -- → P1
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a132d945f106
Fix OOM bug in CloneBuffer testing function. r=jonco
https://hg.mozilla.org/mozilla-central/rev/a132d945f106
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Duplicate of this bug: 1415948