Closed
Bug 1415948
Opened 7 years ago
Closed 7 years ago
Assertion failure: get() (dereferencing a UniquePtr containing nullptr), at dist/include/mozilla/UniquePtr.h:320 with clone and OOM
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
RESOLVED DUPLICATE of bug 1411294
| Tracking | Status
---|---|---
firefox58 | --- | affected
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update,ignore])
The following testcase crashes on mozilla-central revision 4e6df5159df3 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

oomTest(function() {
    eval(`var clonebuffer = serialize("abc");
clonebuffer.clonebuffer = "\
\\x00\\x00\\x00\\x00\\b\\x00\\xFF\\xFF\\f\
\\x00\\x00\\x00\\x03\\x00\\xFF\\xFF\\x00\\x00\\x00\\x00\\x00\\x00\\x00\
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xF0?\\x00\\x00\\x00\\\x00\\x00\
\\x00\\xFF\\xFF"
assertEq(yield, yield, ... clonebuffer("$5", eval));
`);
});

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0 0x00000000008c7b5c in mozilla::UniquePtr<JS::ubi::EdgeRange, JS::DeletePolicy<JS::ubi::EdgeRange> >::operator-> (this=<optimized out>) at dist/include/mozilla/UniquePtr.h:320
#1 0x00000000008d84b8 in CloneBufferObject::setCloneBuffer_impl (cx=cx@entry=0x7ffff6948000, args=...) at js/src/builtin/TestingFunctions.cpp:2779
#2 0x00000000008d887b in JS::CallNonGenericMethod<&CloneBufferObject::is, &CloneBufferObject::setCloneBuffer_impl> (args=..., cx=0x7ffff6948000) at dist/include/js/CallNonGenericMethod.h:100
#3 CloneBufferObject::setCloneBuffer (cx=0x7ffff6948000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:2797
#4 0x000000000055e631 in js::CallJSNative (cx=0x7ffff6948000, native=0x8d87e0 <CloneBufferObject::setCloneBuffer(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:291
#5 0x0000000000552dbf in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6948000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:472
#6 0x000000000055319d in InternalCall (cx=cx@entry=0x7ffff6948000, args=...) at js/src/vm/Interpreter.cpp:521
#7 0x0000000000553300 in js::Call (cx=cx@entry=0x7ffff6948000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:540
#8 0x0000000000553882 in js::CallSetter (cx=0x7ffff6948000, thisv=..., thisv@entry=..., setter=setter@entry=..., v=v@entry=...) at js/src/vm/Interpreter.cpp:669
#9 0x0000000000bd6e6e in SetExistingProperty (cx=0x7ffff6948000, obj=..., obj@entry=..., id=..., id@entry=..., v=v@entry=..., receiver=receiver@entry=..., pobj=..., pobj@entry=..., prop=..., result=...) at js/src/vm/NativeObject.cpp:2730
#10 0x0000000000bf5a17 in js::NativeSetProperty<(js::QualifiedBool)1> (cx=cx@entry=0x7ffff6948000, obj=..., id=id@entry=..., v=..., v@entry=..., receiver=..., receiver@entry=..., result=...) at js/src/vm/NativeObject.cpp:2758
#11 0x000000000055b55c in js::SetProperty (cx=0x7ffff6948000, obj=..., id=..., id@entry=..., v=..., receiver=..., receiver@entry=..., result=...) at js/src/vm/NativeObject.h:1621
#12 0x000000000063b0ec in js::jit::DoSetPropFallback (cx=0x7ffff6948000, frame=0x7fffffffa3d8, stub_=<optimized out>, stack=0x7fffffffa3c8, lhs=..., rhs=...) at js/src/jit/BaselineIC.cpp:1728
#13 0x00001794bfc3658d in ?? ()
[...]
#37 0x0000000000000000 in ?? ()

rax 0x0 0
rbx 0x7fffffff9a20 140737488329248
rcx 0x7ffff6c282ad 140737333330605
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffff9980 140737488329088
rsp 0x7fffffff9980 140737488329088
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fe4740 140737354024768
r10 0x58 88
r11 0x7ffff6b9e7a0 140737332766624
r12 0x28 40
r13 0x7fffffff99c0 140737488329152
r14 0x7ffff4595af0 140737292884720
r15 0x0 0
rip 0x8c7b5c <mozilla::UniquePtr<JS::ubi::EdgeRange, JS::DeletePolicy<JS::ubi::EdgeRange> >::operator->() const+44>
=> 0x8c7b5c <mozilla::UniquePtr<JS::ubi::EdgeRange, JS::DeletePolicy<JS::ubi::EdgeRange> >::operator->() const+44>: movl $0x0,0x0
0x8c7b67 <mozilla::UniquePtr<JS::ubi::EdgeRange, JS::DeletePolicy<JS::ubi::EdgeRange> >::operator->() const+55>: ud2
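The failure mode behind this report is the general one an oomTest()-style harness is built to find: a fallible allocation returns null on a simulated OOM, the owning UniquePtr is dereferenced without a null check, and the debug assertion in UniquePtr fires. The following C++ is an added illustration written for this page, not SpiderMonkey's code: OomInjector, makeFallible, CloneBuffer, CloneBufferHolder, setCloneBufferUnchecked, setCloneBufferChecked and oomTestLike are hypothetical stand-ins that model the harness (fail allocation 1, then 2, and so on, until a run completes with no injected failure) and show the buggy shape beside the checked one that reports OOM to its caller instead.

```cpp
// Added illustration (not SpiderMonkey's code): how an oomTest()-style harness
// surfaces an unchecked fallible allocation, and the shape of the fix.
// All names below are hypothetical stand-ins for the real engine types.
#include <cstdint>
#include <memory>
#include <new>
#include <utility>
#include <vector>

// Constructed OOM injector: fails the failAt-th allocation of a run (0 = never).
struct OomInjector {
    int failAt = 0;
    int count = 0;
    void reset(int n) { failAt = n; count = 0; }
    bool shouldFail() { return failAt != 0 && ++count == failAt; }
    bool fired() const { return failAt != 0 && count >= failAt; }
};
static OomInjector gOom;   // hypothetical global, like an engine-wide OOM counter

// Fallible allocation in the engine's style: nullptr on OOM, never throws.
template <typename T, typename... Args>
std::unique_ptr<T> makeFallible(Args&&... args) {
    if (gOom.shouldFail()) return nullptr;
    return std::unique_ptr<T>(new (std::nothrow) T(std::forward<Args>(args)...));
}

// Stand-ins for a serialized structured-clone buffer and the object owning it.
struct CloneBuffer {
    std::vector<uint8_t> bytes;
    explicit CloneBuffer(std::vector<uint8_t> b) : bytes(std::move(b)) {}
};
struct CloneBufferHolder {
    std::unique_ptr<CloneBuffer> buffer;
};

// Buggy shape: the result of a fallible allocation is dereferenced without a
// null check. When the injector fires, buf holds nullptr and the dereference
// is the UniquePtr assertion in the report. Shown for contrast; never called.
bool setCloneBufferUnchecked(CloneBufferHolder& holder, const std::vector<uint8_t>& data) {
    auto buf = makeFallible<CloneBuffer>(data);
    if (buf->bytes.empty()) return false;   // null dereference under OOM
    holder.buffer = std::move(buf);
    return true;
}

// Fixed shape: test the allocation and report OOM to the caller instead.
bool setCloneBufferChecked(CloneBufferHolder& holder, const std::vector<uint8_t>& data) {
    auto buf = makeFallible<CloneBuffer>(data);
    if (!buf) return false;                  // propagate OOM; no dereference
    if (buf->bytes.empty()) return false;
    holder.buffer = std::move(buf);
    return true;
}

// oomTest()-style driver: run fn with allocation 1 failing, then 2, ... until a
// run completes with no injected failure. Returns how many OOM positions were
// exercised, or -1 if fn reported success on a run where an allocation failed
// (an unchecked OOM, which in the real engine shows up as a crash instead).
template <typename Fn>
int oomTestLike(Fn fn) {
    int exercised = 0;
    for (int n = 1; ; ++n) {
        gOom.reset(n);
        bool ok = fn();
        if (!gOom.fired()) { gOom.reset(0); return exercised; }
        if (ok) { gOom.reset(0); return -1; }
        ++exercised;
    }
}

// Drives the checked setter through the harness with a constructed payload.
// The setter makes exactly one fallible allocation, so one position is exercised.
int exerciseCheckedSetter() {
    CloneBufferHolder holder;
    std::vector<uint8_t> data = {0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0xFF, 0xFF};  // constructed sample
    return oomTestLike([&] { return setCloneBufferChecked(holder, data); });
}

int main() {
    return exerciseCheckedSetter() == 1 ? 0 : 1;
}
```

The harness is the defender's check: any setter or parser that allocates must survive every failure position with a clean false return, and a -1 (or, in the real shell, a crash under oomTest) is the signal that an allocation result reached a dereference unchecked.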
Updated•7 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
Comment 1•7 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 2bdf6eed0f64).

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/8c07eaec94c4
user: Kan-Ru Chen
date: Fri Apr 22 18:04:20 2016 +0800
summary: Bug 1264642 - Part 4. Use BufferList to replace raw buffers in StructuredClone. r=baku r=billm r=jorendorff

This iteration took 1.294 seconds to run.
Comment 2•7 years ago
This could be a duplicate of bug 1411294 (because the build was broken for you).
Comment 3•7 years ago
This doesn't reproduce with revision abc17e0eea77. decoder?
Flags: needinfo?(choller)
Updated•7 years ago
Priority: -- → P1
Reporter
Comment 4•7 years ago
(In reply to Jan de Mooij [:jandem] from comment #2)
> This could be a duplicate of bug 1411294 (because the build was broken for
> you).

Jan is right, this is fixed already but we had a build breakage.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Reporter
Comment 5•7 years ago
Clearing needinfo.
Updated•7 years ago
Flags: needinfo?(choller)