Closed Bug 1527155 Opened 5 years ago Closed 5 years ago

Assertion failure: isThrowingOutOfMemory(), at js/src/vm/JSContext.cpp:1162 with BigInt

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla67
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox65 --- unaffected
firefox66 --- unaffected
firefox67 --- fixed

People

(Reporter: gkw, Assigned: wingo)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(3 files)

Detailed Crash Information
7.58 KB, text/plain
Details
Testcase
115.63 KB, text/plain
Details
Bug 1527155 - Uniformly signal OOM if StringToBigInt result too large
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision b9187fa10f13 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

See attachment.

Backtrace:

#0 JSContext::alreadyReportedOOM (this=0x7ffa36d17000) at js/src/vm/JSContext.cpp:1162
#1 0x000055ea5f59cebb in js::StringToBigInt (cx=0x7ffa36d17000, str=...) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-x86_64-b9187fa10f13/objdir-js/dist/include/mozilla/Maybe.h:443
#2 0x000055ea5f59c5f9 in js::ToBigInt (cx=0x7ffa36d17000, val=...) at js/src/vm/BigIntType.cpp:2633
#3 0x000055ea5f7e2448 in BigIntConstructor (cx=0x7ffa36d17000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/BigInt.cpp:47
#4 0x000055ea5f57e300 in CallJSNative (cx=0x7ffa36d17000, native=0x55ea5f7e22f0 <BigIntConstructor(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:442
/snip

For detailed crash information, see attachment.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/4b74d76e55a8
user: Andy Wingo
date: Wed Feb 06 13:41:56 2019 +0000
summary: Bug 1522436 - Enable BigInt compilation by default r=jandem,terpri,froydnj

Andy, again related to BigInt?

Blocks: 1522436
Flags: needinfo?(wingo)

The testcase seems to be resistant against further line-based reduction so I just went ahead to file for good measure...

Summary: Assertion failure: isThrowingOutOfMemory(), at js/src/vm/JSContext.cpp:1162 → Assertion failure: isThrowingOutOfMemory(), at js/src/vm/JSContext.cpp:1162 with BigInt

a smaller testcase: BigInt(String(Array(0x100000)))

Flags: needinfo?(robin)

Attached patch fixes the error. Thanks for the report gkw!

Flags: needinfo?(wingo)
Flags: needinfo?(robin)
Keywords: checkin-needed

Pushed by apavel@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9ae214a9c414
Uniformly signal OOM if StringToBigInt result too large r=jwalden,terpri

Keywords: checkin-needed

https://hg.mozilla.org/mozilla-central/rev/9ae214a9c414

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox67: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Assignee: nobody → wingo
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: