Closed Bug 1721990 Opened 4 years ago Closed 4 years ago

Assertion failure: thresholdBytes <= heapThreshold.incrementalLimitBytes(), at js/src/gc/GC.cpp:3438

Categories

(Core :: JavaScript: GC, defect)

x86_64
Linux
defect

Tracking


RESOLVED DUPLICATE of bug 1721713
Tracking Status
firefox92 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisect][fuzzblocker])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20210723-5a2e54d9a8ca ( build, run with --fuzzing-safe --ion-offthread-compile=off):

function a(b, c) {
  const d = "".padStart(10000);
  e = [];                 // implicit global; fuzzer-generated, left as posted
  const f = [,, e];
  d.startsWith();         // with no argument this takes the ToString path that reports over-recursion
  a();                    // unbounded recursion: the over-recursed error is raised from inside startsWith
}
a();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555574cdf1c in js::gc::GCRuntime::maybeTriggerGCAfterMalloc(JS::Zone*, js::gc::HeapSize const&, js::gc::HeapThreshold const&, JS::GCReason) ()
#1  0x0000555556f91ebf in js::NativeObject::allocateSlots(JSContext*, unsigned int) ()
#2  0x0000555556c1e03b in js::NativeObject::updateSlotsForSpan(JSContext*, unsigned long, unsigned long) ()
#3  0x000055555701e38f in js::NativeObject::setShapeAndUpdateSlotsForNewSlot(JSContext*, js::Shape*, unsigned int) ()
#4  0x000055555701dba2 in js::NativeObject::addProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, js::PropertyFlags, unsigned int*) ()
#5  0x0000555556f9760e in bool AddOrChangeProperty<(IsAddOrChange)0>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::PropertyDescriptor>, js::PropertyResult*) ()
#6  0x0000555556f96539 in js::NativeDefineProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::PropertyDescriptor>, JS::ObjectOpResult&) ()
#7  0x0000555556f3bce8 in js::DefineDataProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, unsigned int, JS::ObjectOpResult&) ()
#8  0x0000555556f3c084 in js::DefineDataProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, unsigned int) ()
#9  0x0000555556f3c988 in js::DefineFunctions(JSContext*, JS::Handle<JSObject*>, JSFunctionSpec const*, js::DefineAsIntrinsic) ()
#10 0x0000555556fc13cc in JS_DefineFunctions(JSContext*, JS::Handle<JSObject*>, JSFunctionSpec const*) ()
#11 0x0000555556ea3d8f in js::GlobalObject::resolveConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey, js::GlobalObject::IfClassIsDisabled) ()
#12 0x0000555556fe2b04 in js::GlobalObject::getOrCreateSavedFramePrototype(JSContext*, JS::Handle<js::GlobalObject*>) ()
#13 0x0000555556fe281e in js::SavedFrame::create(JSContext*) ()
#14 0x0000555556feb315 in js::SavedStacks::createFrameFromLookup(JSContext*, JS::Handle<js::SavedFrame::Lookup>) ()
#15 0x0000555556feb055 in js::SavedStacks::getOrCreateSavedFrame(JSContext*, JS::Handle<js::SavedFrame::Lookup>) ()
#16 0x0000555556fe8571 in js::SavedStacks::insertFrames(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) ()
#17 0x0000555556fe7635 in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) ()
#18 0x0000555556d10b55 in JS::CaptureCurrentStack(JSContext*, JS::MutableHandle<JSObject*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) ()
#19 0x0000555556d1636e in js::ErrorToException(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*) ()
#20 0x0000555556e2074f in js::ReportErrorNumberVA(JSContext*, js::IsWarning, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, js::ErrorArgumentsType, __va_list_tag*) ()
#21 0x0000555556cf254f in JS_ReportErrorNumberASCII(JSContext*, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, ...) ()
#22 0x0000555556ef1080 in js::ReportOverRecursed(JSContext*, unsigned int) ()
#23 0x0000555556e49aac in ToStringForStringFunction(JSContext*, char const*, JS::Handle<JS::Value>) ()
#24 0x0000555556e4acb6 in js::str_startsWith(JSContext*, unsigned int, JS::Value*) ()
#25 0x00002f2f2c4edd2c in ?? ()
#26 0xfff8800000000000 in ?? ()
#27 0x00007fffffdfe2a8 in ?? ()
#28 0xfffb1ef19c729780 in ?? ()
#29 0x0000000000000000 in ?? ()
rax	0x555555845960	93824995318112
rbx	0x7ffff603b768	140737320826728
rcx	0x5555580fd490	93825038013584
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffdfcc70	140737486244976
rsp	0x7fffffdfcc40	140737486244928
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x7ffff4a62060	140737297916000
r13	0x159fa3d3	362783699
r14	0x5	5
r15	0x7ffff4a62000	140737297915904
rip	0x5555574cdf1c <js::gc::GCRuntime::maybeTriggerGCAfterMalloc(JS::Zone*, js::gc::HeapSize const&, js::gc::HeapThreshold const&, JS::GCReason)+348>
=> 0x5555574cdf1c <_ZN2js2gc9GCRuntime25maybeTriggerGCAfterMallocEPN2JS4ZoneERKNS0_8HeapSizeERKNS0_13HeapThresholdENS2_8GCReasonE+348>:	movl   $0xd6e,0x0
   0x5555574cdf27 <_ZN2js2gc9GCRuntime25maybeTriggerGCAfterMallocEPN2JS4ZoneERKNS0_8HeapSizeERKNS0_13HeapThresholdENS2_8GCReasonE+359>:	callq  0x555556af935a <abort>

This is triggering very frequently, marking as fuzzblocker.

Attached file Testcase
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE

Bugmon Analysis
No valid actions for resolution (DUPLICATE)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
