Closed Bug 1727291 Opened 3 years ago Closed 3 years ago

Assertion failure: inited == hasPrototype(key), at vm/GlobalObject.h:334 with OOM

Categories

(Core :: JavaScript Engine, defect, P3)

x86_64
Linux
defect

Tracking


RESOLVED DUPLICATE of bug 1219128
Tracking Status
firefox-esr91 --- wontfix
firefox91 --- wontfix
firefox92 --- wontfix
firefox93 --- fix-optional

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20210817-659f053820bf (debug build, run with --fuzzing-safe --ion-offthread-compile=off test.js):

a = evalcx("lazy")
oomTest(function() {
    a.b
})

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x000055aecf16268d in js::GlobalObject::functionObjectClassesInitialized() const ()
#1  0x000055aecf1623ad in js::GlobalObject::getOrCreateObjectPrototype(JSContext*, JS::Handle<js::GlobalObject*>) ()
#2  0x000055aecf266d4c in JS_ResolveStandardClass(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) ()
#3  0x000055aecf020c2e in sandbox_resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) ()
#4  0x000055aecf50768e in bool js::NativeLookupOwnPropertyInline<(js::AllowGC)1, (js::LookupResolveMode)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, js::PropertyResult*) ()
#5  0x000055aecf50d037 in bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#6  0x000055aecf03bcc3 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) ()
#7  0x000055aecf17ea46 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) ()
#8  0x000055aecf16bc5b in Interpret(JSContext*, js::RunState&) ()
#9  0x000055aecf165891 in js::RunScript(JSContext*, js::RunState&) ()
#10 0x000055aecf178cb3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#11 0x000055aecf17a0d1 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#12 0x000055aecf17a2f0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#13 0x000055aecf338dfe in JS_CallFunction(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSFunction*>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) ()
#14 0x000055aecf6bb537 in RunIterativeFailureTest(JSContext*, IterativeFailureTestParams const&, IterativeFailureSimulator&) ()
#15 0x000055aecf6d46a1 in OOMTest(JSContext*, unsigned int, JS::Value*) ()
[...]
#28 0x000055aecefd249e in main ()
rax	0x55aecdd3d11e	94209265881374
rbx	0x0	0
rcx	0x55aed06887e0	94209309181920
rdx	0x1	1
rsi	0x0	0
rdi	0x7fbe01a854b0	140454048322736
rbp	0x7fff5e85ddd0	140734779219408
rsp	0x7fff5e85dda0	140734779219360
r8	0x0	0
r9	0x6f	111
r10	0x55aecdae464d	94209263421005
r11	0x7fbe0191c4c0	140454046844096
r12	0x1000000000000	281474976710656
r13	0x346a18f3f0e0	57630289817824
r14	0x0	0
r15	0xfff8000100000000	-2251795518717952
rip	0x55aecf16268d <js::GlobalObject::functionObjectClassesInitialized() const+413>
=> 0x55aecf16268d <_ZNK2js12GlobalObject32functionObjectClassesInitializedEv+413>:	movl   $0x14e,0x0
   0x55aecf162698 <_ZNK2js12GlobalObject32functionObjectClassesInitializedEv+424>:	callq  0x55aecf06881a <abort>

I don't think this bug is necessarily new, but recently this assert and variations of it started surfacing with much higher frequency. It would be nice if we could solve these initialization problems.

Attached file Testcase
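The testcase above drives the shell's oomTest, which re-runs the function while making the 1st, 2nd, 3rd ... allocation fail in turn (RunIterativeFailureTest in the backtrace). The following is an added C example, not SpiderMonkey code and not from this bug: it models that iterative-failure technique against a toy global object with a hypothetical lazily created prototype per class key, and shows how an initialization routine that publishes its "inited" flag before the fallible allocation leaves exactly the inited == hasPrototype mismatch the assertion checks for, while the hardened version that publishes state only on success does not. The names Global, init_class_buggy, init_class_fixed and test_alloc are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Toy model (constructed for this example, not SpiderMonkey code) of a
 * global object that lazily creates standard-class prototypes. */
#define NUM_KEYS 2

typedef struct {
    bool inited[NUM_KEYS];      /* "class initialized" flag, per key */
    void *prototype[NUM_KEYS];  /* lazily allocated prototype slot */
} Global;

/* Fault injection: fail allocation number `fail_at` (1-based); 0 disables
 * injection. This is the idea behind oomTest/RunIterativeFailureTest. */
static unsigned g_alloc_count = 0;
static unsigned g_fail_at = 0;

static void *test_alloc(size_t n) {
    g_alloc_count++;
    if (g_fail_at != 0 && g_alloc_count == g_fail_at)
        return NULL;
    return calloc(1, n);
}

static bool has_prototype(const Global *g, int key) {
    return g->prototype[key] != NULL;
}

/* The invariant corresponding to the assertion in the report. */
static bool invariant_holds(const Global *g) {
    for (int k = 0; k < NUM_KEYS; k++)
        if (g->inited[k] != has_prototype(g, k))
            return false;
    return true;
}

/* Buggy: marks the class initialized before the allocation that can fail,
 * so an OOM leaves inited == true with no prototype, and a later retry
 * reports success without ever creating one. */
static bool init_class_buggy(Global *g, int key) {
    if (g->inited[key]) return true;
    g->inited[key] = true;
    void *proto = test_alloc(64);
    if (!proto) return false;        /* flag already flipped: inconsistent */
    g->prototype[key] = proto;
    return true;
}

/* Hardened: do all fallible work first, publish state only on success. */
static bool init_class_fixed(Global *g, int key) {
    if (g->inited[key]) return true;
    void *proto = test_alloc(64);
    if (!proto) return false;        /* nothing published, state unchanged */
    g->prototype[key] = proto;
    g->inited[key] = true;
    return true;
}

typedef bool (*init_fn)(Global *, int);

static void global_free(Global *g) {
    for (int k = 0; k < NUM_KEYS; k++) free(g->prototype[k]);
}

/* Iterative failure test: run the scenario with allocation 1 failing, then
 * allocation 2, ... until a run completes with no injected failure.
 * Returns the number of runs in which the invariant was violated. */
static int iterative_failure_test(init_fn init) {
    int violations = 0;
    for (unsigned fail_at = 1;; fail_at++) {
        Global g;
        memset(&g, 0, sizeof g);
        g_alloc_count = 0;
        g_fail_at = fail_at;

        /* Scenario: resolve two lazy classes, retrying once after a failure
         * the way a script touching the property again would. */
        for (int k = 0; k < NUM_KEYS; k++) {
            if (!init(&g, k))
                (void)init(&g, k);   /* retry after the simulated OOM */
        }
        if (!invariant_holds(&g)) violations++;
        bool injected = g_alloc_count >= fail_at;
        global_free(&g);
        if (!injected) break;        /* no allocation left to fail: done */
    }
    g_fail_at = 0;
    return violations;
}
```

With the buggy initializer every injected failure ends with a class whose flag says initialized but whose prototype slot is empty (two violations for the two keys); the hardened initializer survives the same sweep with none, which is the property an OOM-injection pass like oomTest is checking.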

Hey Jan,

Not sure to whom this would best go... any suggestions?

Severity: -- → S2
Flags: needinfo?(jdemooij)
Priority: -- → P3

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210824094724-7857f4c37a92.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: ae3feb731c92425c7bd4d32b9d0c8fbb907f4f9b (20200825033900)
End: 659f053820bfb61ffef053723a9ead96fb3ac7ec (20210817214910)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

Bug 1723715 part 13 refactored this code and changed the assertion message, but this is the same issue as bug 1219128. It's a complicated OOM bug around Object/Function bootstrapping...

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Severity: S2 → S4

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon