Closed Bug 1784435 Opened 2 years ago Closed 2 years ago

Assertion failure: isThrowingOutOfMemory(), at vm/JSContext.cpp:968

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
105 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox103 --- unaffected
firefox104 --- unaffected
firefox105 --- verified

People

(Reporter: decoder, Assigned: mohamedatef1698)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20220811-7169b8faa7e1 (debug build, run with --fuzzing-safe --no-threads):

// Typed array with 65537 elements; its own property names are the index strings "0".."65536" plus "length"-like internals
v2 = new Uint32Array(65537);
v4 = Object.getOwnPropertyNames(v2);
// Comparing the array against a BigInt converts the array to a (very long) string,
// which js::StringToBigInt then tries to parse (see LessThanImpl -> BigInt::lessThan -> StringToBigInt in the backtrace)
do {} while (v4 < 10n);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555556f14e46 in JSContext::alreadyReportedOOM() ()
#1  0x0000555556e31510 in js::StringToBigInt(JSContext*, JS::Handle<JSString*>) ()
#2  0x0000555556e32ba6 in JS::BigInt::lessThan(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, mozilla::Maybe<bool>&) ()
#3  0x0000555556d57333 in LessThanImpl(JSContext*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>, mozilla::Maybe<bool>&) ()
#4  0x0000555556d2bc6c in Interpret(JSContext*, js::RunState&) ()
[...]
#13 0x0000555556b93ab4 in main ()
rip	0x555556f14e46 <JSContext::alreadyReportedOOM()+182>
=> 0x555556f14e46 <_ZN9JSContext18alreadyReportedOOMEv+182>:	movl   $0x3c8,0x0
   0x555556f14e51 <_ZN9JSContext18alreadyReportedOOMEv+193>:	callq  0x555556c2a1b4 <abort>
Attached file Testcase
Regressed by: 1746713

Set release status flags based on info from the regressing bug 1746713

:mohamedatef1698, since you are the author of the regressor, bug 1746713, could you take a look?
For more information, please visit auto_nag documentation.

Flags: needinfo?(mohamedatef1698)

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220812154154-66e3220110ba.
The bug appears to have been introduced in the following build range:

Start: 9fee436165d47605743596ac776654acedf1b757 (20220810213450)
End: 30d55bfc9346d72490b626d486b012a172f582a4 (20220810214808)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=9fee436165d47605743596ac776654acedf1b757&tochange=30d55bfc9346d72490b626d486b012a172f582a4

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Assignee: nobody → mohamedatef1698
Status: NEW → ASSIGNED
Attachment #9289762 - Attachment description: Bug 1784435: Assertion failure: isThrowingOutOfMemory(), at vm/JSContext.cpp:968. r?arai → Bug 1784435: Support generic error in js::StringToBigInt. r?arai
Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/e5c661eb211d
Support generic error in js::StringToBigInt. r=arai
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220813214044-f3931b6a6402.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

Done

Flags: needinfo?(mohamedatef1698)
