Closed Bug 1792960 Opened 2 years ago Closed 2 years ago

Assertion failure: cx->runtime()->hadOutOfMemory, at /js/src/shell/js.cpp:5694

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
107 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox105 --- unaffected
firefox106 --- unaffected
firefox107 --- verified

People

(Reporter: decoder, Assigned: arai)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20220929-a2601693650d (debug build, run with --fuzzing-safe --ion-offthread-compile=off test.js):

syntaxParse(">")

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x000055fedbd7a0aa in SyntaxParse(JSContext*, unsigned int, JS::Value*) ()
#0  0x000055fedbd7a0aa in SyntaxParse(JSContext*, unsigned int, JS::Value*) ()
#1  0x000055fedbeebfcd in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#12 0x000055fedbd43104 in main ()
rax	0x55fedaa22bf6	94553078115318
rbx	0x0	0
rcx	0x55fedd491a68	94553122609768
rdx	0x1	1
rsi	0x0	0
rdi	0x7f7e0dec57d0	140179376199632
rbp	0x7ffd8c781b30	140726960134960
rsp	0x7ffd8c780fa0	140726960132000
r8	0x0	0
r9	0x6d	109
r10	0xfffffffffffffe1e	-482
r11	0x7f7e0dd59340	140179374707520
r12	0x55fedd3fbc70	94553121995888
r13	0x7f7e0ce2ae00	140179358789120
r14	0x1	1
r15	0x7f7e0bca60a0	140179340419232
rip	0x55fedbd7a0aa <SyntaxParse(JSContext*, unsigned int, JS::Value*)+2682>
=> 0x55fedbd7a0aa <_ZL11SyntaxParseP9JSContextjPN2JS5ValueE+2682>:	movl   $0x163e,0x0
   0x55fedbd7a0b5 <_ZL11SyntaxParseP9JSContextjPN2JS5ValueE+2693>:	callq  0x55fedbdd93a0 <abort>

Fuzzblocker due to the simplicity of the test.

Attached file Testcase

Regression from AutoReportFrontendContext added in bug 1786494.

Regressed by: 1786494

Set release status flags based on info from the regressing bug 1786494

:arai, since you are the author of the regressor, bug 1786494, could you take a look? Also, could you set the severity field?

For more information, please visit auto_nag documentation.

Flags: needinfo?(arai.unmht)
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220930093536-8d15b6719c22.
The bug appears to have been introduced in the following build range:

Start: 50157da10bda15d65de462d77d9e0b0538bf54cb (20220928073715)
End: 0ac06d10a688469f9dee764c08fd1f3b18240544 (20220928074337)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=50157da10bda15d65de462d77d9e0b0538bf54cb&tochange=0ac06d10a688469f9dee764c08fd1f3b18240544

Whiteboard: [bugmon:update,bisect][fuzzblocker] → [bugmon:update,bisected,confirmed][fuzzblocker]
Severity: -- → S3
Priority: -- → P1
Pushed by arai_a@mac.com: https://hg.mozilla.org/integration/autoland/rev/655a9a7b28a1 Fix AutoReportFrontendContext handling in shell. r=bthrall
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 107 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20221005094233-c14f7934269f.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Flags: needinfo?(arai.unmht)