Closed Bug 630533 Opened 9 years ago Closed 9 years ago

JM: OOM crash [@ JSObject::updateFlags]

Categories

(Core :: JavaScript Engine, defect, critical)

x86
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
blocking2.0 --- final+

People

(Reporter: gkw, Assigned: dmandelin)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [ccbr][softblocker][fixed-in-tracemonkey])

Crash Data

Attachments

(3 files)

s-s because I have no idea what this OOM crash is capable of.

Another super-difficult-to-reduce testcase, this time with a stack and occurs on Ubuntu Linux 10.04 32-bit debug js shell TM changeset a6d56af51d69 and with -m. This crashes on debug shell at JSObject::updateFlags, and crashes extremely occasionally. Just pass in the testcase as a CLI argument and it will reproduce. 

Eventually. Maybe.
blocking2.0: --- → ?
fwiw, the fix for bug 625141 is already checked in to http://hg.mozilla.org/tracemonkey/rev/a6d56af51d69

Opt shell seems to just throw an OOM error.
I think I see the bug based on the stack trace:

   560     if (inDictionaryMode()) {
   561         JS_ASSERT(parent == lastProp);
   562         if (parent->frozen()) {
   563             parent = Shape::newDictionaryList(cx, &lastProp);
   564             if (!parent)
   565                 return NULL;
   566             JS_ASSERT(!parent->frozen());
   567         }
   568         shape = Shape::newDictionaryShape(cx, child, &lastProp);
   569         if (!shape)
   570             return NULL;
   571     } else {
   572         shape = JS_PROPERTY_TREE(cx).getChild(cx, parent, child);
   573         if (shape) {
   574             JS_ASSERT(shape->parent == parent);
   575             JS_ASSERT_IF(parent != lastProp, parent == lastProp->parent);
   576             setLastProperty(shape);
   577         }
              ^^^^^^ fall through with shape == 0
   578     }
   579 
   580     updateFlags(shape);
           ^^^^^^^^^^^^^^^^^^^ requires shape != 0 or else it crashes

I think the false branch just needs to check for shape == 0 and return false, just like the true branch. I don't think this needs to block but it will take only 15 minutes (mostly to run tests) and should be very low risk so I'll try post a patch later today.
That code was schizo about whether to return early of fall through -- bad. Thanks for fixing, will r+ fast. Safe ridealong OOM protection.

/be
Just an OOM nullish deref crash.

/be
Group: core-security
Summary: JM: Crash [@ JSObject::updateFlags] → JM: OOM crash [@ JSObject::updateFlags]
Assignee: general → dmandelin
blocking2.0: ? → final+
Whiteboard: [ccbr] → [ccbr][softblocker]
Attached patch PatchSplinter Review
Attachment #508905 - Flags: review?(brendan)
Attachment #508905 - Flags: review?(brendan) → review+
http://hg.mozilla.org/tracemonkey/rev/a2afd41ae041
Whiteboard: [ccbr][softblocker] → [ccbr][softblocker][fixed-in-tracemonkey]
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Crash Signature: [@ JSObject::updateFlags]
You need to log in before you can comment on or make changes to this bug.