Closed Bug 744053 Opened 9 years ago Closed 9 years ago

Assertion failure: isValid(), at ../../jsscript.h:380 or Crash [@ js::mjit::JITScript::destroy] or Crash [@ JSScript::ReleaseCode]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla15

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, crash, testcase, Whiteboard: js-triage-done)

Crash Data

Attachments

(1 file)

The following test asserts/crashes on mozilla-central revision 3fa30b0edd15 (options -m -n -a):


function printStatus (msg) {}
function printBugNumber (num) {
  if (typeof document != "object" || !document.location.href.match(/jsreftest.html/)) {  }
}
function enterFunc (funcName)
function getFailedCases() {}
function jit(on) {}
function f() {
    var ss = [new f("abc"), new ("\u00c2" )  ((500)), new String("quux")];
}
gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
for (var i = 0; f("set1") ^ this && Number(setTime); i++) {}


Crash backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000069f3cf in js::mjit::JITScript::destroy (this=0x0, fop=0x7ffff7fb0aa8) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1318
1318        for (unsigned i = 0; i < nchunks; i++)
(gdb) bt
#0  0x000000000069f3cf in js::mjit::JITScript::destroy (this=0x0, fop=0x7ffff7fb0aa8) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1318
#1  0x000000000069f999 in JSScript::ReleaseCode (fop=0x7ffff7fb0aa8, jith=0x7ffff61074e8) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1456
#2  0x00000000006b3cbe in js::mjit::Compiler::compile (this=0x7fffffff84d0) at /srv/repos/mozilla-central/js/src/methodjit/Compiler.cpp:149
#3  0x00000000006b7036 in js::mjit::CanMethodJIT (cx=0xb77a80, script=0x7ffff6107480, pc=0xb7da38 "Z", construct=true, request=js::mjit::CompileRequest_Interpreter)
    at /srv/repos/mozilla-central/js/src/methodjit/Compiler.cpp:993
#4  0x00000000005086fb in js::Interpret (cx=0xb77a80, entryFrame=0x7ffff63fb030, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:2726
#5  0x000000000069e8dc in js::mjit::EnterMethodJIT (cx=0xb77a80, fp=0x7ffff63fb030, code=0x7ffff7f3e078, stackLimit=0x7ffff67db000, partial=false) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1079
#6  0x000000000069ea95 in CheckStackAndEnterMethodJIT (cx=0xb77a80, fp=0x7ffff63fb030, code=0x7ffff7f3e078, partial=false) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1111
#7  0x000000000069eb54 in js::mjit::JaegerShot (cx=0xb77a80, partial=false) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1123
#8  0x00000000004fbd1d in js::RunScript (cx=0xb77a80, script=0x7ffff6107538, fp=0x7ffff63fb030) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:469


Looks like a save null-deref due to OOM.
Crash Signature: [@ js::mjit::JITScript::destroy] → [@ js::mjit::JITScript::destroy] [@ JSScript::ReleaseCode]
Summary: Assertion failure: isValid(), at ../../jsscript.h:380 or Crash [@ js::mjit::JITScript::destroy] → Assertion failure: isValid(), at ../../jsscript.h:380 or Crash [@ js::mjit::JITScript::destroy] or Crash [@ JSScript::ReleaseCode]
Reproducible on Mac OS X with the following code:

gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
function f() { var x = [ function g() { f() }, new f("abc") ] }
f()
Attached patch Potential fixSplinter Review
The issue appears to be that the script handle has not been initialized as the compiler ran out of memory while compiling.  Checking the handle is valid first before accessing the contents fixes this.
Attachment #628957 - Flags: review?(bhackett1024)
Attachment #628957 - Flags: review?(bhackett1024) → review+
Whiteboard: js-triage-needed → js-triage-needed, [checkin-needed]
http://hg.mozilla.org/integration/mozilla-inbound/rev/284763d56e96
Whiteboard: js-triage-needed, [checkin-needed] → js-triage-done
Target Milestone: --- → mozilla15
https://hg.mozilla.org/mozilla-central/rev/284763d56e96
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.