744053 - Assertion failure: isValid(), at ../../jsscript.h:380 or Crash [@ js::mjit::JITScript::destroy] or Crash [@ JSScript::ReleaseCode]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following test asserts/crashes on mozilla-central revision 3fa30b0edd15 (options -m -n -a):


function printStatus (msg) {}
function printBugNumber (num) {
  if (typeof document != "object" || !document.location.href.match(/jsreftest.html/)) {  }
}
function enterFunc (funcName)
function getFailedCases() {}
function jit(on) {}
function f() {
    var ss = [new f("abc"), new ("\u00c2" )  ((500)), new String("quux")];
}
gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
for (var i = 0; f("set1") ^ this && Number(setTime); i++) {}


Crash backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000069f3cf in js::mjit::JITScript::destroy (this=0x0, fop=0x7ffff7fb0aa8) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1318
1318        for (unsigned i = 0; i < nchunks; i++)
(gdb) bt
#0  0x000000000069f3cf in js::mjit::JITScript::destroy (this=0x0, fop=0x7ffff7fb0aa8) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1318
#1  0x000000000069f999 in JSScript::ReleaseCode (fop=0x7ffff7fb0aa8, jith=0x7ffff61074e8) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1456
#2  0x00000000006b3cbe in js::mjit::Compiler::compile (this=0x7fffffff84d0) at /srv/repos/mozilla-central/js/src/methodjit/Compiler.cpp:149
#3  0x00000000006b7036 in js::mjit::CanMethodJIT (cx=0xb77a80, script=0x7ffff6107480, pc=0xb7da38 "Z", construct=true, request=js::mjit::CompileRequest_Interpreter)
    at /srv/repos/mozilla-central/js/src/methodjit/Compiler.cpp:993
#4  0x00000000005086fb in js::Interpret (cx=0xb77a80, entryFrame=0x7ffff63fb030, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:2726
#5  0x000000000069e8dc in js::mjit::EnterMethodJIT (cx=0xb77a80, fp=0x7ffff63fb030, code=0x7ffff7f3e078, stackLimit=0x7ffff67db000, partial=false) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1079
#6  0x000000000069ea95 in CheckStackAndEnterMethodJIT (cx=0xb77a80, fp=0x7ffff63fb030, code=0x7ffff7f3e078, partial=false) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1111
#7  0x000000000069eb54 in js::mjit::JaegerShot (cx=0xb77a80, partial=false) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1123
#8  0x00000000004fbd1d in js::RunScript (cx=0xb77a80, script=0x7ffff6107538, fp=0x7ffff63fb030) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:469


Looks like a save null-deref due to OOM.

Comment 1

[Jon Coppeard (:jonco)]

Reproducible on Mac OS X with the following code:

gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
function f() { var x = [ function g() { f() }, new f("abc") ] }
f()

Comment 2

[Jon Coppeard (:jonco)]

Attachment: Potential fix

The issue appears to be that the script handle has not been initialized as the compiler ran out of memory while compiling.  Checking the handle is valid first before accessing the contents fixes this.

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

http://hg.mozilla.org/integration/mozilla-inbound/rev/284763d56e96

Comment 4

[(no longer active)]

https://hg.mozilla.org/mozilla-central/rev/284763d56e96