Closed Bug 806344 Opened 9 years ago Closed 8 years ago

Assertion failure: isObject(), at ../../jsapi.h:490 with OOM

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 840012
Reporter: decoder; Assignee: Unassigned
Keywords: assertion, regression, testcase
Whiteboard: [fuzzblocker] [jsbugmon:update,testComment=10,origRev=8cc32d6fa707,ignore]

The following testcase asserts on mozilla-central revision e069342dc665 (run with --ion-eager):


var gTestcases = new Array();
var gTc = gTestcases.length;
function TestCase(n, d, e, a) {
  gTestcases[gTc++] = this;
}
// Shell builtin: cap the GC heap just above its current size so that
// allocations start failing (simulated OOM) almost immediately.
gcparam("maxBytes", gcparam("gcBytes") + 1024);
var j = 0;
for ( k = 0, i = 0x0020; i < 0x007e; i++, j++, k++ ) {
  new TestCase();   // object allocation for `this` is what hits OOM
}

This still reproduces and I suspect it covers other bugs with the same assertion. Marking as fuzzblocker to get it fixed more quickly.
Blocks: IonFuzz
Whiteboard: [jsbugmon:update,bisect][fuzzblocker]
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   106052:8a2010ae3d08
user:        Sean Stangl
date:        Tue Mar 27 12:20:22 2012 -0700
summary:     Bug 735400 - Optimize JSOP_FUNCALL. r=dvander

This iteration took 83.662 seconds to run.
Not sure if this is the right changeset because sometimes OOM bugs tend to just reproduce because of unrelated changes, but worth a try.
Flags: needinfo?(sstangl)
(In reply to Christian Holler (:decoder) from comment #3)
> Not sure if this is the right changeset because sometimes OOM bugs tend to
> just reproduce because of unrelated changes, but worth a try.

I'm not able to reproduce the crash (x86_64 with --ion-eager). Is it still occurring?
Flags: needinfo?(sstangl)
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   117020:88a218a4b5bf
user:        Jan de Mooij
date:        Tue Dec 25 16:12:59 2012 +0100
summary:     Bug 764310 part 2 - Implement JSOP_DEFFUN in IonMonkey. r=bhackett

Sean / jandem, do you think bug 764310 possibly fixed this?
Flags: needinfo?(sstangl)
(In reply to Gary Kwong [:gkw] from comment #5)
> autoBisect shows this is probably related to the following changeset:
> 
> The first good revision is:
> changeset:   117020:88a218a4b5bf
> user:        Jan de Mooij
> date:        Tue Dec 25 16:12:59 2012 +0100
> summary:     Bug 764310 part 2 - Implement JSOP_DEFFUN in IonMonkey.
> r=bhackett
> 
> Sean / jandem, do you think bug 764310 possibly fixed this?

I checked out the revision. Note that the assertion reproduces with --no-ion --no-jm.

The "first bad" patch from Comment 2 only makes changes to Ion code, so it is unlikely that it is related. Although Bug 764310 makes changes to the interpreter, it's also unlikely that it fixes anything.
Flags: needinfo?(sstangl)
Summary: IonMonkey: Assertion failure: isObject(), at ../../jsapi.h:490 with OOM → Assertion failure: isObject(), at ../../jsapi.h:490 with OOM
autoBisect seems to point at a merge landing, when running the testcase with --no-ion --no-jm.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   106276:adcd5d3c984e
parent:      106275:2062cc1c4b06
parent:      95823:cf4face65451
user:        Sean Stangl
date:        Tue Jun 05 16:54:36 2012 -0700
summary:     Merge m-c to Ionmonkey.

Not all ancestors of this changeset have been checked.
Use bisect --extend to continue the bisection from
the common ancestor, fe758ebc1707.

This iteration took 1.390 seconds to run.

Oops! We didn't test rev cf4face65451, a parent of the blamed revision! Let's do that now.
Rev cf4face65451: Found cached shell...   Testing... good (Unknown exit code 1, but not the specified one) 
As expected, the parent's label is the opposite of the blamed rev's label.

Related to bug 822223?
s-s first because possibly-related bug 822223 is s-s.
Group: core-security
Flags: needinfo?(sstangl)
Keywords: regression
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:]
JSBugMon: Cannot process bug: Unknown exception (check manually)
Whiteboard: [fuzzblocker] [jsbugmon:] → [fuzzblocker] [jsbugmon:update]
In case the original test doesn't reproduce for you, this one reproduces on 64 bit debug builds (8cc32d6fa707):

// Shell builtin: cap the GC heap just above its current size so that
// allocations start failing (simulated OOM) almost immediately.
gcparam("maxBytes", gcparam("gcBytes") + 1024);
test();
function test() {
  function f(i) {
      // Each `new f()` allocates a fresh `this` object; the loop never
      // terminates on its own, so it runs until allocation fails.
      for (var n = 0; n < 100; (new f()).m());
  }
  actual = f(1);
}

Keywords: sec-high
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:]
JSBugMon: Cannot process bug: Unknown exception (check manually)
Whiteboard: [fuzzblocker] [jsbugmon:] → [fuzzblocker][jsbugmon:update,testComment=10,origRev=8cc32d6fa707]
Based on Bug 840012 Comment 4, this is most likely the same issue as Bug 840012.
Depends on: 840012
Flags: needinfo?(sstangl)
Whiteboard: [fuzzblocker][jsbugmon:update,testComment=10,origRev=8cc32d6fa707] → [fuzzblocker] [jsbugmon:testComment=10,origRev=8cc32d6fa707]
JSBugMon: Cannot process bug: Unknown exception (check manually)
Whiteboard: [fuzzblocker] [jsbugmon:testComment=10,origRev=8cc32d6fa707] → [fuzzblocker] [jsbugmon:update,testComment=10,origRev=8cc32d6fa707]
Whiteboard: [fuzzblocker] [jsbugmon:update,testComment=10,origRev=8cc32d6fa707] → [fuzzblocker] [jsbugmon:update,testComment=10,origRev=8cc32d6fa707,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 25c2aaee8acc).
Whiteboard: [fuzzblocker] [jsbugmon:update,testComment=10,origRev=8cc32d6fa707,ignore] → [fuzzblocker] [jsbugmon:update,testComment=10,origRev=8cc32d6fa707,bisectfix]
Whiteboard: [fuzzblocker] [jsbugmon:update,testComment=10,origRev=8cc32d6fa707,bisectfix] → [fuzzblocker] [jsbugmon:update,testComment=10,origRev=8cc32d6fa707,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 25c2aaee8acc).
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   129087:64198b55d1ae
user:        Luke Wagner
date:        Wed Apr 17 08:50:54 2013 -0700
summary:     Bug 840012 - Handle OOM in CreateThisForFunction (r=hannes)

This iteration took 141.646 seconds to run.
Likely a dup of bug 840012.
Group: core-security
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 840012
Keywords: sec-high
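The fix that closed the duplicate is summarised above as "Handle OOM in CreateThisForFunction". The following C program is an added illustration of that bug class, not SpiderMonkey code: a helper that can fail to allocate the `this` object returns a non-object value, an unchecked caller hands that value straight to an `isObject()`-style asserting accessor, and a checked caller tests the tag and propagates the failure instead. All names (`create_this`, `alloc_object`, `g_budget`, `call_checked`, `call_unchecked`, `run_checked`) are hypothetical, and the byte budget stands in for the shell's `gcparam("maxBytes")` cap used by the testcases.

```c
/* Added illustration (not SpiderMonkey code): an unchecked out-of-memory
 * result reaching an isObject()-style assertion, and the checked form. */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* A tiny tagged value, standing in for an engine's Value type. */
enum Tag { TAG_NULL = 0, TAG_OBJECT = 1 };

struct Object { int dummy; };

struct Value {
    enum Tag tag;
    struct Object *obj;
};

static struct Value make_null(void) {
    struct Value v = { TAG_NULL, NULL };
    return v;
}

static struct Value make_object(struct Object *o) {
    struct Value v = { TAG_OBJECT, o };
    return v;
}

/* Engine-style accessor: it asserts the tag rather than checking it,
 * which is the analogue of the isObject() assertion in this bug. */
static struct Object *value_to_object(struct Value v) {
    assert(v.tag == TAG_OBJECT);
    return v.obj;
}

/* Remaining allocation budget in bytes (hypothetical stand-in for the
 * heap cap set by gcparam("maxBytes") in the testcases). */
static size_t g_budget = 0;

static struct Object *alloc_object(void) {
    if (g_budget < sizeof(struct Object))
        return NULL;                  /* simulated OOM */
    g_budget -= sizeof(struct Object);
    return calloc(1, sizeof(struct Object));
}

/* Hypothetical "create this" helper: yields a null Value on OOM. */
static struct Value create_this(void) {
    struct Object *o = alloc_object();
    if (!o)
        return make_null();
    return make_object(o);
}

/* Unchecked caller: assumes the result is always an object. Under OOM
 * this trips the assertion in value_to_object(). Never called in tests. */
int call_unchecked(void) {
    struct Value thisv = create_this();
    struct Object *o = value_to_object(thisv);   /* asserts on OOM */
    free(o);
    return 1;
}

/* Checked caller: inspects the tag first and reports failure (0). */
int call_checked(void) {
    struct Value thisv = create_this();
    if (thisv.tag != TAG_OBJECT)
        return 0;   /* propagate OOM to the caller instead of asserting */
    free(value_to_object(thisv));
    return 1;
}

/* Run n checked calls under a fresh byte budget; the budget is not
 * refunded on free (no GC runs), so it models a hard heap cap.
 * Returns the number of calls that succeeded. */
int run_checked(size_t budget, int n) {
    g_budget = budget;
    int ok = 0;
    for (int i = 0; i < n; i++)
        ok += call_checked();
    return ok;
}

int main(void) {
    printf("budget 0, 5 calls: %d succeeded\n", run_checked(0, 5));
    printf("budget for 3 objects, 5 calls: %d succeeded\n",
           run_checked(3 * sizeof(struct Object), 5));
    return 0;
}
```

With the budget exhausted, `call_checked` returns 0 on every call and the program exits normally; `call_unchecked` under the same budget would abort on the assertion, which is the failure mode the testcases above provoke in a debug build.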