Closed Bug 855553 Opened 11 years ago Closed 9 years ago

Crash [@ JSRope::flattenInternal] with OOM

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

RESOLVED WORKSFORME

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 file)

Attached file Testcase for shell
The attached testcase crashes on mozilla-central revision 178a4a770bb1 (run with --ion-eager).
Crash is a null-deref due to OOM:

(gdb) bt
Python Exception <type 'exceptions.AttributeError'> 'NoneType' object has no attribute 'jschars': 
#0  JSRope::flattenInternal<(JSRope::UsingBarrier)1> (this=, maybecx=0x0) at /srv/repos/mozilla-central/js/src/vm/String.cpp:573
#1  0x08199e71 in ensureLinear (cx=0x0, this=<optimized out>) at /srv/repos/mozilla-central/js/src/vm/String.h:900
#2  getChars (this=<optimized out>, cx=0x0) at /srv/repos/mozilla-central/js/src/vm/String.h:882
#3  StringToNumberType<double> (result=0xffffa058, str=<optimized out>, cx=0x88f6278) at /srv/repos/mozilla-central/js/src/jsnuminlines.h:35
#4  js::ToNumberSlow (cx=0x88f6278, v=$jsval(-nan(0xfff85f7533100)), out=0xffffa058) at /srv/repos/mozilla-central/js/src/jsnum.cpp:1377
#5  0x0819a9aa in js::ToInt32Slow (cx=0x88f6278, v=..., out=0xffffa414) at /srv/repos/mozilla-central/js/src/jsnum.cpp:1455
#6  0x0817c2fc in ToInt32 (out=0xffffa414, v=..., cx=0x88f6278) at /srv/repos/mozilla-central/js/src/jsapi.h:1682
#7  js::Interpret (cx=0x88f6278, entryFrame=0xf7716400, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:1814
#8  0x08183e59 in js::RunScript (cx=0x88f6278, fp=0xf7716400) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:341
#9  0x081844da in js::InvokeKernel (cx=0x88f6278, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:398
#10 0x081852dd in Invoke (args=..., cx=0x88f6278, construct=<optimized out>) at /srv/repos/mozilla-central/js/src/jsinterp.h:135
#11 js::Invoke (cx=0x88f6278, thisv=..., fval=..., argc=3, argv=0xffffa8b4, rval=0xffffa888) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:431
#12 0x085f9fd4 in js::ion::InvokeFunction (cx=0x88f6278, fun0=(JSFunction * const) 0xf7531280 [object Function <unnamed>], argc=3, argv=0xffffa8ac, rval=0xffffa888)
    at /srv/repos/mozilla-central/js/src/ion/VMFunctions.cpp:110
#13 0xf770a59a in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x /i $pc
=> 0x830413b <JSRope::flattenInternal<(JSRope::UsingBarrier)1>(JSContext*)+283>:        mov    (%edx),%ecx
(gdb) info reg edx
edx            0x0      0
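An added example of the bug class in this report, written for this page and not taken from SpiderMonkey: a toy rope string whose flatten step allocates the contiguous buffer through a fault-injecting allocator (the Rope type, maybe_malloc and the demo_* helpers are all constructed). flatten_unchecked has the shape that turns an allocation failure into a write through address 0, which is what `mov (%edx),%ecx` with edx == 0 above shows; flatten_checked returns NULL on OOM and the caller propagates the failure instead of dereferencing it.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed example, not SpiderMonkey code: a rope node is either a leaf
 * holding text or a concat node with two children. */
typedef struct Rope {
    const char *leaf;            /* text of a leaf node, NULL for a concat node */
    struct Rope *left, *right;   /* children of a concat node */
    size_t len;                  /* total text length under this node */
} Rope;

/* Fault-injecting allocator: when g_fail_next_alloc is set, the next
 * allocation returns NULL, standing in for the OOM the fuzzer hit. */
static int g_fail_next_alloc = 0;

static void *maybe_malloc(size_t n) {
    if (g_fail_next_alloc) {
        g_fail_next_alloc = 0;
        return NULL;
    }
    return malloc(n);
}

/* Copies the rope's characters into out, left subtree first. */
static void copy_chars(const Rope *r, char *out) {
    if (r->leaf) {
        memcpy(out, r->leaf, r->len);
    } else {
        copy_chars(r->left, out);
        copy_chars(r->right, out + r->left->len);
    }
}

/* Buggy shape: the allocation result is used without a NULL check, so an
 * OOM becomes a write through address 0 (SIGSEGV). It is deliberately never
 * called below; it sits here to show the pattern next to the fixed one. */
char *flatten_unchecked(const Rope *r) {
    char *buf = maybe_malloc(r->len + 1);
    copy_chars(r, buf);          /* NULL on OOM: crashes here */
    buf[r->len] = '\0';
    return buf;
}

/* Fixed shape: OOM is reported as NULL and every caller must propagate it. */
char *flatten_checked(const Rope *r) {
    char *buf = maybe_malloc(r->len + 1);
    if (!buf)
        return NULL;
    copy_chars(r, buf);
    buf[r->len] = '\0';
    return buf;
}

/* Caller in the role of the StringToNumber -> ensureLinear step from the
 * backtrace: returns 0 on success, -1 when flattening failed. */
int rope_to_number(const Rope *r, double *out) {
    char *s = flatten_checked(r);
    if (!s)
        return -1;
    *out = strtod(s, NULL);
    free(s);
    return 0;
}

/* Builds the constructed rope "12" + "34" and converts it, optionally
 * injecting an OOM on the flatten allocation. Returns the status code. */
int demo_status(int inject_oom) {
    Rope a = { "12", NULL, NULL, 2 };
    Rope b = { "34", NULL, NULL, 2 };
    Rope cat = { NULL, &a, &b, 4 };
    double v = 0.0;
    g_fail_next_alloc = inject_oom;
    return rope_to_number(&cat, &v);
}

/* Same rope without fault injection; returns the parsed number (1234). */
double demo_value(void) {
    Rope a = { "12", NULL, NULL, 2 };
    Rope b = { "34", NULL, NULL, 2 };
    Rope cat = { NULL, &a, &b, 4 };
    double v = 0.0;
    g_fail_next_alloc = 0;
    rope_to_number(&cat, &v);
    return v;
}
```

Which pointer is actually null at String.cpp:573 in the real engine is not determined by the trace alone (maybecx is 0x0, but so may be the allocation result); the example reproduces the class, not that exact site. A write through the null page is normally a denial-of-service crash rather than memory corruption, unless the offset added to the null base is attacker-influenced, which is the question to settle when triaging this kind of OOM report.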
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 279078670022).
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   125555:b00eb1ef1517
user:        Nicholas D. Matsakis
date:        Tue Mar 19 22:12:27 2013 -0400
summary:     Bug 829602 - Enable self-hosted parallelarray r=dvander,till

This iteration took 138.138 seconds to run.
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,bisectfix]
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision aae004a3c5d9).
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   126369:5dbcbd03d7ba
parent:      126368:362d0632ed67
parent:      126238:0713793b80b1
user:        Ryan VanderMeulen
date:        Wed Mar 27 07:27:36 2013 -0400
summary:     Merge m-c to inbound.

Not all ancestors of this changeset have been checked.
Use bisect --extend to continue the bisection from
the common ancestor, c9bf19d37fe0.

This iteration took 120.462 seconds to run.

Oops! We didn't test rev 362d0632ed67, a parent of the blamed revision! Let's do that now.
We did not test rev 362d0632ed67 because it is not a descendant of either 178a4a770bb1 or aae004a3c5d9.
Rev 362d0632ed67: Updating... Compiling... Testing... [Uninteresting] It didn't crash. (0.057 seconds)
good (not interesting) 
Bisect lied to us! Parent rev 362d0632ed67 was also good!

Perhaps we should expand the search to include the common ancestor of the blamed changeset's parents.
The common ancestor of 362d0632ed67 and 0713793b80b1 is c9bf19d37fe0.
Rev c9bf19d37fe0: Updating... Compiling... Testing... Exit status: CRASHED signal 11 (SIGSEGV) (0.097 seconds)
bad (interesting) 
The following line is still under testing:
Try setting -s to c9bf19d37fe0, and -e to aae004a3c5d9, and re-run autoBisect.
autoBisect is likely incorrect here - perhaps the testcase isn't too reliable?
Crash Signature: [@ JSRope::flattenInternal] → [@ JSRope::flattenInternal<(JSRope::UsingBarrier)1>()]
Assignee: general → nobody
Mass-closing old JS OOM reports. I've confirmed that none of these signatures currently appear in FuzzManager, so we can safely assume that the code causing this is gone or has been fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME