
Crash [@ js::types::TypeObject::addProperty] with OOM

RESOLVED FIXED in mozilla26

Status


Core
JavaScript Engine
--
critical
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: decoder, Assigned: decoder)

Tracking

(Blocks: 2 bugs, {crash, testcase})

Trunk
mozilla26
x86
Linux
crash, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox24 affected, firefox25 affected)

Details

(crash signature)

Attachments

(2 attachments)

(Assignee)

Description

4 years ago
The following traces were taken from mozilla-central revision 7130e5134a6e:

Program received signal SIGSEGV, Segmentation fault.
js::types::TypeObject::addProperty (this=0xf7469400, cx=0x9366458, id=$jsid(0x0), pprop=0xf7469418) at js/src/jsinfer.cpp:3691
3691        if (singleton && singleton->isNative()) {
#0  js::types::TypeObject::addProperty (this=0xf7469400, cx=0x9366458, id=$jsid(0x0), pprop=0xf7469418) at js/src/jsinfer.cpp:3691
#1  0x0813638f in js::types::TypeObject::getProperty (this=0xf7469400, cx=0x9366458, id=$jsid(0x0), own=false) at ../jsinferinlines.h:1663
#2  0x08137c40 in js::types::StackTypeSet::hasObjectFlags (this=0x93f9640, cx=0x9366458, flags=4194304) at js/src/jsinfer.cpp:1922
#3  0x0870a289 in MaybeEmulatesUndefined (op=0x9452fb0, cx=0x9366458) at js/src/ion/MIR.cpp:197
#4  MaybeEmulatesUndefined (op=0x9452fb0, cx=0x9366458) at js/src/ion/MIR.cpp:1426
#5  js::ion::MCompare::infer (this=0x9500d88, cx=0x9366458, inspector=0xffffb61c, pc=0x93f7535 "\022\005T") at js/src/ion/MIR.cpp:1430
#6  0x084d277c in js::ion::IonBuilder::jsop_compare (this=0xffffb660, op=JSOP_EQ) at js/src/ion/IonBuilder.cpp:5049
#7  0x084ea239 in js::ion::IonBuilder::inspectOpcode (this=0xffffb660, op=JSOP_EQ) at js/src/ion/IonBuilder.cpp:1158
[...]


The last hit to js_ReportOutOfMemory was this:


Breakpoint 1, js_ReportOutOfMemory (cx=0x9366458) at js/src/jscntxt.cpp:500
500     {
#0  js_ReportOutOfMemory (cx=0x9366458) at js/src/jscntxt.cpp:500
#1  0x081303cd in setPendingNukeTypes (cx=0x9366458, this=<optimized out>) at js/src/jsinfer.cpp:2865
#2  JSObject::makeLazyType (cx=0x9366458, obj=(JSObject * const) 0xf74350b0 [object JSON]) at js/src/jsinfer.cpp:6191
#3  0x08137d4e in getType (cx=0x9366458, this=<optimized out>) at ../jsobjinlines.h:774
#4  js::types::StackTypeSet::hasObjectFlags (this=0x93f9640, cx=0x9366458, flags=4194304) at js/src/jsinfer.cpp:1912
#5  0x0870a289 in MaybeEmulatesUndefined (op=0x9452fb0, cx=0x9366458) at js/src/ion/MIR.cpp:197
#6  MaybeEmulatesUndefined (op=0x9452fb0, cx=0x9366458) at js/src/ion/MIR.cpp:1426
#7  js::ion::MCompare::infer (this=0x9500d88, cx=0x9366458, inspector=0xffffb61c, pc=0x93f7535 "\022\005T") at js/src/ion/MIR.cpp:1430
[...]


This keeps triggering all the time, it's just hard to come up with a small test. Filing this so we have a signature on file and maybe the backtrace is already enough to see where the missing OOM check needs to be added. Ccing bhackett since it seems to be related to TI.
(Assignee)

Comment 1

4 years ago
Created attachment 749107 [details]
[crash-signature] Machine-readable crash signature
(Assignee)

Comment 2

4 years ago
I explicitly attached a very broad signature because I'm seeing a lot of different crashes that all go through addProperty/getProperty, crash at 0x1 and are OOM errors. Separating them with different signatures would probably take too much time and I think the risk of another (non-OOM) bug hitting this signature is very low. Hopefully it's also just one fix for all of these :D

Updated

4 years ago
Crash Signature: [@ js::types::TypeObject::addProperty(JSContext*, int, js::types::Property**) ]
Assignee: general → terrence
Blocks: 912928
(Assignee)

Comment 3

4 years ago
Created attachment 802702 [details] [diff] [review]
bug871862.patch

This is still one of the top OOM crashers for me, so I took a closer look again.

The problem is that an OOM path in JSObject::makeLazyType returns 0x1 on OOM, leading to singleton being 0x1. This case, however, isn't handled by any of the callers. Jandem suggested returning NULL instead, which solved my crash problem and seems to pass jit-tests.

Brian, can you check if this is the right thing to do? :)
Assignee: terrence → choller
Status: NEW → ASSIGNED
Attachment #802702 - Flags: review?(bhackett1024)
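To make the failure mode described in comment 3 concrete, here is an added C++ example. It is a constructed model written for this page, not SpiderMonkey code: `TypeObject`, `makeLazyTypeSentinel`, `makeLazyTypeNull`, `kOomSentinel` and the helper functions are hypothetical names. It shows why a non-null error sentinel such as 0x1 slips past the ordinary `if (singleton && singleton->isNative())` guard at the crash site, while returning a null pointer on OOM lets that same guard short-circuit, and it adds a caller-side check for APIs whose sentinel cannot be changed.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed stand-in for a lazily created type object (not SpiderMonkey's TypeObject).
struct TypeObject {
    bool native;
    bool isNative() const { return native; }
};

// Hypothetical non-null error sentinel, modelled on the 0x1 return described in comment 3.
static TypeObject *const kOomSentinel = reinterpret_cast<TypeObject *>(0x1);

// "Before": on OOM the function hands back a non-null sentinel. Any caller that
// only tests for null will treat it as a real object.
TypeObject *makeLazyTypeSentinel(bool simulateOom) {
    if (simulateOom)
        return kOomSentinel;
    return new TypeObject{true};
}

// "After": on OOM the function returns nullptr, so the usual
// `if (singleton && singleton->isNative())` guard short-circuits.
TypeObject *makeLazyTypeNull(bool simulateOom) {
    if (simulateOom)
        return nullptr;
    return new TypeObject{true};
}

// The guard idiom from the crash site. Safe for nullptr and valid objects;
// with the sentinel it would dereference address 0x1 and fault, so callers
// must never reach it with a sentinel.
bool isNativeGuarded(const TypeObject *singleton) {
    return singleton && singleton->isNative();
}

// Reports, without dereferencing, whether the guard above would proceed to the
// dereference for a given pointer. Returning true for the sentinel is exactly the bug.
bool guardWouldDereference(const TypeObject *singleton) {
    return singleton != nullptr;
}

// Defensive caller-side check for APIs whose error sentinel cannot be changed:
// reject both nullptr and the known sentinel before use.
bool isUsable(const TypeObject *p) {
    return p != nullptr && p != kOomSentinel;
}

int main() {
    // Before the fix: the sentinel passes the null test, so the dereference would happen.
    std::printf("sentinel passes null guard: %s\n",
                guardWouldDereference(makeLazyTypeSentinel(true)) ? "yes (crash)" : "no");
    // After the fix: nullptr is rejected by the same guard.
    std::printf("nullptr passes null guard:  %s\n",
                guardWouldDereference(makeLazyTypeNull(true)) ? "yes" : "no (safe)");
    // A real object still takes the normal path through the guard.
    TypeObject *ok = makeLazyTypeNull(false);
    std::printf("valid object is native:     %s\n", isNativeGuarded(ok) ? "yes" : "no");
    delete ok;
    return 0;
}
```

The design point is that the null check is the only guard most callers apply, so an allocation failure must be reported through the value that guard tests (nullptr), not through a distinct non-null magic value; where the callee cannot be changed, every caller has to know the sentinel, as `isUsable` does.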
(Assignee)

Comment 4

4 years ago
Also note that the stacks in comment 0 are probably no longer accurate. Instead I'm seeing these now:


Program received signal SIGSEGV, Segmentation fault.
js::types::TypeObject::addProperty (this=0x7ffff624d350, cx=0x13f8630, id=<optimized out>, pprop=0x7ffff624d378) at js/src/jsinfer.cpp:2309
2309        if (singleton && singleton->isNative()) {
(gdb) bt
#0  js::types::TypeObject::addProperty (this=0x7ffff624d350, cx=0x13f8630, id=<optimized out>, pprop=0x7ffff624d378) at js/src/jsinfer.cpp:2309
#1  0x00000000005a3b49 in js::types::TypeObject::getProperty (this=0x7ffff624d350, cx=0x13f8630, id=140737323880960, own=true) at /srv/repos/mozilla-central/js/src/jsinferinlines.h:1503
#2  0x0000000000672f93 in EnsureTrackPropertyTypes (id=<optimized out>, obj=0x7ffff627da80, cx=0x13f8630) at ../jsinferinlines.h:555
#3  js::jit::ICUpdatedStub::addUpdateStubForValue (this=0x142a888, cx=0x13f8630, script=..., obj=..., id=..., val=...) at js/src/jit/BaselineIC.cpp:1355
#4  0x0000000000676c02 in TryAttachSetPropStub (attached=<synthetic pointer>, rhs=..., id=..., name=..., oldSlots=8, oldShape=..., obj=..., stub=0x15d63e8, pc=<optimized out>, script=..., cx=<optimized out>)
    at js/src/jit/BaselineIC.cpp:6706
#5  js::jit::DoSetPropFallback (cx=<optimized out>, frame=<optimized out>, stub=0x15d63e8, lhs=..., rhs=..., res=...) at /srv/repos/mozilla-central/js/src/jit/BaselineIC.cpp:6831
#6  0x00007ffff7f96bde in ?? ()
#7  0x0000000000000000 in ?? ()
(gdb) 


The reason for failure appears to be the same though.
(Assignee)

Updated

4 years ago
status-firefox24: --- → affected
Attachment #802702 - Flags: review?(bhackett1024) → review+
(Assignee)

Comment 5

4 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/9527d405ceea
https://hg.mozilla.org/mozilla-central/rev/9527d405ceea
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
(Assignee)

Updated

4 years ago
status-firefox25: --- → affected