912283 - Crash [@ js::ObjectImpl::setFixedSlot] with OOM and StructType

Status: RESOLVED WORKSFORME

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision d54e0cce6c17 (run with --fuzzing-safe):


gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
for (var i = 0; i < 4000; i++) {}
var PointType = new StructType({});
function foo() {
  var pt = new PointType();
  foo()
}
foo();

Comment 1

[Christian Holler (:decoder)]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 2c85e4d1d678).

Comment 2

[Christian Holler (:decoder)]

JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/5c2a0f1510bc
user:        Jason Orendorff
date:        Fri Sep 06 21:41:30 2013 -0500
summary:     Bug 895223, part 1 - Change perf/jsperf.cpp to use JSNative getters rather than PropertyOps. r=jandem.

This iteration took 368.234 seconds to run.

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Jason, is bug 895223 a possible fix?

Comment 4

[Jason Orendorff [:jorendorff]]

No, I don't see how that could have fixed it.

Comment 5

[Niko Matsakis [:nmatsakis]]

There have been a lot of changes to the typed objects code since this occurred, including moving a large portion of it to self-hosting (which simplifies error handling). When I run the test I see an uncaught exception (OOM) -- it seems very likely that there was some big of code that was forgetting to check for a false return code. It'd be possible to track down precisely which change that was, but it doesn't strike me as worthwhile.

Comment 6

[Jon Coppeard (:jonco)]

I can't reproduce this, after fixing the testcase.