Closed Bug 1037685 Opened 10 years ago Closed 8 years ago

Assertion failure: inited == !getPrototype(key).isUndefined(), at vm/GlobalObject.h:184 with OOM

Categories

(Core :: JavaScript Engine, defect)

defect

Tracking


RESOLVED DUPLICATE of bug 1219128
Tracking Status
firefox33 --- affected

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:])

Attachments

(1 file)

The following testcase asserts on mozilla-central revision e1a037c085d1 (run with --fuzzing-safe):


try {
  try {
    x = evalcx('lazy');
    for (var i = 0; i != N; ++i) {}
  } catch (e) {}
  gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
  x--;
} catch(exc2) {}
var BUGNUMBER = 611276;
print(BUGNUMBER + ": " + x);
This is likely an OOM and not related to the ARM simulator, but this particular test only seems to reproduce there. Needinfo on jorendorff because it's OOM.
Flags: needinfo?(jorendorff)
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Cool, this still reproduces.  ARM debug simulator build on Mac OS X 10.10, here's my configuration:

export CC='clang -m32'
export CXX='clang++ -m32'
export AR='ar'
export CONFARGS='--target=i686-apple-darwin10.0.0 --without-intl-api --enable-debug --disable-optimize --enable-threadsafe --enable-simulator=arm'
Assignee: nobody → lhansen
Status: NEW → ASSIGNED
Simpler:

try {
  x = evalcx('lazy');
  gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
  x--;
} catch(e) {}
print(x);
Reproduces also on Mac OS X 32-bit build.
Assignee: lhansen → nobody
Status: ASSIGNED → NEW
OS: Linux → All
Hardware: ARM → All
Can't reproduce on Linux, building with
CC="gcc -m32" CXX="g++ -m32" AR=ar ../configure --target=i686-pc-linux
and running with --fuzzing-safe.

Instead, I get

    uncaught exception: out of memory
    (Unable to print stack trace)

Christian, is it fixed?
Flags: needinfo?(jorendorff) → needinfo?(choller)
This is an automated crash issue comment:

Summary: Assertion failure: inited == !getPrototype(key).isUndefined(), at js/src/vm/GlobalObject.h:204
Build version: mozilla-central revision 5b2baa5e9356
Build flags: --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug
Runtime options: --fuzzing-safe --ion-offthread-compile=off min.js

Testcase:

 a = evalcx("lazy")
 oomTest(() => a.toString)

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000042d1dc in js::GlobalObject::classIsInitialized (key=JSProto_Function, this=0x7ffff3f8c060) at js/src/vm/GlobalObject.h:204
#0  0x000000000042d1dc in js::GlobalObject::classIsInitialized (key=JSProto_Function, this=0x7ffff3f8c060) at js/src/vm/GlobalObject.h:204
#1  0x0000000000525275 in classIsInitialized (key=JSProto_Function, this=0x7ffff3f8c060) at js/src/vm/GlobalObject.h:346
#2  functionObjectClassesInitialized (this=0x7ffff3f8c060) at js/src/vm/GlobalObject.h:209
#3  js::GlobalObject::getOrCreateObjectPrototype (this=0x7ffff3f8c060, cx=0x7ffff6907000) at js/src/vm/GlobalObject.h:342
#4  0x00000000008b2e44 in JS_ResolveStandardClass (cx=cx@entry=0x7ffff6907000, obj=..., obj@entry=..., id=..., id@entry=..., resolved=resolved@entry=0x7fffffffc940) at js/src/jsapi.cpp:1121
#5  0x000000000048af14 in sandbox_resolve (cx=0x7ffff6907000, obj=..., id=..., resolvedp=0x7fffffffc940) at js/src/shell/js.cpp:2621
#6  0x0000000000a9501d in CallResolveOp (recursedp=<synthetic pointer>, propp=..., id=..., obj=..., cx=0x7ffff6907000) at js/src/vm/NativeObject-inl.h:389
#7  js::LookupOwnPropertyInline<(js::AllowGC)1> (cx=cx@entry=0x7ffff6907000, obj=obj@entry=..., id=id@entry=..., propp=..., propp@entry=..., donep=donep@entry=0x7fffffffca20) at js/src/vm/NativeObject-inl.h:482
#8  0x0000000000ab8e74 in NativeGetPropertyInline<(js::AllowGC)1> (cx=cx@entry=0x7ffff6907000, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:1992
#9  0x0000000000ab9560 in js::NativeGetProperty (cx=cx@entry=0x7ffff6907000, obj=..., receiver=..., receiver@entry=..., id=..., id@entry=..., vp=..., vp@entry=...) at js/src/vm/NativeObject.cpp:2036
#10 0x00000000009a181f in GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7ffff6907000) at js/src/vm/NativeObject.h:1475
#11 js::DirectProxyHandler::get (this=this@entry=0x1c260b0 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7ffff6907000, proxy=..., proxy@entry=..., receiver=receiver@entry=..., id=id@entry=..., vp=vp@entry=...) at js/src/proxy/DirectProxyHandler.cpp:237
#12 0x00000000009a3802 in js::CrossCompartmentWrapper::get (this=0x1c260b0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff6907000, wrapper=..., receiver=..., id=..., vp=...) at js/src/proxy/CrossCompartmentWrapper.cpp:165
#13 0x00000000009a3619 in js::Proxy::get (cx=0x7ffff6907000, proxy=..., receiver_=..., id=..., vp=...) at js/src/proxy/Proxy.cpp:300
#14 0x0000000000aba2f2 in GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff6907000) at js/src/jsobj.h:822
#15 js::GetProperty (cx=cx@entry=0x7ffff6907000, v=..., v@entry=..., name=..., name@entry=..., vp=vp@entry=...) at js/src/vm/Interpreter.cpp:4071
#16 0x0000000000aa8b5f in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=<optimized out>, cx=0x7ffff6907000) at js/src/vm/Interpreter.cpp:219
#17 Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:2521
#18 0x0000000000ab7318 in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:428
#19 0x0000000000ab765d in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:496
#20 0x0000000000ab812c in js::Invoke (cx=cx@entry=0x7ffff6907000, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:530
#21 0x00000000008ac824 in JS_CallFunction (cx=cx@entry=0x7ffff6907000, obj=..., fun=..., fun@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2858
#22 0x0000000000a3ba9b in OOMTest (cx=0x7ffff6907000, argc=<optimized out>, vp=0x7ffff3cb2090) at js/src/builtin/TestingFunctions.cpp:1292
#23 0x0000000000abe2b2 in js::CallJSNative (cx=0x7ffff6907000, native=0xa3b6b0 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#24 0x0000000000ab7601 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:478
#25 0x0000000000aa8562 in Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:2802
#26 0x0000000000ab7318 in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:428
#27 0x0000000000abcc79 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907000, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:684
#28 0x0000000000abcf58 in js::Execute (cx=cx@entry=0x7ffff6907000, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:717
#29 0x00000000008acab8 in ExecuteScript (cx=cx@entry=0x7ffff6907000, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4366
#30 0x00000000008acc93 in JS_ExecuteScript (cx=cx@entry=0x7ffff6907000, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4399
#31 0x00000000004298a6 in RunFile (compileOnly=false, file=0x7ffff3ca6c00, filename=0x7fffffffea68 "min.js", cx=0x7ffff6907000) at js/src/shell/js.cpp:522
#32 Process (cx=cx@entry=0x7ffff6907000, filename=0x7fffffffea68 "min.js", forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at js/src/shell/js.cpp:747
#33 0x0000000000480ecc in ProcessArgs (op=0x7fffffffe590, cx=0x7ffff6907000) at js/src/shell/js.cpp:6548
#34 Shell (envp=<optimized out>, op=0x7fffffffe590, cx=0x7ffff6907000) at js/src/shell/js.cpp:6870
#35 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7234
rip	0x42d1dc <js::GlobalObject::classIsInitialized(JSProtoKey) const+28>
=> 0x42d1dc <js::GlobalObject::classIsInitialized(JSProtoKey) const+28>:	movl   $0xcc,0x0
   0x42d1e7 <js::GlobalObject::classIsInitialized(JSProtoKey) const+39>:	callq  0x4a61b0 <abort()>
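The assertion quoted in the crash comment, inited == !getPrototype(key).isUndefined(), is a consistency check between a "class initialised" flag and the prototype slot it is supposed to guard; the oomTest shell function finds bugs in it by failing one allocation at a time. The model below is an added example, not SpiderMonkey code: all names (failableAlloc, Global, initClassBuggy, initClassFixed, oomSweep) are hypothetical stand-ins, and it shows the ordering that lets a single injected allocation failure leave the flag and the slot disagreeing, next to the ordering that commits state only after every allocation has succeeded.

```cpp
#include <new>  // std::bad_alloc, ::operator new/delete
// Hypothetical fault injector (not SpiderMonkey's): the Nth allocation throws.
static long g_allocsUntilFail = -1;  // -1 means never fail
static void* failableAlloc(std::size_t n) {
    if (g_allocsUntilFail == 0) throw std::bad_alloc();
    if (g_allocsUntilFail > 0) --g_allocsUntilFail;
    return ::operator new(n);
}

// Minimal stand-in for one lazily initialised standard class on a global;
// the report's assertion checks inited == (prototype slot is set).
struct Global {
    bool inited = false;
    void* proto = nullptr;  // models the prototype slot
    void* ctor = nullptr;   // models a second allocation (the constructor)
    bool invariantHolds() const { return inited == (proto != nullptr); }
    ~Global() { ::operator delete(proto); ::operator delete(ctor); }
};

// Buggy ordering: flagged initialised before its allocations succeed, so an
// OOM on the first leaves inited == true with an empty prototype slot.
static void initClassBuggy(Global& g) {
    g.inited = true;
    g.proto = failableAlloc(64);
    g.ctor = failableAlloc(64);
}

// Hardened ordering: allocate everything first, commit state only on success.
static void initClassFixed(Global& g) {
    void* proto = failableAlloc(64);
    void* ctor = nullptr;
    try { ctor = failableAlloc(64); } catch (...) { ::operator delete(proto); throw; }
    g.proto = proto; g.ctor = ctor; g.inited = true;
}

// oomTest-style sweep: fail allocation 0, 1, ..., maxAllocs in turn, swallow
// the bad_alloc like the shell's caught OOM, then check the invariant.
// Returns how many injected failures left the global inconsistent.
static int oomSweep(void (*init)(Global&), int maxAllocs) {
    int violations = 0;
    for (int failAt = 0; failAt <= maxAllocs; ++failAt) {
        Global g;
        g_allocsUntilFail = failAt;
        try { init(g); } catch (const std::bad_alloc&) {}
        if (!g.invariantHolds()) ++violations;
    }
    g_allocsUntilFail = -1;
    return violations;
}
```

The sweep over the buggy initialiser reports one inconsistent state (the failure on the very first allocation), while the hardened initialiser reports none for the same injected failures.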
@jorendorff: Bug is not fixed, new test is in the last comment. Also note that this bug probably has been filed multiple times, one of the dups is probably bug 1219128 which has some other info :)
Flags: needinfo?(jorendorff)
Duping forward since that information is quite useful.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → DUPLICATE
Flags: needinfo?(choller)
Severity: critical → S4