Closed Bug 1177122 Opened 9 years ago Closed 9 years ago

Assertion failure: (extractBuffer(&data, &size)), at js/src/vm/StructuredClone.cpp:725 with OOM

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla44
Tracking Status
firefox41 --- affected
firefox44 --- fixed

People

(Reporter: decoder, Assigned: lth)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file, 1 obsolete file)

The following testcase crashes on mozilla-central revision 2694ff2ace6a (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

    var a = [new Boolean(true),];
    for (var i = 0; i < a.length; i++) {
      var x = a[i];
      oomAfterAllocations(1);
      var y = deserialize(serialize(x));
    }

Backtrace:

    Program terminated with signal SIGSEGV, Segmentation fault.
    #0  0x0000000000745442 in JSStructuredCloneWriter::~JSStructuredCloneWriter (this=0x7fffd2bd23a0, __in_chrg=<optimized out>) at js/src/vm/StructuredClone.cpp:725
    #1  0x00000000007733aa in WriteStructuredClone (cx=cx@entry=0x7fd65801b330, v=..., v@entry=..., bufp=bufp@entry=0x7fffd2bd2820, nbytesp=nbytesp@entry=0x7fffd2bd2828, cb=cb@entry=0x0, cbClosure=<optimized out>, transferable=...) at js/src/vm/StructuredClone.cpp:370
    #2  0x00000000007735ca in JS_WriteStructuredClone (cx=cx@entry=0x7fd65801b330, value=value@entry=..., bufp=bufp@entry=0x7fffd2bd2820, nbytesp=nbytesp@entry=0x7fffd2bd2828, optionalCallbacks=optionalCallbacks@entry=0x0, closure=closure@entry=0x0, transferable=transferable@entry=...) at js/src/vm/StructuredClone.cpp:1905
    #3  0x0000000000773716 in JSAutoStructuredCloneBuffer::write (this=this@entry=0x7fffd2bd2820, cx=cx@entry=0x7fd65801b330, value=..., transferable=..., optionalCallbacks=optionalCallbacks@entry=0x0, closure=closure@entry=0x0) at js/src/vm/StructuredClone.cpp:2074
    #4  0x00000000005920a3 in Serialize (cx=0x7fd65801b330, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1762
    #5  0x0000000000696982 in js::CallJSNative (cx=0x7fd65801b330, native=0x592020 <Serialize(JSContext*, unsigned int, jsval*)>, args=...) at js/src/jscntxtinlines.h:235
    #6  0x0000000000686102 in js::Invoke (cx=cx@entry=0x7fd65801b330, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:709
    #7  0x0000000000678292 in Interpret (cx=cx@entry=0x7fd65801b330, state=...) at js/src/vm/Interpreter.cpp:2962
    #8  0x0000000000685b03 in js::RunScript (cx=cx@entry=0x7fd65801b330, state=...) at js/src/vm/Interpreter.cpp:653
    #9  0x00000000006862bb in js::Invoke (cx=cx@entry=0x7fd65801b330, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:729
    #10 0x0000000000687e89 in js::Invoke (cx=cx@entry=0x7fd65801b330, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7fffd2bd4568, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:766
    #11 0x00000000008b46aa in js::jit::DoCallFallback (cx=0x7fd65801b330, frame=0x7fffd2bd4598, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffd2bd4558, res=...) at js/src/jit/BaselineIC.cpp:9855
    #12 0x00007fd65957fbdf in ?? ()
    [...]
    #22 0x0000000000000000 in ?? ()

Registers:

    rax 0x0                 0
    rbx 0x7fffd2bd23a0      140736728998816
    rcx 0x7fd6583ce88d      140558580115597
    rdx 0x0                 0
    rsi 0x7fd6586a39d0      140558583085520
    rdi 0x7fd6586a21c0      140558583079360
    rbp 0x7fffd2bd2350      140736728998736
    rsp 0x7fffd2bd2300      140736728998656
    r8  0x7fd659713780      140558600320896
    r9  0x6372732f736a2f6c  7165916604736876396
    r10 0x7fd65869fbe0      140558583069664
    r11 0x0                 0
    r12 0x7fffd2bd23a8      140736728998824
    r13 0x7fffd2bd2380      140736728998784
    r14 0x0                 0
    r15 0x0                 0
    rip 0x745442 <JSStructuredCloneWriter::~JSStructuredCloneWriter()+850>

Disassembly at the crash site (the assertion's abort call):

    => 0x745442 <JSStructuredCloneWriter::~JSStructuredCloneWriter()+850>: movl $0x2d5,0x0
       0x74544d <JSStructuredCloneWriter::~JSStructuredCloneWriter()+861>: callq 0x494da0 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150524152820" and the hash "5f7e75cf1891".
The "bad" changeset has the timestamp "20150524171021" and the hash "004de000947c".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=5f7e75cf1891&tochange=004de000947c
Assignee: nobody → lhansen
Reproduces in current m-i, also with no runtime flags and with --no-ion --no-baseline.
Attached patch Patch (obsolete) (deleted) — Splinter Review
Attachment #8670732 - Flags: review?(evilpies)
Comment on attachment 8670732 [details] [diff] [review]
Patch

Review of attachment 8670732 [details] [diff] [review]:
-----------------------------------------------------------------

I am not sure this is a good idea. Seems like just always crashing would be simpler and avoid problems if something else changes.
Comment on attachment 8670732 [details] [diff] [review]
Patch

Review of attachment 8670732 [details] [diff] [review]:
-----------------------------------------------------------------

Let's just always crash when extractBuffer fails.
Attachment #8670732 - Flags: review?(evilpies) → review-
Attached patch bug1177122-sc-writer-oom.patch (deleted) — Splinter Review
A simpler solution.
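The testcase above drives the writer into an allocation failure with oomAfterAllocations(1) and the review settles on crashing deterministically when extractBuffer fails. The following is an added illustration of that discussion, not SpiderMonkey code and not either patch: a miniature clone writer with a fault-injection allocator, swept over every allocation point the way the shell's OOM testing functions exercise the real engine, so the teardown policies can be compared side by side. All names (FaultAllocator, CloneWriter, teardown, oomSweep, Policy) and the three-write payload are constructed for the example; "abort" is modelled as a return value so the whole sweep runs in one process, and the allocator keeps failing once its budget is spent, which mirrors the report's sequence of a failed write followed by a failed extraction in the destructor.

```cpp
// Added example, not SpiderMonkey's code: a miniature structured-clone style
// writer plus a fault-injection allocator, swept over every allocation point
// to compare how teardown policies behave when extractBuffer() hits OOM.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <vector>

// Constructed allocator: the (failAfter+1)-th request and every later one
// return nullptr; `live` counts outstanding blocks so a sweep can spot leaks.
struct FaultAllocator {
    long failAfter = -1;   // -1 means never fail
    long live = 0;
    void* alloc(size_t n) {
        if (failAfter == 0) return nullptr;
        if (failAfter > 0) --failAfter;
        void* p = std::malloc(n ? n : 1);
        if (p) ++live;
        return p;
    }
    void release(void* p) { if (p) { std::free(p); --live; } }
};

class CloneWriter {
public:
    explicit CloneWriter(FaultAllocator& a) : alloc_(a) {}
    ~CloneWriter() { for (auto& c : chunks_) alloc_.release(c.data); }
    // Each write takes one allocation, so each write is an OOM point.
    bool write(const void* src, size_t n) {
        void* p = alloc_.alloc(n);
        if (!p) return false;
        std::memcpy(p, src, n);
        chunks_.push_back({p, n});
        return true;
    }
    // Coalesce the chunks into one caller-owned buffer; this needs one more
    // allocation, which is the OOM point the report's assertion sits on.
    // On failure the chunks stay in place and the destructor still frees them.
    bool extractBuffer(uint8_t** data, size_t* size) {
        size_t total = 0;
        for (auto& c : chunks_) total += c.len;
        uint8_t* out = static_cast<uint8_t*>(alloc_.alloc(total));
        if (!out) return false;
        size_t off = 0;
        for (auto& c : chunks_) {
            std::memcpy(out + off, c.data, c.len);
            off += c.len;
            alloc_.release(c.data);
        }
        chunks_.clear();
        *data = out;
        *size = total;
        return true;
    }
private:
    struct Chunk { void* data; size_t len; };
    FaultAllocator& alloc_;
    std::vector<Chunk> chunks_;
};

// How one teardown ended. Aborted is returned instead of really aborting so
// the whole sweep can run inside one process.
enum class Outcome { Extracted, Aborted, Unchecked, Reported };

enum class Policy {
    AssertDebug,    // debug-only assertion with assertions enabled: what the report hit
    AssertRelease,  // same source with assertions compiled out: the failure goes unnoticed
    AlwaysCrash,    // check active in every build and abort: what the review settled on
    Checked         // report the failure to the caller instead
};

Outcome teardown(CloneWriter& w, FaultAllocator& a, Policy policy) {
    uint8_t* data = nullptr;
    size_t size = 0;
    if (w.extractBuffer(&data, &size)) {
        a.release(data);   // the consumer is done with the coalesced buffer
        return Outcome::Extracted;
    }
    switch (policy) {
        case Policy::AssertDebug:
        case Policy::AlwaysCrash:   return Outcome::Aborted;
        case Policy::AssertRelease: return Outcome::Unchecked;  // real code would carry on with data == nullptr
        case Policy::Checked:       return Outcome::Reported;
    }
    return Outcome::Aborted;
}

struct SweepResult { int extracted = 0, aborted = 0, unchecked = 0, reported = 0, leaks = 0; };

// Run serialise-then-teardown once per OOM point k. With the constructed
// three-write payload, k in 0..2 fails a write, k == 3 fails the coalesce,
// and k >= 4 succeeds; the destructor runs in every case, as in the report.
SweepResult oomSweep(Policy policy, int maxFailPoint) {
    SweepResult r;
    const char payload[] = "constructed sample value";
    for (int k = 0; k <= maxFailPoint; ++k) {
        FaultAllocator a;
        a.failAfter = k;
        Outcome o;
        {
            CloneWriter w(a);
            for (int i = 0; i < 3; ++i) w.write(payload, sizeof payload);
            o = teardown(w, a, policy);
        }   // ~CloneWriter frees whatever extractBuffer left behind
        switch (o) {
            case Outcome::Extracted: ++r.extracted; break;
            case Outcome::Aborted:   ++r.aborted;   break;
            case Outcome::Unchecked: ++r.unchecked; break;
            case Outcome::Reported:  ++r.reported;  break;
        }
        if (a.live != 0) ++r.leaks;
    }
    return r;
}
```

Running oomSweep over the four policies for k = 0..5 shows the point of the review comment: the assertion-style code aborts on four of the six runs in a debug build but silently continues with a null buffer on the same four runs once assertions are compiled out, while the always-crash policy fails the same way in every build and the checked policy reports the failure; the `leaks` counter stays at zero for all of them, which is the other property an allocation-failure sweep is meant to establish.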
Attachment #8670732 - Attachment is obsolete: true
Attachment #8671252 - Flags: review?(evilpies)
Attachment #8671252 - Flags: review?(evilpies) → review+
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44