Closed Bug 1204847 Opened 9 years ago Closed 9 years ago

Assertion failure: defined_, at js/src/asmjs/AsmJSValidate.cpp:1424 with OOM

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED FIXED
mozilla43
Tracking Status
firefox43 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file, 1 obsolete file)

The following testcase crashes on mozilla-central revision c69e31de9aec (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks):

    var lfcode = new Array();
    lfcode.push = loadFile;
    oomAfterAllocations(50, 2);
    lfcode.push(`
      "use asm";
      function f() { return +pow(.0, .0)
    `);
    function loadFile(lfVarx) {
      eval("(function() { " + lfVarx + " })();");
    }

Backtrace:

    Program terminated with signal SIGSEGV, Segmentation fault.
    #0  0x000000000042d61c in (anonymous namespace)::ModuleValidator::Func::srcBegin (this=<optimized out>, this=<optimized out>) at js/src/asmjs/AsmJSValidate.cpp:1424
    #1  0x000000000043fdc1 in srcBegin (this=<optimized out>, this=<optimized out>) at js/src/asmjs/AsmJSValidate.cpp:1424
    #2  CheckFunctions (m=..., results=results@entry=0x7fff2462f620) at js/src/asmjs/AsmJSValidate.cpp:11043
    #3  0x00000000005c2543 in CheckModule (compilationTimeReport=0x7fff2462f600, moduleOut=0x7fff2462f610, stmtList=0x7fff2462fa00, parser=..., cx=<optimized out>) at js/src/asmjs/AsmJSValidate.cpp:12386
    #4  js::ValidateAsmJS (cx=<optimized out>, parser=..., stmtList=stmtList@entry=0x7f206028b140, validated=validated@entry=0x7fff2462fa00) at js/src/asmjs/AsmJSValidate.cpp:12470
    #5  0x00000000004c582a in js::frontend::Parser<js::frontend::FullParseHandler>::asmJS (this=this@entry=0x7fff246317d0, list=0x7f206028b140) at js/src/frontend/Parser.cpp:2987
    #6  0x00000000004da1af in js::frontend::Parser<js::frontend::FullParseHandler>::maybeParseDirective (this=this@entry=0x7fff246317d0, list=list@entry=0x7f206028b140, pn=pn@entry=0x7f206028b1b0, cont=cont@entry=0x7fff2462fa80) at js/src/frontend/Parser.cpp:3062
    #7  0x00000000004f7c6c in js::frontend::Parser<js::frontend::FullParseHandler>::statements (this=this@entry=0x7fff246317d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3128
    #8  0x00000000004f7feb in js::frontend::Parser<js::frontend::FullParseHandler>::functionBody (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, kind=kind@entry=js::frontend::Expression, type=type@entry=js::frontend::Parser<js::frontend::FullParseHandler>::StatementListBody) at js/src/frontend/Parser.cpp:1141
    #9  0x00000000004f8577 in js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBodyGeneric (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, pn=pn@entry=0x7f206028b020, fun=fun@entry=..., kind=kind@entry=js::frontend::Expression) at js/src/frontend/Parser.cpp:2809
    #10 0x00000000004ceb29 in js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBody (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, pn=0x7f206028b020, fun=..., fun@entry=..., kind=kind@entry=js::frontend::Expression, generatorKind=generatorKind@entry=js::NotGenerator, inheritedDirectives=..., newDirectives=newDirectives@entry=0x7fff246300b0) at js/src/frontend/Parser.cpp:2613
    #11 0x00000000004f8a7a in js::frontend::Parser<js::frontend::FullParseHandler>::functionDef (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, funName=..., funName@entry=..., kind=kind@entry=js::frontend::Expression, generatorKind=generatorKind@entry=js::NotGenerator, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictInvoked) at js/src/frontend/Parser.cpp:2443
    #12 0x00000000004f9057 in js::frontend::Parser<js::frontend::FullParseHandler>::functionExpr (this=this@entry=0x7fff246317d0, invoked=js::frontend::Parser<js::frontend::FullParseHandler>::PredictInvoked) at js/src/frontend/Parser.cpp:2925
    #13 0x00000000004fcdda in js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr (this=this@entry=0x7fff246317d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tt=<optimized out>, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictInvoked) at js/src/frontend/Parser.cpp:9148
    #14 0x00000000004fec14 in js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr (this=this@entry=0x7fff246317d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tt=js::frontend::TOK_FUNCTION, allowCallSyntax=allowCallSyntax@entry=true, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictInvoked) at js/src/frontend/Parser.cpp:8450
    #15 0x00000000004ff8c4 in js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr (this=this@entry=0x7fff246317d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictInvoked) at js/src/frontend/Parser.cpp:7376
    #16 0x00000000004ffae6 in js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1 (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictInvoked) at js/src/frontend/Parser.cpp:6895
    #17 0x00000000004ffd3e in js::frontend::Parser<js::frontend::FullParseHandler>::condExpr1 (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictInvoked) at js/src/frontend/Parser.cpp:6947
    #18 0x00000000004f91eb in js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictInvoked) at js/src/frontend/Parser.cpp:7062
    #19 0x00000000004f988f in js::frontend::Parser<js::frontend::FullParseHandler>::expr (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictInvoked) at js/src/frontend/Parser.cpp:6763
    #20 0x0000000000500155 in js::frontend::Parser<js::frontend::FullParseHandler>::parenExprOrGeneratorComprehension (this=this@entry=0x7fff246317d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:9280
    #21 0x00000000004fcd90 in js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr (this=this@entry=0x7fff246317d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tt=<optimized out>, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:9164
    #22 0x00000000004fec14 in js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr (this=this@entry=0x7fff246317d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tt=js::frontend::TOK_LP, allowCallSyntax=allowCallSyntax@entry=true, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:8450
    #23 0x00000000004ff8c4 in js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr (this=this@entry=0x7fff246317d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:7376
    #24 0x00000000004ffae6 in js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1 (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:6895
    #25 0x00000000004ffd3e in js::frontend::Parser<js::frontend::FullParseHandler>::condExpr1 (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:6947
    #26 0x00000000004f91eb in js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:7062
    #27 0x00000000004f988f in js::frontend::Parser<js::frontend::FullParseHandler>::expr (this=this@entry=0x7fff246317d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:6763
    #28 0x00000000004fa4d3 in js::frontend::Parser<js::frontend::FullParseHandler>::expressionStatement (this=this@entry=0x7fff246317d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:4947
    #29 0x00000000004f756d in js::frontend::Parser<js::frontend::FullParseHandler>::statement (this=this@entry=0x7fff246317d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, canHaveDirectives=<optimized out>) at js/src/frontend/Parser.cpp:6655
    #30 0x0000000000635b3f in BytecodeCompiler::compileScript (this=this@entry=0x7fff24631150, scopeChain=..., scopeChain@entry=..., evalCaller=evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:588
    #31 0x00000000006360a3 in js::frontend::CompileScript (cx=cx@entry=0x7f2060206800, alloc=<optimized out>, scopeChain=..., enclosingStaticScope=..., evalCaller=evalCaller@entry=..., options=..., srcBuf=..., source_=source_@entry=0x0, extraSct=extraSct@entry=0x7fff246321f0, sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:807
    #32 0x0000000000aeb839 in Evaluate (cx=cx@entry=0x7f2060206800, scope=..., staticScope=..., staticScope@entry=..., optionsArg=..., srcBuf=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:4446
    #33 0x0000000000aebbc4 in JS::Evaluate (cx=cx@entry=0x7f2060206800, options=..., bytes=<optimized out>, length=211, rval=rval@entry=...) at js/src/jsapi.cpp:4503
    #34 0x0000000000b121c6 in Evaluate (rval=..., filename=0x7f205e240ec0 "/home/ubuntu/work/work-2015-09-15-11-07-31/mutant32344_testBug989166.js", optionsArg=..., cx=0x7f2060206800, cx@entry=0x7fff24632440) at js/src/jsapi.cpp:4520
    #35 JS::Evaluate (cx=cx@entry=0x7f2060206800, optionsArg=..., filename=<optimized out>, rval=rval@entry=...) at js/src/jsapi.cpp:4556
    #36 0x000000000048811e in LoadScript (cx=0x7f2060206800, argc=<optimized out>, vp=0x7fff24632738, scriptRelative=false) at js/src/shell/js.cpp:785
    #37 0x00007f20616e6d68 in ?? ()
    #38 0x0000000000000008 in ?? ()
    #39 0x00007fff24632710 in ?? ()
    #40 0x0000000000000000 in ?? ()

Registers:

    rax 0x0 0
    rbx 0x7fff2462f6d0 140733803853520
    rcx 0x7f206052c88d 139777031719053
    rdx 0x0 0
    rsi 0x7f20608019d0 139777034688976
    rdi 0x7f20608001c0 139777034682816
    rbp 0x7fff2462f3b0 140733803852720
    rsp 0x7fff2462f3b0 140733803852720
    r8  0x7f2061871780 139777051924352
    r9  0x6372732f736a2f6c 7165916604736876396
    r10 0x7f20607fdbe0 139777034673120
    r11 0x0 0
    r12 0x7fff2462f4e0 140733803853024
    r13 0x7f2060205c00 139777028414464
    r14 0x7fff2462f4b0 140733803852976
    r15 0x7f205e3cf600 139776996734464
    rip 0x42d61c <(anonymous namespace)::ModuleValidator::Func::srcBegin() const+28>

Disassembly at the crash site:

    => 0x42d61c <(anonymous namespace)::ModuleValidator::Func::srcBegin() const+28>: movl $0x590,0x0
       0x42d627 <(anonymous namespace)::ModuleValidator::Func::srcBegin() const+39>: callq 0x49b880 <abort()>
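The bug class in this report (an accessor that asserts on an "undefined" record being reached after an allocation failure) and the way it is found (deterministic OOM injection, as the testcase does with oomAfterAllocations) can be modelled in a few dozen lines. The following is an added illustration, not SpiderMonkey code and not the fix from the attached patch: every type and function name in it is hypothetical, and the allocation-failure injector, the Func record, the Validator and the sweep harness are all assumptions made for the example.

```cpp
// Added model of the failure class, not SpiderMonkey code. All names are hypothetical.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Deterministic allocation-failure injector (hypothetical): after failAfter(n),
// the first n tryAlloc() calls succeed and the next one fails, in the spirit of
// the shell's oomAfterAllocations().
struct OomInjector {
    size_t remaining = SIZE_MAX;            // SIZE_MAX means "never fail"
    size_t allocations = 0;                 // successful allocations so far
    void failAfter(size_t n) { remaining = n; }
    bool tryAlloc() {
        if (remaining == 0) return false;   // simulated OOM
        if (remaining != SIZE_MAX) --remaining;
        ++allocations;
        return true;
    }
};

// Per-function validator record (hypothetical): declared on first reference,
// defined once its body has been seen. srcBegin() mirrors the asserting accessor
// in the backtrace: it is only meaningful once defined_ is true.
struct Func {
    std::string name;
    bool defined_ = false;
    uint32_t srcBegin_ = 0;
    uint32_t srcBegin() const { assert(defined_); return srcBegin_; }
};

struct Validator {
    OomInjector& oom;
    std::vector<Func> funcs;
    explicit Validator(OomInjector& o) : oom(o) {}

    Func* lookupOrDeclare(const std::string& name) {
        for (auto& f : funcs)
            if (f.name == name) return &f;
        if (!oom.tryAlloc()) return nullptr;      // OOM before anything is recorded
        Func f; f.name = name;
        funcs.push_back(f);
        return &funcs.back();
    }

    // An OOM here leaves the record declared-but-undefined. The caller must stop
    // immediately instead of continuing into a pass that reads srcBegin().
    bool defineFunc(const std::string& name, uint32_t srcBegin) {
        Func* f = lookupOrDeclare(name);
        if (!f || !oom.tryAlloc()) return false;
        f->defined_ = true;
        f->srcBegin_ = srcBegin;
        return true;
    }
};

using Def = std::pair<std::string, uint32_t>;

// Driver with clean OOM propagation: returns true and fills `out` with every
// function's srcBegin, or false with an error. Each early return happens before
// the post-pass, so srcBegin() is only read after defined_ has been checked.
bool validateModule(OomInjector& oom, const std::vector<std::string>& calls,
                    const std::vector<Def>& defs, std::vector<uint32_t>* out,
                    std::string* error)
{
    Validator v(oom);
    for (const auto& callee : calls)
        if (!v.lookupOrDeclare(callee)) { *error = "out of memory"; return false; }
    for (const auto& d : defs)
        if (!v.defineFunc(d.first, d.second)) { *error = "out of memory"; return false; }
    for (const auto& f : v.funcs) {
        if (!f.defined_) {
            *error = "function " + f.name + " declared but never defined";
            return false;
        }
        out->push_back(f.srcBegin());           // safe: defined_ checked above
    }
    return true;
}

// OOM sweep: count the allocations of a clean run, then fail each one in turn.
// Every injected run must return false with "out of memory"; the assertion in
// srcBegin() must never fire. Returns how many injected runs failed cleanly.
size_t oomSweep(const std::vector<std::string>& calls, const std::vector<Def>& defs)
{
    OomInjector probe;
    std::vector<uint32_t> out; std::string err;
    if (!validateModule(probe, calls, defs, &out, &err)) return 0;
    size_t failedCleanly = 0;
    for (size_t n = 0; n < probe.allocations; ++n) {
        OomInjector oom; oom.failAfter(n);
        std::vector<uint32_t> o; std::string e;
        if (!validateModule(oom, calls, defs, &o, &e) && e == "out of memory")
            ++failedCleanly;
    }
    return failedCleanly;
}

int main() {
    std::vector<std::string> calls{"f", "g"};         // constructed sample module
    std::vector<Def> defs{{"f", 10}, {"g", 20}};
    std::printf("%zu injected OOM runs failed cleanly\n", oomSweep(calls, defs));
    return 0;
}
```

The sweep is the part worth keeping: a debug build that asserts on partially-initialised state only helps if every allocation site is actually driven to failure, which is what iterating failAfter(n) over the allocation count does for the model and what the fuzzer's oomAfterAllocations(50, 2) did for the real validator.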
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150911071052" and the hash "9394c5f63b56b784dcdb9f70fa0b7f428bdf4d8c".
The "bad" changeset has the timestamp "20150911071250" and the hash "9c1c2581ad6501c9a8a36920043856d46ec19c20".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=9394c5f63b56b784dcdb9f70fa0b7f428bdf4d8c&tochange=9c1c2581ad6501c9a8a36920043856d46ec19c20
Attached patch oom-offthread.patch (deleted) — Splinter Review
Fortunately, bug 1181612 will bring type sanity to this line of code, by removing the reinterpret cast.
Assignee: nobody → benj
Status: NEW → ASSIGNED
Attachment #8661344 - Flags: review?(luke)
Attachment #8661344 - Flags: review?(luke) → review+
Attached patch maybeFunc contains AsmFunction (obsolete) (deleted) — Splinter Review
Assignee: benj → hv1989
Attachment #8661707 - Flags: review?(benj)
Comment on attachment 8661707 [details] [diff] [review] maybeFunc contains AsmFunction

Apparently too late ;)
Attachment #8661707 - Attachment is obsolete: true
Attachment #8661707 - Flags: review?(benj)
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
Assignee: hv1989 → benj