Closed
Bug 1260259
Opened 9 years ago
Closed 9 years ago
Crash [@ matchOp] with OOM and strange crash address
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
Branch | Tracking | Status
---|---|---
firefox48 | --- | fixed
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,bisect])
Crash Data
The following testcase crashes on mozilla-central revision 63be002b4a80 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks --ion-offthread-compile=off):
```js
function oomTest(f) {
    var i = 1;
    do {
        try {
            oomAtAllocation(i);
            f(RegExp.summary, "");
        } catch (e) {
            more = resetOOMFailure();
        }
        i++;
    } while (more);
}
oomTest(
    () => 3 | (function()function prototype() {
        return i[expectTryValue];
    })()
);
```
Backtrace:
```
Program terminated with signal SIGSEGV, Segmentation fault.
#0 matchOp (id=..., op=js::jit::GuardIsObject, this=0xff8a5c30) at js/src/jit/CacheIR.h:329
#1 GetCacheIRReceiverForNativeReadSlot (receiver=0xff8a5c20, stub=0xf512b090) at js/src/jit/BaselineInspector.cpp:131
#2 js::jit::BaselineInspector::maybeInfoForPropertyOp (this=0xf515c0a8, pc=0xf50d7d42 "5", receivers=..., convertUnboxedGroups=...) at js/src/jit/BaselineInspector.cpp:179
#3 0x0835f3f0 in js::jit::IonBuilder::getPropTryInlineAccess (this=this@entry=0xf515c158, emitted=emitted@entry=0xff8a5d90, obj=obj@entry=0xf515e9d0, name=name@entry=0xf525fee0, barrier=barrier@entry=js::jit::NoBarrier, types=types@entry=0xf515c690) at js/src/jit/IonBuilder.cpp:11872
#4 0x08371df7 in js::jit::IonBuilder::jsop_getprop (this=this@entry=0xf515c158, name=0xf525fee0) at js/src/jit/IonBuilder.cpp:11106
#5 0x0836b1a3 in js::jit::IonBuilder::inspectOpcode (this=this@entry=0xf515c158, op=op@entry=JSOP_GETPROP) at js/src/jit/IonBuilder.cpp:2017
#6 0x0836bb21 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0xf515c158) at js/src/jit/IonBuilder.cpp:1523
#7 0x0836c3f9 in js::jit::IonBuilder::build (this=this@entry=0xf515c158) at js/src/jit/IonBuilder.cpp:918
#8 0x0831c3cd in js::jit::IonCompile (cx=cx@entry=0xf7173020, script=script@entry=0xf527e0d0, baselineFrame=baselineFrame@entry=0xff8a6238, osrPc=osrPc@entry=0xf50d7d24 "う\232", constructing=constructing@entry=false, recompile=recompile@entry=false, optimizationLevel=js::jit::Normal) at js/src/jit/Ion.cpp:2143
#9 0x0831ceb3 in js::jit::Compile (cx=0xf7173020, script=script@entry=..., osrFrame=osrFrame@entry=0xff8a6238, osrPc=osrPc@entry=0xf50d7d24 "う\232", constructing=false, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2375
#10 0x0831d97d in BaselineCanEnterAtBranch (pc=0xf50d7d24 "う\232", osrFrame=0xff8a6238, script=..., cx=0xf7173020) at js/src/jit/Ion.cpp:2562
#11 js::jit::IonCompileScriptForBaseline (cx=cx@entry=0xf7173020, frame=frame@entry=0xff8a6238, pc=pc@entry=0xf50d7d24 "う\232") at js/src/jit/Ion.cpp:2620
#12 0x08269eda in js::jit::DoWarmUpCounterFallbackOSR (cx=0xf7173020, frame=0xff8a6238, stub=0xf5133050, infoPtr=0xff8a6214) at js/src/jit/BaselineIC.cpp:141
#13 0xf73db69d in ?? ()
#14 0xf5133050 in ?? ()
#15 0xf73d4c5c in ?? ()
#16 0x08261efa in EnterBaseline (cx=0xf5133050, cx@entry=0xf7173020, data=...) at js/src/jit/BaselineJIT.cpp:150
[...]
#24 0x080f01f7 in runOffThreadScript (cx=0xf7173020, argc=0, vp=0xff8a6ce0) at js/src/shell/js.cpp:3935
[...]
#53 main (argc=7, argv=0xff8a8244, envp=0xff8a8264) at js/src/shell/js.cpp:7443

eax 0x20202020 538976288
ebx 0x98cc950 160221520
ecx 0x94859240 -1803185600
edx 0x20202021 538976289
esi 0xf512b090 -183324528
edi 0xff8a5c30 -7709648
ebp 0xff8a5c58 4287257688
esp 0xff8a5c10 4287257616
eip 0x827e950 <js::jit::BaselineInspector::maybeInfoForPropertyOp(unsigned char*, mozilla::Vector<js::ReceiverGuard, 4u, js::jit::JitAllocPolicy>&, mozilla::Vector<js::ObjectGroup*, 4u, js::jit::JitAllocPolicy>&)+336>
=> 0x827e950 <js::jit::BaselineInspector::maybeInfoForPropertyOp(unsigned char*, mozilla::Vector<js::ReceiverGuard, 4u, js::jit::JitAllocPolicy>&, mozilla::Vector<js::ObjectGroup*, 4u, js::jit::JitAllocPolicy>&)+336>: cmpb $0x0,(%eax)
   0x827e953 <js::jit::BaselineInspector::maybeInfoForPropertyOp(unsigned char*, mozilla::Vector<js::ReceiverGuard, 4u, js::jit::JitAllocPolicy>&, mozilla::Vector<js::ObjectGroup*, 4u, js::jit::JitAllocPolicy>&)+339>: je 0x827e9a0 <js::jit::BaselineInspector::maybeInfoForPropertyOp(unsigned char*, mozilla::Vector<js::ReceiverGuard, 4u, js::jit::JitAllocPolicy>&, mozilla::Vector<js::ObjectGroup*, 4u, js::jit::JitAllocPolicy>&)+416>)
```
Strange crash address, marking s-s for now.
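The "strange crash address" call is made by reading the faulting instruction (`cmpb $0x0,(%eax)`) against the register dump: `eax` holds 0x20202020, a value made of four identical printable bytes, which looks like data being dereferenced as a pointer rather than a plain near-null read. The following Python triage helper is an added example and is not part of the bug report or of the SpiderMonkey tooling; it parses a gdb register dump in the layout shown above (the sample values are copied from this report, the truncated symbol name is constructed), resolves the memory operand of the faulting instruction, and flags the address patterns a triager would want to see called out. The classification rules (near-null, repeated-byte, printable-ASCII) are the author's own heuristics, not a Mozilla convention.

```python
import re

# Constructed sample in gdb's "info registers" + "x/i $pc" layout; register
# values are those from the report above, the symbol name is shortened.
SAMPLE = """\
eax 0x20202020 538976288
ebx 0x98cc950 160221520
ecx 0x94859240 -1803185600
edx 0x20202021 538976289
esi 0xf512b090 -183324528
edi 0xff8a5c30 -7709648
ebp 0xff8a5c58 4287257688
esp 0xff8a5c10 4287257616
=> 0x827e950 <js::jit::BaselineInspector::maybeInfoForPropertyOp(...)+336>: cmpb $0x0,(%eax)
"""

# AT&T memory operand: [disp](%base[,%index[,scale]])
MEM_OPERAND = re.compile(
    r"(-?(?:0x[0-9a-fA-F]+|\d+))?\((%[a-z0-9]+)(?:,(%[a-z0-9]+)(?:,([1248]))?)?\)"
)


def parse_registers(dump: str) -> dict:
    """Map register name -> unsigned value from lines like 'eax 0x20202020 538976288'."""
    regs = {}
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].isalpha() and parts[1].startswith("0x"):
            regs[parts[0]] = int(parts[1], 16)
    return regs


def faulting_instruction(dump: str) -> str:
    """Return the instruction text after the '=> addr <symbol>:' prefix."""
    for line in dump.splitlines():
        if line.startswith("=>"):
            return line.rsplit(">:", 1)[-1].strip()
    raise ValueError("no '=>' instruction line in dump")


def fault_address(dump: str, bits: int = 32) -> int:
    """Evaluate the instruction's memory operand with the dumped register values."""
    regs = parse_registers(dump)
    m = MEM_OPERAND.search(faulting_instruction(dump))
    if m is None:
        raise ValueError("faulting instruction has no memory operand")
    disp, base, index, scale = m.groups()
    addr = int(disp, 0) if disp else 0
    addr += regs[base.lstrip("%")]
    if index:
        addr += regs[index.lstrip("%")] * int(scale or "1")
    return addr & ((1 << bits) - 1)  # wrap like the CPU's address arithmetic


def classify_address(addr: int, bits: int = 32) -> list:
    """Heuristic tags that make a crash address worth a second look (author's rules)."""
    tags = []
    if addr < 0x1000:
        tags.append("near-null")  # typical unchecked-null dereference, rarely more
    raw = addr.to_bytes(bits // 8, "little")
    if len(set(raw)) == 1 and addr >= 0x1000:
        tags.append("repeated-byte-pattern")  # looks like fill/poison or copied data
    if all(0x20 <= b < 0x7F for b in raw):
        tags.append("printable-ascii")  # attacker- or content-controlled bytes as pointer
    return tags


def triage(dump: str) -> dict:
    """Summarise one crash: faulting instruction, address, and the tags above."""
    addr = fault_address(dump)
    return {
        "instruction": faulting_instruction(dump),
        "address": f"0x{addr:08x}",
        "tags": classify_address(addr),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run against the sample, the tool reports the 0x20202020 address with both the `repeated-byte-pattern` and `printable-ascii` tags; either tag is a reason to keep a crash marked security-sensitive until the root cause (here, an OOM path that left a stale or uninitialised value in the stub data) is understood, since a near-null read would otherwise be triaged as a plain null dereference.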
Comment 1•9 years ago
I fixed an OOM bug here recently, but will double check tomorrow.
Flags: needinfo?(jdemooij)
Comment 2•9 years ago
(In reply to Jan de Mooij [:jandem] from comment #1)
> I fixed an OOM bug here recently, but will double check tomorrow.
Yup, this was fixed as part of bug 1258105. I can reproduce the crash without the OOM fix.
Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → FIXED
Updated•9 years ago