Closed
Bug 1260725
Opened 9 years ago
Closed 9 years ago
Assertion failure: get() (dereferencing a UniquePtr containing nullptr), at dist/include/mozilla/UniquePtr.h:319
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla48
Tracking | Status | |
---|---|---|
firefox48 | --- | fixed |
People
(Reporter: decoder, Assigned: fitzgen)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,bisect])
Attachments
(1 file, 1 obsolete file)
(deleted), patch | fitzgen: review+
The following testcase crashes on mozilla-central revision d5d53a3b4e50 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads):
```js
var dbg = new Debugger;
dbg.onNewGlobalObject = function(global) {
  dbg.memory.takeCensus({});
};
oomTest(function() {
  newGlobal({})
});
```
Backtrace:
```
Program received signal SIGSEGV, Segmentation fault.
0x0000000000471752 in mozilla::UniquePtr<JS::ubi::CountType, JS::DeletePolicy<JS::ubi::CountType> >::operator-> (this=0x7fffedb219b0) at js/src/debug64/dist/include/mozilla/UniquePtr.h:319
#0 0x0000000000471752 in mozilla::UniquePtr<JS::ubi::CountType, JS::DeletePolicy<JS::ubi::CountType> >::operator-> (this=0x7fffedb219b0) at js/src/debug64/dist/include/mozilla/UniquePtr.h:319
#1 0x0000000000ba6a09 in operator-> (this=0x7fffedb219b0) at js/src/debug64/dist/include/js/HashTable.h:1237
#2 JS::ubi::ByObjectClass::makeCount (this=0x7fffedb219a0) at js/src/vm/UbiNodeCensus.cpp:436
#3 0x0000000000ba6661 in JS::ubi::ByCoarseType::makeCount (this=0x7fffedb4d5b0) at js/src/vm/UbiNodeCensus.cpp:236
#4 0x00000000009f5229 in js::DebuggerMemory::takeCensus (cx=0x7ffff6908800, argc=<optimized out>, vp=<optimized out>) at js/src/vm/DebuggerMemory.cpp:401
#5 0x00007ffff7ff76b8 in ?? ()
#6 0x00007fffffffb400 in ?? ()
#7 0x00007fffffffb3b0 in ?? ()
#8 0x0000000000000000 in ?? ()
```
```
rip 0x471752 <mozilla::UniquePtr<JS::ubi::CountType, JS::DeletePolicy<JS::ubi::CountType> >::operator->() const+28>
=> 0x471752 <mozilla::UniquePtr<JS::ubi::CountType, JS::DeletePolicy<JS::ubi::CountType> >::operator->() const+28>: movl $0x13f,0x0
0x47175d <mozilla::UniquePtr<JS::ubi::CountType, JS::DeletePolicy<JS::ubi::CountType> >::operator->() const+39>: callq 0x4a9b00 <abort()>
```

Comment 1•9 years ago
GetDefaultBreakdown() in vm/UbiNodeCensus.cpp needs OOM checks.
Flags: needinfo?(nfitzgerald)

Comment 2•9 years ago (Assignee)
This commit adds OOM checks that were missing to
`GetDefaultBreakdown`. Additionally, it replaces uses of `js_new<T>` with
`cx->new_<T>` so that OOMs are automatically reported on the context.
Attachment #8736381 -
Flags: review?(jorendorff)
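
The failure mode discussed in comments 1 and 2, as an added example that is not SpiderMonkey's code or the attached patch: a nested breakdown built from fallible allocations, with and without OOM checks, swept the way `oomTest` sweeps allocation failures. `CountType` here is a hypothetical stand-in, and `fallibleNew`, `makeBreakdown`, `wellFormed` and `malformedResults` are names assumed for illustration.

```cpp
#include <memory>
#include <new>
#include <utility>

// Hypothetical stand-in for a census breakdown node; not SpiderMonkey's CountType.
struct CountType {
    bool leaf = true;
    std::unique_ptr<CountType> then, other;  // nested breakdowns, null on a leaf
};
using CountTypePtr = std::unique_ptr<CountType>;

// Simulated fallible allocator: the Nth call fails once, then the counter stays 0 (never fail).
static int allocsUntilFailure = 0;
static CountType* fallibleNew() {
    if (allocsUntilFailure > 0 && --allocsUntilFailure == 0) return nullptr;
    return new (std::nothrow) CountType();
}

// checkOom=false models the missing checks (a null child is stored); true propagates failure.
CountTypePtr makeBreakdown(bool checkOom) {
    CountTypePtr objects(fallibleNew());
    if (checkOom && !objects) return nullptr;
    CountTypePtr others(fallibleNew());
    if (checkOom && !others) return nullptr;
    CountTypePtr root(fallibleNew());
    if (!root) return nullptr;
    root->leaf = false;
    root->then = std::move(objects);
    root->other = std::move(others);
    return root;
}

// A consumer can only walk the tree if every interior node has both children.
bool wellFormed(const CountType* t) {
    if (!t) return false;
    return t->leaf || (wellFormed(t->then.get()) && wellFormed(t->other.get()));
}

// Fail allocation 1, 2, 3 in turn; count runs returning a non-null but malformed tree.
int malformedResults(bool checkOom) {
    int bad = 0;
    for (int n = 1; n <= 3; n++) {
        allocsUntilFailure = n;
        CountTypePtr t = makeBreakdown(checkOom);
        if (t && !wellFormed(t.get())) bad++;
    }
    return bad;
}
int main() { return (malformedResults(false) == 2 && malformedResults(true) == 0) ? 0 : 1; }
```

Without the checks, two of the three injected failures yield a parent that looks valid but holds a null child, which is the state a later `operator->` asserts on; with the checks, every injected failure surfaces as a null result at the call site.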

Updated•9 years ago (Assignee)
Assignee: nobody → nfitzgerald
Status: NEW → ASSIGNED
Flags: needinfo?(nfitzgerald)

Comment 3•9 years ago (Assignee)

Updated•9 years ago
Attachment #8736381 -
Flags: review?(jorendorff) → review+

Comment 4•9 years ago (Assignee)
Fix failures from the try push where oomTest was not defined.
Attachment #8736460 -
Flags: review+

Updated•9 years ago (Assignee)
Attachment #8736381 -
Attachment is obsolete: true

Comment 5•9 years ago (Assignee)

Updated•9 years ago (Assignee)
Keywords: checkin-needed

Comment 6•9 years ago
bugherder landing
Keywords: checkin-needed

Comment 7•9 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48