Closed Bug 1263902 Opened 9 years ago Closed 9 years ago

Crash [@ __strlen_sse2_bsf] with OOM and asm.js

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla48
Tracking Status
firefox48 --- fixed

People

(Reporter: decoder, Assigned: lth)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 file, 1 obsolete file)

The following testcase crashes on mozilla-central revision 29d5a4175c8b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off):

    lfLogBuffer = `
    buf = new ArrayBuffer(4096)
    function ffi() {}
    function FFI1(glob, imp, b) {
        "use asm"
        var f32=new glob.Float32Array(b);
        var f64=new glob.Float64Array(b);
        var ffi=imp.ffi;
        function g() {
            ffi(+f64[0]);
        }
        return g;
    }
    g = FFI1(this, {ffi}, buf)
    for (i of a) for (j of a) { u32 = i; }
    `.split('\n')
    lfCodeBuffer = "";
    while (true) {
        line = lfLogBuffer.shift()
        if (line == null) break;
        lfCodeBuffer += line + "\n"
    }
    loadFile(lfCodeBuffer)
    function loadFile(lfVarx) {
        oomTest(function() { eval(lfVarx) })
    }

Backtrace:

    Program received signal SIGSEGV, Segmentation fault.
    __strlen_sse2_bsf () at ../sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S:50
    #0  __strlen_sse2_bsf () at ../sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S:50
    #1  0x085619f1 in js::ExpandErrorArgumentsVA (cx=cx@entry=0xf7a77020, callback=callback@entry=0x8546240 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=274, messagep=messagep@entry=0xffffa090, reportp=reportp@entry=0xffffa0a0, argumentsType=argumentsType@entry=js::ArgumentsAreASCII, ap=0xffffa138 "\360\004\227\365\315\006\032\b", ap@entry=0xffffa134 "") at js/src/jscntxt.cpp:616
    #2  0x08561c6a in js::ReportErrorNumberVA (cx=0xf7a77020, flags=flags@entry=1, callback=callback@entry=0x8546240 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=274, argumentsType=argumentsType@entry=js::ArgumentsAreASCII, ap=ap@entry=0xffffa134 "") at js/src/jscntxt.cpp:752
    #3  0x08563464 in JS_ReportErrorFlagsAndNumber (cx=cx@entry=0xf7a77020, flags=flags@entry=1, errorCallback=0x8546240 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=274) at js/src/jsapi.cpp:5582
    #4  0x081dc9a7 in LinkFail (str=0x0, cx=0xf7a77020) at js/src/asmjs/AsmJS.cpp:7028
    #5  CheckBuffer (buffer=..., bufferVal=..., module=..., cx=0xf7a77020) at js/src/asmjs/AsmJS.cpp:7434
    #6  DynamicallyLinkModule (exportObj=..., moduleObj=..., args=..., cx=0xf7a77020) at js/src/asmjs/AsmJS.cpp:7464
    #7  LinkAsmJS (cx=0xf7a77020, argc=3, vp=0xf5625120) at js/src/asmjs/AsmJS.cpp:7626
    #8  0x0871e30a in js::CallJSNative (cx=0xf7a77020, native=0x81db3f0 <LinkAsmJS(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
    #9  0x0871a79d in js::Invoke (cx=0xf7a77020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:476
    #10 0x0870a38a in Interpret (cx=cx@entry=0xf7a77020, state=...) at js/src/vm/Interpreter.cpp:2807
    #11 0x0871a51f in js::RunScript (cx=cx@entry=0xf7a77020, state=...) at js/src/vm/Interpreter.cpp:426
    #12 0x0871d30d in js::ExecuteKernel (cx=cx@entry=0xf7a77020, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=evalInFrame@entry=..., result=0xffffaf88) at js/src/vm/Interpreter.cpp:682
    #13 0x084c5d2b in EvalKernel (cx=cx@entry=0xf7a77020, args=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., scopeobj=..., scopeobj@entry=..., pc=0xf5750769 "{") at js/src/builtin/Eval.cpp:332
    #14 0x084c6732 in js::DirectEval (cx=cx@entry=0xf7a77020, args=...) at js/src/builtin/Eval.cpp:439
    #15 0x08280335 in js::jit::DoCallFallback (cx=0xf7a77020, frame=0xffffafc8, stub_=0xf7aaa0b0, argc=1, vp=0xffffaf88, res=...) at js/src/jit/BaselineIC.cpp:6100
    #16 0xf7fcedce in ?? ()
    #17 0xf7aaa0b0 in ?? ()
    #18 0xf7fc8c5c in ?? ()
    #19 0x0825cd1a in EnterBaseline (cx=0xf7aaa0b0, cx@entry=0xf7a77020, data=...) at js/src/jit/BaselineJIT.cpp:150
    #20 0x0827ab9e in js::jit::EnterBaselineMethod (cx=cx@entry=0xf7a77020, state=...) at js/src/jit/BaselineJIT.cpp:188
    #21 0x0871a5bb in js::RunScript (cx=cx@entry=0xf7a77020, state=...) at js/src/vm/Interpreter.cpp:416
    #22 0x0871a7fa in js::Invoke (cx=0xf7a77020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:494
    #23 0x0871bf4a in js::Invoke (cx=cx@entry=0xf7a77020, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:528
    #24 0x08556d30 in JS_CallFunction (cx=cx@entry=0xf7a77020, obj=..., fun=fun@entry=..., args=..., rval=rval@entry=...) at js/src/jsapi.cpp:2865
    #25 0x0886737b in OOMTest (cx=0xf7a77020, argc=1, vp=0xf56250b8) at js/src/builtin/TestingFunctions.cpp:1311
    [...]
    #47 main (argc=5, argv=0xffffcc24, envp=0xffffcc3c) at js/src/shell/js.cpp:7443

    eax 0x0        0
    ebx 0x98a9314  160076564
    ecx 0x0        0
    edx 0x0        0
    esi 0x0        0
    edi 0x0        0
    ebp 0xffffa068 4294942824
    esp 0xffff9fa4 4294942628
    eip 0xf7d11e86 <__strlen_sse2_bsf+22>
    => 0xf7d11e86 <__strlen_sse2_bsf+22>: movdqu (%edi),%xmm1
       0xf7d11e8a <__strlen_sse2_bsf+26>: pcmpeqb %xmm1,%xmm0
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/a196bd265eab
user:      Lars T Hansen
date:      Mon Nov 02 09:07:47 2015 +0100
summary:   Bug 1218643 - remove support for deprecated asm.js heap length. r=luke

This iteration took 328.457 seconds to run.
That patch did not introduce the bug, but it changed a constraint so that an existing OOM problem is revealed. The problem is that if a construction of an error message by JS_smprintf fails for OOM reasons then we start passing a null pointer around. The problem is not exactly pervasive but this is not the only place it occurs.
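The null-pointer path described in the comment above, as an added example in C that is not SpiderMonkey's code: a hypothetical JS_smprintf-style helper with an injectable allocation failure (standing in for the shell's oomTest), an error reporter that measures the message with strlen() the way the ExpandErrorArgumentsVA frame in the backtrace does, and a caller that checks the helper's return value so OOM is reported instead of a NULL being passed on. The function names, the failure switch and the buffer lengths are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical allocation-failure switch, standing in for the shell's oomTest():
 * when set, the next allocation fails exactly once. */
static int fail_next_alloc = 0;

static void *oom_malloc(size_t n) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return malloc(n);
}

/* Stand-in for JS_smprintf: formats into a fresh heap string, or returns NULL on OOM. */
static char *smprintf_like(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (n < 0) return NULL;
    char *buf = oom_malloc((size_t)n + 1);
    if (!buf) return NULL;
    va_start(ap, fmt);
    vsnprintf(buf, (size_t)n + 1, fmt, ap);
    va_end(ap);
    return buf;
}

/* Stand-in for the error reporter: like the %s expansion in the backtrace
 * (ExpandErrorArgumentsVA -> strlen), it measures the message with strlen(),
 * so handing it a NULL message faults inside strlen. */
static size_t report_error(const char *msg) {
    return strlen(msg);
}

enum link_result { LINK_OK = 0, LINK_FAIL = 1, LINK_OOM = 2 };
/* Checked version of the pattern: a too-short buffer is a link failure with a
 * message, but if building that message fails the caller reports OOM instead
 * of passing NULL on. The length values are constructed, not asm.js's limits. */
static enum link_result check_buffer(size_t length, size_t min_length) {
    if (length >= min_length) return LINK_OK;
    char *msg = smprintf_like("buffer length 0x%zx is below 0x%zx", length, min_length);
    if (!msg) return LINK_OOM;   /* the check that was missing in the bug */
    report_error(msg);
    free(msg);
    return LINK_FAIL;
}
```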
Attached patch check return value from JS_smprintf (obsolete) (deleted) — Splinter Review
Ben, can you look at the AsmJS.cpp changes? Shu, can you look at the Debugger.cpp changes? Thx.
Attachment #8742353 - Flags: review?(shu)
Assignee: nobody → lhansen
Status: NEW → ASSIGNED
Attachment #8742353 - Flags: review?(bbouvier)
Comment on attachment 8742353 [details] [diff] [review]
check return value from JS_smprintf

Review of attachment 8742353 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good, thanks!
Attachment #8742353 - Flags: review?(bbouvier) → review+
Missed a spot in the JS shell
Attachment #8742355 - Flags: review?(shu)
Attachment #8742355 - Flags: review?(bbouvier)
Attachment #8742353 - Attachment is obsolete: true
Attachment #8742353 - Flags: review?(shu)
Comment on attachment 8742355 [details] [diff] [review]
check return value from JS_smprintf

(Cleaning up my own mess here.)

bbouvier r+'d the AsmJS.cpp bits on the previous patch. Shu, can you look at the remaining changes to Debugger.cpp and js.cpp? Thanks.
Attachment #8742355 - Flags: review?(bbouvier)
Comment on attachment 8742355 [details] [diff] [review]
check return value from JS_smprintf

Review of attachment 8742355 [details] [diff] [review]:
-----------------------------------------------------------------

Woops, thanks for the fix.
Attachment #8742355 - Flags: review?(shu) → review+
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 67ac40fb8f68).
Did this somehow land?
Flags: needinfo?(lhansen)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #9)
> Did this somehow land?

Not according to hg.mozilla.org. Note this is 32-bit only. It was reported on Linux but I've repro'd on Mac OS. (There was some bug traffic earlier this month re rewriting the printf library, and if that happened & landed it could have affected the OOM condition here.)
Flags: needinfo?(lhansen)
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48