Closed Bug 1448691 Opened 7 years ago Closed 7 years ago

Assertion failure: isDouble(), at dist/include/js/Value.h:765 with OOM and asm.js

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
mozilla61
Tracking Status
firefox-esr52 --- unaffected
firefox59 --- unaffected
firefox60 --- unaffected
firefox61 --- fixed

People

(Reporter: decoder, Assigned: luke)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 6862624e24d0+ (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --baseline-eager):

loadFile(`
  evaluate(\`
    (function() {
      'use asm';
      function g() {}
      return g
    })
  \`, {})();
`);
function loadFile(lfVarx) {
  try {
    oomTest(function() {
      eval(lfVarx);
    });
  } catch (lfVare) {}
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000000000474068 in JS::Value::toPrivate (this=<optimized out>) at dist/include/js/Value.h:765
#1  0x0000000000db8d9c in js::WasmInstanceObject::exports (this=<optimized out>) at js/src/wasm/WasmJS.cpp:1165
#2  js::WasmInstanceObject::finalize (fop=<optimized out>, obj=0x7ffff58b5100) at js/src/wasm/WasmJS.cpp:983
#3  0x0000000000ec8308 in js::Class::doFinalize (this=<optimized out>, obj=0x7ffff58b5100, fop=0x7fffffffd310) at dist/include/js/Class.h:872
#4  JSObject::finalize (this=this@entry=0x7ffff58b5100, fop=fop@entry=0x7fffffffd310) at js/src/vm/JSObject-inl.h:108
#5  0x0000000000ec86fe in js::gc::Arena::finalize<JSObject> (this=this@entry=0x7ffff58b5000, fop=fop@entry=0x7fffffffd310, thingKind=thingKind@entry=js::gc::AllocKind::OBJECT8, thingSize=thingSize@entry=96) at js/src/gc/GC.cpp:590
#6  0x0000000000e8f276 in FinalizeTypedArenas<JSObject> (fop=0x7fffffffd310, src=0x7ffff55fc438, dest=..., thingKind=js::gc::AllocKind::OBJECT8, budget=..., keepArenas=js::gc::ArenaLists::KEEP_ARENAS) at js/src/gc/GC.cpp:648
#7  0x0000000000e8f698 in FinalizeArenas (keepArenas=js::gc::ArenaLists::KEEP_ARENAS, budget=..., thingKind=js::gc::AllocKind::OBJECT8, dest=..., src=<optimized out>, fop=0x7fffffffd310) at js/src/gc/GC.cpp:682
#8  js::gc::ArenaLists::foregroundFinalize (this=0x7ffff55fc0b0, fop=0x7fffffffd310, thingKind=<optimized out>, sliceBudget=..., sweepList=...) at js/src/gc/GC.cpp:5811
#9  0x0000000000e8fad0 in js::gc::GCRuntime::finalizeAllocKind (this=0x7ffff5f1a780, fop=<optimized out>, budget=..., zone=<optimized out>, kind=<optimized out>) at js/src/gc/GC.cpp:6106
#10 0x0000000000eaae0e in sweepaction::SweepActionCall<js::FreeOp*, js::SliceBudget&, JS::Zone*, js::gc::AllocKind>::run (args#3=<optimized out>, args#2=0x7ffff55fc000, args#1=..., args#0=0x7fffffffd310, gc=0x7ffff5f1a780, this=0x7ffff5f370c0) at js/src/gc/GC.cpp:6242
#11 sweepaction::SweepActionForEach<ContainerIter<mozilla::EnumSet<js::gc::AllocKind> >, mozilla::EnumSet<js::gc::AllocKind>, js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&, JS::Zone*>::run (this=0x7ffff5f2a100, args#0=0x7ffff5f1a780, args#1=0x7fffffffd310, args#2=..., args#3=0x7ffff55fc000) at js/src/gc/GC.cpp:6301
#12 0x0000000000ecb40a in sweepaction::SweepActionSequence<js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&, JS::Zone*>::run (this=0x7ffff5f172e0, args#0=0x7ffff5f1a780, args#1=0x7fffffffd310, args#2=..., args#3=0x7ffff55fc000) at js/src/gc/GC.cpp:6270
#13 0x0000000000ecb7ec in sweepaction::SweepActionForEach<js::gc::SweepGroupZonesIter, JSRuntime*, js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run (this=0x7ffff5f38040, args#0=0x7ffff5f1a780, args#1=0x7fffffffd310, args#2=...) at js/src/gc/GC.cpp:6301
#14 0x0000000000ecb240 in sweepaction::SweepActionSequence<js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run (this=0x7ffff5f17330, args#0=0x7ffff5f1a780, args#1=0x7fffffffd310, args#2=...) at js/src/gc/GC.cpp:6270
#15 0x0000000000ecb955 in sweepaction::SweepActionRepeatFor<js::gc::SweepGroupsIter, JSRuntime*, js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run (this=0x7ffff5f38070, args#0=0x7ffff5f1a780, args#1=0x7fffffffd310, args#2=...) at js/src/gc/GC.cpp:6331
#16 0x0000000000e9e77e in js::gc::GCRuntime::performSweepActions (this=this@entry=0x7ffff5f1a780, budget=...) at js/src/gc/GC.cpp:6483
#17 0x0000000000ea1fe4 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff5f1a780, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME, session=...) at js/src/gc/GC.cpp:7066
#18 0x0000000000ea3349 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff5f1a780, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/gc/GC.cpp:7395
#19 0x0000000000ea3a05 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff5f1a780, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/gc/GC.cpp:7538
#20 0x0000000000ea3d49 in js::gc::GCRuntime::gc (this=this@entry=0x7ffff5f1a780, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/gc/GC.cpp:7608
#21 0x0000000000be8c1b in JSRuntime::destroyRuntime (this=0x7ffff5f1a000) at js/src/vm/Runtime.cpp:321
#22 0x0000000000b45489 in js::DestroyContext (cx=0x7ffff5f16000) at js/src/vm/JSContext.cpp:252
#23 0x00000000009b5eca in JS_DestroyContext (cx=<optimized out>) at js/src/jsapi.cpp:506
#24 0x0000000000444196 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9440

rax 0x0 0
rbx 0x7ffff58b5100 140737312936192
rcx 0x7ffff6c282ad 140737333330605
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffcde0 140737488342496
rsp 0x7fffffffcde0 140737488342496
r8  0x7ffff6ef7770 140737336276848
r9  0x7ffff7fe4780 140737354024832
r10 0x58 88
r11 0x7ffff6b9e7a0 140737332766624
r12 0x7ffff58b5100 140737312936192
r13 0x203ece0 33811680
r14 0x40 64
r15 0x7fffffffcee0 140737488342752
rip 0x474068 <JS::Value::toPrivate() const+72>
=> 0x474068 <JS::Value::toPrivate() const+72>: movl $0x0,0x0
   0x474073 <JS::Value::toPrivate() const+83>: ud2

I'm marking this s-s because this could indicate a GC problem (wrong type detected during GC finalize).
Flags: needinfo?(luke)
Attached patch fix-exports-oom (deleted) — Splinter Review
Bug 1412238 added a new OOM failure point before the EXPORTS_SLOT is initialized, breaking the finalizer's assumption. Trivial fix.
Assignee: nobody → luke
Flags: needinfo?(luke)
Attachment #8962498 - Flags: review?(bbouvier)
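The failure mode luke describes, modelled as an added C++ example (not SpiderMonkey code): an allocation that can fail after the object already exists leaves it in a "newborn" state, and the finalizer has to check that state before treating the slot as a private pointer. The OOM-injection hook, the single-slot layout and all names here are assumptions.

```cpp
// Added example, not SpiderMonkey code: models this bug's finalizer/OOM
// interaction. The instance object exists before its exports list is
// allocated; if that allocation fails the object stays "newborn" and the
// GC finalizer must not read the uninitialized slot as a pointer.
#include <cstdint>
#include <new>
#include <vector>
// Sentinel for a slot that was never written (stands in for UndefinedValue).
constexpr std::uintptr_t kUndefinedSlot = 0;

struct InstanceObject {
    std::uintptr_t exportsSlot = kUndefinedSlot;  // private pointer once set
    bool isNewborn() const { return exportsSlot == kUndefinedSlot; }
};

// Hypothetical OOM injection: fail the Nth allocation, like the shell's
// oomTest() in the reporter's testcase. -1 means never fail.
static int g_failAtAlloc = -1;
static int g_allocCount = 0;
static std::vector<int>* tryAllocExports() {
    if (g_allocCount++ == g_failAtAlloc) return nullptr;  // simulated OOM
    return new (std::nothrow) std::vector<int>{1, 2, 3};
}

// The object already exists when this runs, so an OOM here returns false
// and leaves it newborn for the GC to finalize later.
static bool initInstance(InstanceObject& obj) {
    std::vector<int>* exports = tryAllocExports();
    if (!exports) return false;  // caller reports OOM; slot stays undefined
    obj.exportsSlot = reinterpret_cast<std::uintptr_t>(exports);
    return true;
}

// Hardened finalizer: check the newborn state before using the slot.
// Before the fix the finalizer assumed the slot always held a pointer.
static bool finalizeInstance(InstanceObject& obj) {
    if (obj.isNewborn()) return false;  // nothing allocated, nothing to free
    delete reinterpret_cast<std::vector<int>*>(obj.exportsSlot);
    obj.exportsSlot = kUndefinedSlot;
    return true;
}

// Create then finalize with OOM injected at allocation number `failAt`.
// Returns true if the finalizer found an initialized slot to release.
static bool runWithOom(int failAt) {
    g_failAtAlloc = failAt; g_allocCount = 0;
    InstanceObject obj;
    initInstance(obj);
    return finalizeInstance(obj);
}
```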
Comment on attachment 8962498 [details] [diff] [review]
fix-exports-oom

Review of attachment 8962498 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM, thanks.

::: js/src/wasm/WasmJS.cpp
@@ +1028,5 @@
> for (uint32_t i = 0; i < globalObjs.length(); i++) {
> if (globalObjs[i] && globals[i].isIndirect())
> indirectGlobals++;
> }
> #endif

While you're around, there's a line below that's > 100 chars, can you wrap it please? Or split it in two parts?

Also, if any of the memory operations below (js::MakeUnique or resize thereafter) fail, don't we need a ReportOutOfMemory too?

@@ +1061,5 @@
> + // The INSTANCE_SLOT may not be initialized if Instance allocation fails,
> + // leading to an observable "newborn" state in tracing/finalization.
> + MOZ_ASSERT(obj->isNewborn());
> +
> + // Root the Instance via WasmInstanceObject before any possible GC,

nit: trailing whitespace, replace comma by dot.
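Review bot: the loop in the @@ +1028,5 @@ context indexes globalObjs[i] and globals[i] with one counter bounded only by globalObjs.length(), so it silently relies on the two arrays having the same length; a MOZ_ASSERT(globalObjs.length() == globals.length()) before the loop would document that invariant. The block closes with #endif, so indirectGlobals is presumably only computed under a preprocessor guard; worth confirming its only consumer sits under the same guard.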
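Review bot: the comment added in @@ +1061,5 @@ says the INSTANCE_SLOT may be uninitialized, but the crash in comment 0 is in WasmInstanceObject::exports() reading the exports slot, and comment 1 attributes the failure to EXPORTS_SLOT not being initialized; name the slot(s) that isNewborn() actually tests so that MOZ_ASSERT(obj->isNewborn()) documents the right invariant. The finalizer-side change that tolerates the newborn state is not in this hunk, so the assertion alone does not show that finalize() now skips the uninitialized slot; the last quoted line also ends in a trailing comma, as already noted.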
Attachment #8962498 - Flags: review?(bbouvier) → review+
Priority: -- → P1
Blocks: 1412238
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Group: javascript-core-security → core-security-release
Group: core-security-release