Closed Bug 1813387 Opened 2 years ago Closed 2 years ago

Assertion failure: isThrowingOutOfMemory(), at vm/JSContext.cpp:735

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
111 Branch
Tracking Flags:
Tracking Status
firefox111 --- fixed

People

(Reporter: lukas.bernhard, Assigned: iain)

References

(Blocks 2 open bugs)

Details

Attachments

(1 file)

Bug 1813387: Fix error handling in tryAttachArrayConstructor r=jandem
(deleted), text/x-phabricator-request
Details

Steps to reproduce:

The attached sample asserts with isThrowingOutOfMemory(), at vm/JSContext.cpp:735, status is ExceptionStatus::OverRecursed. Tested on commit fb1e6d6e5735dcf12d96fde70351aca305961b53.
Commandline: obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js

with (this.newGlobal()) {
    function f2(a3, a4) {
        try {
            a4(undefined, a4);
        } catch(e7) {
            const v10 = new Int8Array(this, e7, undefined);
            Reflect.construct(Uint8ClampedArray, v10);
        }
    }   
    f2(f2, f2);
}

#0  JSContext::recoverFromOutOfMemory (this=0x7ffff7430b00)
    at js/src/vm/JSContext.cpp:735
#1  0x0000555557e0f425 in js::jit::InlinableNativeIRGenerator::tryAttachArrayConstructor (
    this=0x7fffffdfecd8) at js/src/jit/CacheIR.cpp:9668
#2  0x0000555557e08747 in js::jit::InlinableNativeIRGenerator::tryAttachStub (this=0x7fffffdfecd8) at js/src/jit/CacheIR.cpp:10173
#3  0x0000555557e150a0 in js::jit::CallIRGenerator::tryAttachInlinableNative (this=0x7fffffdfee78, flags=..., callee=...) at js/src/jit/CacheIR.cpp:10089
#4  js::jit::CallIRGenerator::tryAttachCallNative (this=0x7fffffdfee78, calleeFunc=...)
    at js/src/jit/CacheIR.cpp:10718
#5  js::jit::CallIRGenerator::tryAttachStub (this=0x7fffffdfee78)
    at js/src/jit/CacheIR.cpp:10873
#6  0x0000555557af0218 in js::jit::DoCallFallback (cx=<optimized out>, frame=0x7fffffdff178, stub=0x7ffff740cee8, argc=1, vp=0x7fffffdff110, res=...)
    at js/src/jit/BaselineIC.cpp:1545
Blocks: l11d-js-fuzzing, sm-runtime
Component: Untriaged → JavaScript Engine
Product: Firefox → Core

Looks like a small error handling issue in CacheIR

Severity: -- → S3
Flags: needinfo?(iireland)
Priority: -- → P3

If we call GlobalObject::getOrCreateArrayPrototype with a full stack, then defining properties on the prototype ends up calling the ArrayObject addProp hook. As part of this process we check for over-recursion and throw OverRecursed instead of OOM.

Assignee: nobody → iireland
Status: NEW → ASSIGNED
Flags: needinfo?(iireland)
Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/744945bf1e33 Fix error handling in tryAttachArrayConstructor r=jandem

https://hg.mozilla.org/mozilla-central/rev/744945bf1e33

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox111: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 111 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: