Closed Bug 1341299 Opened 7 years ago Closed 7 years ago

Hit MOZ_CRASH(Mutex ordering violation) at js/src/threading/Mutex.cpp:54 with evalInCooperativeThread

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1340822
Tracking Status
firefox51 --- unaffected
firefox52 --- unaffected
firefox53 --- unaffected
firefox54 --- fixed

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update,ignore])

The following testcase crashes on mozilla-central revision d84beb192e57 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

for (i=0; i<100;++i)
  evalInCooperativeThread('');

Backtrace:

 received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffeadff700 (LWP 10710)]
0x0000000000a42a53 in js::Mutex::lock (this=0x7ffff694ea40) at js/src/threading/Mutex.cpp:54
#0  0x0000000000a42a53 in js::Mutex::lock (this=0x7ffff694ea40) at js/src/threading/Mutex.cpp:54
#1  0x0000000000d23037 in js::LockGuard<js::Mutex>::LockGuard (aLock=..., this=0x7fffeadfe820) at js/src/threading/LockGuard.h:25
#2  js::AutoLockHelperThreadState::AutoLockHelperThreadState(mozilla::detail::GuardObjectNotifier&&) (_notifier=<unknown type in /mnt/LangFuzz/work/builds/debug64/dist/bin/js, CU 0x586bcd8, DIE 0x5998c79>, this=0x7fffeadfe820) at js/src/vm/HelperThreads.h:546
#3  js::gc::GCRuntime::startBackgroundAllocTaskIfIdle (this=0x7ffff695e5f8) at js/src/gc/Allocator.cpp:274
#4  0x0000000000dcdd64 in js::gc::AutoMaybeStartBackgroundAllocation::~AutoMaybeStartBackgroundAllocation (this=0x7fffeadfe870, __in_chrg=<optimized out>) at js/src/gc/GCRuntime.h:1335
#5  js::Nursery::init (this=this@entry=0x7fffeaf0e080, maxNurseryBytes=maxNurseryBytes@entry=16777216, lock=...) at js/src/gc/Nursery.cpp:154
#6  0x0000000000df0973 in js::ZoneGroup::init (this=this@entry=0x7fffeaf0e000, maxNurseryBytes=16777216) at js/src/gc/ZoneGroup.cpp:39
#7  0x00000000009a6b29 in js::NewCompartment (cx=cx@entry=0x7ffff69bf000, principals=principals@entry=0x0, options=...) at js/src/jsgc.cpp:6813
#8  0x0000000000b1b346 in js::GlobalObject::new_ (cx=cx@entry=0x7ffff69bf000, clasp=clasp@entry=0x1ea9f80 <global_class>, principals=principals@entry=0x0, hookOption=hookOption@entry=JS::DontFireOnNewGlobalHook, options=...) at js/src/vm/GlobalObject.cpp:349
#9  0x00000000008cbc55 in JS_NewGlobalObject (cx=cx@entry=0x7ffff69bf000, clasp=clasp@entry=0x1ea9f80 <global_class>, principals=principals@entry=0x0, hookOption=hookOption@entry=JS::DontFireOnNewGlobalHook, options=...) at js/src/jsapi.cpp:1861
#10 0x0000000000456d45 in NewGlobalObject (cx=0x7ffff69bf000, options=..., principals=principals@entry=0x0) at js/src/shell/js.cpp:7377
#11 0x000000000045d934 in WorkerMain (arg=<optimized out>) at js/src/shell/js.cpp:3527
#12 0x000000000045f7d2 in js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::callMain<0ul> (this=0x7ffff6920440) at js/src/threading/Thread.h:234
#13 js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::Start (aPack=0x7ffff6920440) at js/src/threading/Thread.h:227
#14 0x00007ffff7bc16fa in start_thread (arg=0x7fffeadff700) at pthread_create.c:333
#15 0x00007ffff6c38b5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rip	0xa42a53 <js::Mutex::lock()+867>
=> 0xa42a53 <js::Mutex::lock()+867>:	movl   $0x0,0x0
   0xa42a5e <js::Mutex::lock()+878>:	ud2    
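
The MOZ_CRASH in frame #0 comes from a debug-only lock-order check in js::Mutex. As an added illustration (not SpiderMonkey's own Mutex.cpp and not code from this bug), the C++ below sketches such a checker and exercises the shape of this backtrace: a higher-ranked lock already held (frame #5's lock argument, assumed here to be the GC lock) when startBackgroundAllocTaskIfIdle in frame #3 requests the helper-thread-state lock. The rank values, the mutex and function names, and the strictly-increasing-rank rule are assumptions for illustration.

```cpp
// Added example, not SpiderMonkey's Mutex.cpp: a lock-order checker modeled on the
// debug check behind MOZ_CRASH("Mutex ordering violation"). Each mutex has a rank; a
// thread-local stack of held mutexes lets lock() report out-of-rank acquisition.
#include <mutex>
#include <string>
#include <vector>
struct MutexId { const char* name; unsigned order; };
class OrderedMutex {
 public:
  explicit OrderedMutex(MutexId id) : id_(id) {}
  // Returns false where a debug build would crash, so the check is testable.
  bool lock() {
    auto& held = heldStack();
    if (!held.empty() && id_.order <= held.back()->id_.order) {
      lastViolation() = std::string(held.back()->id_.name) + " -> " + id_.name;
      return false;
    }
    impl_.lock();
    held.push_back(this);
    return true;
  }
  void unlock() {  // assumes LIFO release, as scoped guards such as LockGuard give
    if (!heldStack().empty() && heldStack().back() == this) heldStack().pop_back();
    impl_.unlock();
  }
  static std::string& lastViolation() { static thread_local std::string v; return v; }
 private:
  static std::vector<OrderedMutex*>& heldStack() { static thread_local std::vector<OrderedMutex*> s; return s; }
  MutexId id_;
  std::mutex impl_;
};
// Hypothetical ranks (not SpiderMonkey's table): the GC lock outranks the helper-thread lock.
OrderedMutex gHelperThreadState{{"HelperThreadState", 100}};
OrderedMutex gGCLock{{"GCLock", 200}};

// Shape of the backtrace: GC lock already held when the helper-thread lock is requested.
bool outOfOrderIsDetected() {
  gGCLock.lock();
  bool acquired = gHelperThreadState.lock();  // reported as a violation, not acquired
  gGCLock.unlock();
  return !acquired;
}
// The same pair taken in rank order passes the check.
bool inOrderIsAccepted() {
  if (!gHelperThreadState.lock()) return false;
  bool ok = gGCLock.lock();
  if (ok) gGCLock.unlock();
  gHelperThreadState.unlock();
  return ok;
}
```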


Marking as fuzzblocker due to frequency and because it blocks further testing of evalInCooperativeThread.
NI from bhackett for this fuzzblocker.
Flags: needinfo?(bhackett1024)
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/fad2e60d7843
user:        Brian Hackett
date:        Fri Feb 17 05:13:11 2017 -0700
summary:     Bug 1337968 - Add API and shell harness for cooperative multithreading, r=jandem.

This iteration took 266.516 seconds to run.
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 9f871c40b36f).
Bug 1340822 fixed this issue (though I'll need to make sure this doesn't come back when we start having per-zone-group nurseries again).
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
FF54 was fixed in bug 1340822. Mark 54 fixed.