Closed Bug 1111363 Opened 10 years ago Closed 10 years ago

Crash [@ js::gc::GCRuntime::sweepBackgroundThings] or Assertion failure: JSVAL_IS_DOUBLE_IMPL(data), at dist/include/js/Value.h

Categories: Core :: JavaScript Engine: JIT, defect
Platform: x86_64 macOS
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla37
Tracking Status: firefox37 --- affected

People: Reporter: gkw, Assigned: bhackett1024

Whiteboard: [jsbugmon:update] (4 keywords)

Attachments: 3 files

// Randomly chosen test: js/src/tests/ecma_5/Date/fractions.js
Date();
// Randomly chosen test: js/src/jit-test/tests/basic/bug623859.js
try {
    gcparam("maxBytes", gcparam("gcBytes") + 1);
    eval("\
        var a = [];\
        for (var i = 0; i < 99999; ++i) {\
            a[i] = [];\
        }\
    ")
} catch (e) {}
// Randomly chosen test: js/src/jit-test/tests/ion/inlining/TypedObject-storage-transparent.js
if (TypedObject) {};

asserts js debug shell on m-c changeset f14dcd1c8c0b with --fuzzing-safe --no-threads --ion-eager at Assertion failure: JSVAL_IS_DOUBLE_IMPL(data), at dist/include/js/Value.h.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random js tests together with jsfunfuzz; the specific files are:

http://hg.mozilla.org/mozilla-central/file/f14dcd1c8c0b/js/src/tests/ecma_5/Date/fractions.js
http://hg.mozilla.org/mozilla-central/file/f14dcd1c8c0b/js/src/jit-test/tests/basic/bug623859.js
http://hg.mozilla.org/mozilla-central/file/f14dcd1c8c0b/js/src/jit-test/tests/ion/inlining/TypedObject-storage-transparent.js

=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20141124173426" and the hash "672742f81e51".
The "bad" changeset has the timestamp "20141124192527" and the hash "f7705f553b85".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=672742f81e51&tochange=f7705f553b85

Brian, is bug 1100170 a likely regressor?
Flags: needinfo?(bhackett1024)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x3259d5, 0x000000010001f9a1 js-dbg-opt-64-dm-nsprBuild-darwin-f14dcd1c8c0b`JS::Value::toPrivate(this=<unavailable>) const + 145 at Value.h:1286, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010001f9a1 js-dbg-opt-64-dm-nsprBuild-darwin-f14dcd1c8c0b`JS::Value::toPrivate(this=<unavailable>) const + 145 at Value.h:1286
    frame #1: 0x00000001000afb03 js-dbg-opt-64-dm-nsprBuild-darwin-f14dcd1c8c0b`js::TypeDescr::finalize(js::FreeOp*, JSObject*) [inlined] js::TypeDescr& JSObject::as<js::TypeDescr>(this=<unavailable>) + 163 at TypedObject.h:187
    frame #2: 0x00000001000afa69 js-dbg-opt-64-dm-nsprBuild-darwin-f14dcd1c8c0b`js::TypeDescr::finalize(fop=<unavailable>, obj=<unavailable>) + 9 at TypedObject.cpp:3214
    frame #3: 0x00000001005f8828 js-dbg-opt-64-dm-nsprBuild-darwin-f14dcd1c8c0b`JSObject::finalize(this=0x0000000101f79100, fop=0x00007fff5fbff140) + 136 at jsobjinlines.h:89
    frame #4: 0x00000001005f82af js-dbg-opt-64-dm-nsprBuild-darwin-f14dcd1c8c0b`unsigned long js::gc::Arena::finalize<JSObject>(this=0x0000000101f79000, fop=0x00007fff5fbff140, thingKind=<unavailable>, thingSize=128) + 511 at jsgc.cpp:498
(lldb)
Attached file Opt stack
This causes a malloc error on opt builds: (run with --fuzzing-safe --no-threads --ion-eager)

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

Also, js::gc::GCRuntime::sweepBackgroundThings is on the stack.
Crash Signature: [@ js::gc::GCRuntime::sweepBackgroundThings]
Keywords: crash
Summary: Assertion failure: JSVAL_IS_DOUBLE_IMPL(data), at dist/include/js/Value.h → Crash [@ js::gc::GCRuntime::sweepBackgroundThings] or Assertion failure: JSVAL_IS_DOUBLE_IMPL(data), at dist/include/js/Value.h
I've also been seeing this for a while but confused it with the other open JSVAL_IS_DOUBLE_IMPL bug. On Linux, this often crashes with glibc aborts (invalid free, etc).
Attached patch: patch
The typed object tracing code requires that the trace list slot be a possibly null private pointer, which is pretty inflexible and difficult to achieve if we OOM while initializing a type descriptor.  The attached patch changes things so that an empty trace list is indicated by the trace list slot still having its original undefined value.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8536544 - Flags: review?(sphink)
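To make the failure mode in the patch description concrete, here is an added model. It is not SpiderMonkey's code and not part of the bug or the patch: a minimal x86-64 NaN-boxed Value with the tag layout js/Value.h used at the time (17-bit tag above bit 47, private pointers boxed as ptr >> 1 so they read as doubles), plus a hypothetical TypeDescr whose JS_DESCR_SLOT_TRACE_LIST stays at its initial undefined value when allocation fails part-way through initialization. The TypeDescr fields, the pre-fix finalizer shape and the helper names (initDescr, finalizeBeforeFix, finalizeAfterFix, destroyDescr) are assumptions for illustration; only the Value constants follow the real layout.

```cpp
// Added model, not SpiderMonkey's own code. Value constants follow the 2014
// x86-64 js/Value.h layout; TypeDescr, initDescr and the two finalizer shapes
// are assumptions made to illustrate the bug and the fix.
#include <cassert>
#include <cstdint>
#include <cstdlib>

namespace model {

constexpr int      kTagShift            = 47;
constexpr uint64_t kTagMaxDouble        = 0x1FFF0;
constexpr uint64_t kTypeUndefined       = 0x02;
// Every bit pattern at or below this is a double; real tags sit above it.
constexpr uint64_t kShiftedTagMaxDouble = (kTagMaxDouble << kTagShift) | 0xFFFFFFFFULL;
constexpr uint64_t kShiftedTagUndefined = (kTagMaxDouble | kTypeUndefined) << kTagShift;

struct Value {
    uint64_t bits;

    static Value undefined() { return Value{kShiftedTagUndefined}; }

    // A private pointer is boxed as ptr >> 1: a canonical user-space pointer
    // then lands below kShiftedTagMaxDouble, so the box passes isDouble().
    static Value fromPrivate(const void* p) {
        uint64_t ptrBits = reinterpret_cast<uint64_t>(p);
        assert((ptrBits & 1) == 0);
        Value v{ptrBits >> 1};
        assert(v.isDouble());
        return v;
    }

    bool isDouble()    const { return bits <= kShiftedTagMaxDouble; }
    bool isUndefined() const { return bits == kShiftedTagUndefined; }

    // Debug builds assert JSVAL_IS_DOUBLE_IMPL(data) here (the bug title).
    // Opt builds skip the check and hand back the shifted tag as a pointer.
    void* toPrivate(bool debugBuild) const {
        if (debugBuild)
            assert(isDouble());
        return reinterpret_cast<void*>(bits << 1);
    }
};

// Trace list: three int32_t arrays (string, object, value offsets), each
// terminated by -1. An empty list is just the three terminators.
struct TypeDescr {
    Value traceListSlot = Value::undefined();   // JS_DESCR_SLOT_TRACE_LIST starts undefined
    const int32_t* allocatedList = nullptr;     // what the allocator really handed out

    bool hasTraceList() const { return !traceListSlot.isUndefined(); }
    const int32_t* traceList() const {
        return static_cast<const int32_t*>(traceListSlot.toPrivate(/*debugBuild=*/true));
    }
};

// Initialization allocates the list and then stores it in the slot. With
// simulateOOM the allocation "fails" before the store, so the slot keeps its
// undefined value; the half-built descriptor is still finalized later.
inline TypeDescr initDescr(bool simulateOOM) {
    TypeDescr d;
    if (simulateOOM)
        return d;
    int32_t* list = static_cast<int32_t*>(std::malloc(3 * sizeof(int32_t)));
    list[0] = list[1] = list[2] = -1;
    d.allocatedList = list;
    d.traceListSlot = Value::fromPrivate(list);
    return d;
}

// Pre-fix shape (assumed): unbox the slot as a private pointer unconditionally.
// Returns the pointer the finalizer would hand to js_free().
inline void* finalizeBeforeFix(const TypeDescr& d, bool debugBuild) {
    return d.traceListSlot.toPrivate(debugBuild);
}

// Post-fix shape: consult hasTraceList() first, as the patch does.
inline void* finalizeAfterFix(const TypeDescr& d) {
    if (!d.hasTraceList())
        return nullptr;
    return const_cast<int32_t*>(d.traceList());
}

inline void destroyDescr(TypeDescr& d) {
    std::free(const_cast<int32_t*>(d.allocatedList));
    d.allocatedList = nullptr;
}

} // namespace model
```

With the slot left undefined, a debug build trips the isDouble() assertion inside toPrivate(), and an opt build returns the undefined tag shifted left by one (0xFFF2000000000000) as the "trace list" pointer; handing a value like that to the allocator is the kind of invalid free that produces the malloc and glibc aborts reported in the opt runs above. The patched finalizer never unboxes the slot unless hasTraceList() says a pointer was actually stored.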
Comment on attachment 8536544 [details] [diff] [review]
patch

Review of attachment 8536544 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/builtin/TypedObject.h
@@ +183,5 @@
>      // The list is three consecutive arrays of int32_t offsets, with each array
>      // terminated by -1. The arrays store offsets of string, object, and value
>      // references in the descriptor, in that order.
> +    bool hasTraceList() const {
> +        return !getFixedSlot(JS_DESCR_SLOT_TRACE_LIST).isUndefined();
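Review bot: the comment above hasTraceList() still describes only the three -1-terminated arrays and says nothing about the new convention that JS_DESCR_SLOT_TRACE_LIST left at its initial undefined value means "no trace list"; add that sentence, since this is now the invariant finalize() relies on in place of a null private pointer. The accessor is also inconsistent: hasTraceList() reads the slot through getFixedSlot while the sibling traceList() reads the same slot through getReservedSlot; use one accessor for both so a reader does not wonder whether the two paths can disagree.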

getFixedSlot here, getReservedSlot in traceList(). I assume these can both be getFixedSlot then?

I see 5 uses of *ReservedSlot for JS_DESCR_SLOT_TRACE_LIST, and I assume the other slots are handled similarly. Different bug, though.
Attachment #8536544 - Flags: review?(sphink) → review+
This bug is btw a good example of why not fixing bug 915336 is a big problem: the stacks in this bug and bug 915336 are not distinguishable by any signature. Only the fact that this particular issue also crashes (differently) makes it visible to us in fuzz testing.

So if anyone wants to jump at bug 915336, that'd be great for making issues like this more visible to us.
https://hg.mozilla.org/mozilla-central/rev/571e6519a2a6
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37