Bug 1111363: Crash [@ js::gc::GCRuntime::sweepBackgroundThings] or Assertion failure: JSVAL_IS_DOUBLE_IMPL(data), at dist/include/js/Value.h
Status: Closed (opened 10 years ago, closed 10 years ago)
Categories: Core :: JavaScript Engine: JIT, defect
Resolution: RESOLVED FIXED
Target Milestone: mozilla37

Tracking | Status
---|---
firefox37 | affected
People: Reporter: gkw, Assigned: bhackett1024
Details: 4 keywords, Whiteboard: [jsbugmon:update]
Attachments: 3 files
Description (Reporter, 10 years ago)

```js
// Randomly chosen test: js/src/tests/ecma_5/Date/fractions.js
Date();
// Randomly chosen test: js/src/jit-test/tests/basic/bug623859.js
try {
  gcparam("maxBytes", gcparam("gcBytes") + 1);
  eval("\
  var a = [];\
  for (var i = 0; i < 99999; ++i) {\
    a[i] = [];\
  }\
  ")
} catch (e) {}
// Randomly chosen test: js/src/jit-test/tests/ion/inlining/TypedObject-storage-transparent.js
if (TypedObject) {};
```

asserts js debug shell on m-c changeset f14dcd1c8c0b with --fuzzing-safe --no-threads --ion-eager at Assertion failure: JSVAL_IS_DOUBLE_IMPL(data), at dist/include/js/Value.h.

Debug configure options:

```
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
```

This was found by combining random js tests together with jsfunfuzz, the specific file(s) is/are:

http://hg.mozilla.org/mozilla-central/file/f14dcd1c8c0b/js/src/tests/ecma_5/Date/fractions.js
http://hg.mozilla.org/mozilla-central/file/f14dcd1c8c0b/js/src/jit-test/tests/basic/bug623859.js
http://hg.mozilla.org/mozilla-central/file/f14dcd1c8c0b/js/src/jit-test/tests/ion/inlining/TypedObject-storage-transparent.js

=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20141124173426" and the hash "672742f81e51".
The "bad" changeset has the timestamp "20141124192527" and the hash "f7705f553b85".

Likely regression window:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=672742f81e51&tochange=f7705f553b85

Brian, is bug 1100170 a likely regressor?
Flags: needinfo?(bhackett1024)
Comment 1 (Reporter, 10 years ago)
```
(lldb) bt 5
* thread #1: tid = 0x3259d5, 0x000000010001f9a1 js-dbg-opt-64-dm-nsprBuild-darwin-f14dcd1c8c0b`JS::Value::toPrivate(this=<unavailable>) const + 145 at Value.h:1286, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010001f9a1 js-dbg-opt-64-dm-nsprBuild-darwin-f14dcd1c8c0b`JS::Value::toPrivate(this=<unavailable>) const + 145 at Value.h:1286
    frame #1: 0x00000001000afb03 js-dbg-opt-64-dm-nsprBuild-darwin-f14dcd1c8c0b`js::TypeDescr::finalize(js::FreeOp*, JSObject*) [inlined] js::TypeDescr& JSObject::as<js::TypeDescr>(this=<unavailable>) + 163 at TypedObject.h:187
    frame #2: 0x00000001000afa69 js-dbg-opt-64-dm-nsprBuild-darwin-f14dcd1c8c0b`js::TypeDescr::finalize(fop=<unavailable>, obj=<unavailable>) + 9 at TypedObject.cpp:3214
    frame #3: 0x00000001005f8828 js-dbg-opt-64-dm-nsprBuild-darwin-f14dcd1c8c0b`JSObject::finalize(this=0x0000000101f79100, fop=0x00007fff5fbff140) + 136 at jsobjinlines.h:89
    frame #4: 0x00000001005f82af js-dbg-opt-64-dm-nsprBuild-darwin-f14dcd1c8c0b`unsigned long js::gc::Arena::finalize<JSObject>(this=0x0000000101f79000, fop=0x00007fff5fbff140, thingKind=<unavailable>, thingSize=128) + 511 at jsgc.cpp:498
(lldb)
```
Comment 2 (Reporter, 10 years ago)
This causes a malloc error on opt builds (run with --fuzzing-safe --no-threads --ion-eager):

```
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
```

Also, js::gc::GCRuntime::sweepBackgroundThings is on the stack.
Updated (Reporter, 10 years ago)
Crash Signature: [@ js::gc::GCRuntime::sweepBackgroundThings]
Keywords: crash
Summary: Assertion failure: JSVAL_IS_DOUBLE_IMPL(data), at dist/include/js/Value.h → Crash [@ js::gc::GCRuntime::sweepBackgroundThings] or Assertion failure: JSVAL_IS_DOUBLE_IMPL(data), at dist/include/js/Value.h
Comment 3 (10 years ago)
I've also been seeing this for a while but confused it with the other open JSVAL_IS_DOUBLE_IMPL bug. On Linux, this often crashes with glibc aborts (invalid free, etc).
Comment 4 (Assignee, 10 years ago)
The typed object tracing code requires that the trace list slot be a possibly null private pointer, which is pretty inflexible and difficult to achieve if we OOM while initializing a type descriptor. The attached patch changes things so that an empty trace list is indicated by the trace list slot still having its original undefined value.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8536544 - Flags: review?(sphink)
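As an added illustration of the contract change described in comment 4, not code from the patch or from SpiderMonkey: a toy model in which a descriptor's trace-list slot starts out undefined, the pre-fix finalizer reads it as a private pointer regardless, and the post-fix finalizer consults hasTraceList() first. Slot, Descriptor, createDescriptor and the finalize*() functions are simplified stand-ins for JS::Value, js::TypeDescr and TypeDescr::finalize.

```cpp
// Toy model, not SpiderMonkey code: stand-ins for JS::Value and js::TypeDescr.
#include <cstdint>
#include <vector>

// A reserved slot starts out undefined and may later hold a private pointer.
struct Slot {
    enum Kind { Undefined, Private };
    Kind kind = Undefined;
    void* ptr = nullptr;
    bool isUndefined() const { return kind == Undefined; }
    // The real toPrivate() decodes garbage bits from an undefined slot (hence the
    // invalid free); the model records the misuse and returns nullptr instead.
    void* toPrivate(bool* misused) const {
        if (kind != Private) { *misused = true; return nullptr; }
        return ptr;
    }
};

struct Descriptor {
    Slot traceListSlot;  // stand-in for JS_DESCR_SLOT_TRACE_LIST
    // The fix: a slot still holding its initial undefined value means "no list".
    bool hasTraceList() const { return !traceListSlot.isUndefined(); }
    std::vector<int32_t>* traceList(bool* misused) const {
        return static_cast<std::vector<int32_t>*>(traceListSlot.toPrivate(misused));
    }
};

// simulateOOM models the trace-list allocation failing after the descriptor
// object already exists, which leaves the slot undefined.
Descriptor* createDescriptor(bool simulateOOM) {
    Descriptor* d = new Descriptor;
    if (!simulateOOM)  // constructed sample: string/object/value offsets, -1 terminated
        d->traceListSlot = Slot{Slot::Private, new std::vector<int32_t>{8, -1, 16, -1, -1}};
    return d;
}

// Before the fix: the slot is always read as a (possibly null) private pointer.
// Returns true if a pointer was read from a slot that never held one.
bool finalizeBefore(Descriptor* d) {
    bool misused = false;
    delete d->traceList(&misused);
    delete d;
    return misused;
}
// After the fix: the slot is read only when hasTraceList() says it was set.
bool finalizeAfter(Descriptor* d) {
    bool misused = false;
    if (d->hasTraceList()) delete d->traceList(&misused);
    delete d;
    return misused;
}
```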
Comment 5 (10 years ago)
Comment on attachment 8536544 [details] [diff] [review]
patch

Review of attachment 8536544 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/builtin/TypedObject.h
@@ +183,5 @@
> // The list is three consecutive arrays of int32_t offsets, with each array
> // terminated by -1. The arrays store offsets of string, object, and value
> // references in the descriptor, in that order.
> + bool hasTraceList() const {
> + return !getFixedSlot(JS_DESCR_SLOT_TRACE_LIST).isUndefined();

getFixedSlot here, getReservedSlot in traceList(). I assume these can both be getFixedSlot then? I see 5 uses of *ReservedSlot for JS_DESCR_SLOT_TRACE_LIST, and I assume the other slots are handled similarly. Different bug, though.
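Review bot: the comment block in the js/src/builtin/TypedObject.h @@ +183,5 @@ hunk documents the trace list's layout but not the new sentinel, so a reader of traceList() has nothing telling them that an undefined JS_DESCR_SLOT_TRACE_LIST means "no trace list" and must be checked via hasTraceList() before the slot is read as a private pointer. Suggest extending that comment, e.g. `// The slot keeps its initial undefined value when the descriptor has no trace list (including after OOM during initialization); callers must test hasTraceList() before reading it.`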
Attachment #8536544 - Flags: review?(sphink) → review+
Comment 6 (10 years ago)
This bug is btw a good example of why not fixing bug 915336 is a big problem: the stacks in this bug and bug 915336 are not distinguishable with any signatures. Only the fact that this particular issue also crashes (differently) makes it visible to us in fuzz testing. So if anyone wants to jump at bug 915336, that'd be great for making issues like this more visible to us.
Comment 7 (Assignee, 10 years ago)
https://hg.mozilla.org/integration/mozilla-inbound/rev/571e6519a2a6
Comment 8 (10 years ago)
https://hg.mozilla.org/mozilla-central/rev/571e6519a2a6
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37