Closed Bug 1127303 Opened 5 years ago Closed 5 years ago

Crash [@ get] through [@ js::types::ConstraintTypeSet::sweep] with infinite recursion

Categories

(Core :: JavaScript Engine, defect, critical)

x86
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla38
Tracking Status
firefox38 --- fixed

People

(Reporter: decoder, Assigned: bhackett)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision fc21937ca612 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with no options):

function test1() {}
function test() { test1.call(this); }
// Build a singly linked chain of 512K - 1 objects. Each link is created by a
// fresh anonymous constructor, so each link gets its own type object, and the
// type set of its .next property names the following link's type object; that
// is the chain the sweep in the backtrace below walks.
var length = 512 * 1024 - 1;
var obj = new test();
for (var i = 0; i < length; i++) {
  obj.next = new (function () {})();
  obj = obj.next;
}

Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x081e74a1 in get (this=<optimized out>) at ../../dist/include/mozilla/ThreadLocal.h:140
#1  js::CurrentThreadIsIonCompiling () at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/gc/Barrier.cpp:67
#2  0x0811627c in js::gc::TenuredCell::readBarrier (thing=0xf4859010) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/gc/Heap.h:1350
#3  0x085e5f1a in js::types::TypeObjectKey::asTypeObject (this=0xf4859010) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsinferinlines.h:113
#4  0x085f5fa3 in js::types::ConstraintTypeSet::sweep (this=0xd1e895c, zone=0xb0b9b00, oom=...) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsinfer.cpp:4764
#5  0x0858edd5 in js::types::TypeObject::maybeSweep (this=this@entry=0xf4855fe8, oom=0xff543134, oom@entry=0x0) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsinfer.cpp:4905
#6  0x083231aa in flags (this=0xf4855fe8) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsinfer.h:1096
#7  js::types::TypeObject::unknownProperties (this=0xf4855fe8) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsinfer.h:1220
#8  0x085f5fab in js::types::ConstraintTypeSet::sweep (this=0xd1e894c, zone=0xb0b9b00, oom=...) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsinfer.cpp:4764
#9  0x0858edd5 in js::types::TypeObject::maybeSweep (this=this@entry=0xf4855fd0, oom=0xff543234, oom@entry=0x0) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsinfer.cpp:4905
#10 0x083231aa in flags (this=0xf4855fd0) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsinfer.h:1096
#11 js::types::TypeObject::unknownProperties (this=0xf4855fd0) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsinfer.h:1220
[...]
#127 js::types::TypeObject::unknownProperties (this=0xf4855d18) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsinfer.h:1220
eax	0x0	0
ebx	0x95bca38	157010488
ecx	0xb202	45570
edx	0xf4859010	-192573424
esi	0xf4859010	-192573424
edi	0xf4859010	-192573424
ebp	0xff543008	4283707400
esp	0xff542ff0	4283707376
eip	0x81e74a1 <js::CurrentThreadIsIonCompiling()+33>
=> 0x81e74a1 <js::CurrentThreadIsIonCompiling()+33>:	mov    %eax,(%esp)
   0x81e74a4 <js::CurrentThreadIsIonCompiling()+36>:	call   0x804ad70 <pthread_getspecific@plt>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/f8d8f84fc7bf
user:        Brian Hackett
date:        Mon Jan 26 08:17:45 2015 -0700
summary:     Bug 1124651 - Make sure type sets with unknown-properties objects are marked as unknown if those objects are swept, r=jandem.

This iteration took 568.631 seconds to run.
Flags: needinfo?(bhackett1024)
Attached patch: patch
This isn't actually infinite recursion, the problem is that sweeping one object group can trigger sweeping of another object group, with no limit to the length of such chains or checks on our stack depth.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8561339 - Flags: review?(jdemooij)
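The chained sweep described in the comment above, as a constructed C++ model added here (not SpiderMonkey code): each group is lazily swept on first use after a GC, and the eager variant, which reads a neighbour's flags through flags(), nests one maybeSweep call per link of the chain, while reading the flag word without the generation check keeps the nesting at one. The names Group, Zone, sweepChain and the single-object type set are simplifications assumed for the model.

```cpp
// Constructed model of the chained sweep this bug describes, not SpiderMonkey
// code: a "group" is lazily swept on first use after a GC, and sweeping its
// type set consults the one group that set references.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

constexpr uint32_t UNKNOWN_PROPERTIES = 1u << 0;

struct Group {
    uint32_t flags_ = 0;
    unsigned generation = 0;      // GC generation this group was last swept in
    Group* referenced = nullptr;  // the single object in this group's type set
    bool typeSetUnknown = false;
};

struct Zone {
    unsigned gcGeneration = 0;
    bool eager = false;           // true: sweep reads neighbour flags via flags()
    int depth = 0, maxDepth = 0;  // nesting of maybeSweep, the quantity at issue

    // flags() first brings the group up to date, as in the backtrace
    // (flags -> maybeSweep -> ConstraintTypeSet::sweep).
    uint32_t flags(Group* g) { maybeSweep(g); return g->flags_; }
    // The alternative the patch introduces: read the flag word as it is.
    uint32_t flagsDontCheckGeneration(Group* g) { return g->flags_; }

    void maybeSweep(Group* g) {
        if (g->generation == gcGeneration) return;
        g->generation = gcGeneration;
        depth++; maxDepth = std::max(maxDepth, depth);
        if (Group* r = g->referenced) {
            uint32_t f = eager ? flags(r) : flagsDontCheckGeneration(r);
            if (f & UNKNOWN_PROPERTIES) g->typeSetUnknown = true;
        }
        depth--;
    }
};

// Build n groups where group i references group i+1 (like the obj.next chain in
// the testcase), run a GC, sweep the head and report the deepest nesting seen.
int sweepChain(std::size_t n, bool eager) {
    std::vector<Group> groups(n);
    for (std::size_t i = 0; i + 1 < n; i++) groups[i].referenced = &groups[i + 1];
    groups[n - 1].flags_ = UNKNOWN_PROPERTIES;
    Zone zone; zone.eager = eager;
    zone.gcGeneration = 1;        // a GC just happened: every group is stale
    zone.maybeSweep(&groups[0]);
    return zone.maxDepth;
}
```

With the real testcase the chain is 512K - 1 links long, so the eager variant's nesting grows with the program's data rather than with any fixed bound, which is what exhausts the stack.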
Comment on attachment 8561339 [details] [diff] [review]
patch

Review of attachment 8561339 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/vm/ObjectGroup.h
@@ +394,5 @@
>      }
>  
> +    bool unknownPropertiesDontCheckGeneration() {
> +        MOZ_ASSERT_IF(flagsDontCheckGeneration() & OBJECT_FLAG_UNKNOWN_PROPERTIES,
> +                      hasAllFlags(OBJECT_FLAG_DYNAMIC_MASK));
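
Review bot: the assertion in unknownPropertiesDontCheckGeneration() mixes the two flag accessors: its condition reads flagsDontCheckGeneration(), but the consequent goes through hasAllFlags(), which reads flags() and can therefore still call maybeSweep() on a group whose generation is stale (the flags -> maybeSweep -> ConstraintTypeSet::sweep path in the backtrace), which is the re-entrancy the DontCheckGeneration variant exists to avoid. Express the consequent on the unchecked word as well, e.g. `(flagsDontCheckGeneration() & OBJECT_FLAG_DYNAMIC_MASK) == OBJECT_FLAG_DYNAMIC_MASK`, and add a comment on the new method stating that it is only for callers that are themselves in the middle of sweeping and must not trigger a sweep of another group.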

hasAllFlags also calls flags() instead of flagsDontCheckGeneration().
Attachment #8561339 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/94441f9274e8
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38