1136597 - Crash [@ MarkInternal] or [@ js::gc::MarkCrossCompartmentObjectUnbarriered]

Status: RESOLVED FIXED

(Core :: JavaScript: GC, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

// jsfunfuzz-generated code
s = newGlobal()
evalcx('\
    function f(x) {\
        Math.i(x)\
    };\
    inputs = [ Boolean(), String(), { n() {} }, { n() {} },\
               /x/, { n() {} }, Number()\
    ];\
    for (var j = 0; j < 9999; ++j) {\
        try {\
            f()\
        } catch (e) {}\
    }\
    Map();\
    l = function() {};\
    m = function() {};\
    gcparam("maxBytes", gcparam("gcBytes") + 1);\
    newGlobal();\
', s);
// Randomly chosen test: js/src/jit-test/tests/debug/onExceptionUnwind-03.js
evalcx('    var g = newGlobal();\
    g.debuggeeGlobal = this;\
    g.eval("(" + function() {\
        dbg = new Debugger(debuggeeGlobal);\
        dbg.onExceptionUnwind = function(frame) {\
            for (var p = frame; p; p) {\
                p.callee + "f"\
            }\
        }\
    } + ")();");\
    (function() {\
        throw Error("a");\
    })();\
', s)

crashes js opt 32-bit shell on m-c changeset 0a8b3b67715a with --fuzzing-safe --no-threads --ion-eager at MarkInternal with js::gc::MarkCrossCompartmentObjectUnbarriered on the stack.

Configure options:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh ~/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --disable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--disable-debug --enable-more-deterministic --enable-nspr-build --32 -R ~/trees/mozilla-central" -r 0a8b3b67715a

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/55afade66202
user:        Jon Coppeard
date:        Mon Feb 23 10:06:02 2015 +0000
summary:     Bug 1134754 - Skip compacting zones when there is little benefit r=terrence

Jon, is bug 1134754 a likely regressor?

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

(lldb) bt 5
* thread #1: tid = 0x321684, 0x0010d94b js-32-dm-nsprBuild-darwin-0a8b3b67715a`void MarkInternal<JSObject>(JSTracer*, JSObject**) [inlined] js::gc::TenuredCell::zone() const + 2 at Heap.h:1328, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0010d94b js-32-dm-nsprBuild-darwin-0a8b3b67715a`void MarkInternal<JSObject>(JSTracer*, JSObject**) [inlined] js::gc::TenuredCell::zone() const + 2 at Heap.h:1328
    frame #1: 0x0010d949 js-32-dm-nsprBuild-darwin-0a8b3b67715a`void MarkInternal<JSObject>(JSTracer*, JSObject**) [inlined] JSObject::zone(this=0x02ad7020, this=<unavailable>) const at jsobj.h:292
    frame #2: 0x0010d949 js-32-dm-nsprBuild-darwin-0a8b3b67715a`void MarkInternal<JSObject>(trc=0x01824ca0, thingp=<unavailable>) + 89 at Marking.cpp:284
    frame #3: 0x00111b5d js-32-dm-nsprBuild-darwin-0a8b3b67715a`js::gc::MarkCrossCompartmentObjectUnbarriered(JSTracer*, JSObject*, JSObject**, char const*) [inlined] void js::gc::MarkUnbarriered<JSObject>(thingp=<unavailable>) + 61 at Marking.cpp:310
    frame #4: 0x00111b43 js-32-dm-nsprBuild-darwin-0a8b3b67715a`js::gc::MarkCrossCompartmentObjectUnbarriered(JSTracer*, JSObject*, JSObject**, char const*) [inlined] js::gc::MarkObjectUnbarriered(JSTracer*, JSObject**, char const*) at Marking.cpp:599
(lldb)

Comment 2

[Jon Coppeard (:jonco)]

Gary, how do I run that cross-compiled shell?  It built ok with the command given.

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Set the LD_LIBRARY_PATH to <your objdir>/dist/lib then execute the js shell ?

Comment 4

[Jon Coppeard (:jonco)]

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #3)
That doesn't work, I get:

~/work/dev/js/src$ LD_LIBRARY_PATH=~/work/dev/js/src/test-build/dist/lib ./test-build/js/src/shell/js
dyld: Library not loaded: @executable_path/libplds4.dylib
  Referenced from: /Users/jon/work/dev/js/src/./test-build/js/src/shell/js
  Reason: no suitable image found.  Did find:
	/usr/local/lib/libplds4.dylib: mach-o, but wrong architecture
Trace/BPT trap: 5

I also tried dist/sdk/lib as I can see that contains libplds4.dylib.

I tried to reproduce on 32-bit linux and that didn't work either.

Comment 5

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

I suppose you're on a recent Mac?

What if you set DYLD_LIBRARY_PATH instead? Or don't set anything?

Comment 6

[Jon Coppeard (:jonco)]

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #5)
Ah, DYLD_LIBRARY_PATH=test-build/dist/sdk/lib did the trick, thanks.  Reproduced at original changeset.

Comment 8

[Jon Coppeard (:jonco)]

Attachment: bug1136597-cross-compartment-debugger-marking

Now we don't always compact all collected zones we need to make sure cross compartment pointers in zones that are collected but not compacted get updated.

I also renamed the method to better reflect what it actually does.

Comment 9

[Terrence Cole [:terrence]]

Comment on attachment 8572017 [details] [diff] [review]
bug1136597-cross-compartment-debugger-marking

Review of attachment 8572017 [details] [diff] [review]:
-----------------------------------------------------------------

Makes sense.

Comment 10

[Jon Coppeard (:jonco)]

I'm replacing the test code with the testcase from bug 1137224 as this one fails with OOM on try.

Comment 11

[Jon Coppeard (:jonco)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/50913131140c

Comment 12

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/50913131140c