1139466 - Crash since backtracking allocator

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Paul Rouget [:paul]]

With JS_GC_ZEAL=7.
B2G Desktop.
I run this app: https://github.com/mozilla/browser.html

The STR might be a bit difficult, I will try to build a test case.

Crashes have started right after bug 826741 landed.

Comment 1

[Paul Rouget [:paul]]

* thread #1: tid = 0x1cecb4, 0x0000000105a53534 XUL`js::jit::AssertValidObjectPtr(JSContext*, JSObject*) [inlined] js::ObjectGroup::compartment(this=0x2b2b2b2b2b2b2b2b) const at ObjectGroup.h:199, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
    frame #0: 0x0000000105a53534 XUL`js::jit::AssertValidObjectPtr(JSContext*, JSObject*) [inlined] js::ObjectGroup::compartment(this=0x2b2b2b2b2b2b2b2b) const at ObjectGroup.h:199
   196      }
   197
   198      JSCompartment *compartment() const {
-> 199          return compartment_;
   200      }
   201
   202    private:
(lldb) bt
* thread #1: tid = 0x1cecb4, 0x0000000105a53534 XUL`js::jit::AssertValidObjectPtr(JSContext*, JSObject*) [inlined] js::ObjectGroup::compartment(this=0x2b2b2b2b2b2b2b2b) const at ObjectGroup.h:199, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x0000000105a53534 XUL`js::jit::AssertValidObjectPtr(JSContext*, JSObject*) [inlined] js::ObjectGroup::compartment(this=0x2b2b2b2b2b2b2b2b) const at ObjectGroup.h:199
    frame #1: 0x0000000105a53534 XUL`js::jit::AssertValidObjectPtr(JSContext*, JSObject*) [inlined] JSObject::compartment(this=0x000000010ddc1b70) const + 3 at jsobj.h:172
    frame #2: 0x0000000105a53531 XUL`js::jit::AssertValidObjectPtr(cx=0x000000011c2d9740, obj=0x000000010ddc1b70) + 17 at VMFunctions.cpp:1143
    frame #3: 0x000000011f1a5115
    frame #4: 0x000000010589a73f XUL`js::jit::IonCannon(JSContext*, js::RunState&) [inlined] EnterIon(data=0x0000000128041d60) + 24 at Ion.cpp:2375
    frame #5: 0x000000010589a727 XUL`js::jit::IonCannon(cx=0x0000000000000003, state=0x00007fff5fbf1590) + 631 at Ion.cpp:2457
    frame #6: 0x000000010557a27a XUL`js::RunScript(cx=0x000000011c2d9740, state=0x00007fff5fbf1478) + 202 at Interpreter.cpp:428
    frame #7: 0x0000000105569921 XUL`js::Invoke(cx=0x000000011c2d9740, args=CallArgs at 0x00007fff5fbf1500, construct=<unavailable>) + 641 at Interpreter.cpp:517
    frame #8: 0x0000000105b69dfd XUL`js::CallOrConstructBoundFunction(cx=0x000000011c2d9740, argc=<unavailable>, vp=0x00007fff5fbf1698) + 829 at jsfun.cpp:1600
    frame #9: 0x000000011fdf8f59

Comment 2

[Jan de Mooij [:jandem]]

Do you get any assertion failures in debug builds?

Comment 3

[Paul Rouget [:paul]]

Nothing obvious. Maybe:

[26858] WARNING: XPCOM objects created/destroyed from static ctor/dtor: file /Users/paul/mozilla/gecko-projects/xpcom/base/nsTraceRefcnt.cpp, line 138
[26858] WARNING: XPCOM objects created/destroyed from static ctor/dtor: file /Users/paul/mozilla/gecko-projects/xpcom/base/nsTraceRefcnt.cpp, line 138
[26858] WARNING: XPCOM objects created/destroyed from static ctor/dtor: file /Users/paul/mozilla/gecko-projects/xpcom/base/nsTraceRefcnt.cpp, line 138
[Parent 26855] WARNING: NS_ENSURE_TRUE(currentInner) failed: file /Users/paul/mozilla/gecko-projects/dom/base/nsGlobalWindow.cpp, line 8897
[Child 26858] WARNING: '!compMgr', file /Users/paul/mozilla/gecko-projects/xpcom/glue/nsComponentManagerUtils.cpp, line 63
[Child 26858] WARNING: NS_ENSURE_TRUE(svc) failed: file /Users/paul/mozilla/gecko-projects/dom/ipc/nsIContentChild.cpp, line 31
[Child 26858] WARNING: Error constructing actor PJavaScriptChild: file ./PContentChild.cpp, line 985

Comment 4

[Jan de Mooij [:jandem]]

This is a bit worrisome because it looks like some kind of GC hazard.

Comment 5

[Brian Hackett [Laid off!]]

Any STR?

Comment 6

[Paul Rouget [:paul]]

The STR are a bit complicated:
- clone https://github.com/mozilla/browser.html , checkout commit 6d1c1747d7e89e5f1f411ef30719215969ed254e
- npm install
- npm run server
- build larch branch: https://hg.mozilla.org/projects/larch with --enable-application=b2g/graphene
- JS_GC_ZEAL=7 ./mach run --start-manifest http://localhost:8080/manifest.webapp

Comment 7

[[:fabrice] Fabrice Desré]

Note that I reverted bug 826741 on larch: https://hg.mozilla.org/projects/larch/log/2c63dd19399d/js/src/jit/IonOptimizationLevels.cpp

Comment 8

[Brian Hackett [Laid off!]]

(In reply to Paul Rouget [:paul] from comment #6)
> The STR are a bit complicated:
> - clone https://github.com/mozilla/browser.html , checkout commit
> 6d1c1747d7e89e5f1f411ef30719215969ed254e
> - npm install
> - npm run server
> - build larch branch: https://hg.mozilla.org/projects/larch with
> --enable-application=b2g/graphene
> - JS_GC_ZEAL=7 ./mach run --start-manifest
> http://localhost:8080/manifest.webapp

What platform and configuration flags are you building the larch branch with?

Comment 9

[[:fabrice] Fabrice Desré]

I get it to crash on linux desktop, with --enable-application=b2g/graphene --enable-debug-symbols

Paul is using Mac afaik.

Comment 10

[Brian Hackett [Laid off!]]

I keep getting a crash in what looks like IPC code, like:

[Child 80375] WARNING: pipe error: Broken pipe: file /Users/bhackett/mozilla-larch/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 728
[Child 80375] ###!!! ABORT: ActorDestroy by IPC channel failure at LayerTransactionChild: file /Users/bhackett/mozilla-larch/gfx/layers/ipc/LayerTransactionChild.cpp, line 140
[Child 80375] ###!!! ABORT: Aborting on channel error.: file /Users/bhackett/mozilla-larch/ipc/glue/MessageChannel.cpp, line 1584
localhost:mozilla-larch bhackett$ #01: mozilla::ipc::MessageChannel::OnChannelErrorFromLink()[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x80e47a]
#01: mozilla::layers::LayerTransactionChild::ActorDestroy(mozilla::ipc::IProtocolManager<mozilla::ipc::IProtocol>::ActorDestroyReason)[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x159781b]
#02: mozilla::ipc::ProcessLink::OnChannelError()[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x80fd57]
#02: mozilla::layers::PLayerTransactionChild::DestroySubtree(mozilla::ipc::IProtocolManager<mozilla::ipc::IProtocol>::ActorDestroyReason)[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x9693d4]
#03: non-virtual thunk to mozilla::ipc::ProcessLink::OnChannelError()[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x80fd8c]
#03: mozilla::layers::PCompositorChild::DestroySubtree(mozilla::ipc::IProtocolManager<mozilla::ipc::IProtocol>::ActorDestroyReason)[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0xcc8086]
#04: IPC::Channel::ChannelImpl::OnFileCanWriteWithoutBlocking(int)[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x79192e]
#04: mozilla::layers::PCompositorChild::OnChannelError()[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0xcc827e]
#05: base::MessagePumpLibevent::OnLibeventNotification(int, short, void*)[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x77be67]
#05: mozilla::ipc::MessageChannel::NotifyMaybeChannelError()[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x80e5db]
#06: event_process_active_single_queue[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x75b09d]
#06: mozilla::ipc::MessageChannel::OnNotifyMaybeChannelError()[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x80e76e]
#07: event_process_active[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x756ccc]
#07: void DispatchToMethod<mozilla::ipc::MessageChannel, void (mozilla::ipc::MessageChannel::*)()>(mozilla::ipc::MessageChannel*, void (mozilla::ipc::MessageChannel::*)(), Tuple0 const&)[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x827af3]
#08: event_base_loop[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x755d7e]
#08: RunnableMethod<mozilla::ipc::MessageChannel, void (mozilla::ipc::MessageChannel::*)(), Tuple0>::Run()[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x8279ee]
#09: base::MessagePumpLibevent::Run(base::MessagePump::Delegate*)[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x77c4ec]
#09: MessageLoop::RunTask(Task*)[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x7a5110]
#10: MessageLoop::RunInternal()[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x7a4ff5]
#10: MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&)[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x7a568f]
#11: MessageLoop::RunHandler()[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x7a4f05]
#11: MessageLoop::DoWork()[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x7a58b4]
#12: MessageLoop::Run()[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x7a4ead]
#12: mozilla::ipc::DoWorkRunnable::Run()[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x810bb2]
#13: base::Thread::ThreadMain()[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x7c2b80]
#13: nsThread::ProcessNextEvent(bool, bool*)[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x186d48]
#14: ThreadFunc(void*)[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x77d96c]
#14: NS_ProcessPendingEvents(nsIThread*, unsigned int)[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x1e05aa]
#15: _pthread_body[/usr/lib/system/libsystem_pthread.dylib +0x1899]
#15: nsBaseAppShell::NativeEventCallback()[/Users/bhackett/mozilla-larch/ff-dbg/dist/B2GDebug.app/Contents/MacOS/XUL +0x36d7149]
#16: _pthread_struct_init[/usr/lib/system/libsystem_pthread.dylib +0x172a]
[Child 80375] ###!!! ABORT: Aborting on channel error.: file /Users/bhackett/mozilla-larch/ipc/glue/MessageChannel.cpp, line 1584
Hit MOZ_CRASH() at /Users/bhackett/mozilla-larch/memory/mozalloc/mozalloc_abort.cpp:37

How can I avoid this crash?

Comment 11

[Paul Rouget [:paul]]

That's new. Maybe disable IPC: pref("dom.ipc.tabs.disabled", true);
… in b2g/graphene/graphene.js

JS crash still happens with this pref.

Comment 12

[Brian Hackett [Laid off!]]

Attachment: patch

OK, thanks!

I'm able to reproduce the crash, and this patch should fix it.  The issue is related to bug 1128490, which had an incomplete fix.  It checks for the script's arguments aliasing its formals, but if the script is in strict mode then this flag is false even though the lazy arguments can still be accessed.  The testcase below crashes without this patch, though maybe it should wait on landing for a bit.

"use strict";

function isNotEmpty(obj) {
    for (var i = 0 ; i < arguments.length; i++) {
        minorgc();
        var o = arguments[i];
    }
};

for (var i = 0; i < 1000; ++i)
    isNotEmpty([1]);

Comment 13

[Jan de Mooij [:jandem]]

Comment on attachment 8575657 [details] [diff] [review]
patch

Review of attachment 8575657 [details] [diff] [review]:
-----------------------------------------------------------------

Ugh, good catch.

Comment 14

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/42406a61f30d

Comment 15

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/42406a61f30d

Comment 16

[[:fabrice] Fabrice Desré]

Ryan, any reason this has not been marked as fixed?

Comment 17

[Andrew McCreight [:mccr8]]

Security bugs are not automatically closed, and sometimes the sheriffs forget to close them.

Comment 18

[Andrew McCreight [:mccr8]]

Could you nominate this for Aurora, Brian?  Thanks.

Comment 19

[Brian Hackett [Laid off!]]

(In reply to Andrew McCreight [:mccr8] from comment #18)
> Could you nominate this for Aurora, Brian?  Thanks.

The backtracking allocator is only on by default in 39 per bug 826741.  While asm.js uses the backtracking allocator in older versions, it isn't affected by this bug.