Closed Bug 1140643 Opened 5 years ago Closed 5 years ago

Assertion failure: !(IsScriptAboutToBeFinalized(&iter->script)), at js/src/jit/JitcodeMap.cpp:875 with OOM

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla39
Tracking Status
firefox37 --- unaffected
firefox38 --- unaffected
firefox39 --- verified
firefox-esr31 --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- unaffected
b2g-master --- fixed

People

(Reporter: decoder, Assigned: shu)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 0189941a3fd5 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --ion-offthread-compile=off --ion-eager):

enableSPSProfiling();   // profiler on: Ion code is registered in the JitcodeGlobalTable
loadFile('\
for (var i = 0; i < 2; i++) {\
    obj = { m: function () {} };\
    obj.watch("m", function () { float32 = 0 + obj.foo; });\
    obj.m = 0;\
}\
');
// Lower the heap limit so the next allocation trips a last-ditch GC
gcparam("maxBytes", gcparam("gcBytes") + (1)*1024);
newGlobal("same-compartment");   // this allocation runs the GC that sweeps the table (see backtrace)
// Called above before its definition; function declarations are hoisted, so this works
function loadFile(lfVarx) {
  evaluate(lfVarx, { noScriptRval : true, compileAndGo : true });
}



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000862f31 in js::jit::JitcodeGlobalEntry::IonEntry::sweep (this=this@entry=0x1b28e28) at js/src/jit/JitcodeMap.cpp:875
875	            MOZ_ALWAYS_FALSE(IsScriptAboutToBeFinalized(&iter->script));
#0  0x0000000000862f31 in js::jit::JitcodeGlobalEntry::IonEntry::sweep (this=this@entry=0x1b28e28) at js/src/jit/JitcodeMap.cpp:875
#1  0x00000000008c462a in js::jit::JitcodeGlobalEntry::sweep (this=this@entry=0x1b28e20) at js/src/jit/JitcodeMap.h:838
#2  0x00000000008828d8 in js::jit::JitcodeGlobalTable::sweep (this=<optimized out>, rt=<optimized out>) at js/src/jit/JitcodeMap.cpp:794
#3  0x0000000000aa4bee in js::gc::GCRuntime::beginSweepingZoneGroup (this=this@entry=0x1a126c8) at js/src/jsgc.cpp:5042
#4  0x0000000000aa66ba in js::gc::GCRuntime::beginSweepPhase (this=this@entry=0x1a126c8, lastGC=lastGC@entry=false) at js/src/jsgc.cpp:5198
#5  0x0000000000abd373 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x1a126c8, budget=..., reason=reason@entry=JS::gcreason::LAST_DITCH) at js/src/jsgc.cpp:5937
#6  0x0000000000abe0d6 in js::gc::GCRuntime::gcCycle (this=this@entry=0x1a126c8, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::LAST_DITCH) at js/src/jsgc.cpp:6126
#7  0x0000000000abe40d in js::gc::GCRuntime::collect (this=this@entry=0x1a126c8, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::LAST_DITCH) at js/src/jsgc.cpp:6238
#8  0x0000000000abf6da in js::gc::GCRuntime::gc (this=0x1a126c8, gckind=<optimized out>, reason=JS::gcreason::LAST_DITCH) at js/src/jsgc.cpp:6299
#9  0x0000000000550eb7 in GCIfNeeded (cx=0x1a4afd0) at js/src/gc/Allocator.cpp:99
#10 CheckAllocatorState<(js::AllowGC)1> (cx=0x1a4afd0, kind=js::gc::FINALIZE_BASE_SHAPE) at js/src/gc/Allocator.cpp:113
#11 0x00000000005a6f03 in js::Allocate<js::BaseShape, (js::AllowGC)1> (cx=0x1a4afd0) at js/src/gc/Allocator.cpp:242
#12 0x0000000000669484 in js::BaseShape::getUnowned (cx=cx@entry=0x1a4afd0, base=...) at js/src/vm/Shape.cpp:1377
#13 0x0000000000669854 in js::EmptyShape::getInitialShape (cx=0x1a4afd0, clasp=0x19a4c00, proto=..., parent=<optimized out>, metadata=0x0, nfixed=16, objectFlags=0) at js/src/vm/Shape.cpp:1668
#14 0x0000000000a71ad7 in NewObject (cx=0x1a4afd0, group=0x7ffff4776040, parent=..., kind=js::gc::FINALIZE_OBJECT16_BACKGROUND, newKind=js::SingletonObject) at js/src/jsobj.cpp:1196
#15 0x0000000000a7495c in js::NewObjectWithGivenTaggedProto (cxArg=0x1a4afd0, clasp=0x19a4c00, proto={static LazyProto = , proto = 0x0}, parentArg=..., allocKind=js::gc::FINALIZE_OBJECT16_BACKGROUND, newKind=js::SingletonObject) at js/src/jsobj.cpp:1282
#16 0x00000000005c3ebe in NewObjectWithGivenProto (newKind=js::SingletonObject, parent=..., proto=..., clasp=0x19a4c00, cx=0x1a4afd0) at js/src/jsobjinlines.h:629
#17 js::GlobalObject::createInternal (cx=cx@entry=0x1a4afd0, clasp=clasp@entry=0x19a4c00) at js/src/vm/GlobalObject.cpp:241
#18 0x00000000005c4115 in js::GlobalObject::new_ (cx=0x1a4afd0, clasp=0x19a4c00, principals=<optimized out>, hookOption=JS::DontFireOnNewGlobalHook, options=...) at js/src/vm/GlobalObject.cpp:295
#19 0x0000000000a06bb6 in JS_NewGlobalObject (cx=0x1a4afd0, clasp=0x19a4c00, principals=0x0, hookOption=JS::DontFireOnNewGlobalHook, options=...) at js/src/jsapi.cpp:1797
#20 0x000000000040b230 in NewGlobalObject (cx=cx@entry=0x1a4afd0, options=..., principals=principals@entry=0x0) at js/src/shell/js.cpp:5679
#21 0x0000000000412cc0 in NewGlobal (cx=0x1a4afd0, argc=<optimized out>, vp=0x7fffffffca78) at js/src/shell/js.cpp:4032
#22 0x0000000000613914 in js::CallJSNative (cx=0x1a4afd0, native=0x412c40 <NewGlobal(JSContext*, unsigned int, jsval*)>, args=...) at js/src/jscntxtinlines.h:226
#23 0x00000000005fa300 in js::Invoke (cx=cx@entry=0x1a4afd0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
#24 0x00000000005fb1a4 in js::Invoke (cx=0x1a4afd0, thisv=..., fval=..., argc=1, argv=<optimized out>, rval=JSVAL_VOID) at js/src/vm/Interpreter.cpp:554
#25 0x000000000080c08f in js::jit::DoCallFallback (cx=0x1a4afd0, frame=0x7fffffffcf08, stub_=<optimized out>, argc=1, vp=0x7fffffffceb8, res=JSVAL_VOID) at js/src/jit/BaselineIC.cpp:9648
[...]
#48 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x1b44950	28592464
rcx	0x7ffff6cb2f4d	140737333899085
rdx	0x0	0
rsi	0x7ffff6f86a80	140737336863360
rdi	0x7ffff6f85180	140737336856960
rbp	0x7fffffffb110	140737488335120
rsp	0x7fffffffb100	140737488335104
r8	0x7ffff7fe8740	140737354041152
r9	0x72746e65632d616c	8247338199356891500
r10	0x7fffffffae90	140737488334480
r11	0x7ffff6c3a940	140737333406016
r12	0x1b28e28	28479016
r13	0x7fffffffb160	140737488335200
r14	0x1a126c8	27338440
r15	0x1a126c8	27338440
rip	0x862f31 <js::jit::JitcodeGlobalEntry::IonEntry::sweep()+225>
=> 0x862f31 <js::jit::JitcodeGlobalEntry::IonEntry::sweep()+225>:	movl   $0x36b,0x0
   0x862f3c <js::jit::JitcodeGlobalEntry::IonEntry::sweep()+236>:	callq  0x404ac0 <abort@plt>


Marking s-s because this is GC-related and the assertion doesn't sound harmless.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150304221940" and the hash "be76c67b791a".
The "bad" changeset has the timestamp "20150304231536" and the hash "33e37e4feb3f".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=be76c67b791a&tochange=33e37e4feb3f
Shu-yu, is bug 1137780 a likely regressor?
Blocks: 1137780
Flags: needinfo?(shu)
Keywords: sec-high
Flags: needinfo?(shu)
Comment on attachment 8575653 [details] [diff] [review]
JitcodeGlobalMap marking must participate in iterative weak reference marking.

Review of attachment 8575653 [details] [diff] [review]:
-----------------------------------------------------------------

Egads! Watchpoints!
Attachment #8575653 - Flags: review?(terrence) → review+
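A toy model of the fix named in the attachment title, added here as an example. It is not SpiderMonkey's code: the heap cells (global, code1, script1, watchpoint, obj, code2, script2), the edge layout and the table shape are all constructed; the watch-handler edge only mirrors the obj.watch() call in the reproducer. It shows why a weakly keyed jitcode -> script table marked in a single pass can leave a live entry pointing at an unmarked script (the condition the IsScriptAboutToBeFinalized assertion checks at sweep), and why marking the table to a fixed point avoids that.

```cpp
// Added example, not SpiderMonkey's code: a toy mark phase with a weakly keyed
// jitcode -> script table, showing why the table must be marked iteratively
// (to a fixed point) rather than in one pass. All names here are constructed.
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

struct Heap {
    // Strong edges between heap cells (cell -> cells it references).
    std::map<std::string, std::vector<std::string>> edges;
    // Weakly keyed table entries: a script is kept alive only while its
    // jitcode key is alive. Kept as a vector because the collector does not
    // control the order in which keys become marked.
    std::vector<std::pair<std::string, std::string>> table;
    std::vector<std::string> roots;
};

// Mark `cell` and everything strongly reachable from it.
static void markStrongly(const Heap& h, const std::string& cell,
                         std::set<std::string>& marked) {
    if (!marked.insert(cell).second) return;  // already marked
    auto it = h.edges.find(cell);
    if (it == h.edges.end()) return;
    for (const auto& child : it->second) markStrongly(h, child, marked);
}

// One pass over the weak table: an entry whose key is marked gets its
// value marked. Returns true if this pass marked something new.
static bool markTableOnce(const Heap& h, std::set<std::string>& marked) {
    bool changed = false;
    for (const auto& entry : h.table) {
        if (marked.count(entry.first) && !marked.count(entry.second)) {
            markStrongly(h, entry.second, marked);
            changed = true;
        }
    }
    return changed;
}

// Mark from the roots, then mark the weak table either once (the buggy
// shape) or until no pass discovers anything new (iterative weak marking).
std::set<std::string> mark(const Heap& h, bool iterative) {
    std::set<std::string> marked;
    for (const auto& r : h.roots) markStrongly(h, r, marked);
    if (iterative) {
        while (markTableOnce(h, marked)) {}
    } else {
        markTableOnce(h, marked);
    }
    return marked;
}

// The sweep-time invariant behind the assertion in the report: no surviving
// entry may point at a script that is about to be finalized (unmarked).
bool sweepInvariantHolds(const Heap& h, const std::set<std::string>& marked) {
    for (const auto& entry : h.table) {
        if (marked.count(entry.first) && !marked.count(entry.second)) return false;
    }
    return true;
}

// Constructed heap: script1 is reachable only through the table entry for
// code1, and script1 keeps a watchpoint alive whose handler object holds
// code2. code2 is therefore only discovered to be live *while* the table is
// being marked, after its own entry has already been visited in this pass.
Heap buildHeap() {
    Heap h;
    h.roots = {"global"};
    h.edges["global"] = {"code1"};
    h.edges["script1"] = {"watchpoint"};
    h.edges["watchpoint"] = {"obj"};
    h.edges["obj"] = {"code2"};
    h.table = {{"code2", "script2"}, {"code1", "script1"}};
    return h;
}

int main() {
    Heap h = buildHeap();
    std::printf("single pass: invariant %s\n",
                sweepInvariantHolds(h, mark(h, false)) ? "holds" : "VIOLATED");
    std::printf("iterative:   invariant %s\n",
                sweepInvariantHolds(h, mark(h, true)) ? "holds" : "VIOLATED");
    return 0;
}
```

With a single pass the entry for code2 is visited before code2 is marked, so script2 stays unmarked while its key survives; the sweep then sees exactly the state the assertion rejects. Looping markTableOnce until it reports no change makes the result independent of visit order, which is the property iterative weak-reference marking provides.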
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision b574129dcac0).
https://hg.mozilla.org/mozilla-central/rev/86c3fb9ff541
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security