1145426 - Crash [@ js::jit::Simulator::instructionDecode] or Assertion failure: obj->compartment() == obj2->compartment(), at gc/Marking.cpp involving --unboxed-objects

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

// Randomly chosen test: js/src/tests/ecma_6/String/normalize-generateddata-input.js
[
    { a: [0], b: [0], c: [0], d: [0], e: [0] },
    { a: [0], b: [0], c: [0], d: [0], e: [0] },
    { a: [0], b: [0], c: [0], d: [0], e: [0] },
    { a: [0], b: [0], c: [0], d: [0], e: [0] },
    { a: [0], b: [0], c: [0], d: [0], e: [0] },
    { a: [0], b: [0], c: [0], d: [0], e: [0] },
    { a: [0], b: [0], c: [0], d: [0], e: [0] },
    { a: [0], b: [0], c: [0], d: [0], e: [0] },
    { a: [0], b: [0], c: [0], d: [0], e: [0] },
    { a: [0], b: [0], c: [0], d: [0], e: [0] },
    { a: [0], b: [0], c: [0], d: [0], e: [0] },
    { a: [0], b: [0], c: [0], d: [0], e: [0] },
    { a: [0], b: [0], c: [0], d: [0], e: [0] },
    { a: [0], b: [0], c: [0], d: [0], e: [0] },
    { a: [0], b: [0], c: [0], d: [0], e: [0] },
    { a: [0], b: [0], c: [0], d: [0], e: [0] },
    { a: [0], b: [0], c: [0], d: [0], e: [0] },
    { a: [0], b: [0], c: [0], d: [0], e: [0] },
    { a: [0], b: [0], c: [0], d: [0], e: [0] },
    { a: [0], b: [0], c: [0], d: [0], e: [0] },
    { a: [0], b: [0], c: [0], d: [0], e: [0] },
    { a: [0], b: [0], c: [0], d: [0], e: [0] }
];
gc();

asserts x86 js debug shell on m-c changeset cbd0efcd976c with --fuzzing-safe --no-threads --ion-eager --unboxed-objects at Assertion failure: obj->compartment() == obj2->compartment(), at gc/Marking.cpp and crashes js debug 32-bit ARM simulator builds at js::jit::Simulator::instructionDecode.

x86 configure options:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build --32" -r cbd0efcd976c

ARM simulator build configure options:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-arm-simulator --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build --32 --enable-arm-simulator" -r cbd0efcd976c

Setting needinfo? from Brian since this seems to involve --unboxed-objects.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack for x86 debug shell

(lldb) bt 5
* thread #1: tid = 0xd902d, 0x001d8efe js-dbg-32-dm-nsprBuild-darwin-cbd0efcd976c`js::GCMarker::processMarkStackTop(this=<unavailable>, budget=<unavailable>) + 2670 at Marking.cpp:1654, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x001d8efe js-dbg-32-dm-nsprBuild-darwin-cbd0efcd976c`js::GCMarker::processMarkStackTop(this=<unavailable>, budget=<unavailable>) + 2670 at Marking.cpp:1654
    frame #1: 0x001bee24 js-dbg-32-dm-nsprBuild-darwin-cbd0efcd976c`js::GCMarker::drainMarkStack(this=0x03039314, budget=0xbfffe688) + 68 at Marking.cpp:1787
    frame #2: 0x00808e4c js-dbg-32-dm-nsprBuild-darwin-cbd0efcd976c`js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason) [inlined] js::gc::GCRuntime::drainMarkStack(this=<unavailable>, sliceBudget=0xbfffe688, phase=<unavailable>) + 39 at jsgc.cpp:5043
    frame #3: 0x00808e25 js-dbg-32-dm-nsprBuild-darwin-cbd0efcd976c`js::gc::GCRuntime::incrementalCollectSlice(this=0x030315b0, budget=0xbfffe688, reason=<unavailable>) + 773 at jsgc.cpp:5731
    frame #4: 0x00809b8d js-dbg-32-dm-nsprBuild-darwin-cbd0efcd976c`js::gc::GCRuntime::gcCycle(this=0x030315b0, incremental=<unavailable>, budget=0xbfffe688, reason=<unavailable>) + 461 at jsgc.cpp:5952
(lldb)

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack for x86 ARM simulator shell

(lldb) bt 5
* thread #1: tid = 0xdb627, 0x006c9ed6 js-dbg-32-dm-nsprBuild-armSim-darwin-cbd0efcd976c`js::jit::Simulator::instructionDecode(js::jit::SimInstruction*) [inlined] js::jit::SimInstruction::instructionBits(this=0x00000000) const at Simulator-arm.cpp:126, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x006c9ed6 js-dbg-32-dm-nsprBuild-armSim-darwin-cbd0efcd976c`js::jit::Simulator::instructionDecode(js::jit::SimInstruction*) [inlined] js::jit::SimInstruction::instructionBits(this=0x00000000) const at Simulator-arm.cpp:126
    frame #1: 0x006c9ed6 js-dbg-32-dm-nsprBuild-armSim-darwin-cbd0efcd976c`js::jit::Simulator::instructionDecode(js::jit::SimInstruction*) [inlined] js::jit::SimInstruction::bitField(hi=<unavailable>, lo=<unavailable>) const at Simulator-arm.cpp:146
    frame #2: 0x006c9ed6 js-dbg-32-dm-nsprBuild-armSim-darwin-cbd0efcd976c`js::jit::Simulator::instructionDecode(js::jit::SimInstruction*) [inlined] js::jit::SimInstruction::conditionField() const at Simulator-arm.cpp:163
    frame #3: 0x006c9ed6 js-dbg-32-dm-nsprBuild-armSim-darwin-cbd0efcd976c`js::jit::Simulator::instructionDecode(this=0x02008800, instr=0x00000000) + 214 at Simulator-arm.cpp:4154
    frame #4: 0x0074e236 js-dbg-32-dm-nsprBuild-armSim-darwin-cbd0efcd976c`void js::jit::Simulator::execute<false>(this=0x02008800) + 134 at Simulator-arm.cpp:4233
(lldb)

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

I've disabled testing --unboxed-objects for now, due to this [fuzzblocker].

Comment 4

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/9083621b0e2e
user:        Brian Hackett
date:        Thu Mar 12 17:09:21 2015 -0600
summary:     Bug 1135897 - Use unboxed objects for JSON objects and constant literals embedded in scripts, r=jandem.

Is bug 1135897 a likely regressor?

Comment 5

[Brian Hackett [Laid off!]]

Attachment: patch

Comment 6

[Brian Hackett [Laid off!]]

Oh, the above patch just addresses the ARM crash, I didn't notice this was crashing x86 too.  I'll write a separate patch for that.

Comment 7

[Brian Hackett [Laid off!]]

Attachment: x86 patch

Comment 8

[Jan de Mooij [:jandem]]

Comment on attachment 8580638 [details] [diff] [review]
patch

Review of attachment 8580638 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/vm/UnboxedObject.cpp
@@ +245,1 @@
>      JitCode *code = linker.newCode<NoGC>(cx, OTHER_CODE);

Not for this patch but maybe we can add a new CodeKind value before we enable unboxed objects, for memory reporting?

Comment 9

[Brian Hackett [Laid off!]]

Both parts:

https://hg.mozilla.org/integration/mozilla-inbound/rev/66536c9de5ff

Comment 10

[Guilherme Lima]

This patch fixed all the tests that weren't running on AWFY on x86 (Kraken and Shumway)!

Comment 11

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/66536c9de5ff