Open Bug 1147837 Opened 9 years ago Updated 2 years ago

Trying to inspect any element on sparc64 with firefox 36.0.4 crashes

Categories

(Core :: JavaScript: GC, defect)

36 Branch
Sun
NetBSD
defect

People

(Reporter: martin, Unassigned)

Attachments

(1 file)

Right click on any element and select "Inspect Element" from the context menu:

Program received signal SIGSEGV, Segmentation fault.
[Switching to LWP 1]
storeBuffer (this=0x7fffffff97f8) at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/gc/Heap.h:1233
1233        return chunk()->info.trailer.storeBuffer;
(gdb) p *this
Cannot access memory at address 0x7fffffff97f8
(gdb) bt
#0  storeBuffer (this=0x7fffffff97f8) at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/gc/Heap.h:1233
#1  post (kind=js::HeapSlot::Slot, target=..., slot=0, owner=0x70000048710, this=0x70000048730)
    at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/gc/Barrier.h:925
#2  set (v=..., slot=0, kind=js::HeapSlot::Slot, owner=0x70000048710, this=0x70000048730)
    at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/gc/Barrier.h:903
#3  js::NativeObject::setSlot (this=0x70000048710, slot=<optimized out>, value=...)
    at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/vm/NativeObject.h:796
#4  0xfffffffffe4eb82c in setSlotWithType (overwriting=false, value=..., shape=0x6fffe57e9c0, 
    cx=0xffffffffeefd4120, this=0x70000048710)
    at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/vm/NativeObject-inl.h:364
#5  UpdateShapeTypeAndValue<(js::ExecutionMode)0> (cx=cx@entry=0xffffffffeefd4120, obj=0x70000048710, 
    shape=0x6fffe57e9c0, value=...) at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/vm/NativeObject.cpp:1162
#6  0xfffffffffe5020f4 in DefinePropertyOrElement<(js::ExecutionMode)0> (cx=cx@entry=0xffffffffeefd4120, obj=..., 
    id=..., getter=
    0xfffffffffe3ae0a0 <JS_PropertyStub(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>)>, 
    setter=0xfffffffffe3ae0c0 <JS_StrictPropertyStub(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, bool, JS::MutableHandle<JS::Value>)>, attrs=<optimized out>, value=..., 
    callSetterAfterwards=<error reading variable: can't compute CFA for this frame>, 
    setterIsStrict=<error reading variable: can't compute CFA for this frame>)
    at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/vm/NativeObject.cpp:1276
#7  0xfffffffffe50282c in js::DefineNativeProperty (cx=0xffffffffeefd4120, obj=..., id=..., value=..., 
    getter=0xfffffffffe3ae0a0 <JS_PropertyStub(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>)>, 
    setter=0xfffffffffe3ae0c0 <JS_StrictPropertyStub(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, bool, JS::MutableHandle<JS::Value>)>, attrs=<optimized out>)
    at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/vm/NativeObject.cpp:1525
#8  0xfffffffffe4c5184 in Interpret (cx=0xffffffffeefd4120, state=...)
    at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/vm/Interpreter.cpp:3170
#9  0xfffffffffe4c9914 in js::RunScript (cx=cx@entry=0xffffffffeefd4120, state=...)
    at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/vm/Interpreter.cpp:434
#10 0xfffffffffe4c9b14 in js::Invoke (cx=cx@entry=0xffffffffeefd4120, 
    args=<error reading variable: can't compute CFA for this frame>, construct=construct@entry=js::NO_CONSTRUCT)
    at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/vm/Interpreter.cpp:503
#11 0xfffffffffe41b750 in js::CallOrConstructBoundFunction (cx=0xffffffffeefd4120, argc=<optimized out>, 
    vp=0xffffffffffff7d88) at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/jsfun.cpp:1579
#12 0xfffffffffe4c9c4c in CallJSNative (args=..., 
    native=0xfffffffffe41b520 <js::CallOrConstructBoundFunction(JSContext*, unsigned int, JS::Value*)>, 
    cx=0xffffffffeefd4120) at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/jscntxtinlines.h:231
#13 js::Invoke (cx=cx@entry=0xffffffffeefd4120, args=<error reading variable: can't compute CFA for this frame>, 
    construct=construct@entry=js::NO_CONSTRUCT)
    at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/vm/Interpreter.cpp:484
#14 0xfffffffffe4281ec in js_fun_apply (cx=0xffffffffeefd4120, argc=<optimized out>, vp=0xffffffffee51c128)
    at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/jsfun.cpp:1319
#15 0xfffffffffe4c9c4c in CallJSNative (args=..., 
    native=0xfffffffffe427ee0 <js_fun_apply(JSContext*, unsigned int, JS::Value*)>, cx=0xffffffffeefd4120)
    at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/jscntxtinlines.h:231
#16 js::Invoke (cx=0xffffffffeefd4120, args=<error reading variable: can't compute CFA for this frame>, 
    construct=<optimized out>) at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/vm/Interpreter.cpp:484
#17 0xfffffffffe4c6608 in Interpret (cx=0xffffffffeefd4120, state=...)
    at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/vm/Interpreter.cpp:2541
#18 0xfffffffffe4c9914 in js::RunScript (cx=cx@entry=0xffffffffeefd4120, state=...)
    at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/vm/Interpreter.cpp:434
#19 0xfffffffffe4c9b14 in js::Invoke (cx=cx@entry=0xffffffffeefd4120, 
    args=<error reading variable: can't compute CFA for this frame>, construct=construct@entry=js::NO_CONSTRUCT)
    at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/vm/Interpreter.cpp:503
#20 0xfffffffffe4cbf78 in js::Invoke (cx=cx@entry=0xffffffffeefd4120, thisv=..., fval=..., argc=<optimized out>, 
    argv=<optimized out>, rval=...) at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/vm/Interpreter.cpp:540
#21 0xfffffffffe3cd75c in JS_CallFunctionValue (cx=cx@entry=0xffffffffeefd4120, obj=..., fval=..., args=..., 
    rval=...) at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/jsapi.cpp:4934
#22 0xfffffffff8a1452c in nsXPCWrappedJSClass::CallMethod (this=0xffffffffed724580, wrapper=<optimized out>, 
    methodIndex=<optimized out>, info_=0xffffffffef6af2e8, nativeParams=0xffffffffffff9520)
    at /usr/pkgobj/www/firefox/work/mozilla-release/js/xpconnect/src/XPCWrappedJSClass.cpp:1187
#23 0xfffffffff89fe124 in nsXPCWrappedJS::CallMethod (this=0xffffffffe9d924e0, methodIndex=<optimized out>, 
    info=0xffffffffef6af2e8, params=0xffffffffffff9520)
    at /usr/pkgobj/www/firefox/work/mozilla-release/js/xpconnect/src/XPCWrappedJS.cpp:532
#24 0xfffffffff8483890 in PrepareAndDispatch (self=0xffffffffeca1a9c0, methodIndex=<optimized out>, 
    args=<optimized out>)
    at /usr/pkgobj/www/firefox/work/mozilla-release/xpcom/reflect/xptcall/md/unix/xptcstubs_sparc64_openbsd.cpp:78
#25 0xfffffffff8485990 in SharedStub ()
    at /usr/pkgobj/www/firefox/work/mozilla-release/xpcom/reflect/xptcall/md/unix/xptcstubs_asm_sparc64_netbsd.s:57

Will analyze in more detail later.

Did we inadvertently assume little-endian somewhere in the GC?
Flags: needinfo?(terrence)

I guess that would have triggered earlier - I have been using FF 36 for a week or so and this is the first crash I've run into. Will debug it in more detail, but can't just right now (I hope for the weekend).
(In reply to Nathan Froyd [:froydnj] [:nfroyd] from comment #1)
> Did we inadvertently assume little-endian somewhere in the GC?

This code runs thousands of times a second, so I'd guess it's as Martin says and this would have fallen over much earlier if we had made that sort of assumption.

There's definitely something fishy going on here though. The code in question is slot.set(obj) -- to implement the barrier we do obj->chunk()->stuff. |obj->chunk()| is an address computation that masks off ChunkMask to get the aligned ChunkSize allocation (typically 1MiB). This particular obj->chunk()->stuff is accessing the second to last word, so the address that we /should/ be crashing on is 0x<something>fff8. First, the fact that it's 0x<something>97f8 is really weird and could indicate some wrongness itself. The second weird thing is that, at least on linux, this is within the top 1MiB, which means the address we're pointing at should not be mappable via mmap as it would conflict with the process stack. Though I guess this is probably different on Illumos (or whatever Oracle zombie this is running under).

TLDR; something weird is going on but it's hard to tell what at this point.
Component: JavaScript Engine → JavaScript: GC
Flags: needinfo?(terrence)

Trying to run a debug version shows a strange mismatch between ArenaSize (4096) and pageSize (8192):

Assertion failure: OffsetFromAligned(p, pageSize) == 0, at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/gc/Memory.cpp:664

Program received signal SIGSEGV, Segmentation fault.
0xfffffffffd8f84b4 in js::gc::MarkPagesInUse (p=p@entry=0x6fffff01000, 
    size=size@entry=4096)
    at /usr/pkgobj/www/firefox/work/mozilla-release/js/src/gc/Memory.cpp:664
664         MOZ_ASSERT(OffsetFromAligned(p, pageSize) == 0);

in the second call (first one got a page aligned arena, of course) to

js::gc::Chunk::fetchNextDecommittedArena()

So is the configuration wrong (and should pick at least pageSize) for ArenaSize, or is that assert wrong and should test against ArenaSize?

I made that assertion test for 4096-byte alignment for now and then get further, right to the spot where we hit the original problem:

0xfffffffff4f87540 in DOUBLE_TO_JSVAL_IMPL (d=-nan(0xfffffffff8ab8)) at ../../../dist/include/js/Value.h:692
692         MOZ_ASSERT(l.asBits <= JSVAL_SHIFTED_TAG_MAX_DOUBLE);
(gdb) bt
#0  0xfffffffff4f87540 in DOUBLE_TO_JSVAL_IMPL (d=-nan(0xfffffffff8ab8)) at ../../../dist/include/js/Value.h:692
#1  0xfffffffff7f8f1e0 in JS::Value::setDouble (this=this@entry=0xffffffffffff8008, d=-nan(0xfffffffff8ab8))
    at ../../../dist/include/js/Value.h:1036
#2  0xfffffffff7fc18a4 in JS::Value::setNumber (this=0xffffffffffff8008, d=-nan(0xfffffffff8ab8))
    at ../../../dist/include/js/Value.h:1092
#3  0xfffffffff7fd7c8c in js::MutableValueOperations<JS::MutableHandle<JS::Value> >::setNumber (
    this=this@entry=0xffffffffffff7f20, d=-nan(0xfffffffff8ab8)) at ../../../dist/include/js/Value.h:1742
#4  0xfffffffff4fe1d84 in XPCConvert::NativeData2JS (d=<error reading variable: can't compute CFA for this frame>, 
    s=s@entry=0xffffffffffff8780, type=..., iid=iid@entry=0xffffffffffff8308, pErr=pErr@entry=0x0)
    at /usr/pkgobj/www/firefox/work/mozilla-release/js/xpconnect/src/XPCConvert.cpp:137
#5  0xfffffffff502d248 in nsXPCWrappedJSClass::CallMethod (this=0xffffffffe3784cf0, wrapper=0xffffffffe32fb680, 
    methodIndex=<optimized out>, info_=0xfffffffffe9a72e8, nativeParams=0xffffffffffff8780)
    at /usr/pkgobj/www/firefox/work/mozilla-release/js/xpconnect/src/XPCWrappedJSClass.cpp:1097
#6  0xfffffffff5026b0c in nsXPCWrappedJS::CallMethod (this=0xffffffffe32fb680, methodIndex=<optimized out>, 
    info=0xfffffffffe9a72e8, params=0xffffffffffff8780)
    at /usr/pkgobj/www/firefox/work/mozilla-release/js/xpconnect/src/XPCWrappedJS.cpp:532
#7  0xfffffffff46c2310 in PrepareAndDispatch (self=0xffffffffe1338180, methodIndex=4, args=0xffffffffffff8a68)
    at /usr/pkgobj/www/firefox/work/mozilla-release/xpcom/reflect/xptcall/md/unix/xptcstubs_sparc64_openbsd.cpp:78
#8  0xfffffffff46c54b0 in SharedStub ()
    at /usr/pkgobj/www/firefox/work/mozilla-release/xpcom/reflect/xptcall/md/unix/xptcstubs_asm_sparc64_netbsd.s:57

I think I saw some "NaN-normalization" code somewhere, so all NaNs stored should be equal to blessed binary patterns, but somehow this value seems to have escaped here.

Any pointers?
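The assertion in frame #0 and the "NaN-normalization" idea from the comment above, worked through as an added C example; this is not code from the bug, the attached patch or SpiderMonkey. The bound JSVAL_SHIFTED_TAG_MAX_DOUBLE and the canonical NaN bit pattern are assumptions based on SpiderMonkey's 64-bit Value encoding as I recall it; the NaN payload is the one gdb printed in the trace.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed from SpiderMonkey's 64-bit Value encoding (not taken from the page):
 * doubles are stored with their raw bits, and every stored double must satisfy
 * bits <= JSVAL_SHIFTED_TAG_MAX_DOUBLE, which is the MOZ_ASSERT that fires above. */
#define JSVAL_SHIFTED_TAG_MAX_DOUBLE 0xFFF80000FFFFFFFFULL
/* Assumed canonical NaN: positive quiet NaN with an all-zero payload. */
#define JS_CANONICAL_NAN_BITS        0x7FF8000000000000ULL

uint64_t double_bits(double d) { uint64_t b; memcpy(&b, &d, sizeof b); return b; }
double   bits_double(uint64_t b) { double d; memcpy(&d, &b, sizeof d); return d; }

/* Rebuild a double from the way gdb prints a NaN: a '-' for the sign bit and
 * the 52-bit payload in parentheses, e.g. -nan(0xfffffffff8ab8). */
double nan_from_gdb(bool negative, uint64_t payload) {
    uint64_t b = 0x7FF0000000000000ULL | (payload & 0x000FFFFFFFFFFFFFULL);
    if (negative) b |= 0x8000000000000000ULL;
    return bits_double(b);
}

/* The check DOUBLE_TO_JSVAL_IMPL asserts: would this double survive boxing? */
bool fits_jsval_double(double d) {
    return double_bits(d) <= JSVAL_SHIFTED_TAG_MAX_DOUBLE;
}

/* NaN normalization: every NaN collapses to the one blessed bit pattern, so a
 * NaN payload can never land in the tag space above the bound. */
double canonicalize_nan(double d) {
    return isnan(d) ? bits_double(JS_CANONICAL_NAN_BITS) : d;
}

int main(void) {
    double escaped = nan_from_gdb(true, 0xfffffffff8ab8ULL); /* d= in frame #0 */
    double fixed   = canonicalize_nan(escaped);
    printf("as printed by gdb:      bits=0x%016llx fits=%d\n",
           (unsigned long long)double_bits(escaped), fits_jsval_double(escaped));
    printf("after canonicalization: bits=0x%016llx fits=%d\n",
           (unsigned long long)double_bits(fixed), fits_jsval_double(fixed));
    return 0;
}
```

Decoding gdb's -nan(0xfffffffff8ab8) gives the raw bits 0xffffffffffff8ab8, which exceed the bound, so setDouble asserts; the canonical NaN passes. Worth noting that those low bits resemble the stack addresses elsewhere in the same trace (args=0xffffffffffff8a68), so the payload may not be a NaN produced by arithmetic at all.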

The patch makes it work for me. No idea where the NaN comes from, so this might paper over something else. Does it ring a bell for someone?

Not sure whether we should do the same in the nsXPTType::T_FLOAT case as well.
See Also: → 1218643
Severity: normal → S3