1164532 - Assertion failure: !isInList(), at js/src/jsweakmap.cpp:42 with OOM

Status: RESOLVED DUPLICATE of bug 1165966

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 62d9b117c688 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

var g = newGlobal("ar-u-nu-arab", this);
function attach(g, i) {
    var dbg = Debugger(g);
    oomAfterAllocations(10);
}
for (var i = 0; i < 3; i++)
    attach(g, i);



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000b99098 in js::WeakMapBase::~WeakMapBase (this=0x7ffff695db40, __in_chrg=<optimized out>) at js/src/jsweakmap.cpp:42
#0  0x0000000000b99098 in js::WeakMapBase::~WeakMapBase (this=0x7ffff695db40, __in_chrg=<optimized out>) at js/src/jsweakmap.cpp:42
#1  0x0000000000644e4e in ~WeakMap (this=0x7ffff695db40, __in_chrg=<optimized out>) at js/src/jsweakmap.h:111
#2  ~DebuggerWeakMap (this=0x7ffff695db40, __in_chrg=<optimized out>) at js/src/vm/Debugger.h:65
#3  js::Debugger::~Debugger (this=0x7ffff695d800, __in_chrg=<optimized out>) at js/src/vm/Debugger.cpp:388
#4  0x00000000006524eb in js_delete<js::Debugger> (p=0x7ffff695d800) at ../../dist/include/js/Utility.h:238
#5  operator() (this=<optimized out>, ptr=0x7ffff695d800) at ../../dist/include/js/Utility.h:329
#6  reset (aPtr=0x0, this=<synthetic pointer>) at ../../dist/include/mozilla/UniquePtr.h:308
#7  ~UniquePtr (this=<synthetic pointer>, __in_chrg=<optimized out>) at ../../dist/include/mozilla/UniquePtr.h:253
#8  js::Debugger::construct (cx=0x7ffff691b4e0, argc=1, vp=0x7ffff51e9140) at js/src/vm/Debugger.cpp:3113
#9  0x000000000067a652 in js::CallJSNative (cx=0x7ffff691b4e0, native=0x652060 <js::Debugger::construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#10 0x000000000066ad73 in js::Invoke (cx=cx@entry=0x7ffff691b4e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:727
#11 0x0000000000664907 in Interpret (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:2955
#12 0x000000000066a843 in js::RunScript (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:677
#13 0x0000000000674efe in js::ExecuteKernel (cx=cx@entry=0x7ffff691b4e0, script=..., script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:902
#14 0x0000000000677139 in js::Execute (cx=cx@entry=0x7ffff691b4e0, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:942
#15 0x0000000000a64f09 in ExecuteScript (cx=cx@entry=0x7ffff691b4e0, obj=..., scriptArg=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4160
#16 0x0000000000a650cb in JS_ExecuteScript (cx=cx@entry=0x7ffff691b4e0, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4182
#17 0x00000000004258cb in RunFile (compileOnly=false, file=0x7ffff699e400, filename=0x7fffffffdfc9 "min.js", cx=0x7ffff691b4e0) at js/src/shell/js.cpp:468
#18 Process (cx=cx@entry=0x7ffff691b4e0, filename=0x7fffffffdfc9 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:598
#19 0x000000000047140b in ProcessArgs (op=0x7fffffffda40, cx=0x7ffff691b4e0) at js/src/shell/js.cpp:5802
#20 Shell (envp=<optimized out>, op=0x7fffffffda40, cx=0x7ffff691b4e0) at js/src/shell/js.cpp:6071
#21 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6393
rax	0x0	0
rbx	0x7ffff695d800	140737330403328
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffc390	140737488339856
rsp	0x7fffffffc300	140737488339712
r8	0x7ffff7fe0780	140737354008448
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffc0c0	140737488339136
r11	0x7ffff6c27960	140737333328224
r12	0x7ffff695d800	140737330403328
r13	0x7ffff695db40	140737330404160
r14	0x0	0
r15	0x7ffff51e9158	140737305809240
rip	0xb99098 <js::WeakMapBase::~WeakMapBase()+856>
=> 0xb99098 <js::WeakMapBase::~WeakMapBase()+856>:	movl   $0x2a,0x0
   0xb990a3 <js::WeakMapBase::~WeakMapBase()+867>:	callq  0x48ec30 <abort()>

Comment 1

[Jan de Mooij [:jandem]]

Sorry for another NI request but according to decoder this one also blocks OOM testing, and I don't know who else is familiar with weakmaps.

Here Debugger::init() OOms, so we call ~Debugger -> ... -> ~WeakMapBase, where we assert the weakmap is not in the list.

The Debugger object has various weakmaps and I think Debugger::init() will add them to the list, but I'm not sure how this unlinking is supposed to work... Is that usually done in WeakMapBase::sweepCompartment? Or somewhere else?

Should we unlink the debugger's weakmaps in ~Debugger?

Comment 2

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a0dd5a83ba36
user:        Jan de Mooij
date:        Thu Jul 24 11:56:43 2014 +0200
summary:     Bug 1031529 part 2 - Remove JS_THREADSAFE #ifdefs everywhere. r=bhackett

changeset:   https://hg.mozilla.org/mozilla-central/rev/6426fef52f51
user:        Jan de Mooij
date:        Thu Jul 24 11:56:45 2014 +0200
summary:     Bug 1031529 part 3 - Step defining JS_THREADSAFE, remove --disable-threadsafe. r=glandium

This iteration took 72.604 seconds to run.

Comment 3

[Jon Coppeard (:jonco)]

This is fixed by the patch in bug 1165966.