Closed Bug 1191635 Opened 9 years ago Closed 9 years ago

Crash [@ js::CurrentThreadCanAccessRuntime] or Crash [@ arena_run_split] with Worker

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla44
Tracking Status
firefox42 --- affected
firefox44 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision f3b757156f69 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --baseline-eager):

evalInWorker(`
  function dprint(s) {
    dprint();
  }
  dprint("Hello! Hello! Hello!");
`);



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff45ff700 (LWP 48924)]
0x000000000070bbb0 in js::CurrentThreadCanAccessRuntime (rt=rt@entry=0x7ffff69a8000) at js/src/vm/Runtime.cpp:813
#0  0x000000000070bbb0 in js::CurrentThreadCanAccessRuntime (rt=rt@entry=0x7ffff69a8000) at js/src/vm/Runtime.cpp:813
#1  0x0000000000a7bf57 in runtimeFromMainThread (this=0x7ffff3a1d480) at js/src/gc/Heap.h:1272
#2  js::jit::AssertValidObjectPtr (cx=0x7ffff6998000, obj=0x7ffff3a1d480) at js/src/jit/VMFunctions.cpp:1130
#3  0x00007ffff7fdba51 in ?? ()
[...]
#10 0x0000000000000000 in ?? ()
rax	0x7ffff695d800	140737330403328
rbx	0x7ffff47c5da0	140737295179168
rcx	0x7ffff6998000	140737330642944
rdx	0x7ffff69a8000	140737330708480
rsi	0x7ffff3a1d480	140737280857216
rdi	0x7ffff69a8000	140737330708480
rbp	0x7ffff3e00010	140737284931600
rsp	0x7ffff3e00000	140737284931584
r8	0x0	0
r9	0x205	517
r10	0xfff9000000000000	-1970324836974592
r11	0x7ffff69a81e8	140737330708968
r12	0x7ffff6998000	140737330642944
r13	0x7ffff69a8000	140737330708480
r14	0x7ffff3a00000	140737280737280
r15	0x7ffff45fca70	140737293306480
rip	0x70bbb0 <js::CurrentThreadCanAccessRuntime(JSRuntime*)+16>
=> 0x70bbb0 <js::CurrentThreadCanAccessRuntime(JSRuntime*)+16>:	callq  0x708c30 <PR_GetCurrentThread()>
   0x70bbb5 <js::CurrentThreadCanAccessRuntime(JSRuntime*)+21>:	cmp    %rax,%rbx


Marking s-s due to possibly invalid/racy object pointer.
I think the test case is infinite recursion, so maybe we're triggering stack overflow code?
Group: core-security → javascript-core-security
Jandem, could you triage this or find somebody to triage it? Thanks.
Flags: needinfo?(jdemooij)
This is a problem with the shell's evalInWorker function.
Group: javascript-core-security
Attached patch Patch
The test is running out of stack space. This patch calls JS_SetNativeStackQuota for the evalInWorker runtime and passes a stack limit to PR_CreateThread; doing both is necessary to fix this bug.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8666096 - Flags: review?(bhackett1024)
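To make the mechanism behind the fix concrete, here is an added example in plain C with pthreads. It is not SpiderMonkey code and not part of the patch; it models what the fix description implies: the worker thread is created with an explicit stack size, a native stack quota is derived from that same size, and the recursive routine compares the stack pointer against the quota before each call, so runaway recursion (like dprint() in the testcase) stops with an error instead of faulting in the guard page. The names (stack_quota_t, make_quota, stack_ok, recurse, run_worker) and the sizes are this example's own assumptions; the second case in main shows why the thread's stack size and the quota have to agree, which is the "doing both is necessary" point above.

```c
/* Added example, not SpiderMonkey or patch code: a native stack quota on a
 * worker thread, modelled in plain C with pthreads. Assumes a downward-growing
 * stack (x86_64 Linux, as in the report). Build with -pthread. */
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STACK_SAFETY_MARGIN (32 * 1024)   /* slack left between quota and real end */

typedef struct {
    uintptr_t limit;   /* lowest stack address at which recursion may continue */
} stack_quota_t;

/* Derive the quota from the current stack position and the size the thread
 * was (believed to be) created with. Call it near the top of the thread. */
static stack_quota_t make_quota(size_t stack_size) {
    char marker;
    stack_quota_t q;
    q.limit = (uintptr_t)&marker - (stack_size - STACK_SAFETY_MARGIN);
    return q;
}

/* The check an engine performs on function entry: is there still room? */
static int stack_ok(const stack_quota_t *q) {
    char marker;
    return (uintptr_t)&marker > q->limit;
}

/* Unbounded recursion, like dprint() in the testcase. Each frame pins a small
 * buffer so the compiler cannot turn the call into a loop. Returns the depth
 * at which the quota stopped it. */
static long recurse(const stack_quota_t *q, long depth) {
    volatile char frame[128];
    frame[0] = (char)depth;
    if (!stack_ok(q))
        return depth;                 /* "too much recursion": unwind cleanly */
    long r = recurse(q, depth + 1);
    (void)frame[0];                   /* read after the call: not a tail call */
    return r;
}

typedef struct {
    size_t thread_stack;   /* size handed to pthread_attr_setstacksize */
    size_t quota_stack;    /* size the quota is derived from */
    long result;           /* depth reached, or -1 if the quota is unusable */
} worker_args_t;

static void *worker(void *arg) {
    worker_args_t *a = arg;
    char top;
    /* Approximate bottom of the real stack; below it lies the guard page. */
    uintptr_t real_bottom = (uintptr_t)&top - a->thread_stack;
    stack_quota_t q = make_quota(a->quota_stack);
    if (q.limit <= real_bottom) {
        /* The quota would let recursion run past the real stack, so the check
         * could never fire before the SIGSEGV. Refuse rather than crash. */
        a->result = -1;
        return NULL;
    }
    a->result = recurse(&q, 0);
    return NULL;
}

/* Run the recursion on a thread whose stack size is thread_stack, with a quota
 * computed from quota_stack. The two must agree for the quota to be useful. */
long run_worker(size_t thread_stack, size_t quota_stack) {
    pthread_attr_t attr;
    pthread_t tid;
    worker_args_t a = { thread_stack, quota_stack, -1 };
    if (pthread_attr_init(&attr) != 0) return -1;
    if (pthread_attr_setstacksize(&attr, thread_stack) != 0) return -1;
    if (pthread_create(&tid, &attr, worker, &a) != 0) return -1;
    pthread_join(tid, NULL);
    pthread_attr_destroy(&attr);
    return a.result;
}

int main(void) {
    long ok = run_worker(256 * 1024, 256 * 1024);    /* sizes agree */
    long bad = run_worker(256 * 1024, 1024 * 1024);  /* quota larger than stack */
    printf("matching quota: recursion stopped cleanly at depth %ld\n", ok);
    printf("oversized quota: %s\n", bad < 0 ? "refused, would have faulted" : "ran");
    return 0;
}
```

The first call stops the recursion well above the guard page and returns the depth it reached; the second models the bug as reported: a quota computed for a bigger stack than the thread actually has can never fire in time, so the only thing left to catch the overrun is the SIGSEGV seen in the backtrace.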
Comment on attachment 8666096 [details] [diff] [review]
Patch

Review of attachment 8666096 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit-test/tests/basic/evalInWorker-stack-limit.js
@@ +3,5 @@
> +        function f() { f(); }
> +        try { f(); } catch(e) {}
> +    `);
> +} catch(e) {
> +    assertEq(e.toString().contains("--no-threads"), true);
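Review bot: `e.toString().contains("--no-threads")` on the last line of the hunk relies on the non-standard, deprecated String.prototype.contains; `includes` is the standard name and should be used here. Consider also passing `e.toString()` as the third (message) argument of assertEq, so that an unrelated exception escaping evalInWorker reports the actual error text rather than a bare false vs true mismatch.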

I did s/contains/includes/ as |contains| is deprecated.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/75c2c9a3e09d
user:        Lars T Hansen
date:        Wed Feb 25 18:43:51 2015 +0100
summary:     Bug 1136584 - Copy JIT options from global settings.  r=bhackett

This iteration took 193.919 seconds to run.
Attachment #8666096 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/137ce8c2f14c
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
