Closed
Bug 1211331
Opened 9 years ago
Closed 9 years ago
Crash [@ js::UncheckedUnwrap]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla44
| Tracking | Status | |
|---|---|---|
| firefox44 | --- | fixed |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker])
Crash Data
Attachments
(3 files)
The upcoming testcase crashes js debug shell on m-c changeset 5f16c6c2b969 with --fuzzing-safe --no-threads --no-ion --no-baseline at js::UncheckedUnwrap
Configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 5f16c6c2b969
autoBisect is running.
|
Reporter | |
Comment 1•9 years ago
|
||
|
|
Reporter | |
Comment 2•9 years ago
|
||
This also reproduces on nightly js shells:
https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015/10/2015-10-05-mozilla-central-debug/jsshell-mac64.zip
|
|
Reporter | |
Comment 3•9 years ago
|
||
(lldb) bt 5
* thread #1: tid = 0x10b8a7, 0x000000010022aef4 js-dbg-64-dm-darwin-5f16c6c2b969`js::UncheckedUnwrap(JSObject*, bool, unsigned int*) [inlined] js::Class::isProxy(this=0xfffc4f4f4f4f4f4f) const at Class.h:762, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
* frame #0: 0x000000010022aef4 js-dbg-64-dm-darwin-5f16c6c2b969`js::UncheckedUnwrap(JSObject*, bool, unsigned int*) [inlined] js::Class::isProxy(this=0xfffc4f4f4f4f4f4f) const at Class.h:762
frame #1: 0x000000010022aef4 js-dbg-64-dm-darwin-5f16c6c2b969`js::UncheckedUnwrap(JSObject*, bool, unsigned int*) [inlined] js::IsProxy(obj=0x0000000102c5f140) + 6 at Proxy.h:434
frame #2: 0x000000010022aeee js-dbg-64-dm-darwin-5f16c6c2b969`js::UncheckedUnwrap(JSObject*, bool, unsigned int*) [inlined] js::IsWrapper(obj=0x0000000102c5f140) at jswrapper.h:275
frame #3: 0x000000010022aeee js-dbg-64-dm-darwin-5f16c6c2b969`js::UncheckedUnwrap(JSObject*, bool, unsigned int*) [inlined] bool JSObject::is<js::WrapperObject>(this=0x0000000102c5f140) const at WrapperObject.h:35
frame #4: 0x000000010022aeee js-dbg-64-dm-darwin-5f16c6c2b969`js::UncheckedUnwrap(wrapped=0x0000000102c5f140, stopAtOuter=true, flagsp=0x0000000000000000) + 14 at Wrapper.cpp:62
(lldb)
|
|
Reporter | |
Comment 4•9 years ago
|
||
This is causing a lot of hard-to-reproduce testcases also crashing [@ js::UncheckedUnwrap], setting [fuzzblocker].
Whiteboard: [fuzzblocker]
|
|
Reporter | |
Comment 5•9 years ago
|
||
Setting needinfo? from Nicolas for now, because the end of the testcase seems to involve getLcovInfo (until autoBisect gets a bisection report, assuming successful).
Flags: needinfo?(nicolas.b.pierron)
|
|
Reporter | |
Comment 6•9 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/e46f4a5bd558
user: Nick Fitzgerald
date: Tue Sep 22 12:15:23 2015 -0700
summary: Bug 1199216 - Implement JS::ubi::Node::size for JSScript referents; r=sfink
Nick, is bug 1199216 a likely regressor?
Blocks: 1199216
Flags: needinfo?(nfitzgerald)
|
||
Comment 7•9 years ago
|
||
Based on the backtrace and the testcase, I don't think that patch is a likely regressor.
Flags: needinfo?(nfitzgerald)
|
||
Comment 8•9 years ago
|
||
I will look at this issue tomorrow.
|
|
||
Comment 9•9 years ago
|
||
This bug is likely caused by either Bug 1191289 or Bug 1204554.
On first sight, This seems to be a testing function issue more than anything else.
Blocks: 1204554
|
|
||
Comment 10•9 years ago
|
||
Attachment #8670757 -
Flags: review?(terrence)
|
||
Comment 11•9 years ago
|
||
Comment on attachment 8670757 [details] [diff] [review]
Ensure that GC slices are terminated such that we can ''safely'' iterate the heap.
Review of attachment 8670757 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/jsopcode.cpp
@@ +36,5 @@
> #include "asmjs/AsmJSModule.h"
> #include "frontend/BytecodeCompiler.h"
> #include "frontend/SourceNotes.h"
> #include "js/CharacterEncoding.h"
> +#include "js/GCAPI.h"
gc/GCInternals.h should be sufficient.
@@ +1951,5 @@
> {
> JSRuntime* rt = cx->runtime();
>
> // Collect the list of scripts which are part of the current compartment.
> + JS::FinishIncrementalGC(rt, JS::gcreason::API);
That's not quite right. What you actually want here is:
js::gc::AutoPrepareForTracing apft(rt, SkipAtoms);
Sorry I missed this in the review: I thought that we had hooked up ZonesIter to do this for you, but I guess we cannot because of its use from inside the GC.
Attachment #8670757 -
Flags: review?(terrence) → review+
|
|
||
Comment 12•9 years ago
|
||
I had to scope the statement to make it work with the test suite (coverage/simple.js), apparently the ZoneCellIter ensure that it has exclusive access while this class already take the exclusive access of the runtime.
Terrence, Would that be fine?
Assertion failure: !runtime->mainThreadHasExclusiveAccess, at /home/nicolas/mozilla/oom-repo/js/src/jscntxt.h:766
Program received signal SIGSEGV, Segmentation fault.
0x00000000004da106 in js::AutoLockForExclusiveAccess::init (this=0x7fffffff49a0, rt=0x130f610) at /home/nicolas/mozilla/oom-repo/js/src/jscntxt.h:766
766 MOZ_ASSERT(!runtime->mainThreadHasExclusiveAccess);
js/src/gdb/mozilla/asmjs.py: Allowing AsmJSFaultHandler to run.
Program received signal SIGSEGV, Segmentation fault.
0x00000000004da106 in js::AutoLockForExclusiveAccess::init (this=0x7fffffff49a0, rt=0x130f610) at /home/nicolas/mozilla/oom-repo/js/src/jscntxt.h:766
766 MOZ_ASSERT(!runtime->mainThreadHasExclusiveAccess);
(gdb) bt
#0 0x00000000004da106 in js::AutoLockForExclusiveAccess::init (this=0x7fffffff49a0, rt=0x130f610) at /home/nicolas/mozilla/oom-repo/js/src/jscntxt.h:766
#1 0x0000000000803ba4 in js::AutoLockForExclusiveAccess::AutoLockForExclusiveAccess(JSRuntime*, mozilla::detail::GuardObjectNotifier&&) (this=0x7fffffff49a0, rt=0x130f610, _notifier=<unknown type in /home/nicolas/mozilla/_build/js/bugzil.la/1211331/wip/x64/gcc48/dbg/js/src/shell/js, CU 0xbc92cf, DIE 0xd317f9>) at /home/nicolas/mozilla/oom-repo/js/src/jscntxt.h:778
#2 0x0000000000dc81ac in js::gc::AutoTraceSession::AutoTraceSession (this=0x7fffffff49a0, rt=0x130f610, heapState=JS::HeapState::MinorCollecting) at /home/nicolas/mozilla/oom-repo/js/src/jsgc.cpp:5651
#3 0x00000000009a057a in js::Nursery::collect (this=0x130fa70, rt=0x130f610, reason=JS::gcreason::EVICT_NURSERY, pretenureGroups=0x0) at /home/nicolas/mozilla/oom-repo/js/src/gc/Nursery.cpp:426
#4 0x0000000000dcaf28 in js::gc::GCRuntime::minorGCImpl (this=0x130fa18, reason=JS::gcreason::EVICT_NURSERY, pretenureGroups=0x0) at /home/nicolas/mozilla/oom-repo/js/src/jsgc.cpp:6566
#5 0x00000000006e919a in js::gc::GCRuntime::evictNursery (this=0x130fa18, reason=JS::gcreason::EVICT_NURSERY) at /home/nicolas/mozilla/oom-repo/js/src/gc/GCRuntime.h:611
#6 0x0000000000768959 in js::gc::ZoneCellIter::ZoneCellIter (this=0x7fffffff5060, zone=0x1340440, kind=js::gc::AllocKind::OBJECT_LIMIT) at /home/nicolas/mozilla/oom-repo/js/src/jsgcinlines.h:279
#7 0x0000000000e39784 in GenerateLcovInfo (cx=0x1332be0, comp=0x1472b10, out=...) at /home/nicolas/mozilla/oom-repo/js/src/jsopcode.cpp:1958
Flags: needinfo?(terrence)
|
||
Comment 14•9 years ago
|
||
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
|
|
||
Updated•9 years ago
|
Flags: needinfo?(nicolas.b.pierron)
You need to log in
before you can comment on or make changes to this bug.
Description
•