1214006 - Crash [@ JSScript::traceChildren]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

// Adapted from randomly chosen test: js/src/jit-test/tests/baseline/bug1209585.js
function f() {
    var i = 1;
    do {
        try {
            oomAtAllocation(i);
            (function() y)();
        } catch (e) {
            x = resetOOMFailure();
        }
        i++;
    } while (x);
}
f();
fullcompartmentchecks(true);

crashes js debug shell on m-c changeset f4215b484d52 with --fuzzing-safe --ion-offthread-compile=off --no-ion --no-baseline at JSScript::traceChildren

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r f4215b484d52

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a9f12b317316
user:        Jon Coppeard
date:        Wed Jul 01 18:53:04 2015 +0100
summary:     Bug 1155618 - Don't retry memory allocation if we're simulating OOM r=terrence

Jon, is bug 1155618 a likely regressor?

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

(lldb) bt 5
* thread #1: tid = 0x6da2a, 0x0000000100587134 js-dbg-64-dm-darwin-f4215b484d52`JSScript::traceChildren(this=0x0000000102e61a50, trc=0x00007fff5fbfee30) + 148 at jsscript.cpp:3776, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100587134 js-dbg-64-dm-darwin-f4215b484d52`JSScript::traceChildren(this=0x0000000102e61a50, trc=0x00007fff5fbfee30) + 148 at jsscript.cpp:3776
    frame #1: 0x00000001008dbf68 js-dbg-64-dm-darwin-f4215b484d52`js::TraceChildren(trc=<unavailable>, thing=<unavailable>, kind=<unavailable>) + 40 at Tracer.cpp:204
    frame #2: 0x000000010051bd41 js-dbg-64-dm-darwin-f4215b484d52`js::gc::GCRuntime::checkForCompartmentMismatches(this=<unavailable>) + 433 at jsgc.cpp:3816
    frame #3: 0x000000010051bf1c js-dbg-64-dm-darwin-f4215b484d52`js::gc::GCRuntime::beginMarkPhase(this=0x0000000102d54408, reason=DESTROY_CONTEXT) + 60 at jsgc.cpp:3845
    frame #4: 0x00000001005273a3 js-dbg-64-dm-darwin-f4215b484d52`js::gc::GCRuntime::incrementalCollectSlice(this=0x0000000102d54408, budget=0x00007fff5fbff200, reason=DESTROY_CONTEXT) + 659 at jsgc.cpp:5948
(lldb)

Comment 2

[Jon Coppeard (:jonco)]

Attachment: bug1214006-script-atoms

JSScript::atoms can be null if we hit OOM in SaveSharedScriptData(), so we need to check that before tracing.

Comment 3

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/17268e61894d

Comment 4

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/17268e61894d

Comment 5

[Common User Network Terminal]

> Status: NEW → RESOLVED

Wrong. 

> Resolution: --- → FIXED

Nonsense. 

https://crash-stats.mozilla.com/report/list?product=Firefox&signature=JSScript%3A%3AtraceChildren#tab-reports
2,767 Results.

This defect still appears in v48.0a1 

This defect (a 'feature') was introduced in v40.0.

Re-opened as Bug 1259689.

Comment 6

[Christian Holler (:decoder)]

(In reply to Common User Network Terminal from comment #5)
> > Status: NEW → RESOLVED
> 
> Wrong. 

The crash you are seeing in crash stats might not necessarily be the issue this bug is about. The top frame crash signature here is a frequent one, involved in many kinds of garbage collector issues. There is probably more than just one bug with that signature in crash stats.