Closed Bug 1249107 Opened 8 years ago Closed 8 years ago

Crash [@ UniquePtr] or Assertion failure: isLive(), at js/HashTable.h:774 with shell-function shortestPaths

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla47
Tracking Status
firefox47 --- fixed

People

(Reporter: decoder, Assigned: fitzgen)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 6ea654cad929 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe min.js):

shortestPaths(this, [this], 5)


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
UniquePtr (aOther=<unknown type in /home/ubuntu/mozilla-central/js/src/opt64/dist/bin/js, CU 0x32a472a, DIE 0x33ea0f0>, this=0x8) at js/src/opt64/dist/include/mozilla/UniquePtr.h:229
#0  UniquePtr (aOther=<unknown type in /home/ubuntu/mozilla-central/js/src/opt64/dist/bin/js, CU 0x32a472a, DIE 0x33ea0f0>, this=0x8) at js/src/opt64/dist/include/mozilla/UniquePtr.h:229
#1  new_<mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> > > (aU=aU@entry=<unknown type in /home/ubuntu/mozilla-central/js/src/opt64/dist/bin/js, CU 0x32a472a, DIE 0x33ea149>, aDst=0x8) at js/src/opt64/dist/include/mozilla/Vector.h:74
#2  internalAppend<mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> > > (aU=aU@entry=<unknown type in /home/ubuntu/mozilla-central/js/src/opt64/dist/bin/js, CU 0x32a472a, DIE 0x33daef6>, this=this@entry=0x7ffff6917738) at js/src/opt64/dist/include/mozilla/Vector.h:1123
#3  mozilla::Vector<mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> >, 0ul, mozilla::MallocAllocPolicy>::infallibleAppend<mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> > >(mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> >&&) (this=this@entry=0x7ffff6917738, aU=aU@entry=<unknown type in /home/ubuntu/mozilla-central/js/src/opt64/dist/bin/js, CU 0x32a472a, DIE 0x3459af0>) at js/src/opt64/dist/include/mozilla/Vector.h:617
#4  0x00000000008629c6 in JS::ubi::ShortestPaths::Handler::operator() (this=0x7fffffffd350, traversal=..., origin=..., edge=..., back=<optimized out>, first=first@entry=false) at js/src/opt64/dist/include/js/UbiNodeShortestPaths.h:149
#5  0x0000000000864541 in JS::ubi::BreadthFirst<JS::ubi::ShortestPaths::Handler>::traverse (this=this@entry=0x7fffffffd4b0) at js/src/opt64/dist/include/js/UbiNodeBreadthFirst.h:151
#6  0x000000000083a85e in Create (targets=<unknown type in /home/ubuntu/mozilla-central/js/src/opt64/dist/bin/js, CU 0x32a472a, DIE 0x34b7828>, root=..., maxNumPaths=<optimized out>, noGC=<synthetic pointer>, rt=0x7ffff6937000) at js/src/opt64/dist/include/js/UbiNodeShortestPaths.h:254
#7  ShortestPaths (cx=0x7ffff6907000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:2624
#8  0x00000000008866e1 in CallJSNative (args=..., native=0x838c70 <ShortestPaths(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff6907000) at js/src/jscntxtinlines.h:235
[...]
#20 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7120
rax	0x1	1
rbx	0x7ffff69955e0	140737330632160
rcx	0x7ffff69955e0	140737330632160
rdx	0x8	8
rsi	0x7fffffffd0f0	140737488343280
rdi	0x7ffff6917738	140737330116408
rbp	0x7fffffffd3e0	140737488344032
rsp	0x7fffffffd088	140737488343176
r8	0x0	0
r9	0x50	80
r10	0x0	0
r11	0x1e	30
r12	0x7ffff6917720	140737330116384
r13	0x7fffffffd4b0	140737488344240
r14	0x3448cb9a	877185946
r15	0x7ffff3c14458	140737282917464
rip	0x861fca <mozilla::Vector<mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> >, 0ul, mozilla::MallocAllocPolicy>::infallibleAppend<mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> > >(mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> >&&)+26>
=> 0x861fca <mozilla::Vector<mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> >, 0ul, mozilla::MallocAllocPolicy>::infallibleAppend<mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> > >(mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> >&&)+26>:	mov    %rcx,(%rdx)
   0x861fcd <mozilla::Vector<mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> >, 0ul, mozilla::MallocAllocPolicy>::infallibleAppend<mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> > >(mozilla::UniquePtr<JS::ubi::BackEdge, JS::DeletePolicy<JS::ubi::BackEdge> >&&)+29>:	add    $0x1,%rax

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160216024750" and the hash "374422755fccfd9e8296195ad60b6f4b752238e6".
The "bad" changeset has the timestamp "20160216032050" and the hash "d73b4d5f5d259b9015d7af8f7bfaae81d33529ec".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=374422755fccfd9e8296195ad60b6f4b752238e6&tochange=d73b4d5f5d259b9015d7af8f7bfaae81d33529ec

Guessing this is related to bug 961323. Nick, thoughts?
Blocks: 961323
Flags: needinfo?(nfitzgerald)

Assignee: nobody → nfitzgerald
Status: NEW → ASSIGNED
Flags: needinfo?(nfitzgerald)

The start node was being marked "visited" at the start of the traversal, but
this broke the invariant that if we come across a target node that is marked
"visited" then we had better have an entry for it in our results map. In order
to maintain this invariant and stop triggering these assertion failures, this
commit stops marking the start node as "visited" right off the bat.
Attachment #8722027 - Flags: review?(jimb)
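
A simplified model of the invariant described in the commit message above, added here as an example; it is not SpiderMonkey code and not part of the attachment. The graph, `shortestPathsModel` and `brokenInvariant` are hypothetical names, and the model counts the missing-entry case where the engine asserted or crashed.

```cpp
#include <cstdio>
#include <map>
#include <queue>
#include <set>
#include <vector>

using Graph = std::map<int, std::vector<int>>;  // node -> outgoing edges

struct Result {
    std::map<int, std::vector<int>> paths;  // target -> recorded predecessors
    int brokenInvariant = 0;  // visited target reached with no paths entry
};

// Toy breadth-first model. markStartVisited=true is the behaviour the commit
// message describes as broken; false is the behaviour after the fix.
Result shortestPathsModel(const Graph& g, int start, const std::set<int>& targets,
                          std::size_t maxPaths, bool markStartVisited) {
    Result r;
    std::set<int> visited;
    std::queue<int> pending;
    if (markStartVisited) visited.insert(start);
    pending.push(start);
    while (!pending.empty()) {
        int origin = pending.front();
        pending.pop();
        auto out = g.find(origin);
        if (out == g.end()) continue;
        for (int referent : out->second) {
            bool first = visited.insert(referent).second;
            // Model simplification: the start node is expanded only once.
            if (first && referent != start) pending.push(referent);
            if (!targets.count(referent)) continue;
            auto it = r.paths.find(referent);
            if (first)
                r.paths[referent] = {origin};  // entry created on first visit
            else if (it == r.paths.end())
                ++r.brokenInvariant;  // the model counts what the engine asserted on
            else if (it->second.size() < maxPaths)
                it->second.push_back(origin);
        }
    }
    return r;
}

int main() {
    Graph g{{0, {1, 0}}, {1, {0}}};  // constructed: start node 0 is reachable from itself
    for (bool mark : {true, false})
        std::printf("mark=%d broken=%d\n", mark, shortestPathsModel(g, 0, {0}, 5, mark).brokenInvariant);
}
```
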
Comment on attachment 8722027 [details] [diff] [review]
Fix assertion failure when reaching start node in JS::ubi::ShortestPaths

Review of attachment 8722027 [details] [diff] [review]:
-----------------------------------------------------------------

I think I've screwed up cases like this (paths that end at the starting node) too...
Attachment #8722027 - Flags: review?(jimb) → review+

https://hg.mozilla.org/mozilla-central/rev/8addcfb751ad
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47