Assertion failure: (owner_.compareExchange(nullptr, this)), at dist/include/js/Utility.h:197

RESOLVED FIXED in Firefox 50

Status


defect
--
critical
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: decoder, Assigned: jonco)

Tracking

(Blocks 2 bugs, {assertion, testcase})

Trunk
mozilla50
x86
Linux

Firefox Tracking Flags

(firefox50 fixed)

Details

(Whiteboard: [jsbugmon:update])


The following testcase crashes on mozilla-central revision d87b76177b2f (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --thread-count=2 --baseline-eager --ion-eager --ion-check-range-analysis --ion-extra-checks):

// Module source text (kept as a template literal so the inner backticks are
// escaped): it spawns a worker via evalInWorker, and the worker body requests a
// simulated OOM after 2 allocations, swallowing whatever is thrown.
// NOTE(review): the worker gives the process a second JSRuntime while oomTest is
// running in the main one; the analysis on this bug says simulated OOM does not
// work in that configuration — confirm against the fix.
var lfLogBuffer = `
    evalInWorker(\`
        try { oomAfterAllocations(2); } catch(e) {}
    \`);
`;
// First an empty module, then the worker-spawning one. This is a fuzzer
// reproducer; presumably the call order affects the allocation sequence that
// reaches the assertion, so keep it as is.
loadFile("");
loadFile(lfLogBuffer);
// Parses `lfVarx` as a module, then instantiates and evaluates it, all inside
// oomTest so the callback is re-run under simulated allocation failures.
// The assertion on this bug (AutoEnterOOMUnsafeRegion, js/Utility.h:197) fires
// from a nursery collection triggered inside parseModule — see the backtrace.
function loadFile(lfVarx) {
    oomTest(function() {
        let m = parseModule(lfVarx);
        m.declarationInstantiation();
        m.evaluation();
    });
}



Backtrace:

 received signal SIGSEGV, Segmentation fault.
#0  0x080df6c1 in js::AutoEnterOOMUnsafeRegion::AutoEnterOOMUnsafeRegion (this=0xffff9744) at dist/include/js/Utility.h:197
#1  0x0890ad47 in js::Nursery::setForwardingPointer (this=0xf794134c, oldData=0xf59503a0, newData=0xf5471900, direct=false) at js/src/gc/Nursery.cpp:303
#2  0x0890bac0 in js::Nursery::setElementsForwardingPointer (nelems=2, newHeader=<optimized out>, oldHeader=0xf5950390, this=<optimized out>) at js/src/gc/Nursery.cpp:330
#3  js::TenuringTracer::moveElementsToTenured (this=0xffff9c88, dst=0xf54718e0, src=0xf5950380, dstKind=js::gc::AllocKind::OBJECT2_BACKGROUND) at js/src/gc/Marking.cpp:2374
#4  0x0890bda6 in js::TenuringTracer::moveObjectToTenured (this=0xffff9c88, dst=0xf54718e0, src=0xf5950380, dstKind=js::gc::AllocKind::OBJECT2_BACKGROUND) at js/src/gc/Marking.cpp:2296
#5  0x0890c3a8 in js::TenuringTracer::moveToTenured (this=0xffff9c88, src=0xf5950380) at js/src/gc/Marking.cpp:2188
#6  0x0890c8c6 in js::TenuringTracer::traverse<JSObject> (this=0xffff9c88, objp=0xffff9938) at js/src/gc/Marking.cpp:2028
#7  0x08927f1a in js::TenuringTraversalFunctor<JS::Value>::operator()<JSObject> (this=<synthetic pointer>, trc=0xffff9c88, t=0xf5950380) at js/src/gc/Marking.cpp:2034
#8  js::DispatchTyped<js::TenuringTraversalFunctor<JS::Value>, js::TenuringTracer*>(js::TenuringTraversalFunctor<JS::Value>, JS::Value const&, js::TenuringTracer*&&) (f=..., val=...) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/32/compiler/gcc/sanitizer/none/type/debug/dist/include/js/Value.h:1914
#9  0x0890e1b2 in js::TenuringTracer::traverse<JS::Value> (thingp=0xf58bb528, this=0xffff9c88) at js/src/gc/Marking.cpp:2043
#10 js::TenuringTracer::traceSlots (end=<optimized out>, vp=0xf58bb528, this=0xffff9c88) at js/src/gc/Marking.cpp:2264
#11 js::TenuringTracer::traceObjectSlots (this=0xffff9c88, nobj=0xf58bb4c0, start=7, length=5) at js/src/gc/Marking.cpp:2255
#12 0x0890e2d6 in js::gc::StoreBuffer::SlotsEdge::trace (this=0xf55d3c14, mover=...) at js/src/gc/Marking.cpp:2092
#13 0x0892812a in js::gc::StoreBuffer::MonoTypeBuffer<js::gc::StoreBuffer::SlotsEdge>::trace (this=0xf7941504, owner=0xf7941464, mover=...) at js/src/gc/Marking.cpp:2056
#14 0x089100c7 in js::gc::StoreBuffer::traceSlots (mover=..., this=0xf7941464) at js/src/gc/StoreBuffer.h:423
#15 js::Nursery::collect (this=0xf794134c, rt=0xf79410e8, reason=JS::gcreason::OUT_OF_NURSERY, pretenureGroups=0xffff9ef0) at js/src/gc/Nursery.cpp:431
#16 0x085675b4 in js::gc::GCRuntime::minorGCImpl (this=0xf7941320, reason=JS::gcreason::OUT_OF_NURSERY, pretenureGroups=0xffff9ef0) at js/src/jsgc.cpp:6555
#17 0x0856790e in js::gc::GCRuntime::minorGC (this=0xf7941320, cx=0xf7941000, reason=JS::gcreason::OUT_OF_NURSERY) at js/src/jsgc.cpp:6578
#18 0x088f9091 in js::gc::GCRuntime::tryNewNurseryObject<(js::AllowGC)1> (this=0xf7941320, cx=0xf7941000, thingSize=80, nDynamicSlots=0, clasp=0x8bb7c20 <js::ArrayObject::class_>) at js/src/gc/Allocator.cpp:87
#19 0x088fb1ff in js::Allocate<JSObject, (js::AllowGC)1> (cx=0xf7941000, kind=js::gc::AllocKind::OBJECT8_BACKGROUND, nDynamicSlots=0, heap=js::gc::DefaultHeap, clasp=0x8bb7c20 <js::ArrayObject::class_>) at js/src/gc/Allocator.cpp:51
#20 0x0812b9da in js::ArrayObject::createArrayInternal (cx=0xf7941000, kind=js::gc::AllocKind::OBJECT8_BACKGROUND, heap=js::gc::DefaultHeap, shape=..., group=...) at js/src/vm/ArrayObject-inl.h:54
#21 0x0812bc1c in js::ArrayObject::createArray (cx=0xf7941000, kind=js::gc::AllocKind::OBJECT8_BACKGROUND, heap=js::gc::DefaultHeap, shape=..., group=..., length=0, metadata=...) at js/src/vm/ArrayObject-inl.h:82
#22 0x0811cc38 in NewArray<4294967295u> (cxArg=0xf7941000, length=0, protoArg=..., newKind=js::GenericObject) at js/src/jsarray.cpp:3427
#23 0x0811cec3 in js::NewDenseFullyAllocatedArray (cx=<optimized out>, length=length@entry=0, proto=..., newKind=js::GenericObject) at js/src/jsarray.cpp:3469
#24 0x086624dd in js::ModuleBuilder::createArray<js::ExportEntryObject*> (this=0xffffa2c0, vector=...) at js/src/builtin/ModuleObject.cpp:1282
#25 0x0865938c in js::ModuleBuilder::initModule (this=0xffffa2c0) at js/src/builtin/ModuleObject.cpp:1069
#26 0x088d249a in BytecodeCompiler::compileModule (this=0xffffa688) at js/src/frontend/BytecodeCompiler.cpp:609
#27 0x088d286b in js::frontend::CompileModule (cx=0xf7941000, optionsInput=..., srcBuf=..., alloc=0xf7941298, sourceObjectOut=0x0) at js/src/frontend/BytecodeCompiler.cpp:781
#28 0x088d2a5f in js::frontend::CompileModule (cx=0xf7941000, options=..., srcBuf=...) at js/src/frontend/BytecodeCompiler.cpp:798
#29 0x0808fbd9 in ParseModule (cx=0xf7941000, argc=1, vp=0xffffb3f0) at js/src/shell/js.cpp:3584
#30 0xf7fcd166 in ?? ()
#31 0xf79a81d0 in ?? ()
#32 0xf7fc3c5c in ?? ()
#33 0x081f3b10 in EnterBaseline (cx=0xf7fd04e0, cx@entry=0xf7941000, data=...) at js/src/jit/BaselineJIT.cpp:156
#34 0x081fde0f in js::jit::EnterBaselineMethod (cx=0xf7941000, state=...) at js/src/jit/BaselineJIT.cpp:194
#35 0x087016d0 in js::RunScript (cx=0xf7941000, state=...) at js/src/vm/Interpreter.cpp:388
#36 0x087019de in js::InternalCallOrConstruct (cx=0xf7941000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470
#37 0x08701c2d in InternalCall (cx=cx@entry=0xf7941000, args=...) at js/src/vm/Interpreter.cpp:497
#38 0x08701dbb in js::Call (cx=0xf7941000, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:516
#39 0x085209e5 in JS_CallFunction (cx=0xf7941000, obj=..., fun=..., args=..., rval=...) at js/src/jsapi.cpp:2817
#40 0x08894cc4 in OOMTest (cx=0xf7941000, argc=1, vp=0xffffbaa8) at js/src/builtin/TestingFunctions.cpp:1328
#41 0xf7fcd166 in ?? ()
[...]
#65 main (argc=8, argv=0xffffcbe4, envp=0xffffcc08) at js/src/shell/js.cpp:7432
eax	0x0	0
ebx	0x8be2ff4	146681844
ecx	0xf7d9c864	-136722332
edx	0x0	0
esi	0xffff9744	-26812
edi	0x8be5630	146691632
ebp	0xffff96e8	4294940392
esp	0xffff96c0	4294940352
eip	0x80df6c1 <js::AutoEnterOOMUnsafeRegion::AutoEnterOOMUnsafeRegion()+225>
=> 0x80df6c1 <js::AutoEnterOOMUnsafeRegion::AutoEnterOOMUnsafeRegion()+225>:	movl   $0x0,0x0
   0x80df6cb <js::AutoEnterOOMUnsafeRegion::AutoEnterOOMUnsafeRegion()+235>:	ud2

Test might be intermittent.
This is because simulated OOM testing doesn't work if you have multiple runtimes in the same process. Making this work properly would mean passing a JSRuntime everywhere we allocate memory (which would be painful) or using TLS to look it up, which would probably be slow. I think the best way forward is to disable creating workers while we are doing OOM testing.
Patch to disable creation of workers while OOM testing.
Assignee: nobody → jcoppeard
Attachment #8766251 - Flags: review?(terrence)
Attachment #8766251 - Flags: review?(terrence) → review+
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151027210448" and the hash "35f73f6ea2a90eb5ac45e5cc17efc351bfb4c2da".
The "bad" changeset has the timestamp "20151027214832" and the hash "e903447ff321014cca5a95ef4aff6b84c318fa0b".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=35f73f6ea2a90eb5ac45e5cc17efc351bfb4c2da&tochange=e903447ff321014cca5a95ef4aff6b84c318fa0b
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d88611ee1de7
Disallow creation of workers while running simulated OOM tests r=terrence
https://hg.mozilla.org/mozilla-central/rev/d88611ee1de7
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50