Bug 1282986
Opened 9 years ago
Closed 9 years ago
Assertion failure: (owner_.compareExchange(nullptr, this)), at dist/include/js/Utility.h:197
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target milestone: mozilla50
Tracking:
| Tracking | Status | |
|---|---|---|
| firefox50 | --- | fixed |
People: Reporter: decoder, Assigned: jonco
Details: Keywords: assertion, testcase, Whiteboard: [jsbugmon:update]
Attachments (1 file): patch, 5.20 KB, terrence: review+
The following testcase crashes on mozilla-central revision d87b76177b2f (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --thread-count=2 --baseline-eager --ion-eager --ion-check-range-analysis --ion-extra-checks):
var lfLogBuffer = `
evalInWorker(\`
try { oomAfterAllocations(2); } catch(e) {}
\`);
`;
loadFile("");
loadFile(lfLogBuffer);
function loadFile(lfVarx) {
    oomTest(function() {
        let m = parseModule(lfVarx);
        m.declarationInstantiation();
        m.evaluation();
    });
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x080df6c1 in js::AutoEnterOOMUnsafeRegion::AutoEnterOOMUnsafeRegion (this=0xffff9744) at dist/include/js/Utility.h:197
#1 0x0890ad47 in js::Nursery::setForwardingPointer (this=0xf794134c, oldData=0xf59503a0, newData=0xf5471900, direct=false) at js/src/gc/Nursery.cpp:303
#2 0x0890bac0 in js::Nursery::setElementsForwardingPointer (nelems=2, newHeader=<optimized out>, oldHeader=0xf5950390, this=<optimized out>) at js/src/gc/Nursery.cpp:330
#3 js::TenuringTracer::moveElementsToTenured (this=0xffff9c88, dst=0xf54718e0, src=0xf5950380, dstKind=js::gc::AllocKind::OBJECT2_BACKGROUND) at js/src/gc/Marking.cpp:2374
#4 0x0890bda6 in js::TenuringTracer::moveObjectToTenured (this=0xffff9c88, dst=0xf54718e0, src=0xf5950380, dstKind=js::gc::AllocKind::OBJECT2_BACKGROUND) at js/src/gc/Marking.cpp:2296
#5 0x0890c3a8 in js::TenuringTracer::moveToTenured (this=0xffff9c88, src=0xf5950380) at js/src/gc/Marking.cpp:2188
#6 0x0890c8c6 in js::TenuringTracer::traverse<JSObject> (this=0xffff9c88, objp=0xffff9938) at js/src/gc/Marking.cpp:2028
#7 0x08927f1a in js::TenuringTraversalFunctor<JS::Value>::operator()<JSObject> (this=<synthetic pointer>, trc=0xffff9c88, t=0xf5950380) at js/src/gc/Marking.cpp:2034
#8 js::DispatchTyped<js::TenuringTraversalFunctor<JS::Value>, js::TenuringTracer*>(js::TenuringTraversalFunctor<JS::Value>, JS::Value const&, js::TenuringTracer*&&) (f=..., val=...) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/32/compiler/gcc/sanitizer/none/type/debug/dist/include/js/Value.h:1914
#9 0x0890e1b2 in js::TenuringTracer::traverse<JS::Value> (thingp=0xf58bb528, this=0xffff9c88) at js/src/gc/Marking.cpp:2043
#10 js::TenuringTracer::traceSlots (end=<optimized out>, vp=0xf58bb528, this=0xffff9c88) at js/src/gc/Marking.cpp:2264
#11 js::TenuringTracer::traceObjectSlots (this=0xffff9c88, nobj=0xf58bb4c0, start=7, length=5) at js/src/gc/Marking.cpp:2255
#12 0x0890e2d6 in js::gc::StoreBuffer::SlotsEdge::trace (this=0xf55d3c14, mover=...) at js/src/gc/Marking.cpp:2092
#13 0x0892812a in js::gc::StoreBuffer::MonoTypeBuffer<js::gc::StoreBuffer::SlotsEdge>::trace (this=0xf7941504, owner=0xf7941464, mover=...) at js/src/gc/Marking.cpp:2056
#14 0x089100c7 in js::gc::StoreBuffer::traceSlots (mover=..., this=0xf7941464) at js/src/gc/StoreBuffer.h:423
#15 js::Nursery::collect (this=0xf794134c, rt=0xf79410e8, reason=JS::gcreason::OUT_OF_NURSERY, pretenureGroups=0xffff9ef0) at js/src/gc/Nursery.cpp:431
#16 0x085675b4 in js::gc::GCRuntime::minorGCImpl (this=0xf7941320, reason=JS::gcreason::OUT_OF_NURSERY, pretenureGroups=0xffff9ef0) at js/src/jsgc.cpp:6555
#17 0x0856790e in js::gc::GCRuntime::minorGC (this=0xf7941320, cx=0xf7941000, reason=JS::gcreason::OUT_OF_NURSERY) at js/src/jsgc.cpp:6578
#18 0x088f9091 in js::gc::GCRuntime::tryNewNurseryObject<(js::AllowGC)1> (this=0xf7941320, cx=0xf7941000, thingSize=80, nDynamicSlots=0, clasp=0x8bb7c20 <js::ArrayObject::class_>) at js/src/gc/Allocator.cpp:87
#19 0x088fb1ff in js::Allocate<JSObject, (js::AllowGC)1> (cx=0xf7941000, kind=js::gc::AllocKind::OBJECT8_BACKGROUND, nDynamicSlots=0, heap=js::gc::DefaultHeap, clasp=0x8bb7c20 <js::ArrayObject::class_>) at js/src/gc/Allocator.cpp:51
#20 0x0812b9da in js::ArrayObject::createArrayInternal (cx=0xf7941000, kind=js::gc::AllocKind::OBJECT8_BACKGROUND, heap=js::gc::DefaultHeap, shape=..., group=...) at js/src/vm/ArrayObject-inl.h:54
#21 0x0812bc1c in js::ArrayObject::createArray (cx=0xf7941000, kind=js::gc::AllocKind::OBJECT8_BACKGROUND, heap=js::gc::DefaultHeap, shape=..., group=..., length=0, metadata=...) at js/src/vm/ArrayObject-inl.h:82
#22 0x0811cc38 in NewArray<4294967295u> (cxArg=0xf7941000, length=0, protoArg=..., newKind=js::GenericObject) at js/src/jsarray.cpp:3427
#23 0x0811cec3 in js::NewDenseFullyAllocatedArray (cx=<optimized out>, length=length@entry=0, proto=..., newKind=js::GenericObject) at js/src/jsarray.cpp:3469
#24 0x086624dd in js::ModuleBuilder::createArray<js::ExportEntryObject*> (this=0xffffa2c0, vector=...) at js/src/builtin/ModuleObject.cpp:1282
#25 0x0865938c in js::ModuleBuilder::initModule (this=0xffffa2c0) at js/src/builtin/ModuleObject.cpp:1069
#26 0x088d249a in BytecodeCompiler::compileModule (this=0xffffa688) at js/src/frontend/BytecodeCompiler.cpp:609
#27 0x088d286b in js::frontend::CompileModule (cx=0xf7941000, optionsInput=..., srcBuf=..., alloc=0xf7941298, sourceObjectOut=0x0) at js/src/frontend/BytecodeCompiler.cpp:781
#28 0x088d2a5f in js::frontend::CompileModule (cx=0xf7941000, options=..., srcBuf=...) at js/src/frontend/BytecodeCompiler.cpp:798
#29 0x0808fbd9 in ParseModule (cx=0xf7941000, argc=1, vp=0xffffb3f0) at js/src/shell/js.cpp:3584
#30 0xf7fcd166 in ?? ()
#31 0xf79a81d0 in ?? ()
#32 0xf7fc3c5c in ?? ()
#33 0x081f3b10 in EnterBaseline (cx=0xf7fd04e0, cx@entry=0xf7941000, data=...) at js/src/jit/BaselineJIT.cpp:156
#34 0x081fde0f in js::jit::EnterBaselineMethod (cx=0xf7941000, state=...) at js/src/jit/BaselineJIT.cpp:194
#35 0x087016d0 in js::RunScript (cx=0xf7941000, state=...) at js/src/vm/Interpreter.cpp:388
#36 0x087019de in js::InternalCallOrConstruct (cx=0xf7941000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470
#37 0x08701c2d in InternalCall (cx=cx@entry=0xf7941000, args=...) at js/src/vm/Interpreter.cpp:497
#38 0x08701dbb in js::Call (cx=0xf7941000, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:516
#39 0x085209e5 in JS_CallFunction (cx=0xf7941000, obj=..., fun=..., args=..., rval=...) at js/src/jsapi.cpp:2817
#40 0x08894cc4 in OOMTest (cx=0xf7941000, argc=1, vp=0xffffbaa8) at js/src/builtin/TestingFunctions.cpp:1328
#41 0xf7fcd166 in ?? ()
[...]
#65 main (argc=8, argv=0xffffcbe4, envp=0xffffcc08) at js/src/shell/js.cpp:7432
eax 0x0 0
ebx 0x8be2ff4 146681844
ecx 0xf7d9c864 -136722332
edx 0x0 0
esi 0xffff9744 -26812
edi 0x8be5630 146691632
ebp 0xffff96e8 4294940392
esp 0xffff96c0 4294940352
eip 0x80df6c1 <js::AutoEnterOOMUnsafeRegion::AutoEnterOOMUnsafeRegion()+225>
=> 0x80df6c1 <js::AutoEnterOOMUnsafeRegion::AutoEnterOOMUnsafeRegion()+225>: movl $0x0,0x0
0x80df6cb <js::AutoEnterOOMUnsafeRegion::AutoEnterOOMUnsafeRegion()+235>: ud2
Test might be intermittent.
Comment 1 (Assignee) • 9 years ago
This is because simulated OOM testing doesn't work if you have multiple runtimes in the same process. Making this work properly would mean passing a JSRuntime everywhere we allocate memory (which would be painful) or using TLS to get it which would be slow (probably). I think the best way forward is to disable creating workers while we are doing OOM testing.
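A simplified C++ model of the failure mode described in Comment 1, added here as an illustration; it is not SpiderMonkey source and not the attached patch. The names `failAfter`, `oomTestRunning`, `createWorker`, `mainRuntimeMinorGC` and `runScenario` are assumptions, and the two runtimes' steps are replayed sequentially in one possible interleaving rather than on real threads.

```cpp
#include <atomic>
#include <cstdint>

// Simplified model, not SpiderMonkey source. The simulated-OOM state is
// process-wide, so every runtime in the process reads and writes the same copy.
static std::atomic<uint64_t> failAfter{UINT64_MAX};  // UINT64_MAX: simulation off
static std::atomic<bool> oomTestRunning{false};      // hypothetical flag for the guard

// Guard for code that cannot tolerate allocation failure: it claims the single
// owner slot and suspends the simulation until it goes out of scope.
class OOMUnsafeRegion {
    static std::atomic<OOMUnsafeRegion*> owner_;
    uint64_t saved_ = UINT64_MAX;
    bool claimed_ = false;
    bool ok_ = true;
  public:
    OOMUnsafeRegion() {
        if (failAfter.load() == UINT64_MAX) return;  // simulation off: nothing to do
        OOMUnsafeRegion* expected = nullptr;
        // The engine asserts on this claim; the model records the result instead.
        ok_ = claimed_ = owner_.compare_exchange_strong(expected, this);
        if (claimed_) saved_ = failAfter.exchange(UINT64_MAX);
    }
    ~OOMUnsafeRegion() {
        if (claimed_) { failAfter.store(saved_); owner_.store(nullptr); }
    }
    bool ok() const { return ok_; }
};
std::atomic<OOMUnsafeRegion*> OOMUnsafeRegion::owner_{nullptr};

// The mitigation proposed in the comment: no second runtime during an OOM test.
bool createWorker(bool guardEnabled) { return !(guardEnabled && oomTestRunning.load()); }

bool mainRuntimeMinorGC() { OOMUnsafeRegion region; return region.ok(); }

// Replays one interleaving sequentially; true means no owner-slot claim failed.
bool runScenario(bool guardEnabled) {
    oomTestRunning = true;
    failAfter = 1;                         // oomTest arms the shared simulation
    bool ok;
    if (createWorker(guardEnabled)) {      // evalInWorker inside the test body
        failAfter = 2;                     // worker: oomAfterAllocations(2)
        OOMUnsafeRegion workerRegion;      // worker runtime holds the owner slot
        failAfter = 3;                     // oomTest's next iteration re-arms
        ok = mainRuntimeMinorGC();         // main runtime's GC overlaps the worker
    } else {
        ok = mainRuntimeMinorGC();         // single runtime: the claim succeeds
    }
    failAfter = UINT64_MAX;
    oomTestRunning = false;
    return ok;
}
```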
Comment 2 (Assignee) • 9 years ago
Patch to disable creation of workers while OOM testing.
Assignee: nobody → jcoppeard
Attachment #8766251 - Flags: review?(terrence)
Updated • 9 years ago
Attachment #8766251 - Flags: review?(terrence) → review+
Updated • 9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 3 • 9 years ago
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20151027210448" and the hash "35f73f6ea2a90eb5ac45e5cc17efc351bfb4c2da".
The "bad" changeset has the timestamp "20151027214832" and the hash "e903447ff321014cca5a95ef4aff6b84c318fa0b".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=35f73f6ea2a90eb5ac45e5cc17efc351bfb4c2da&tochange=e903447ff321014cca5a95ef4aff6b84c318fa0b
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d88611ee1de7
Disallow creation of workers while running simulated OOM tests r=terrence
Comment 5 (bugherder) • 9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50