Closed Bug 1285490 Opened 8 years ago Closed 8 years ago

Crash [@ js::EnqueuePendingParseTasksAfterGC]

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla50
Tracking Status
firefox50 --- fixed

People

(Reporter: decoder, Assigned: jandem)

Details

(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 4764b9f8e6d4 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --without-intl-api --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --target=i686-pc-linux-gnu, run with --fuzzing-safe --ion-offthread-compile=off):

gczeal(4);
offThreadCompileScript(`
`);


Backtrace:

==23678==ERROR: AddressSanitizer: SEGV on unknown address 0x000ffffc (pc 0x097f43b2 bp 0xfff8bee8 sp 0xfff8bdc0 T0)
==23678==The signal is caused by a READ memory access.
    #0 0x97f43b1 in js::EnqueuePendingParseTasksAfterGC(JSRuntime*) js/src/gc/Heap.h:1147:34
    #1 0x92ac04c in js::AutoEnqueuePendingParseTasksAfterGC::~AutoEnqueuePendingParseTasksAfterGC() js/src/jsgc.cpp:6334:9
    #2 0x92ac04c in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) js/src/jsgc.cpp:6329
    #3 0x9278fdc in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::gcreason::Reason) js/src/jsgc.cpp:6356:5
    #4 0x99711e9 in JSRuntime::destroyRuntime() js/src/vm/Runtime.cpp:436:9
    #5 0x9181378 in JSContext::~JSContext() js/src/jscntxt.cpp:896:5
    #6 0x9178686 in void js_delete_poison<JSContext>(JSContext const*) dist/include/js/Utility.h:392:9
    #7 0x9178686 in js::DestroyContext(JSContext*) js/src/jscntxt.cpp:135
    #8 0x90fc5f0 in JS_DestroyRuntime(JSRuntime*) js/src/jsapi.cpp:464:5
    #9 0x81c8a34 in main js/src/shell/js.cpp:7459:5
    #10 0xf72fb636 in __libc_start_main (/lib32/libc.so.6+0x18636)
    #11 0x80abba8 in _start (/home/ubuntu/mozilla-central/js/src/dist/bin/js+0x80abba8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/gc/Heap.h:1147:34 in js::EnqueuePendingParseTasksAfterGC(JSRuntime*)
==23678==ABORTING


I thought this bug was fixed but apparently it's not. Marking s-s and fuzzblocker because it involves GC and is highly frequent.
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/0ca871e39a20
user:        Jan de Mooij
date:        Wed Jun 22 09:47:52 2016 +0200
summary:     Bug 1279295 - Create the runtime's JSContext when we create the runtime. r=luke

This iteration took 177.249 seconds to run.
Flags: needinfo?(jdemooij)
Attached patch: Patch
Here's the patch, as discussed, to make off-thread parsing not be blocked on the pre-barrier verifier.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8769306 - Flags: review?(terrence)
Group: javascript-core-security
Attachment #8769306 - Flags: review?(terrence) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0dd733f54a0d
Fix activeGCInAtomsZone to handle the pre-barrier verifier correctly. r=terrence
https://hg.mozilla.org/mozilla-central/rev/0dd733f54a0d
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
This is still reproducible in low volume on Fx50, based on the last 3 months of crash data.

  SIGNATURE   | js::EnqueuePendingParseTasksAfterGC
  -------------------------------------------------
  CRASH STATS | http://tinyurl.com/jazmcxa
  -------------------------------------------------
  OVERVIEW    | 0 crashes on nightly 52
              | 0 crashes on nightly 51
              | 0 crashes on aurora 51
              | 0 crashes on nightly 50
              | 0 crashes on aurora 50
              | 3 crashes on beta 50
  -------------------------------------------------
  LAST CRASH  | 2016-09-24 (on 50.0b1)