Closed Bug 1292564 Opened 4 years ago Closed 4 years ago

Assertion failure: CurrentThreadIsGCSweeping(), at js/src/jsweakmap.cpp:35 with OOM and Debugger

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla51
Tracking Status
firefox50 --- fixed
firefox51 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 1576e7bc1bec (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

loadFile(`
  global = newGlobal();
  Debugger(global).onDebuggerStatement = function (frame) {
    frame.eval("f")
  }
  global.eval("function f(n){printprintprint} debugger");
`);
loadFile(lfLogBuffer); // lfLogBuffer is a fuzzer-harness variable, not defined in this testcase
function loadFile(lfVarx) {
  oomTest(Function(lfVarx))
}

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x00000000009958f8 in js::WeakMapBase::~WeakMapBase (this=0x7fffed05a400, __in_chrg=<optimized out>) at js/src/jsweakmap.cpp:35
#0  0x00000000009958f8 in js::WeakMapBase::~WeakMapBase (this=0x7fffed05a400, __in_chrg=<optimized out>) at js/src/jsweakmap.cpp:35
#1  0x0000000000b1ea0e in js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value>, js::MovableCellHasher<js::HeapPtr<JSObject*> > >::~WeakMap (this=0x7fffed05a400, __in_chrg=<optimized out>) at js/src/jsweakmap.h:120
#2  js::ObjectValueMap::~ObjectValueMap (this=0x7fffed05a400, __in_chrg=<optimized out>) at js/src/jsweakmap.h:376
#3  js::ObjectWeakMap::~ObjectWeakMap (this=0x7fffed05a400, __in_chrg=<optimized out>) at js/src/jsweakmap.h:390
#4  js::DebugScopes::~DebugScopes (this=0x7fffed05a400, __in_chrg=<optimized out>) at js/src/vm/ScopeObject.cpp:2494
#5  0x0000000000b1ec76 in js_delete<js::DebugScopes> (p=0x7fffed05a400) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/js/Utility.h:382
#6  JS::DeletePolicy<js::DebugScopes>::operator() (this=<optimized out>, ptr=0x7fffed05a400) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/js/Utility.h:484
#7  mozilla::UniquePtr<js::DebugScopes, JS::DeletePolicy<js::DebugScopes> >::reset (aPtr=0x0, this=<synthetic pointer>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/mozilla/UniquePtr.h:343
#8  mozilla::UniquePtr<js::DebugScopes, JS::DeletePolicy<js::DebugScopes> >::~UniquePtr (this=<synthetic pointer>, __in_chrg=<optimized out>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/mozilla/UniquePtr.h:288
#9  js::DebugScopes::ensureCompartmentData (cx=cx@entry=0x7ffff6965000) at js/src/vm/ScopeObject.cpp:2596
#10 0x0000000000b1ed68 in js::DebugScopes::addDebugScope (cx=cx@entry=0x7ffff6965000, scope=..., debugScope=...) at js/src/vm/ScopeObject.cpp:2630
#11 0x0000000000b2b789 in GetDebugScopeForScope (si=..., cx=0x7ffff6965000) at js/src/vm/ScopeObject.cpp:2985
#12 GetDebugScope (cx=0x7ffff6965000, si=...) at js/src/vm/ScopeObject.cpp:3106
#13 0x0000000000b2b60e in GetDebugScope (cx=0x7ffff6965000, si=...) at js/src/vm/ScopeObject.cpp:3112
#14 0x0000000000b2ba0d in GetDebugScopeForMissing (si=..., cx=0x7ffff6965000) at js/src/vm/ScopeObject.cpp:3000
#15 GetDebugScope (cx=0x7ffff6965000, si=...) at js/src/vm/ScopeObject.cpp:3109
#16 0x0000000000b2c23b in js::GetDebugScopeForFrame (cx=cx@entry=0x7ffff6965000, frame=..., pc=pc@entry=0x7ffff69b7331 "sș\215\t\210\037\212\b") at js/src/vm/ScopeObject.cpp:3137
#17 0x0000000000a551fb in DebuggerGenericEval (cx=cx@entry=0x7ffff6965000, bindings=bindings@entry=..., options=..., vp=..., dbg=0x7fffe63d3000, scope=..., iter=0x7fffffff9a58, chars=...) at js/src/vm/Debugger.cpp:7961
#18 0x0000000000a56bfd in DebuggerFrame_eval (cx=0x7ffff6965000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:8025
#19 0x00007ffff7ff59a5 in ?? ()
#20 0x0000000000000216 in ?? ()
#21 0x00007fffffff9f00 in ?? ()
#22 0x0000000000000000 in ?? ()
rip	0x9958f8 <js::WeakMapBase::~WeakMapBase()+264>
=> 0x9958f8 <js::WeakMapBase::~WeakMapBase()+264>:	movl   $0x0,0x0
   0x995903 <js::WeakMapBase::~WeakMapBase()+275>:	ud2
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781".
The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1
Simplified test case:

oomTest(() => {
    let global = newGlobal();
    Debugger(global).onDebuggerStatement = function (frame) {
        frame.eval("f")
    }
    global.eval("debugger")
}, false);
Assignee: nobody → jcoppeard
Blocks: 1288780
I messed up part of the fix for bug 1288780 by adding a DeletePolicy that did the wrong thing, for the wrong class.  Fortunately the fuzzers found the problem.
Attachment #8779383 - Flags: review?(terrence)
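A constructed C++ model of the failure path in the backtrace above (added here; not SpiderMonkey code and not the patch from this bug): the owner's fallible initialisation fails, the owning pointer's deleter runs immediately, and a weak-map destructor that is only valid during GC sweep fires outside it. The second shape is one illustrative way to keep OOM unwinding away from sweep-only destructors; it is not a description of changeset c205c2aeb5db. The driver imitates the shell's oomTest by failing one allocation per run.

```cpp
#include <memory>

static bool gSweeping   = false;  // stands in for CurrentThreadIsGCSweeping()
static int  gAllocCount = 0;      // allocations seen in the current run
static int  gFailAt     = 0;      // 0 = never fail, N = fail the Nth allocation
static int  gViolations = 0;      // weak-map destructor ran outside sweep

// Fallible allocation; the driver below fails exactly one per run.
static bool tryAllocate() { return ++gAllocCount != gFailAt; }

struct WeakMapModel {
    ~WeakMapModel() { if (!gSweeping) ++gViolations; }  // the asserted invariant
};

// Buggy shape: the weak map is a by-value member, so it already exists when
// init() fails and is destroyed by the owning pointer on the OOM unwind.
struct DebugScopesBuggy {
    WeakMapModel proxiedScopes;
    bool init() { return tryAllocate(); }
};
static bool ensureBuggy() {
    std::unique_ptr<DebugScopesBuggy> ds(new DebugScopesBuggy);
    if (!ds->init()) return false;          // deleter runs here: violation
    gSweeping = true; ds.reset(); gSweeping = false;  // model: freed at GC sweep
    return true;
}

// Illustrative alternative (not the landed fix): finish all fallible work first.
struct DebugScopesTwoPhase {
    std::unique_ptr<WeakMapModel> proxiedScopes;
    bool init() {
        if (!tryAllocate()) return false;   // fallible part before any weak map
        proxiedScopes.reset(new WeakMapModel);
        return true;
    }
};
static bool ensureTwoPhase() {
    std::unique_ptr<DebugScopesTwoPhase> ds(new DebugScopesTwoPhase);
    if (!ds->init()) return false;          // proxiedScopes is still null
    gSweeping = true; ds.reset(); gSweeping = false;
    return true;
}

// oomTest-style driver: fail allocation n on run n; count out-of-sweep teardowns.
template <typename F> static int oomTest(F f, int maxAllocs) {
    gViolations = 0;
    for (int n = 1; n <= maxAllocs; ++n) { gAllocCount = 0; gFailAt = n; f(); }
    gFailAt = 0;
    return gViolations;
}
```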
Comment on attachment 8779383 [details] [diff] [review]
bug1292564-debug-scope-oom

Review of attachment 8779383 [details] [diff] [review]:
-----------------------------------------------------------------

Wow, nice find indeed!
Attachment #8779383 - Flags: review?(terrence) → review+
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3d8a4df99f0f
Fix OOM handling while constructing DebugScopes r=terrence
Backout by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1b6779af98aa
Backed out changeset 3d8a4df99f0f for rooting hazards
I'm going to add roots in a couple of places and re-land.
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c205c2aeb5db
Fix OOM handling while constructing DebugScopes r=terrence
https://hg.mozilla.org/mozilla-central/rev/c205c2aeb5db
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Jon, it would be nice if we could have this backported to aurora, thanks!
Flags: needinfo?(jcoppeard)
Comment on attachment 8779383 [details] [diff] [review]
bug1292564-debug-scope-oom

Approval Request Comment
[Feature/regressing bug #]: Bug 1288780.
[User impact if declined]: Possible crashes on OOM.
[Describe test coverage new/current, TreeHerder]: On m-c since August 11th.
[Risks and why]: Low.
[String/UUID change made/needed]: None.
Flags: needinfo?(jcoppeard)
Attachment #8779383 - Flags: approval-mozilla-aurora?
Comment on attachment 8779383 [details] [diff] [review]
bug1292564-debug-scope-oom

Crash fix, has stabilized on Nightly for a few days, Aurora50+
Attachment #8779383 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+