Closed
Bug 1292564
Opened 8 years ago
Closed 8 years ago
Assertion failure: CurrentThreadIsGCSweeping(), at js/src/jsweakmap.cpp:35 with OOM and Debugger
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla51
People
(Reporter: decoder, Assigned: jonco)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
|
1.17 KB,
patch
|
terrence
:
review+
ritu
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 1576e7bc1bec (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):
loadFile(`
global = newGlobal();
Debugger(global).onDebuggerStatement = function (frame) {
frame.eval("f")
}
global.eval("function f(n){printprintprint} debugger");
`);
loadFile(lfLogBuffer);
function loadFile(lfVarx)
oomTest(Function(lfVarx))
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x00000000009958f8 in js::WeakMapBase::~WeakMapBase (this=0x7fffed05a400, __in_chrg=<optimized out>) at js/src/jsweakmap.cpp:35
#0 0x00000000009958f8 in js::WeakMapBase::~WeakMapBase (this=0x7fffed05a400, __in_chrg=<optimized out>) at js/src/jsweakmap.cpp:35
#1 0x0000000000b1ea0e in js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value>, js::MovableCellHasher<js::HeapPtr<JSObject*> > >::~WeakMap (this=0x7fffed05a400, __in_chrg=<optimized out>) at js/src/jsweakmap.h:120
#2 js::ObjectValueMap::~ObjectValueMap (this=0x7fffed05a400, __in_chrg=<optimized out>) at js/src/jsweakmap.h:376
#3 js::ObjectWeakMap::~ObjectWeakMap (this=0x7fffed05a400, __in_chrg=<optimized out>) at js/src/jsweakmap.h:390
#4 js::DebugScopes::~DebugScopes (this=0x7fffed05a400, __in_chrg=<optimized out>) at js/src/vm/ScopeObject.cpp:2494
#5 0x0000000000b1ec76 in js_delete<js::DebugScopes> (p=0x7fffed05a400) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/js/Utility.h:382
#6 JS::DeletePolicy<js::DebugScopes>::operator() (this=<optimized out>, ptr=0x7fffed05a400) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/js/Utility.h:484
#7 mozilla::UniquePtr<js::DebugScopes, JS::DeletePolicy<js::DebugScopes> >::reset (aPtr=0x0, this=<synthetic pointer>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/mozilla/UniquePtr.h:343
#8 mozilla::UniquePtr<js::DebugScopes, JS::DeletePolicy<js::DebugScopes> >::~UniquePtr (this=<synthetic pointer>, __in_chrg=<optimized out>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/mozilla/UniquePtr.h:288
#9 js::DebugScopes::ensureCompartmentData (cx=cx@entry=0x7ffff6965000) at js/src/vm/ScopeObject.cpp:2596
#10 0x0000000000b1ed68 in js::DebugScopes::addDebugScope (cx=cx@entry=0x7ffff6965000, scope=..., debugScope=...) at js/src/vm/ScopeObject.cpp:2630
#11 0x0000000000b2b789 in GetDebugScopeForScope (si=..., cx=0x7ffff6965000) at js/src/vm/ScopeObject.cpp:2985
#12 GetDebugScope (cx=0x7ffff6965000, si=...) at js/src/vm/ScopeObject.cpp:3106
#13 0x0000000000b2b60e in GetDebugScope (cx=0x7ffff6965000, si=...) at js/src/vm/ScopeObject.cpp:3112
#14 0x0000000000b2ba0d in GetDebugScopeForMissing (si=..., cx=0x7ffff6965000) at js/src/vm/ScopeObject.cpp:3000
#15 GetDebugScope (cx=0x7ffff6965000, si=...) at js/src/vm/ScopeObject.cpp:3109
#16 0x0000000000b2c23b in js::GetDebugScopeForFrame (cx=cx@entry=0x7ffff6965000, frame=..., pc=pc@entry=0x7ffff69b7331 "sș\215\t\210\037\212\b") at js/src/vm/ScopeObject.cpp:3137
#17 0x0000000000a551fb in DebuggerGenericEval (cx=cx@entry=0x7ffff6965000, bindings=bindings@entry=..., options=..., vp=..., dbg=0x7fffe63d3000, scope=..., iter=0x7fffffff9a58, chars=...) at js/src/vm/Debugger.cpp:7961
#18 0x0000000000a56bfd in DebuggerFrame_eval (cx=0x7ffff6965000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:8025
#19 0x00007ffff7ff59a5 in ?? ()
#20 0x0000000000000216 in ?? ()
#21 0x00007fffffff9f00 in ?? ()
#22 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7fffed05a400 140737169957888
rcx 0x7ffff6c28a2d 140737333332525
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffff9040 140737488326720
rsp 0x7fffffff9030 140737488326704
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fdc740 140737353992000
r10 0x0 0
r11 0x0 0
r12 0x0 0
r13 0x7fffed05a400 140737169957888
r14 0x0 0
r15 0x0 0
rip 0x9958f8 <js::WeakMapBase::~WeakMapBase()+264>
=> 0x9958f8 <js::WeakMapBase::~WeakMapBase()+264>: movl $0x0,0x0
0x995903 <js::WeakMapBase::~WeakMapBase()+275>: ud2
|
||
Updated•8 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
||
Comment 1•8 years ago
|
||
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781". The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1
|
Assignee | |
Comment 2•8 years ago
|
||
Simplified test case:
oomTest(() => {
let global = newGlobal();
Debugger(global).onDebuggerStatement = function (frame) {
frame.eval("f")
}
global.eval("debugger")
}, false);|
|
Assignee | |
Updated•8 years ago
|
Assignee: nobody → jcoppeard
|
|
Assignee | |
Comment 3•8 years ago
|
||
I messed up part of the fix for bug 1288780 by adding a DeletePolicy that did the wrong thing, for the wrong class. Fortunately the fuzzers found the problem.
Attachment #8779383 -
Flags: review?(terrence)
|
||
Comment 4•8 years ago
|
||
Comment on attachment 8779383 [details] [diff] [review] bug1292564-debug-scope-oom Review of attachment 8779383 [details] [diff] [review]: ----------------------------------------------------------------- Wow, nice find indeed!
Attachment #8779383 -
Flags: review?(terrence) → review+
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/3d8a4df99f0f Fix OOM handling while constructing DebugScopes r=terrence
Backout by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/1b6779af98aa Backed out changeset 3d8a4df99f0f for rooting hazards
|
|
Assignee | |
Comment 7•8 years ago
|
||
I'm going to add roots in a couple of places and re-land.
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/c205c2aeb5db Fix OOM handling while constructing DebugScopes r=terrence
|
||
Comment 9•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/c205c2aeb5db
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox51:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Jon, it will be nice if we could have this backported to aurora, thanks!
Flags: needinfo?(jcoppeard)
|
|
Assignee | |
Comment 11•8 years ago
|
||
Comment on attachment 8779383 [details] [diff] [review] bug1292564-debug-scope-oom Approval Request Comment [Feature/regressing bug #]: Bug 1288780. [User impact if declined]: Possible crashes on OOM. [Describe test coverage new/current, TreeHerder]: On m-c since August 11th. [Risks and why]: Low. [String/UUID change made/needed]: None.
Flags: needinfo?(jcoppeard)
Attachment #8779383 -
Flags: approval-mozilla-aurora?
Comment on attachment 8779383 [details] [diff] [review] bug1292564-debug-scope-oom Crash fix, has stabilized on Nightly for a few days, Aurora50+
Attachment #8779383 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
||
Comment 13•8 years ago
|
||
| bugherder uplift | ||
https://hg.mozilla.org/releases/mozilla-aurora/rev/b263ff7776f2
You need to log in
before you can comment on or make changes to this bug.
Description
•