Closed Bug 1304543 Opened 8 years ago Closed 8 years ago

Crash [@ js::gc::TenuredCell::arena] or Assertion failure: aIndex < mLength, at dist/include/mozilla/Vector.h:466

Categories: Core :: JavaScript Engine, defect
Platform: x86 Linux
Priority: Not set
Severity: critical
Status: RESOLVED FIXED, target milestone mozilla52
Tracking Status: firefox52 --- fixed
People: Reporter: decoder, Assigned: jonco
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] (5 keywords)
Attachments: 2 files
The following testcase crashes on mozilla-central revision 560b2c805bf7 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --thread-count=2 --baseline-eager):

See attached testcase.

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x086445db in js::gc::TenuredCell::arena (this=<optimized out>) at js/src/gc/Heap.h:1245
#0  0x086445db in js::gc::TenuredCell::arena (this=<optimized out>) at js/src/gc/Heap.h:1245
#1  js::gc::TenuredCell::zoneFromAnyThread (this=<optimized out>) at js/src/gc/Heap.h:1271
#2  IsAboutToBeFinalizedInternal<js::Scope> (thingp=0xf442a074) at js/src/gc/Marking.cpp:2720
#3  0x083a2db9 in IsAboutToBeFinalizedFunctor::operator()<JSObject> (this=<synthetic pointer>, t=0xf442a074) at js/src/jsgc.cpp:3430
#4  JS::DispatchTraceKindTyped<IsAboutToBeFinalizedFunctor, js::gc::Cell**&> (traceKind=<optimized out>, f=...) at dist/include/js/TraceKind.h:186
#5  js::gc::UniqueIdGCPolicy::needsSweep (cell=0xf442a074) at js/src/jsgc.cpp:3441
#6  0x083c7b30 in JS::GCHashMap<js::gc::Cell*, unsigned long long, js::PointerHasher<js::gc::Cell*, 3u>, js::SystemAllocPolicy, js::gc::UniqueIdGCPolicy>::sweep (this=0xf42e0054) at dist/include/js/GCHashTable.h:77
#7  0x083b795f in JS::Zone::sweepUniqueIds (fop=0xffffc710, this=<optimized out>) at js/src/jsgc.cpp:3447
#8  js::gc::GCRuntime::beginSweepingZoneGroup (this=0xf794a498, lock=...) at js/src/jsgc.cpp:5066
#9  0x083b92e7 in js::gc::GCRuntime::beginSweepPhase (this=0xf794a498, destroyingRuntime=true, lock=...) at js/src/jsgc.cpp:5193
#10 0x083bf7df in js::gc::GCRuntime::incrementalCollectSlice (this=0xf794a498, budget=..., reason=JS::gcreason::DESTROY_RUNTIME, lock=...) at js/src/jsgc.cpp:5901
#11 0x083c08af in js::gc::GCRuntime::gcCycle (this=0xf794a498, nonincrementalByAPI=true, budget=..., reason=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:6155
#12 0x083c0cae in js::gc::GCRuntime::collect (this=0xf794a498, nonincrementalByAPI=true, budget=..., reason=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:6283
#13 0x083c113e in js::gc::GCRuntime::gc (this=0xf794a498, gckind=GC_NORMAL, reason=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:6351
#14 0x084fe818 in JSRuntime::destroyRuntime (this=0xf794a108) at js/src/vm/Runtime.cpp:406
#15 0x08370e32 in JSContext::~JSContext (this=0xf794a000, __in_chrg=<optimized out>) at js/src/jscntxt.cpp:936
#16 0x08371740 in js_delete_poison<JSContext> (p=0xf794a000) at dist/include/js/Utility.h:393
#17 js::DestroyContext (cx=0xf794a000) at js/src/jscntxt.cpp:137
#18 0x08371775 in JS_DestroyContext (cx=0xf794a000) at js/src/jsapi.cpp:479
#19 0x0807193a in main (argc=5, argv=0xffffce14, envp=0xffffce2c) at js/src/shell/js.cpp:7684
eax	0x0	0
ebx	0xf3d00000	-204472320
ecx	0xf3da5080	-203796352
edx	0xf442a074	-196960140
esi	0xf42e0054	-198311852
edi	0xf3da5000	-203796480
ebp	0xf442a200	4098007552
esp	0xffffc560	4294952288
eip	0x86445db <IsAboutToBeFinalizedInternal<js::Scope>(js::Scope**)+59>
=> 0x86445db <IsAboutToBeFinalizedInternal<js::Scope>(js::Scope**)+59>:	mov    0x488(%eax),%esi
   0x86445e1 <IsAboutToBeFinalizedInternal<js::Scope>(js::Scope**)+65>:	xor    %eax,%eax
This is a GC crash with a range assert in a debug build, so very likely s-s.
Attached file Testcase
This is a conflict between minimising the nursery size on OOM and nursery zeal mode, which always sets the nursery size to its maximum.  The fix is not to shrink the nursery if we're in this zeal mode.

This is not s-s since we don't enable GC zeal in release builds.
Assignee: nobody → jcoppeard
Attachment #8793824 - Flags: review?(terrence.d.cole)
Blocks: 1294469
Group: javascript-core-security
Comment on attachment 8793824 [details] [diff] [review]
bug1304543-nursery-minimise

Review of attachment 8793824 [details] [diff] [review]:
-----------------------------------------------------------------

Ooh, good find!
Attachment #8793824 - Flags: review?(terrence.d.cole) → review+
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/26b700f37539
Minimising nursery size conflicts with nursery zeal mode r=terrence
https://hg.mozilla.org/mozilla-central/rev/26b700f37539
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52