Closed
Bug 1341326
Opened 7 years ago
Closed 7 years ago
Crash [@ js::frontend::ParseNodeAllocator::allocNode] with offThreadCompileModule and stack space exhaustion
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla54
Tracking | Status | |
---|---|---|
firefox51 | --- | unaffected |
firefox52 | --- | unaffected |
firefox53 | --- | unaffected |
firefox54 | --- | fixed |
People
(Reporter: decoder, Assigned: bhackett1024)
References
Details
(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])
Crash Data
Attachments
(1 file)
patch (5.75 KB), jandem: review+
The following testcase crashes on mozilla-central revision c3cbadc5d2fa (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):

```js
function eval(source) {
  offThreadCompileModule(source);
}
var N = 10000;
var left = repeat_str('(1&', N);
var right = repeat_str(')', N);
var str = 'actual = '.concat(left, '1', right, ';');
eval(str);
function repeat_str(str, repeat_count) {
  var arr = new Array(--repeat_count);
  while (repeat_count != 0)
    arr[--repeat_count] = str;
  return str.concat.apply(str, arr);
}
```

Backtrace:

```
received signal SIGSEGV, Segmentation fault.
#0  0x0000000000d186a8 in js::frontend::ParseNodeAllocator::allocNode (this=0x7ffff40f8f50) at js/src/frontend/ParseNode.cpp:557
#1  0x0000000000d1a566 in js::frontend::ParseNodeAllocator::allocNode (this=this@entry=0x7ffff40f8f50) at js/src/frontend/ParseNode.cpp:569
#2  0x00000000004ae1ff in js::frontend::FullParseHandler::allocParseNode (size=48, this=<optimized out>) at js/src/frontend/FullParseHandler.h:35
#3  js::frontend::FullParseHandler::new_<js::frontend::NullaryNode, js::frontend::ParseNodeKind, js::frontend::TokenPos&>(js::frontend::ParseNodeKind&&, js::frontend::TokenPos&) (this=<optimized out>) at js/src/frontend/FullParseHandler.h:70
#4  js::frontend::FullParseHandler::newNumber (pos=..., decimalPoint=js::frontend::NoDecimal, value=1, this=<optimized out>) at js/src/frontend/FullParseHandler.h:132
#5  js::frontend::Parser<js::frontend::FullParseHandler>::newNumber (this=this@entry=0x7ffff40f8a90, tok=...) at js/src/frontend/Parser.h:1458
#6  0x00000000004d500a in js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr (this=this@entry=0x7ffff40f8a90, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, tt=js::frontend::TOK_NUMBER, possibleError=possibleError@entry=0x7ffff38fb4a0, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:9428
#7  0x00000000004d55a1 in js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr (this=this@entry=0x7ffff40f8a90, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, tt=js::frontend::TOK_NUMBER, allowCallSyntax=allowCallSyntax@entry=true, possibleError=possibleError@entry=0x7ffff38fb4a0, invoked=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:8384
#8  0x00000000004d6387 in js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr (this=this@entry=0x7ffff40f8a90, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, tripledotHandling=js::frontend::TripledotAllowed, possibleError=possibleError@entry=0x7ffff38fb4a0, invoked=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:7920
#9  0x00000000004d6891 in js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1 (this=this@entry=0x7ffff40f8a90, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, possibleError=possibleError@entry=0x7ffff38fb4a0, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:7387
#10 0x00000000004d6c6e in js::frontend::Parser<js::frontend::FullParseHandler>::condExpr1 (this=this@entry=0x7ffff40f8a90, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, possibleError=possibleError@entry=0x7ffff38fb4a0, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:7453
#11 0x00000000004cfd43 in js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr (this=this@entry=0x7ffff40f8a90, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, possibleError=possibleError@entry=0x0, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:7595
#12 0x00000000004d07c7 in js::frontend::Parser<js::frontend::FullParseHandler>::expr (this=this@entry=0x7ffff40f8a90, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, possibleError=possibleError@entry=0x0, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:7218
#13 0x00000000004d15ff in js::frontend::Parser<js::frontend::FullParseHandler>::exprInParens (this=this@entry=0x7ffff40f8a90, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, possibleError=possibleError@entry=0x0) at js/src/frontend/Parser.cpp:9514
#14 0x00000000004d4fa8 in js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr (this=this@entry=0x7ffff40f8a90, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, tt=<optimized out>, possibleError=possibleError@entry=0x0, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:9383
#15 0x00000000004d55a1 in js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr (this=this@entry=0x7ffff40f8a90, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, tt=js::frontend::TOK_LP, allowCallSyntax=allowCallSyntax@entry=true, possibleError=possibleError@entry=0x0, invoked=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:8384
#16 0x00000000004d6387 in js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr (this=this@entry=0x7ffff40f8a90, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, tripledotHandling=js::frontend::TripledotAllowed, possibleError=possibleError@entry=0x0, invoked=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:7920
[...]
#127 0x00000000004d55a1 in js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr (this=0x7ffff40f8a90, yieldHandling=js::frontend::YieldIsKeyword, tripledotHandling=js::frontend::TripledotAllowed, tt=js::frontend::TOK_LP, allowCallSyntax=true, possibleError=0x0, invoked=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:8384
rax            0x0      0
rbx            0x7ffff40f8a90   140737288047248
rcx            0x0      0
rdx            0x4d4ff0 5066736
rsi            0x7ffff40f8d68   140737288047976
rdi            0x7ffff40f8f50   140737288048464
rbp            0x7ffff38fb010   140737279668240
rsp            0x7ffff38fb000   140737279668224
r8             0x7ffff38fb4a0   140737279669408
r9             0x1      1
r10            0x7ffff00bc000   140737220689920
r11            0x3      3
r12            0x7ffff40f8d68   140737288047976
r13            0x0      0
r14            0x7ffff40f91b0   140737288049072
r15            0x11     17
rip            0xd186a8 <js::frontend::ParseNodeAllocator::allocNode()+8>
=> 0xd186a8 <js::frontend::ParseNodeAllocator::allocNode()+8>:  push   %r13
   0xd186aa <js::frontend::ParseNodeAllocator::allocNode()+10>: push   %r12
```

Marking as fuzzblocker because stack space exhaustions are notoriously hard to track.
Updated•7 years ago
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
Comment 1•7 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/795c13350e9a
user: Brian Hackett
date: Wed Feb 15 10:39:44 2017 -0700
summary: Bug 1337491 - Off thread parsing changes for multithreaded runtimes, r=jandem,jonco.

This iteration took 263.419 seconds to run.
Brian, is bug 1337491 a likely regressor?
Blocks: 1337491
Flags: needinfo?(bhackett1024)
Assignee
Comment 3•7 years ago
The stack limit is not being set anywhere for helper threads. This also fixes an issue where the Thread() constructor did not copy its options (including the stack size), which was causing helper threads to be created with the default stack size, causing the testcase to crash on OS X earlier than the blame revision here.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8839682 - Flags: review?(jdemooij)
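An added illustration of the mitigation Brian describes, not SpiderMonkey's own code: a recursive-descent parser for the testcase's `(1&...` grammar that consults a per-thread stack limit before each recursive call and reports too-much-recursion instead of running off the stack. All names (`setStackLimit`, `checkRecursion`, `parseWithBudget`, `nested`) are this example's own, and it assumes a downward-growing native stack (x86-64, ARM).

```cpp
// Added example, not SpiderMonkey code: a recursive-descent parser that checks a
// per-thread native-stack limit before each call, the guard helper threads lacked.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

enum class ParseResult { Ok, SyntaxError, TooMuchRecursion };

// Lowest stack address the parser may still use; 0 = no limit (the buggy state).
static thread_local uintptr_t gStackLimit = 0;

// Put the limit 'budget' bytes below the current stack position. A runtime must derive
// 'budget' from the size the thread was really created with (downward-growing stack assumed).
static void setStackLimit(size_t budget) {
    char probe;
    gStackLimit = reinterpret_cast<uintptr_t>(&probe) - budget;
}

static bool checkRecursion() {  // true while the current frame is still above the limit
    char probe;
    return reinterpret_cast<uintptr_t>(&probe) > gStackLimit;
}

// expr := '1' | '(' expr '&' expr ')'   (the shape of the fuzzer's testcase)
static ParseResult parseExpr(const char*& p) {
    if (!checkRecursion()) return ParseResult::TooMuchRecursion;  // report, don't crash
    if (*p == '1') { ++p; return ParseResult::Ok; }
    if (*p++ != '(') return ParseResult::SyntaxError;
    ParseResult r = parseExpr(p);
    if (r != ParseResult::Ok) return r;
    if (*p++ != '&') return ParseResult::SyntaxError;
    if ((r = parseExpr(p)) != ParseResult::Ok) return r;
    return *p++ == ')' ? ParseResult::Ok : ParseResult::SyntaxError;
}

// Install this thread's limit, then parse the whole string.
ParseResult parseWithBudget(const std::string& src, size_t budget) {
    setStackLimit(budget);
    const char* p = src.c_str();
    ParseResult r = parseExpr(p);
    return (r == ParseResult::Ok && *p != '\0') ? ParseResult::SyntaxError : r;
}

// N copies of "(1&", then "1", then N ")": what the testcase's repeat_str builds.
std::string nested(size_t n) {
    std::string s;
    for (size_t i = 0; i < n; ++i) s += "(1&";
    return s + '1' + std::string(n, ')');
}

int main() {  // the 10000-deep input stops cleanly against a 64 KiB budget
    bool bailed = parseWithBudget(nested(10000), 64 * 1024) == ParseResult::TooMuchRecursion;
    std::printf("too much recursion reported: %s\n", bailed ? "yes" : "no");
}
```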
Updated•7 years ago
status-firefox51: --- → unaffected
status-firefox52: --- → unaffected
status-firefox53: --- → unaffected
Comment 4•7 years ago
Comment on attachment 8839682 [details] [diff] [review]
patch

Review of attachment 8839682 [details] [diff] [review]:
-----------------------------------------------------------------

Hm good find.
Attachment #8839682 - Flags: review?(jdemooij) → review+
Pushed by bhackett@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/f2019fbd6f8c Set stack limit and stack size properly for helper threads, r=jandem.
Comment 6•7 years ago
Backed out for failing backup-point-bug1315634.js and more on arm:

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=f2019fbd6f8c41163eb540d798558d44fcf176f4&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-resultStatus=retry&filter-resultStatus=usercancel&filter-resultStatus=runnable

Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=79324861&repo=mozilla-inbound

```
[task 2017-02-22T12:20:23.760034Z] make[1]: Entering directory '/home/worker/workspace/build/src/obj-spider/js/src'
[task 2017-02-22T12:20:23.760085Z] /home/worker/workspace/build/src/obj-spider/_virtualenv/bin/python -u /home/worker/workspace/build/src/js/src/jit-test/jit_test.py \
[task 2017-02-22T12:20:23.760110Z]         --no-slow --no-progress --format=automation --jitflags=all \
[task 2017-02-22T12:20:23.760125Z]          \
[task 2017-02-22T12:20:23.760153Z]         --jitflags=none --args=--baseline-eager -x ion/ -x asm.js/ \
[task 2017-02-22T12:20:23.760175Z]         ../../dist/bin/js
[task 2017-02-22T12:20:25.037924Z] Exit code: -11
[task 2017-02-22T12:20:25.038001Z] FAIL - backup-point-bug1315634.js
[task 2017-02-22T12:20:25.038083Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/backup-point-bug1315634.js | Unknown (code -11, args "")
[task 2017-02-22T12:20:25.038118Z] INFO exit-status     : -11
[task 2017-02-22T12:20:25.038153Z] INFO timed-out       : False
[task 2017-02-22T12:20:25.038193Z] Exit code: -11
[task 2017-02-22T12:20:25.038222Z] FAIL - bug1323854-2.js
```
Flags: needinfo?(bhackett1024)
Backout by archaeopteryx@coole-files.de: https://hg.mozilla.org/integration/mozilla-inbound/rev/0bdfccec471f Backed out changeset f2019fbd6f8c for failing backup-point-bug1315634.js and more on arm. r=backout
Pushed by bhackett@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/b2b72530f293 Set stack limit and stack size properly for helper threads, r=jandem.
Assignee
Updated•7 years ago
Flags: needinfo?(bhackett1024)
Comment 9•7 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/b2b72530f293
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Comment 10•7 years ago
good news, I see a talos improvement for memory with this change:

== Change summary for alert #5237 (as of February 22 2017 16:23 UTC) ==

Improvements:

12% tp5o Private Bytes linux64 pgo e10s 1042362749.03 -> 922403190.15
11% tp5o Private Bytes linux64 opt e10s 1049379463.81 -> 930747181.16
9% tp5o Private Bytes linux64 opt 705075935.18 -> 643325375.12
8% tp5o Private Bytes linux64 pgo 705449315.09 -> 647177058.84

For up to date results, see: https://treeherder.mozilla.org/perf.html#/alerts?id=5237