Closed Bug 1341326 Opened 7 years ago Closed 7 years ago

Crash [@ js::frontend::ParseNodeAllocator::allocNode] with offThreadCompileModule and stack space exhaustion

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla54
Tracking Status
firefox51 --- unaffected
firefox52 --- unaffected
firefox53 --- unaffected
firefox54 --- fixed

People

(Reporter: decoder, Assigned: bhackett1024)

References

Details

(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision c3cbadc5d2fa (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):

function eval(source) {
    offThreadCompileModule(source);
}
var N = 10000;
var left = repeat_str('(1&', N);
var right = repeat_str(')', N);
var str = 'actual = '.concat(left, '1', right, ';');
eval(str);
function repeat_str(str, repeat_count) {
    var arr = new Array(--repeat_count);
    while (repeat_count != 0) arr[--repeat_count] = str;
    return str.concat.apply(str, arr);
}



Backtrace:

 received signal SIGSEGV, Segmentation fault.
#0  0x0000000000d186a8 in js::frontend::ParseNodeAllocator::allocNode (this=0x7ffff40f8f50) at js/src/frontend/ParseNode.cpp:557
#1  0x0000000000d1a566 in js::frontend::ParseNodeAllocator::allocNode (this=this@entry=0x7ffff40f8f50) at js/src/frontend/ParseNode.cpp:569
#2  0x00000000004ae1ff in js::frontend::FullParseHandler::allocParseNode (size=48, this=<optimized out>) at js/src/frontend/FullParseHandler.h:35
#3  js::frontend::FullParseHandler::new_<js::frontend::NullaryNode, js::frontend::ParseNodeKind, js::frontend::TokenPos&>(js::frontend::ParseNodeKind&&, js::frontend::TokenPos&) (this=<optimized out>) at js/src/frontend/FullParseHandler.h:70
#4  js::frontend::FullParseHandler::newNumber (pos=..., decimalPoint=js::frontend::NoDecimal, value=1, this=<optimized out>) at js/src/frontend/FullParseHandler.h:132
#5  js::frontend::Parser<js::frontend::FullParseHandler>::newNumber (this=this@entry=0x7ffff40f8a90, tok=...) at js/src/frontend/Parser.h:1458
#6  0x00000000004d500a in js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr (this=this@entry=0x7ffff40f8a90, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, tt=js::frontend::TOK_NUMBER, possibleError=possibleError@entry=0x7ffff38fb4a0, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:9428
#7  0x00000000004d55a1 in js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr (this=this@entry=0x7ffff40f8a90, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, tt=js::frontend::TOK_NUMBER, allowCallSyntax=allowCallSyntax@entry=true, possibleError=possibleError@entry=0x7ffff38fb4a0, invoked=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:8384
#8  0x00000000004d6387 in js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr (this=this@entry=0x7ffff40f8a90, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, tripledotHandling=js::frontend::TripledotAllowed, possibleError=possibleError@entry=0x7ffff38fb4a0, invoked=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:7920
#9  0x00000000004d6891 in js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1 (this=this@entry=0x7ffff40f8a90, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, possibleError=possibleError@entry=0x7ffff38fb4a0, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:7387
#10 0x00000000004d6c6e in js::frontend::Parser<js::frontend::FullParseHandler>::condExpr1 (this=this@entry=0x7ffff40f8a90, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, possibleError=possibleError@entry=0x7ffff38fb4a0, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:7453
#11 0x00000000004cfd43 in js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr (this=this@entry=0x7ffff40f8a90, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, possibleError=possibleError@entry=0x0, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:7595
#12 0x00000000004d07c7 in js::frontend::Parser<js::frontend::FullParseHandler>::expr (this=this@entry=0x7ffff40f8a90, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, possibleError=possibleError@entry=0x0, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:7218
#13 0x00000000004d15ff in js::frontend::Parser<js::frontend::FullParseHandler>::exprInParens (this=this@entry=0x7ffff40f8a90, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, possibleError=possibleError@entry=0x0) at js/src/frontend/Parser.cpp:9514
#14 0x00000000004d4fa8 in js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr (this=this@entry=0x7ffff40f8a90, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, tt=<optimized out>, possibleError=possibleError@entry=0x0, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:9383
#15 0x00000000004d55a1 in js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr (this=this@entry=0x7ffff40f8a90, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, tt=js::frontend::TOK_LP, allowCallSyntax=allowCallSyntax@entry=true, possibleError=possibleError@entry=0x0, invoked=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:8384
#16 0x00000000004d6387 in js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr (this=this@entry=0x7ffff40f8a90, yieldHandling=yieldHandling@entry=js::frontend::YieldIsKeyword, tripledotHandling=js::frontend::TripledotAllowed, possibleError=possibleError@entry=0x0, invoked=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:7920
[...]
#127 0x00000000004d55a1 in js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr (this=0x7ffff40f8a90, yieldHandling=js::frontend::YieldIsKeyword, tripledotHandling=js::frontend::TripledotAllowed, tt=js::frontend::TOK_LP, allowCallSyntax=true, possibleError=0x0, invoked=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:8384
rax	0x0	0
rbx	0x7ffff40f8a90	140737288047248
rcx	0x0	0
rdx	0x4d4ff0	5066736
rsi	0x7ffff40f8d68	140737288047976
rdi	0x7ffff40f8f50	140737288048464
rbp	0x7ffff38fb010	140737279668240
rsp	0x7ffff38fb000	140737279668224
r8	0x7ffff38fb4a0	140737279669408
r9	0x1	1
r10	0x7ffff00bc000	140737220689920
r11	0x3	3
r12	0x7ffff40f8d68	140737288047976
r13	0x0	0
r14	0x7ffff40f91b0	140737288049072
r15	0x11	17
rip	0xd186a8 <js::frontend::ParseNodeAllocator::allocNode()+8>
=> 0xd186a8 <js::frontend::ParseNodeAllocator::allocNode()+8>:	push   %r13
   0xd186aa <js::frontend::ParseNodeAllocator::allocNode()+10>:	push   %r12


Marking as fuzzblocker because stack space exhaustions are notoriously hard to track.
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/795c13350e9a
user:        Brian Hackett
date:        Wed Feb 15 10:39:44 2017 -0700
summary:     Bug 1337491 - Off thread parsing changes for multithreaded runtimes, r=jandem,jonco.

This iteration took 263.419 seconds to run.
Brian, is bug 1337491 a likely regressor?
Blocks: 1337491
Flags: needinfo?(bhackett1024)
Attached patch patchSplinter Review
The stack limit is not being set anywhere for helper threads.  This also fixes an issue where the Thread() constructor did not copy its options (including the stack size), which was causing helper threads to be created with the default stack size, causing the testcase to crash on OS X earlier than the blame revision here.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8839682 - Flags: review?(jdemooij)
Comment on attachment 8839682 [details] [diff] [review]
patch

Review of attachment 8839682 [details] [diff] [review]:
-----------------------------------------------------------------

Hm good find.
Attachment #8839682 - Flags: review?(jdemooij) → review+
Pushed by bhackett@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f2019fbd6f8c
Set stack limit and stack size properly for helper threads, r=jandem.
Backed out for failing backup-point-bug1315634.js and more on arm:

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=f2019fbd6f8c41163eb540d798558d44fcf176f4&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-resultStatus=retry&filter-resultStatus=usercancel&filter-resultStatus=runnable
Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=79324861&repo=mozilla-inbound

[task 2017-02-22T12:20:23.760034Z] make[1]: Entering directory '/home/worker/workspace/build/src/obj-spider/js/src'
[task 2017-02-22T12:20:23.760085Z] /home/worker/workspace/build/src/obj-spider/_virtualenv/bin/python -u /home/worker/workspace/build/src/js/src/jit-test/jit_test.py \
[task 2017-02-22T12:20:23.760110Z]         --no-slow --no-progress --format=automation --jitflags=all \
[task 2017-02-22T12:20:23.760125Z] 		 \
[task 2017-02-22T12:20:23.760153Z] 		--jitflags=none --args=--baseline-eager -x ion/ -x asm.js/ \
[task 2017-02-22T12:20:23.760175Z]         ../../dist/bin/js 
[task 2017-02-22T12:20:25.037924Z] Exit code: -11
[task 2017-02-22T12:20:25.038001Z] FAIL - backup-point-bug1315634.js
[task 2017-02-22T12:20:25.038083Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/backup-point-bug1315634.js | Unknown (code -11, args "")
[task 2017-02-22T12:20:25.038118Z] INFO exit-status     : -11
[task 2017-02-22T12:20:25.038153Z] INFO timed-out       : False
[task 2017-02-22T12:20:25.038193Z] Exit code: -11
[task 2017-02-22T12:20:25.038222Z] FAIL - bug1323854-2.js
Flags: needinfo?(bhackett1024)
Backout by archaeopteryx@coole-files.de:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0bdfccec471f
Backed out changeset f2019fbd6f8c for failing backup-point-bug1315634.js and more on arm. r=backout
Pushed by bhackett@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/b2b72530f293
Set stack limit and stack size properly for helper threads, r=jandem.
Flags: needinfo?(bhackett1024)
https://hg.mozilla.org/mozilla-central/rev/b2b72530f293
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
good news, I see a talos improvement for memory with this change:
== Change summary for alert #5237 (as of February 22 2017 16:23 UTC) ==

Improvements:

 12%  tp5o Private Bytes linux64 pgo e10s     1042362749.03 -> 922403190.15
 11%  tp5o Private Bytes linux64 opt e10s     1049379463.81 -> 930747181.16
  9%  tp5o Private Bytes linux64 opt          705075935.18 -> 643325375.12
  8%  tp5o Private Bytes linux64 pgo          705449315.09 -> 647177058.84

For up to date results, see: https://treeherder.mozilla.org/perf.html#/alerts?id=5237
You need to log in before you can comment on or make changes to this bug.