1354480 - Crash [@ js::gc::IsInsideNursery] with Debugger

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision b043233ec04f (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

test = "function f(a) { return a } f`a$b`";
evalWithCache(test, {});
dbg = new Debugger();
gczeal(9, 1);
dbg.findScripts('January 0 0 is invalid');
function evalWithCache(code, ctx) {
    ctx.global = newGlobal();
    evaluate(code, ctx)
}



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x00000000004fdc18 in js::gc::IsInsideNursery (cell=0xfff9000000000000) at dist/include/js/HeapAPI.h:328
#0  0x00000000004fdc18 in js::gc::IsInsideNursery (cell=0xfff9000000000000) at dist/include/js/HeapAPI.h:328
#1  js::gc::Cell::isTenured (this=0xfff9000000000000) at js/src/gc/Heap.h:251
#2  js::gc::TenuredCell::arena (this=0xfff9000000000000) at js/src/gc/Heap.h:1242
#3  0x0000000000df8fa8 in js::gc::TenuredCell::zoneFromAnyThread (this=<optimized out>) at js/src/gc/Heap.h:1271
#4  JSObject::zoneFromAnyThread (this=0x7ffff46c1080) at js/src/jsobj.h:308
#5  js::CheckTracedThing<JSObject> (trc=trc@entry=0x7fffffffabf8, thing=0x7ffff46c1080) at js/src/gc/Marking.cpp:216
#6  0x0000000000e2182f in DoCallback<JSObject*> (trc=0x7fffffffabf0, thingp=0x7ffff4324118, name=0x10df1f8 "hashmap value") at js/src/gc/Tracer.cpp:49
#7  0x0000000000965187 in JS::GCPointerPolicy<JSObject*>::trace (name=0x10df1f8 "hashmap value", vp=<optimized out>, trc=0x7fffffffabf8) at dist/include/js/GCPolicyAPI.h:120
#8  JS::GCHashMap<JSObject*, JSObject*, js::TemplateRegistryHashPolicy, js::SystemAllocPolicy, JS::DefaultMapSweepPolicy<JSObject*, JSObject*> >::trace (trc=0x7fffffffabf8, this=0x7ffff692aca8) at dist/include/js/GCHashTable.h:67
#9  JSCompartment::trace (this=0x7ffff692a800, trc=trc@entry=0x7fffffffabf8) at js/src/jscompartment.cpp:715
#10 0x0000000000991fe2 in js::gc::GCRuntime::updateZonePointersToRelocatedCells (this=this@entry=0x7ffff695e678, zone=zone@entry=0x7ffff4339000, lock=...) at js/src/jsgc.cpp:2548
#11 0x00000000009be0b8 in js::gc::GCRuntime::compactPhase (this=this@entry=0x7ffff695e678, reason=reason@entry=JS::gcreason::DEBUG_GC, sliceBudget=..., lock=...) at js/src/jsgc.cpp:5721
#12 0x00000000009beaa4 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff695e678, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC, lock=...) at js/src/jsgc.cpp:6216
#13 0x00000000009bfcd4 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff695e678, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6453
#14 0x00000000009c05c8 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff695e678, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6602
#15 0x00000000009c1f6c in js::gc::GCRuntime::runDebugGC (this=this@entry=0x7ffff695e678) at js/src/jsgc.cpp:7137
#16 0x0000000000d33995 in js::gc::GCRuntime::gcIfNeededPerAllocation (this=0x7ffff695e678, cx=cx@entry=0x7ffff694c000) at js/src/gc/Allocator.cpp:230
#17 0x0000000000d41aa8 in js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=<optimized out>, cx=0x7ffff694c000, kind=js::gc::AllocKind::ACCESSOR_SHAPE) at js/src/gc/Allocator.cpp:191
#18 0x0000000000d4524a in js::Allocate<js::AccessorShape, (js::AllowGC)1> (cx=cx@entry=0x7ffff694c000) at js/src/gc/Allocator.cpp:142
#19 0x0000000000a025a1 in js::Shape::new_ (nfixed=7, other=..., cx=0x7ffff694c000) at js/src/vm/Shape-inl.h:111
#20 js::PropertyTree::getChild (this=this@entry=0x7ffff424ca68, cx=cx@entry=0x7ffff694c000, parentArg=parentArg@entry=0x7ffff469c468, child=child@entry=...) at js/src/jspropertytree.cpp:185
#21 0x0000000000bbc49b in js::NativeObject::getChildProperty (cx=cx@entry=0x7ffff694c000, obj=obj@entry=..., parent=..., parent@entry=..., child=child@entry=...) at js/src/vm/Shape.cpp:355
#22 0x0000000000bd1527 in js::NativeObject::addPropertyInternal (cx=cx@entry=0x7ffff694c000, obj=obj@entry=..., id=..., id@entry=..., getter=0x7ffff46ac900, setter=0x0, slot=16777215, attrs=112, flags=0, entry=0x0, allowDictionary=true, keep=...) at js/src/vm/Shape.cpp:529
#23 0x0000000000bd21ca in js::NativeObject::putProperty (cx=cx@entry=0x7ffff694c000, obj=..., obj@entry=..., id=id@entry=..., getter=0x7ffff46ac900, setter=0x0, slot=slot@entry=16777215, attrs=112, flags=0) at js/src/vm/Shape.cpp:678
#24 0x0000000000b86894 in AddOrChangeProperty (cx=cx@entry=0x7ffff694c000, obj=obj@entry=..., id=id@entry=..., desc=...) at js/src/vm/NativeObject.cpp:1260
#25 0x0000000000b875b1 in js::NativeDefineProperty (cx=cx@entry=0x7ffff694c000, obj=..., id=..., id@entry=..., desc_=..., result=...) at js/src/vm/NativeObject.cpp:1484
#26 0x00000000009ee3ef in js::DefineProperty (cx=cx@entry=0x7ffff694c000, obj=..., id=..., id@entry=..., value=..., getter=<optimized out>, setter=setter@entry=0x0, attrs=80, result=...) at js/src/jsobj.cpp:2754
#27 0x00000000009f199e in js::DefineProperty (cx=cx@entry=0x7ffff694c000, obj=..., obj@entry=..., id=..., id@entry=..., value=..., value@entry=..., getter=<optimized out>, setter=setter@entry=0x0, attrs=80) at js/src/jsobj.cpp:2785
#28 0x000000000094831b in DefinePropertyById (cx=cx@entry=0x7ffff694c000, obj=..., obj@entry=..., id=..., id@entry=..., value=..., get=..., set=..., attrs=80, flags=0) at js/src/jsapi.cpp:2210
#29 0x0000000000949718 in JS_DefineProperties (cx=cx@entry=0x7ffff694c000, obj=..., obj@entry=..., ps=0x1e6c700 <js::SavedFrame::protoAccessors+96>) at js/src/jsapi.cpp:3232
#30 0x0000000000b5af2e in js::GlobalObject::resolveConstructor (cx=cx@entry=0x7ffff694c000, global=..., key=key@entry=JSProto_SavedFrame) at js/src/vm/GlobalObject.cpp:238
#31 0x0000000000b5b5c8 in js::GlobalObject::ensureConstructor (cx=cx@entry=0x7ffff694c000, global=..., global@entry=..., key=key@entry=JSProto_SavedFrame) at js/src/vm/GlobalObject.cpp:122
#32 0x0000000000bb48a2 in js::GlobalObject::getOrCreateSavedFramePrototype (global=..., cx=0x7ffff694c000) at js/src/vm/GlobalObject.h:405
#33 js::SavedFrame::create (cx=cx@entry=0x7ffff694c000) at js/src/vm/SavedStacks.cpp:527
#34 0x0000000000bdde9e in js::SavedStacks::createFrameFromLookup (this=this@entry=0x7ffff692b0f8, cx=cx@entry=0x7ffff694c000, lookup=..., lookup@entry=...) at js/src/vm/SavedStacks.cpp:1517
#35 0x0000000000bde00e in js::SavedStacks::getOrCreateSavedFrame (this=this@entry=0x7ffff692b0f8, cx=cx@entry=0x7ffff694c000, lookup=lookup@entry=...) at js/src/vm/SavedStacks.cpp:1504
#36 0x0000000000bdf6c5 in js::SavedStacks::insertFrames(JSContext*, js::FrameIter&, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=this@entry=0x7ffff692b0f8, cx=cx@entry=0x7ffff694c000, iter=..., frame=..., frame@entry=..., capture=capture@entry=<unknown type in /mnt/LangFuzz/work/builds/debug64/dist/bin/js, CU 0x4dc95f6, DIE 0x502f07a>) at js/src/vm/SavedStacks.cpp:1410
#37 0x0000000000bdfb67 in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=0x7ffff692b0f8, cx=cx@entry=0x7ffff694c000, frame=frame@entry=..., capture=capture@entry=<unknown type in /mnt/LangFuzz/work/builds/debug64/dist/bin/js, CU 0x4dc95f6, DIE 0x502f6e2>) at js/src/vm/SavedStacks.cpp:1177
#38 0x000000000094bdd8 in JS::CaptureCurrentStack(JSContext*, JS::MutableHandle<JSObject*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (cx=0x7ffff694c000, stackp=..., capture=<unknown type in /mnt/LangFuzz/work/builds/debug64/dist/bin/js, CU 0x33fde2b, DIE 0x35a49e6>) at js/src/jsapi.cpp:7084
#39 0x000000000094beab in CaptureStack (cx=<optimized out>, stack=...) at js/src/jsexn.cpp:362
#40 0x00000000009504ab in js::ErrorToException (cx=0x7ffff694c000, reportp=0x7fffffffcc20, callback=<optimized out>, userRef=<optimized out>) at js/src/jsexn.cpp:680
#41 0x0000000000953a54 in js::ReportErrorNumberVA (cx=0x7ffff694c000, flags=flags@entry=0, callback=0x92ccf0 <js::GetErrorMessage(void*, unsigned int)>, userRef=0x0, errorNumber=<optimized out>, ap=ap@entry=0x7fffffffccb0, argumentsType=js::ArgumentsAreLatin1) at js/src/jscntxt.cpp:890
#42 0x0000000000953e3d in JS_ReportErrorNumberLatin1VA (cx=<optimized out>, errorCallback=<optimized out>, userRef=<optimized out>, errorNumber=<optimized out>, ap=ap@entry=0x7fffffffccb0) at js/src/jsapi.cpp:5796
#43 0x0000000000953ed8 in JS_ReportErrorNumberLatin1 (cx=cx@entry=0x7ffff694c000, errorCallback=<optimized out>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=40) at js/src/jsapi.cpp:5785
#44 0x00000000009f93a1 in js::ReportNotObject (cx=cx@entry=0x7ffff694c000, v=...) at js/src/jsobj.cpp:88
#45 0x0000000000b1cf23 in js::NonNullObject (cx=0x7ffff694c000, v=...) at js/src/jsobj.h:1334
#46 0x0000000000b14b14 in js::Debugger::findScripts (cx=0x7ffff694c000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:4719
#47 0x0000000000545550 in js::CallJSNative (cx=cx@entry=0x7ffff694c000, native=0xb146d0 <js::Debugger::findScripts(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:291
[...]
#60 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:8664
rax	0xfff90000000fffe8	-1970324835926040
rbx	0x7ffff46c1080	140737294110848
rcx	0x0	0
rdx	0x1	1
rsi	0x7ffff46c1080	140737294110848
rdi	0xfff9000000000000	-1970324836974592
rbp	0x7fffffffaae0	140737488333536
rsp	0x7fffffffaae0	140737488333536
r8	0x1	1
r9	0xc	12
r10	0x0	0
r11	0x246	582
r12	0x7fffffffabf8	140737488333816
r13	0x7ffff695e000	140737330405376
r14	0x7ffff4324300	140737290322688
r15	0xffffffffffffff	72057594037927935
rip	0x4fdc18 <js::gc::TenuredCell::arena() const+24>
=> 0x4fdc18 <js::gc::TenuredCell::arena() const+24>:	mov    (%rax),%eax
   0x4fdc1a <js::gc::TenuredCell::arena() const+26>:	lea    -0x1(%rax),%edx


Not marking s-s because this seems to be Debugger only.

Comment 1

[Jon Coppeard (:jonco)]

Attachment: bug1354480-compartment-tracing

So the problem here is that a compartment can still be live even though its global is not traced.  That means that any JSCompartment members traced via the global trace hook must also be swept, and that wasn't happening for the template literal map.

I also renameed JSCompartment::trace to traceGlobal because the different between that and traceRoots has confused me for ages.  I also realised we don't have to both trace and sweep these edges when compacting - either is enough (I went with sweeping).

Comment 2

[Steve Fink [:sfink] [:s:]]

Comment on attachment 8857013 [details] [diff] [review]
bug1354480-compartment-tracing

Review of attachment 8857013 [details] [diff] [review]:
-----------------------------------------------------------------

That does make more sense.

Comment 3

[Nick Fitzgerald [:fitzgen] [⏰PST; UTC-8]]

(In reply to Jon Coppeard (:jonco) from comment #1)
> I also renameed JSCompartment::trace to traceGlobal because the different
> between that and traceRoots has confused me for ages.  I also realised we
> don't have to both trace and sweep these edges when compacting - either is
> enough (I went with sweeping).

I have been confused by this in the past as well -- happy to see the situation improve a little.

Comment 4

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/92c59df5e13c
Sweep compartment's template literal map r=sfink

Comment 5

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/92c59df5e13c