1369773 - Assertion failure: ionRecovery_.empty(), at js/src/vm/Stack.cpp:1436 with OOM

Status: RESOLVED DUPLICATE of bug 1464829

(Core :: JavaScript Engine, defect, P3)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision aeb3d0ca558f (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --thread-count=2 --ion-eager --baseline-eager):

loadFile(`
function f(x, y) {
    for (var i=0; i<40; i++) {
	var stack = getBacktrace({args: true, locals: true, thisprops: true});
    }
}
f(1, 2);
`);
function loadFile(lfVarx) {
    oomTest(new Function(lfVarx));
}



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000c09798 in js::jit::JitActivation::~JitActivation (this=0x7fffffffb6c0, __in_chrg=<optimized out>) at js/src/vm/Stack.cpp:1436
#0  0x0000000000c09798 in js::jit::JitActivation::~JitActivation (this=0x7fffffffb6c0, __in_chrg=<optimized out>) at js/src/vm/Stack.cpp:1436
#1  0x00000000006fa69f in EnterIon (data=..., cx=0x7ffff6924000) at js/src/jit/Ion.cpp:2799
#2  js::jit::IonCannon (cx=cx@entry=0x7ffff6924000, state=...) at js/src/jit/Ion.cpp:2902
#3  0x0000000000532e02 in js::RunScript (cx=0x7ffff6924000, state=...) at js/src/vm/Interpreter.cpp:390
#4  0x0000000000533257 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6924000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:488
#5  0x0000000000533538 in InternalCall (cx=cx@entry=0x7ffff6924000, args=...) at js/src/vm/Interpreter.cpp:515
#6  0x000000000053366d in js::Call (cx=cx@entry=0x7ffff6924000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:534
#7  0x00000000009231f8 in JS_CallFunction (cx=cx@entry=0x7ffff6924000, obj=..., fun=..., fun@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2850
#8  0x000000000086e314 in OOMTest (cx=0x7ffff6924000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1541
#9  0x000000000053e37f in js::CallJSNative (cx=cx@entry=0x7ffff6924000, native=0x86def0 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
#10 0x0000000000533123 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6924000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470
#11 0x0000000000533538 in InternalCall (cx=cx@entry=0x7ffff6924000, args=...) at js/src/vm/Interpreter.cpp:515
#12 0x000000000053363a in js::CallFromStack (cx=cx@entry=0x7ffff6924000, args=...) at js/src/vm/Interpreter.cpp:521
#13 0x000000000060c97f in js::jit::DoCallFallback (cx=0x7ffff6924000, frame=0x7fffffffc298, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffc248, res=...) at js/src/jit/BaselineIC.cpp:2453
#14 0x000027dc9195fd77 in ?? ()
[...]
rax	0x0	0
rbx	0x7ffff6924000	140737330167808
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffb570	140737488336240
rsp	0x7fffffffb510	140737488336144
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7fffffffb6c0	140737488336576
r13	0x7fffffffbae0	140737488337632
r14	0x7fffffffb5c0	140737488336320
r15	0x7ffff6924000	140737330167808
rip	0xc09798 <js::jit::JitActivation::~JitActivation()+904>
=> 0xc09798 <js::jit::JitActivation::~JitActivation()+904>:	movl   $0x0,0x0
   0xc097a3 <js::jit::JitActivation::~JitActivation()+915>:	ud2

Comment 1

[Fuzzing Team]

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Iain, this seems oom/oomTest-related, do you mind taking a look?

Comment 3

[Iain Ireland [:iain]]

It looks like this was fixed by Bug 1464829: specifically, these lines here: https://searchfox.org/mozilla-central/source/js/src/jit/BaselineBailouts.cpp#1608-1612. However, I don't have access to the bug, so I don't know how closely that bug duplicates this one.

There's some sort of race condition necessary to trigger this bug: I can only replicate it in an optimized build with offthread compiles enabled. I haven't managed to pinpoint the exact race. Oddly enough, I can almost explain what's going on without involving threads at all. 

GetBacktrace uses recovery info to find the environment chain. This invalidates the script, triggering a bailout. During the bailout, we trigger an OOM. The resulting exception bubbles back up to EnterIon (this bug predates the move to EnterJit). When the  JitActivation goes out of scope, the destructor asserts that the Ion recovery map is empty. However, because we failed halfway through the bailout, there's still an entry in the Ion recovery map, and the assertion fails.

Bug 1464829 adds a ScopeExit to ensure that the Ion recovery map is cleared even in case of failure. This fixes the assertion.

I'm not sure where the race condition enters the picture. My best guess is that we are somehow racing a recompilation that supports argument objects (as described here: https://searchfox.org/mozilla-central/source/js/src/jit/JitFrames.cpp#1987-1995), which would explain why this doesn't happen if we disable offthread compiles.

Nicolas, or somebody else with access to bug 1464829: does this make sense, given the context I am missing? I am pretty sure this bug can be closed as a duplicate of that one, but I don't want to leap to conclusions without reading the actual bug.

Comment 4

[Iain Ireland [:iain]]

Refreshing ni for nbp.

Comment 5

[Iain Ireland [:iain]]

Having been given access to bug 1464829, I can confirm that this is a clear duplicate.