Closed Bug 1394505 Opened 7 years ago Closed 7 years ago

Assertion failure: CurrentThreadCanAccessZone(zone), at js/src/gc/Heap.h:1341 with OOM

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla57
Tracking Flags:
Tracking Status
firefox-esr52 --- wontfix
firefox55 --- wontfix
firefox56 --- wontfix
firefox57 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

bug1394505-cancel-compilation
1.72 KB, patch
jandem
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision d10c97627b51 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-eager): var lfLogBuffer = ` evalInWorker(\` for (let i = 0; i < 30; i++) { relazifyFunctions(); } \`); `; lfLogBuffer = lfLogBuffer.split('\n'); var lfCodeBuffer = ""; while (true) { var line = lfLogBuffer.shift(); if (line == null) { loadFile(lfCodeBuffer); } else { lfCodeBuffer += line + "\n"; function loadFile(lfVarx) { oomTest(function() {}); evaluate(lfVarx); } } } Backtrace: received signal SIGSEGV, Segmentation fault. 0x0000000000509928 in js::gc::TenuredCell::zone (this=<optimized out>) at js/src/gc/Heap.h:1341 #0 0x0000000000509928 in js::gc::TenuredCell::zone (this=<optimized out>) at js/src/gc/Heap.h:1341 #1 0x0000000000b8f9ed in CancelOffThreadIonCompileLocked (selector=..., discardLazyLinkList=discardLazyLinkList@entry=false, lock=...) at js/src/vm/HelperThreads.cpp:309 #2 0x0000000000b8fcb6 in js::GlobalHelperThreadState::waitForAllThreadsLocked (this=0x7ffff694e800, lock=...) at js/src/vm/HelperThreads.cpp:1043 #3 0x0000000000524003 in js::oom::SimulateOOMAfter (allocations=allocations@entry=1, thread=thread@entry=2, always=always@entry=false) at js/src/jsutil.cpp:74 #4 0x00000000008845d1 in OOMTest (cx=0x7ffff6924000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1598 [...] #8 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x7ffff4149000 140737288376320 rcx 0x7ffff6c28a2d 140737333332525 rdx 0x0 0 rsi 0x7ffff6ef7770 140737336276848 rdi 0x7ffff6ef6540 140737336272192 rbp 0x7fffffffc9a0 140737488341408 rsp 0x7fffffffc990 140737488341392 r8 0x7ffff6ef7770 140737336276848 r9 0x7ffff7fe4740 140737354024768 r10 0x58 88 r11 0x7ffff6b9f750 140737332770640 r12 0x7fffffffca70 140737488341616 r13 0x0 0 r14 0x7ffff694e800 140737330341888 r15 0x7ffff694e840 140737330341952 rip 0x509928 <js::gc::TenuredCell::zone() const+344> => 0x509928 <js::gc::TenuredCell::zone() const+344>: movl $0x0,0x0 0x509933 <js::gc::TenuredCell::zone() const+355>: ud2
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781". The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1
Flags: needinfo?(jcoppeard)
The --enable-oom-breakpoint, OOM_VERBOSE=1 and js_failedAllocBreakpoint trick didn't seem to work here, the failure seemed to happen on another thread: allocation 23 allocation 24 finished after 23 allocations thread 2 allocation 1 Assertion failure: CurrentThreadCanAccessZone(zone), at /home/gkwubu/trees/mozilla-central/js/src/gc/Heap.h:1341
The problem is we call zone() on an IonBuilder's script which may be owned by another runtime, and this asserts. I think it's safe to use zoneFromAnyThread() here since we expect to encounter objects that are owned by different runtimes. The script should be held alive by the IonBuilder.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8903537 - Flags: review?(jdemooij)
Comment on attachment 8903537 [details] [diff] [review] bug1394505-cancel-compilation Review of attachment 8903537 [details] [diff] [review]: ----------------------------------------------------------------- Thanks!
Attachment #8903537 - Flags: review?(jdemooij) → review+
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/f45bc632fdc8 Avoid triggering zone assertion when cancelling code generation for IonBuilders owned by a different runtime r=jandem
https://hg.mozilla.org/mozilla-central/rev/f45bc632fdc8
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox57: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Is this worth backporting to Beta? Grafts cleanly if the answer is yes.
status-firefox55: --- → wontfix
status-firefox56: --- → affected
status-firefox-esr52: --- → wontfix
Flags: needinfo?(jcoppeard)
Flags: in-testsuite+
(In reply to Ryan VanderMeulen [:RyanVM] from comment #7) The patch just removes the assertion and doesn't affect release builds. I say let it ride the trains unless it's causing test failures.
Flags: needinfo?(jcoppeard)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: