Closed Bug 1394505 Opened 7 years ago Closed 7 years ago

Assertion failure: CurrentThreadCanAccessZone(zone), at js/src/gc/Heap.h:1341 with OOM

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla57
Tracking Flags:
Tracking Status
firefox-esr52 --- wontfix
firefox55 --- wontfix
firefox56 --- wontfix
firefox57 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

bug1394505-cancel-compilation
1.72 KB, patch
jandem
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision d10c97627b51 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-eager):

var lfLogBuffer = `
evalInWorker(\`
  for (let i = 0; i < 30; i++) {
    relazifyFunctions();
  }
\`);
`;
lfLogBuffer = lfLogBuffer.split('\n');
var lfCodeBuffer = "";
while (true) {
    var line = lfLogBuffer.shift();
    if (line == null) {
        loadFile(lfCodeBuffer);
    } else {
        lfCodeBuffer += line + "\n";
        function loadFile(lfVarx) {
            oomTest(function() {});
            evaluate(lfVarx);
        }
    }
}



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000509928 in js::gc::TenuredCell::zone (this=<optimized out>) at js/src/gc/Heap.h:1341
#0  0x0000000000509928 in js::gc::TenuredCell::zone (this=<optimized out>) at js/src/gc/Heap.h:1341
#1  0x0000000000b8f9ed in CancelOffThreadIonCompileLocked (selector=..., discardLazyLinkList=discardLazyLinkList@entry=false, lock=...) at js/src/vm/HelperThreads.cpp:309
#2  0x0000000000b8fcb6 in js::GlobalHelperThreadState::waitForAllThreadsLocked (this=0x7ffff694e800, lock=...) at js/src/vm/HelperThreads.cpp:1043
#3  0x0000000000524003 in js::oom::SimulateOOMAfter (allocations=allocations@entry=1, thread=thread@entry=2, always=always@entry=false) at js/src/jsutil.cpp:74
#4  0x00000000008845d1 in OOMTest (cx=0x7ffff6924000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1598
[...]
#8  0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff4149000	140737288376320
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffc9a0	140737488341408
rsp	0x7fffffffc990	140737488341392
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7fffffffca70	140737488341616
r13	0x0	0
r14	0x7ffff694e800	140737330341888
r15	0x7ffff694e840	140737330341952
rip	0x509928 <js::gc::TenuredCell::zone() const+344>
=> 0x509928 <js::gc::TenuredCell::zone() const+344>:	movl   $0x0,0x0
   0x509933 <js::gc::TenuredCell::zone() const+355>:	ud2
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781".
The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1
Flags: needinfo?(jcoppeard)
The --enable-oom-breakpoint, OOM_VERBOSE=1 and js_failedAllocBreakpoint trick didn't seem to work here, the failure seemed to happen on another thread:

  allocation 23
  allocation 24
  finished after 23 allocations
thread 2
  allocation 1
Assertion failure: CurrentThreadCanAccessZone(zone), at /home/gkwubu/trees/mozilla-central/js/src/gc/Heap.h:1341
The problem is we call zone() on an IonBuilder's script which may be owned by another runtime, and this asserts.  I think it's safe to use zoneFromAnyThread() here since we expect to encounter objects that are owned by different runtimes.  The script should be held alive by the IonBuilder.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8903537 - Flags: review?(jdemooij)
Comment on attachment 8903537 [details] [diff] [review]
bug1394505-cancel-compilation

Review of attachment 8903537 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!
Attachment #8903537 - Flags: review?(jdemooij) → review+
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f45bc632fdc8
Avoid triggering zone assertion when cancelling code generation for IonBuilders owned by a different runtime r=jandem
https://hg.mozilla.org/mozilla-central/rev/f45bc632fdc8
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox57: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Is this worth backporting to Beta? Grafts cleanly if the answer is yes.
status-firefox55: --- → wontfix
status-firefox56: --- → affected
status-firefox-esr52: --- → wontfix
Flags: needinfo?(jcoppeard)
Flags: in-testsuite+
(In reply to Ryan VanderMeulen [:RyanVM] from comment #7)
The patch just removes the assertion and doesn't affect release builds.  I say let it ride the trains unless it's causing test failures.
Flags: needinfo?(jcoppeard)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: