Closed Bug 1412285 Opened 7 years ago Closed 7 years ago

Assertion failure: oom::maxAllocations == (18446744073709551615UL), at dist/include/js/Utility.h:335

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1411302
Tracking Flags:
Tracking Status
firefox58 --- affected

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update,ignore])

Attachments

(1 file)

Testcase
58.21 KB, text/plain
Details 
The following testcase crashes on mozilla-central revision d734e6acf777 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --baseline-eager --ion-offthread-compile=off --ion-eager):

See attachment.


Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000000000475cd8 in js::AutoEnterOOMUnsafeRegion::~AutoEnterOOMUnsafeRegion (this=<optimized out>, __in_chrg=<optimized out>) at dist/include/js/Utility.h:335
#1  0x0000000000e4cdec in mozilla::DebugOnly<js::AutoEnterOOMUnsafeRegion>::~DebugOnly (this=0x7ffff49fe590, __in_chrg=<optimized out>) at dist/include/mozilla/DebugOnly.h:87
#2  js::Nursery::doCollection (this=this@entry=0x7ffff4d2ad78, reason=reason@entry=JS::gcreason::DESTROY_RUNTIME, tenureCounts=...) at js/src/gc/Nursery.cpp:710
#3  0x0000000000e4fb35 in js::Nursery::collect (this=0x7ffff4d2ad78, reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/gc/Nursery.cpp:619
#4  0x00000000009db667 in js::gc::GCRuntime::minorGC (this=0x7ffff4d28748, reason=JS::gcreason::DESTROY_RUNTIME, phase=<optimized out>) at js/src/jsgc.cpp:7676
#5  0x0000000000a0a011 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff4d28748, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:7258
#6  0x0000000000a0a862 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff4d28748, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:7450
#7  0x0000000000a0ab59 in js::gc::GCRuntime::gc (this=this@entry=0x7ffff4d28748, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:7517
#8  0x0000000000c0f585 in JSRuntime::destroyRuntime (this=0x7ffff4d28000) at js/src/vm/Runtime.cpp:320
#9  0x00000000009a3eb9 in js::DestroyContext (cx=0x7ffff4d30000) at js/src/jscntxt.cpp:254
#10 0x000000000046dfa0 in <lambda()>::operator() (__closure=0x7ffff49fed90) at js/src/shell/js.cpp:3551
#11 WorkerMain (arg=<optimized out>) at dist/include/mozilla/ScopeExit.h:112
#12 0x00000000004750d2 in js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::callMain<0ul> (this=0x7ffff691e220) at js/src/threading/Thread.h:239
#13 js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::Start (aPack=0x7ffff691e220) at js/src/threading/Thread.h:232
#14 0x00007ffff7bc16fa in start_thread (arg=0x7ffff49ff700) at pthread_create.c:333
#15 0x00007ffff6c38b5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax	0x0	0
rbx	0x7ffff4d2ad78	140737300835704
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7ffff49fe520	140737297507616
rsp	0x7ffff49fe510	140737297507600
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff49ff700	140737297512192
r10	0x0	0
r11	0x0	0
r12	0x7ffff4d28000	140737300824064
r13	0x7ffff4d28000	140737300824064
r14	0x7ffff4d287d8	140737300826072
r15	0x7ffff4d30000	140737300856832
rip	0x475cd8 <js::AutoEnterOOMUnsafeRegion::~AutoEnterOOMUnsafeRegion()+216>
=> 0x475cd8 <js::AutoEnterOOMUnsafeRegion::~AutoEnterOOMUnsafeRegion()+216>:	movl   $0x0,0x0
   0x475ce3 <js::AutoEnterOOMUnsafeRegion::~AutoEnterOOMUnsafeRegion()+227>:	ud2


This bug has been a huge problem for quite a while now, I just wasn't able to isolate a test for it. When running the test, you can randomly get all sorts of assertions, I'm primarily interested in fixing the one in the subject of this bug.
Attached file Testcase 

    
    

    
  
NI from jandem to get this fuzzblocker fixed.
Flags: needinfo?(jdemooij)

    
  
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]

    
    

    
  
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/ac88bbf2856d
user:        André Bargull
date:        Wed Oct 11 05:36:38 2017 -0700
summary:     Bug 1407584 - Part 2: Update test262 files. rs=Waldo

This iteration took 272.918 seconds to run.

    
  
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]

    
    

    
  
JSBugMon: The testcase found in this bug no longer reproduces (tried revision ae49d4a57622).
Priority: -- → P1

    
    

    
  
decoder, are you still seeing that, now that the compareExchange bug is fixed?
Flags: needinfo?(jdemooij) → needinfo?(choller)

    
    

    
  
(In reply to Jan de Mooij [:jandem] from comment #5)
> decoder, are you still seeing that,

Er, seeing *this*.

    
    

    
  
This stopped showing up in fuzzing on Oct 27, so I assume it got fixed by the compareExchange bug. Thanks!
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(choller)
Resolution: --- → DUPLICATE

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: