Closed
Bug 1413063
Opened 7 years ago
Closed 7 years ago
UBSan: js/src/gc/Nursery.cpp:486:20: runtime error: division by zero [@ calcPromotionRate]
Categories
(Core :: JavaScript: GC, defect, P2)
Core
JavaScript: GC
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox56 | --- | unaffected |
firefox57 | --- | wontfix |
firefox58 | --- | affected |
People
(Reporter: tsmith, Assigned: pbone)
References
Details
(Keywords: csectype-undefined)
Attachments
(1 file, 1 obsolete file)
1.38 KB,
patch
|
pbone
:
review+
|
Details | Diff | Splinter Review |
This is triggered on start up when running Firefox built with "-fsanitize=float-divide-by-zero,integer-divide-by-zero" /mozilla-central/js/src/gc/Nursery.cpp:486:20: runtime error: division by zero #0 0x7f65721a406e in calcPromotionRate /mozilla-central/js/src/gc/Nursery.cpp:486:20 #1 0x7f65721a406e in js::Nursery::collect(JS::gcreason::Reason) /mozilla-central/js/src/gc/Nursery.cpp:652 #2 0x7f657176680a in js::gc::GCRuntime::minorGC(JS::gcreason::Reason, js::gcstats::PhaseKind) /mozilla-central/js/src/jsgc.cpp:7687:15 #3 0x7f657176aec5 in evictNursery /mozilla-central/js/src/gc/GCRuntime.h:1522:9 #4 0x7f657176aec5 in JS::AutoDisableGenerationalGC::AutoDisableGenerationalGC(JSContext*) /mozilla-central/js/src/jsgc.cpp:7708 #5 0x7f6571c6054a in JSRuntime::initSelfHosting(JSContext*) /mozilla-central/js/src/vm/SelfHosting.cpp:2872:35 #6 0x7f6571641a03 in JS::InitSelfHostedCode(JSContext*) /mozilla-central/js/src/jsapi.cpp:660:14 #7 0x7f6566347152 in nsXPConnect::InitStatics() /mozilla-central/js/xpconnect/src/nsXPConnect.cpp:135:10 #8 0x7f65662bac98 in xpcModuleCtor() /mozilla-central/js/xpconnect/src/XPCModule.cpp:13:5 #9 0x7f656cdb49e7 in Initialize() /mozilla-central/layout/build/nsLayoutModule.cpp:316:8 #10 0x7f65642d2cad in nsComponentManagerImpl::KnownModule::Load() /mozilla-central/xpcom/components/nsComponentManager.cpp:763:21 #11 0x7f65642d3f61 in nsFactoryEntry::GetFactory() /mozilla-central/xpcom/components/nsComponentManager.cpp:1785:19 #12 0x7f65642d5356 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /mozilla-central/xpcom/components/nsComponentManager.cpp:1083:41 #13 0x7f65642cccef in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /mozilla-central/xpcom/components/nsComponentManager.cpp:1446:10 #14 0x7f65642dc021 in CallGetService /mozilla-central/xpcom/components/nsComponentManagerUtils.cpp:67:43 #15 0x7f65642dc021 in nsGetServiceByContractID::operator()(nsID const&, void**) const /mozilla-central/xpcom/components/nsComponentManagerUtils.cpp:280 #16 0x7f6564178ae5 in nsCOMPtr_base::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) /mozilla-central/xpcom/base/nsCOMPtr.cpp:95:7 #17 0x7f656438f764 in nsCOMPtr /mozilla-central/objdir-ff-ubsan/dist/include/nsCOMPtr.h:928:5 #18 0x7f656438f764 in NS_InitXPCOM2 /mozilla-central/xpcom/build/XPCOMInit.cpp:709 #19 0x7f657090b276 in Initialize /mozilla-central/toolkit/xre/nsAppRunner.cpp:1573:8 #20 0x7f657090b276 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /mozilla-central/toolkit/xre/nsAppRunner.cpp:4844 #21 0x7f657090ceb5 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /mozilla-central/toolkit/xre/nsAppRunner.cpp:4943:21 #22 0x516f37 in do_main /mozilla-central/browser/app/nsBrowserApp.cpp:231:22 #23 0x516f37 in main /mozilla-central/browser/app/nsBrowserApp.cpp:304 #24 0x7f65858fa1c0 in __libc_start_main /build/glibc-CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308 #25 0x41f749 in _start (/mozilla-central/objdir-ff-ubsan/dist/bin/firefox+0x41f749) SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /mozilla-central/js/src/gc/Nursery.cpp:486:20 in
Comment 1•7 years ago
|
||
Paul, I think you added this method. Can you take a look?
Flags: needinfo?(pbone)
Assignee | ||
Comment 2•7 years ago
|
||
Yes, this is my code. I'll look today.
Assignee: nobody → pbone
Status: NEW → ASSIGNED
Flags: needinfo?(pbone)
Assignee | ||
Comment 3•7 years ago
|
||
I was able to reproduce this locally but I have started a try job anyway. Try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=4db824b8af6cfa91939926191d56f2aa6df93c27&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-resultStatus=runnable
Attachment #8924055 -
Flags: review?(jcoppeard)
Assignee | ||
Comment 4•7 years ago
|
||
This code was introduced in Bug 1392511 which is in 57. However in the case that there is a division by zero the result is not used because *validForTenuring is set to false. Therefore I don't think this needs an uplift, but someone else may disagree.
status-firefox56:
--- → unaffected
status-firefox57:
--- → affected
status-firefox-esr52:
--- → unaffected
Depends on: 1392511
Priority: -- → P2
Comment 5•7 years ago
|
||
Comment on attachment 8924055 [details] [diff] [review] Bug 1413063 - Avoid divide by zero Review of attachment 8924055 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/gc/Nursery.cpp @@ +484,5 @@ > + */ > + *validForTenuring = used > capacity * 0.9f; > + } > + return tenured / used; > + } else { According to the coding style we should avoid an else block after a then block that ends in return, to simplify the control flow.
Attachment #8924055 -
Flags: review?(jcoppeard) → review+
Assignee | ||
Comment 6•7 years ago
|
||
(In reply to Jon Coppeard (:jonco) from comment #5) > Comment on attachment 8924055 [details] [diff] [review] > Bug 1413063 - Avoid divide by zero > > Review of attachment 8924055 [details] [diff] [review]: > ----------------------------------------------------------------- > > ::: js/src/gc/Nursery.cpp > @@ +484,5 @@ > > + */ > > + *validForTenuring = used > capacity * 0.9f; > > + } > > + return tenured / used; > > + } else { > > According to the coding style we should avoid an else block after a then > block that ends in return, to simplify the control flow. Okay I'll fix this. It's weird to me from a functional programming perspective but that's okay.
Assignee | ||
Comment 7•7 years ago
|
||
Updated based on review feedback. r+ carried forward. Try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=e990dac7633981159317ab28ea8ce8
Attachment #8924055 -
Attachment is obsolete: true
Attachment #8924381 -
Flags: review+
Assignee | ||
Comment 8•7 years ago
|
||
Hi Tyson, Should we uplift this onto 57? Not that there shouldn't be a problem on 57 because the result of the divide-by-zero isn't used. However it is still undefined behaviour. Thanks.
Flags: needinfo?(twsmith)
Keywords: checkin-needed,
leave-open
Reporter | ||
Comment 9•7 years ago
|
||
Hi Paul, thanks for the fix!
> Should we uplift this onto 57?
On one hand UB is bad, whether the value is used or not other (potentially less obvious) bugs can be created depending on assumptions the compiler is free to make while compiling. On the other hand it is very close to release so I'd say no unless we are seeing issues we are fairly certain are related. In the end it's up to the release managers.
Flags: needinfo?(twsmith)
Flags: needinfo?(rkothari)
Flags: needinfo?(lhenry)
Assignee | ||
Comment 10•7 years ago
|
||
Yep, those were my thoughts as well. Thanks for raising this further.
Hi Dan, Naveed, would you be able to weigh in on this one? Would you consider this a must fix for 57? Based on comment 4, it doesn't sound like a must fix.
Flags: needinfo?(rkothari)
Flags: needinfo?(nihsanullah)
Flags: needinfo?(dveditz)
Comment 12•7 years ago
|
||
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/b34ad88764a9 Avoid divide by zero. r=jonco
Keywords: checkin-needed
Comment 13•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/b34ad88764a9
Reporter | ||
Comment 15•7 years ago
|
||
I also vote wontfix for 57.
Assignee | ||
Comment 16•7 years ago
|
||
It looks like this is wontfix, and 57's beta window is closing so I'm going to close this now.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Flags: needinfo?(nihsanullah)
Flags: needinfo?(dveditz)
Keywords: leave-open
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•