Closed Bug 1456536 Opened Last year Closed Last year

Crash [@ EnsureGrayRoot] with OOM

Categories

(Core :: JavaScript: GC, defect, P1, critical)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
mozilla61
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox60 --- unaffected
firefox61 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, jsbugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 26e53729a109 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

oomTest(new Function(`let a = grayRoot();`));


Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  EnsureGrayRoot (cx=0x7ffff5f15000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:6214
#1  0x00000000005b35be in js::CallJSNative (cx=0x7ffff5f15000, native=0x466290 <EnsureGrayRoot(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:280
#2  0x00000000005a7f1f in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f15000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:467
#3  0x00000000005a82fd in InternalCall (cx=0x7ffff5f15000, args=...) at js/src/vm/Interpreter.cpp:516
#4  0x000000000059a731 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:522
#5  Interpret (cx=0x7ffff5f15000, state=...) at js/src/vm/Interpreter.cpp:3084
#6  0x00000000005a79dd in js::RunScript (cx=0x7ffff5f15000, state=...) at js/src/vm/Interpreter.cpp:417
#7  0x00000000005a7fe7 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f15000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:489
#8  0x00000000005a82fd in InternalCall (cx=0x7ffff5f15000, args=...) at js/src/vm/Interpreter.cpp:516
#9  0x00000000005a8480 in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:535
#10 0x0000000000a44f0b in JS_CallFunction (cx=<optimized out>, obj=..., fun=..., fun@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2948
#11 0x00000000008b7803 in OOMTest (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1721
#12 0x00000000005b35be in js::CallJSNative (cx=0x7ffff5f15000, native=0x8b7410 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:280
[...]
#26 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9234
rax	0x0	0
rbx	0x0	0
rcx	0x0	0
rdx	0xfffdffffffffffff	-562949953421313
rsi	0x0	0
rdi	0x7ffff5f3e000	140737319788544
rbp	0x7fffffffbe00	140737488338432
rsp	0x7fffffffbda0	140737488338336
r8	0x7ffff5f15000	140737319620608
r9	0x7fffffffc3c0	140737488339904
r10	0x7ffff5f15000	140737319620608
r11	0x10	16
r12	0x7ffff5f15000	140737319620608
r13	0x466290	4612752
r14	0x7fffffffbe20	140737488338464
r15	0x7ffff486e140	140737295868224
rip	0x4662da <EnsureGrayRoot(JSContext*, unsigned int, JS::Value*)+74>
=> 0x4662da <EnsureGrayRoot(JSContext*, unsigned int, JS::Value*)+74>:	mov    (%rbx),%rax
   0x4662dd <EnsureGrayRoot(JSContext*, unsigned int, JS::Value*)+77>:	test   %rax,%rax
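The oomTest() harness in the testcase above works by failing one allocation site per run and re-running the function until a run completes with no injected failure; any site that the code under test cannot survive shows up as a crash or an assertion. The following is an added illustration of that technique in C, not code from this bug or from SpiderMonkey: compartment_private, compartment and ensure_private() are hypothetical stand-ins for ShellCompartmentPrivate and EnsureShellCompartmentPrivate(), and ensure_gray_root_buggy()/ensure_gray_root_fixed() model the unchecked and checked forms of the native. The harness catches the fault with a signal handler so it can report which site crashed rather than die itself.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Fault-injecting allocator: with oom_after == n, the n-th allocation
 * (0-based) of the current run returns NULL and oom_hit records that it did. */
static int oom_after = -1;
static int alloc_counter;
static bool oom_hit;

static void *oom_malloc(size_t size)
{
    if (oom_after >= 0 && alloc_counter++ >= oom_after) {
        oom_hit = true;
        return NULL;
    }
    return malloc(size);
}

/* Hypothetical stand-ins (not SpiderMonkey's types) for ShellCompartmentPrivate
 * and EnsureShellCompartmentPrivate(): the private block is allocated lazily,
 * so the accessor legitimately returns NULL under OOM. */
struct compartment_private { int gray_roots; };
struct compartment { struct compartment_private *priv; };

static struct compartment_private *ensure_private(struct compartment *c)
{
    if (!c->priv) {
        c->priv = oom_malloc(sizeof *c->priv);
        if (c->priv)
            c->priv->gray_roots = 0;
    }
    return c->priv;
}

/* The shape of the bug: the accessor's result is used without a check. */
static bool ensure_gray_root_buggy(struct compartment *c)
{
    struct compartment_private *priv = ensure_private(c);
    priv->gray_roots++;        /* NULL dereference when the allocation failed */
    return true;
}

/* The shape of the fix: allocation failure propagates as a false return. */
static bool ensure_gray_root_fixed(struct compartment *c)
{
    struct compartment_private *priv = ensure_private(c);
    if (!priv)
        return false;
    priv->gray_roots++;
    return true;
}

enum oom_result { OOM_CLEAN, OOM_CRASHED, OOM_FALSE_SUCCESS };

/* A crashing run is caught by a SIGSEGV/SIGILL/SIGBUS handler that jumps back
 * into the harness, which then reports the failing site instead of dying. */
static sigjmp_buf crash_env;
static void on_crash(int sig) { (void)sig; siglongjmp(crash_env, 1); }

static int last_site;                 /* index of the last allocation site tried */
static int oom_last_site(void) { return last_site; }

/* Run fn once per allocation site, failing a different site each time, until
 * a run completes with no injected failure (every site has been exercised). */
static enum oom_result oom_test(bool (*fn)(struct compartment *))
{
    struct sigaction sa, old_segv, old_ill, old_bus;
    sa.sa_handler = on_crash;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGILL, &sa, &old_ill);
    sigaction(SIGBUS, &sa, &old_bus);

    enum oom_result result = OOM_CLEAN;
    for (volatile int n = 0;; n++) {
        struct compartment c = { NULL };
        last_site = n;
        oom_after = n;
        alloc_counter = 0;
        oom_hit = false;
        if (sigsetjmp(crash_env, 1) != 0) {
            result = OOM_CRASHED;                          /* fn faulted at site n */
            break;
        }
        bool ok = fn(&c);
        free(c.priv);
        if (!oom_hit) { result = OOM_CLEAN; break; }         /* all sites covered */
        if (ok) { result = OOM_FALSE_SUCCESS; break; }       /* swallowed the failure */
    }
    oom_after = -1;
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}

int main(void)
{
    enum oom_result r = oom_test(ensure_gray_root_buggy);
    printf("buggy: %s at site %d\n", r == OOM_CRASHED ? "crashed" : "ok", oom_last_site());
    r = oom_test(ensure_gray_root_fixed);
    printf("fixed: %s after %d site(s)\n", r == OOM_CLEAN ? "clean" : "problem", oom_last_site());
    return 0;
}
```

The third result, OOM_FALSE_SUCCESS, is the case a plain crash harness misses: a function that observes the failed allocation but still reports success, which is the same class of defect as the missing check here, just one that surfaces later as a use of a half-initialised object rather than as an immediate SIGSEGV.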
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/95f01f3075fe
user:        Steve Fink
date:        Wed Mar 15 17:03:42 2017 -0700
summary:     Bug 1337209 - Add JS shell test mechanism for gray marking, r=jonco

This iteration took 1.732 seconds to run.
(welp, the test mechanism seems to be working)
Component: JavaScript Engine → JavaScript: GC
Flags: needinfo?(sphink)
Priority: -- → P1
This just needs to handle allocation failure.
Assignee: nobody → jcoppeard
Attachment #8972879 - Flags: review?(sphink)
Comment on attachment 8972879 [details] [diff] [review]
bug1456536-gray-root-oom

Review of attachment 8972879 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/gc/RootMarking.cpp
@@ +502,5 @@
>        grayBufferState = GrayBufferState::Okay;
> +      for (GCZonesIter zone(rt); !zone.done(); zone.next()) {
> +          fprintf(stderr, "*** buffered %lu gray roots for zone %p\n",
> +                  zone->gcGrayRoots().length(), zone.get());
> +      }
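Review bot: the fprintf loop added at +502 is debugging output and does not belong in this patch; it writes one line per zone to stderr every time gray roots are buffered, which is noise in a GC path, and nothing in it relates to the allocation-failure handling the patch is for. If it is kept anywhere, note that `%lu` with `length()` only matches if that returns `unsigned long`; for a `size_t` the portable specifier is `%zu`.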

I'm guessing you didn't mean to leave this debugging printf in.

::: js/src/shell/js.cpp
@@ +6246,5 @@
>      CallArgs args = CallArgsFromVp(argc, vp);
>  
>      auto priv = EnsureShellCompartmentPrivate(cx);
> +    if (!priv)
> +        return false;
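Review bot: the null check on `EnsureShellCompartmentPrivate(cx)` at +6246 is the whole fix, and it matches the crash site in the report (`rbx` is 0 at `mov (%rbx),%rax` in EnsureGrayRoot, i.e. the private pointer was dereferenced unchecked). Worth confirming that `EnsureShellCompartmentPrivate` reports the out-of-memory condition before returning null, since a native returning false with no pending exception is treated as an uncatchable error rather than a catchable OOM by the caller; if it does not, a `ReportOutOfMemory(cx)` belongs before the `return false`.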

Doh!
Attachment #8972879 - Flags: review?(sphink) → review+
(In reply to Steve Fink [:sfink] [:s:] (PTO June 31) from comment #4)
> I'm guessing you didn't mean to leave this debugging printf in.

Err yeah, that was supposed to be in a different patch.
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/927cb3d95ae5
Fix OOM handling in shell grayRoot() function r=sfink
https://hg.mozilla.org/mozilla-central/rev/927cb3d95ae5
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Flags: needinfo?(sphink) → in-testsuite+