Closed
Bug 1459860
Opened 6 years ago
Closed 6 years ago
Crash [@ __memcpy_sse2_unaligned] or Assertion failure: found(), at js/HashTable.h:948 with off-thread module compilation and GC
Categories: Core :: JavaScript Engine, defect, P1
Tracking: RESOLVED FIXED, mozilla62
People: Reporter: decoder, Assigned: jonco
Details: 6 keywords, Whiteboard: [jsbugmon:update,ignore][adv-main62-]
Crash Data
Attachments (1 file): patch, 1.34 KB, sfink: review+ (Details | Diff | Splinter Review)
The following testcase crashes on mozilla-central revision fb435df9797a (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe):

    function eval(source) {
      offThreadCompileModule(source);
      let get = (eval("function w(){}") ++);
    };
    gczeal(21, 10);
    gczeal(11, 8);
    eval("");

Backtrace:

    received signal SIGSEGV, Segmentation fault.
    #0  __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:35
    #1  0x0000000000be46a4 in mozilla::Swap<js::gc::ChunkBitmap> (aX=..., aY=...) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/instrumentation/none/type/opt/dist/include/mozilla/Move.h:231
    #2  0x0000000000bcbc6a in js::gc::MarkingValidator::nonIncrementalMark (this=0x7ffff3b1b190, session=...) at js/src/gc/GC.cpp:4772
    #3  0x0000000000bcc2ca in js::gc::GCRuntime::computeNonIncrementalMarkingForValidation (this=this@entry=0x7ffff5f194b0, session=...) at js/src/gc/GC.cpp:4863
    #4  0x0000000000bcc306 in js::gc::GCRuntime::beginSweepPhase (this=this@entry=0x7ffff5f194b0, reason=reason@entry=JS::gcreason::DEBUG_GC, session=...) at js/src/gc/GC.cpp:5840
    #5  0x0000000000bd7048 in js::gc::GCRuntime::incrementalCollectSlice (this=0x7ffff5f194b0, budget=..., reason=JS::gcreason::DEBUG_GC, session=...) at js/src/gc/GC.cpp:7139
    #6  0x0000000000bd8b17 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff5f194b0, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/gc/GC.cpp:7473
    #7  0x0000000000bd90a1 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff5f194b0, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/gc/GC.cpp:7616
    #8  0x0000000000bda0d8 in js::gc::GCRuntime::runDebugGC (this=this@entry=0x7ffff5f194b0) at js/src/gc/GC.cpp:8173
    #9  0x0000000000bda298 in js::gc::GCRuntime::gcIfNeededAtAllocation (this=0x7ffff5f194b0, cx=0x7ffff5f14000) at js/src/gc/Allocator.cpp:312
    #10 0x0000000000bf53f9 in js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=<optimized out>, cx=0x7ffff5f14000, kind=<optimized out>) at js/src/gc/Allocator.cpp:273
    #11 0x0000000000bf54c2 in js::Allocate<JSObject, (js::AllowGC)1> (cx=cx@entry=0x7ffff5f14000, kind=kind@entry=js::gc::AllocKind::FUNCTION, nDynamicSlots=nDynamicSlots@entry=0, heap=<optimized out>, clasp=clasp@entry=0x1c6bfc0 <JSFunction::class_>) at js/src/gc/Allocator.cpp:52
    #12 0x00000000008e0de0 in js::NativeObject::create (cx=0x7ffff5f14000, kind=<optimized out>, heap=<optimized out>, shape=..., group=...) at js/src/vm/NativeObject-inl.h:539
    #13 0x0000000000978232 in NewObject (cx=cx@entry=0x7ffff5f14000, group=group@entry=..., kind=kind@entry=js::gc::AllocKind::FUNCTION, newKind=newKind@entry=js::SingletonObject, initialShapeFlags=initialShapeFlags@entry=0) at js/src/vm/JSObject.cpp:731
    #14 0x00000000009787c3 in js::NewObjectWithClassProtoCommon (cx=0x7ffff5f14000, clasp=0x1c6bfc0 <JSFunction::class_>, protoArg=..., allocKind=<optimized out>, newKind=js::SingletonObject) at js/src/vm/JSObject.cpp:852
    #15 0x00000000009873cc in js::NewObjectWithClassProto (newKind=js::SingletonObject, allocKind=js::gc::AllocKind::FUNCTION, proto=..., clasp=0x1c6bfc0 <JSFunction::class_>, cx=0x0) at js/src/vm/JSObject-inl.h:692
    #16 js::NewObjectWithClassProto<JSFunction> (newKind=js::SingletonObject, allocKind=js::gc::AllocKind::FUNCTION, proto=..., cx=0x0) at js/src/vm/JSObject-inl.h:717
    #17 js::NewFunctionWithProto (cx=cx@entry=0x7ffff5f14000, native=0x9e8170 <js::SavedFrame::parentProperty(JSContext*, unsigned int, JS::Value*)>, nargs=nargs@entry=0, flags=flags@entry=JSFunction::NATIVE_FUN, enclosingEnv=..., enclosingEnv@entry=..., atom=atom@entry=..., proto=..., allocKind=js::gc::AllocKind::FUNCTION, newKind=js::SingletonObject) at js/src/vm/JSFunction.cpp:2070
    #18 0x000000000088dce0 in js::NewNativeFunction (flags=JSFunction::NATIVE_FUN, newKind=js::SingletonObject, allocKind=js::gc::AllocKind::FUNCTION, atom=..., nargs=0, native=<optimized out>, cx=0x7ffff5f14000) at js/src/vm/JSFunction.h:825
    #19 DefineAccessorPropertyById (cx=cx@entry=0x7ffff5f14000, obj=obj@entry=..., id=id@entry=..., get=..., set=..., attrs=attrs@entry=0) at js/src/jsapi.cpp:2207
    #20 0x000000000088e20e in JS_DefineProperties (cx=cx@entry=0x7ffff5f14000, obj=..., obj@entry=..., ps=0x1c724a0 <js::SavedFrame::protoAccessors+288>) at js/src/jsapi.cpp:3320
    #21 0x000000000095b31c in js::GlobalObject::resolveConstructor (cx=cx@entry=0x7ffff5f14000, global=..., key=key@entry=JSProto_SavedFrame) at js/src/vm/GlobalObject.cpp:239
    #22 0x00000000009e7085 in js::GlobalObject::ensureConstructor (key=JSProto_SavedFrame, global=..., cx=0x7ffff5f14000) at js/src/vm/GlobalObject.h:156
    #23 js::GlobalObject::getOrCreateSavedFramePrototype (global=..., cx=0x7ffff5f14000) at js/src/vm/GlobalObject.h:381
    #24 js::SavedFrame::create (cx=cx@entry=0x7ffff5f14000) at js/src/vm/SavedStacks.cpp:564
    #25 0x00000000009f2626 in js::SavedStacks::createFrameFromLookup (this=this@entry=0x7ffff5f388e0, cx=cx@entry=0x7ffff5f14000, lookup=lookup@entry=...) at js/src/vm/SavedStacks.cpp:1677
    #26 0x0000000000a02b02 in js::SavedStacks::getOrCreateSavedFrame (this=this@entry=0x7ffff5f388e0, cx=cx@entry=0x7ffff5f14000, lookup=lookup@entry=...) at js/src/vm/SavedStacks.cpp:1664
    #27 0x0000000000a056d6 in js::SavedStacks::insertFrames(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=this@entry=0x7ffff5f388e0, cx=cx@entry=0x7ffff5f14000, frame=..., capture=<optimized out>) at js/src/vm/SavedStacks.cpp:1522
    #28 0x0000000000a05f0a in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=0x7ffff5f388e0, cx=0x7ffff5f14000, frame=..., frame@entry=..., capture=<optimized out>) at js/src/vm/SavedStacks.cpp:1242
    #29 0x00000000008750b9 in JS::CaptureCurrentStack(JSContext*, JS::MutableHandle<JSObject*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (cx=<optimized out>, stackp=..., capture=<optimized out>) at js/src/jsapi.cpp:7761
    #30 0x00000000008760bd in CaptureStack (stack=..., cx=0x7ffff5f14000) at js/src/jsexn.cpp:370
    #31 js::ErrorToException (cx=0x7ffff5f14000, reportp=0x7fffffefdba0, callback=<optimized out>, userRef=<optimized out>) at js/src/jsexn.cpp:689
    #32 0x00000000009778f6 in js::ReportErrorNumberVA (cx=0x7ffff5f14000, flags=flags@entry=0, callback=0x9686f0 <js::GetErrorMessage(void*, unsigned int)>, userRef=0x0, errorNumber=<optimized out>, argumentsType=argumentsType@entry=js::ArgumentsAreASCII, ap=0x7fffffefdc50) at js/src/vm/JSContext.cpp:838
    #33 0x00000000008703dc in JS_ReportErrorNumberASCIIVA (cx=<optimized out>, errorCallback=<optimized out>, userRef=<optimized out>, errorNumber=<optimized out>, ap=ap@entry=0x7fffffefdc50) at js/src/jsapi.cpp:6447
    #34 0x000000000087047a in JS_ReportErrorNumberASCII (cx=cx@entry=0x7ffff5f14000, errorCallback=errorCallback@entry=0x9686f0 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=<optimized out>) at js/src/jsapi.cpp:6436
    #35 0x000000000096bf8e in js::ReportOverRecursed (maybecx=0x7ffff5f14000, errorNumber=<optimized out>) at js/src/vm/JSContext.cpp:337
    #36 0x0000000000557500 in js::CheckRecursionLimit (limit=<optimized out>, cx=0x7ffff5f14000) at js/src/jsfriendapi.h:1072
    #37 js::CheckRecursionLimit (cx=0x7ffff5f14000) at js/src/jsfriendapi.h:1100
    #38 js::RunScript (cx=0x7ffff5f14000, state=...) at js/src/vm/Interpreter.cpp:379
    #39 0x0000000000557b53 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff5f14000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:489
    #40 0x0000000000557e55 in InternalCall (cx=cx@entry=0x7ffff5f14000, args=...) at js/src/vm/Interpreter.cpp:516
    #41 0x0000000000557e95 in js::CallFromStack (cx=cx@entry=0x7ffff5f14000, args=...) at js/src/vm/Interpreter.cpp:522
    #42 0x00000000005f68c1 in js::jit::DoCallFallback (cx=0x7ffff5f14000, frame=0x7fffffefe3c8, stub_=0x7ffff49bd170, argc=1, vp=0x7fffffefe378, res=...) at js/src/jit/BaselineIC.cpp:2382
    #43 0x00002cb4ee9b0e81 in ?? ()
    [...]
    #65 0x0000000000000000 in ?? ()
    rax 0xffff800000103de0 -140737487290912
    rbx 0x7ffff3afc0a0 140737281769632
    rcx 0x7e00 32256
    rdx 0x3f00 16128
    rsi 0x0 0
    rdi 0x7fffffef8320 140737487274784
    rbp 0x1b 27
    rsp 0x7fffffef8318 140737487274776
    r8  0x0 0
    r9  0x7ffff3a00000 140737280737280
    r10 0x7ffff3ddfd38 140737284799800
    r11 0x7ffff3ddfc00 140737284799488
    r12 0x0 0
    r13 0x7ffff3c00000 140737282834432
    r14 0x7fffffefc300 140737487291136
    r15 0x7ffff3a00000 140737280737280
    rip 0x7ffff6bd0840 <__memcpy_sse2_unaligned+32>
    => 0x7ffff6bd0840 <__memcpy_sse2_unaligned+32>: movdqu (%rsi),%xmm8
       0x7ffff6bd0845 <__memcpy_sse2_unaligned+37>: cmp    $0x20,%rdx

Marking s-s because the crash involves GC.
Updated•6 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
Comment 1•6 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 59005ba3cd3e).
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/c0f28a370935
user: Jon Coppeard
date: Tue Apr 17 08:44:56 2018 +0200
summary: Bug 1453028 - Add new zeal modes to test the different parts of incremental sweeping r=sfink
This iteration took 231.961 seconds to run.
Comment 2•6 years ago
Jon, you are probably the best person to look into this.
Flags: needinfo?(jcoppeard)
Priority: -- → P1
Updated•6 years ago
status-firefox60: --- → ?
status-firefox62: --- → affected
status-firefox-esr52: --- → ?
status-firefox-esr60: --- → ?
Comment 3•6 years ago (Assignee)
This is probably a bug in incremental marking validation, and nothing too serious.
Comment 4•6 years ago
sec-other because this seems to be a bug in the testing mode, and not reachable from web pages?
Keywords: sec-other
Comment 5•6 years ago
1. We can open this bug, right?
2. It seems like this probably should still be fixed soonish. P1?
Comment 6•6 years ago (Assignee)
Off-thread parsing can allocate and hence race with incremental marking validation, which copies the mark bits for all allocated cells. The fix is just to wait for any parsing to finish first. This only affects builds made with --enable-gczeal.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8982466 - Flags: review?(sphink)
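A small model of the race described in comment 6, added here as an illustration; it is not SpiderMonkey code and not the attached patch. `Heap`, `ChunkBitmap`, `startOffThreadParse` and `snapshotMarkBits` are simplified stand-ins, and the `-1` refusal in `snapshotMarkBits` is an added guard that the real validator did not have; the fix itself is the wait in `waitForOffThreadParsing` before the snapshot.

```cpp
#include <array>
#include <condition_variable>
#include <mutex>
#include <thread>
#include <utility>
#include <vector>

// Hypothetical stand-in for js::gc::ChunkBitmap: the per-cell bits that
// marking validation copies for every chunk.
struct ChunkBitmap { std::array<unsigned, 4> bits{}; };

struct Heap {
    std::mutex lock;
    std::vector<ChunkBitmap> chunks;  // grows when the parse task allocates
    std::condition_variable cv;
    bool releaseTask = false;
    std::thread parseTask;            // joinable() == task still outstanding

    // Models offThreadCompileModule(): a helper thread that allocates cells.
    // It blocks until released so the interleaving in runScenario() is fixed.
    void startOffThreadParse() {
        parseTask = std::thread([this] {
            std::unique_lock<std::mutex> g(lock);
            cv.wait(g, [this] { return releaseTask; });
            chunks.emplace_back().bits[0] = 1;  // new chunk, one live cell
        });
    }
    // The fix from comment 6: let the parse task finish before validating.
    void waitForOffThreadParsing() {
        { std::lock_guard<std::mutex> g(lock); releaseTask = true; }
        cv.notify_all();
        if (parseTask.joinable()) parseTask.join();
    }
    // Validation snapshot (what Swap<ChunkBitmap> did per chunk). Returns the
    // number of bitmaps copied, or -1 while a parse task is still outstanding,
    // because copying then races with the allocator (the crash in this bug).
    int snapshotMarkBits(std::vector<ChunkBitmap>& out) {
        if (parseTask.joinable()) return -1;
        std::lock_guard<std::mutex> g(lock);
        out = chunks;
        return static_cast<int>(out.size());
    }
};
// Same order as the testcase: parse off-thread, then trigger validation.
std::pair<int, int> runScenario() {
    Heap heap;
    std::vector<ChunkBitmap> snapshot;
    heap.startOffThreadParse();
    int racy = heap.snapshotMarkBits(snapshot);   // -1: task still active
    heap.waitForOffThreadParsing();               // the fix: wait first
    int fixed = heap.snapshotMarkBits(snapshot);  // 1: one chunk copied
    return {racy, fixed};
}
```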
Updated•6 years ago
Attachment #8982466 - Flags: review?(sphink) → review+
Updated•6 years ago
Group: javascript-core-security
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/61714dbe02e1 Make incremental marking validation wait for off-thread parsing to finish r=sfink
Comment 8•6 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/61714dbe02e1
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Comment 9•6 years ago
Doesn't sound worth the backport unless the fuzzers really want it.
Flags: in-testsuite+
Updated•6 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][adv-main62-]