Closed Bug 1503722 Opened 7 years ago Closed 7 years ago

Crash [@ js::SharedScriptData::decRefCount] with OOM

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla65
Tracking Status
firefox-esr60 --- wontfix
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 --- fixed

People

(Reporter: decoder, Assigned: iain)

Details

(Keywords: bugmon, crash, testcase, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file, 2 obsolete files)

The following testcase crashes on mozilla-central revision 0029fe1e56d7 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-offthread-compile=off):

```js
let THREAD_TYPE_PARSE = 4;
let t = cacheEntry("function f() { function g() { }; return 3; };");
evaluate(t, { sourceIsLazy: true, saveIncrementalBytecode: true });
for (var i = 1; gc(); ++i) {
  oomAtAllocation(i, THREAD_TYPE_PARSE);
  offThreadDecodeScript(t);
}
```

Backtrace:

```
received signal SIGSEGV, Segmentation fault.
#0  js::SharedScriptData::decRefCount (this=0x0) at js/src/vm/JSScript.h:1304
#1  0x0000555555d0e700 in JSScript::freeScriptData (this=0x7ffff4df7040) at js/src/vm/JSScript.cpp:2948
#2  mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::XDRScript<(js::XDRMode)1>(js::XDRState<(js::XDRMode)1>*, JS::Handle<js::Scope*>, JS::Handle<js::ScriptSourceObject*>, JS::Handle<JSFunction*>, JS::MutableHandle<JSScript*>)::{lambda()#1}::operator()() const (__closure=0x7ffff57056e0) at js/src/vm/JSScript.cpp:710
#3  mozilla::ScopeExit<mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::XDRScript<(js::XDRMode)1>(js::XDRState<(js::XDRMode)1>*, JS::Handle<js::Scope*>, JS::Handle<js::ScriptSourceObject*>, JS::Handle<JSFunction*>, JS::MutableHandle<JSScript*>)::{lambda()#1}>::~ScopeExit() (this=0x7ffff57056e0, __in_chrg=<optimized out>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/instrumentation/none/type/debug/dist/include/mozilla/ScopeExit.h:113
#4  js::XDRScript<(js::XDRMode)1> (xdr=xdr@entry=0x7ffff57059e0, scriptEnclosingScope=scriptEnclosingScope@entry=..., sourceObjectArg=..., fun=fun@entry=..., scriptp=...) at js/src/vm/JSScript.cpp:712
#5  0x0000555555e3f324 in js::XDRState<(js::XDRMode)1>::codeScript (this=this@entry=0x7ffff57059e0, scriptp=...) at js/src/vm/Xdr.cpp:226
#6  0x0000555555c53813 in js::ScriptDecodeTask::parse (this=0x7ffff5f31ac0, cx=0x7ffff5705c30) at js/src/vm/HelperThreads.cpp:618
#7  0x0000555555c4ee3f in js::HelperThread::handleParseWorkload (this=<optimized out>, locked=...) at js/src/vm/HelperThreads.cpp:2309
#8  0x0000555555c3b39c in js::HelperThread::threadLoop (this=this@entry=0x7ffff5f06e00) at js/src/vm/HelperThreads.cpp:2643
#9  0x0000555555c3b5a0 in js::HelperThread::ThreadMain (arg=0x7ffff5f06e00) at js/src/vm/HelperThreads.cpp:2084
#10 0x0000555555c66672 in js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::callMain<0ul> (this=0x7ffff5f1b090) at js/src/threading/Thread.h:243
#11 js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start (aPack=0x7ffff5f1b090) at js/src/threading/Thread.h:236
#12 0x00007ffff7bc16ba in start_thread (arg=0x7ffff5707700) at pthread_create.c:333
#13 0x00007ffff6c2c41d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax 0x7ffff5705740 140737311168320
rbx 0x7ffff4df7040 140737301672000
rcx 0x0 0
rdx 0x20 32
rsi 0x7ffff5705560 140737311167840
rdi 0x0 0
rbp 0x7ffff57058b0 140737311168688
rsp 0x7ffff57055e8 140737311167976
r8  0x0 0
r9  0x0 0
r10 0x7ffff5f1c000 140737319649280
r11 0x7ffff483b000 140737295659008
r12 0x7ffff5705740 140737311168320
r13 0x55555698ffa0 93825013448608
r14 0x5555569a6b00 93825013541632
r15 0x0 0
rip 0x555555cf0f20 <js::SharedScriptData::decRefCount()>
=> 0x555555cf0f20 <js::SharedScriptData::decRefCount()>:   mov (%rdi),%eax
   0x555555cf0f22 <js::SharedScriptData::decRefCount()+2>: test %eax,%eax
```
Unfortunately I was not able to reproduce this to get a bisection. Setting needinfo? from Iain as a start.
Flags: needinfo?(iireland)
This one's pretty straightforward. It looks like we are double-freeing the shared script data.

The first free happens here in shareScriptData:
https://searchfox.org/mozilla-central/source/js/src/vm/JSScript.cpp#2982-2986

The second free happens here in a scriptDataGuard lambda:
https://searchfox.org/mozilla-central/source/js/src/vm/JSScript.cpp#710-714

It looks like shareScriptData is called from other places that don't have a guard, and we need the guard to handle the rest of XDRScript, so the easiest fix might be to change JSScript::freeScriptData to check whether scriptData_ is null before decrementing its reference count.

Ted, thoughts? I know you have been working with this code recently.
Flags: needinfo?(iireland) → needinfo?(tcampbell)
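A reduced C++ model of the double free described in the comment above, added here as an illustration (this is not SpiderMonkey's code; the class and function names mirror the comment, but their structure is assumed): `shareScriptData` releases the data on its OOM failure path, the `ScopeExit` guard in the XDR decode path releases it again, and the null check in `freeScriptData` turns that second call into a no-op instead of a `decRefCount()` on `this == 0x0`.

```cpp
#include <utility>

// Counters observed by the test: blobs actually destroyed, and decRefCount()
// calls the unfixed code would make through a null pointer (the reported crash).
static int gDestroyed = 0, gNullDecRefs = 0;

// Toy stand-in for js::SharedScriptData: an intrusively refcounted bytecode blob.
struct SharedScriptData {
    unsigned refCount = 1;
    void decRefCount() { if (--refCount == 0) { ++gDestroyed; delete this; } }
};

// Minimal stand-in for mozilla::ScopeExit: runs the callable when the scope ends.
template <typename F> struct ScopeExit {
    F f; bool armed;
    explicit ScopeExit(F fn) : f(std::move(fn)), armed(true) {}
    ScopeExit(ScopeExit&& o) : f(std::move(o.f)), armed(o.armed) { o.armed = false; }
    ~ScopeExit() { if (armed) f(); }
};
template <typename F> ScopeExit<F> MakeScopeExit(F f) { return ScopeExit<F>(std::move(f)); }

struct JSScript {
    SharedScriptData* scriptData_ = nullptr;
    // The fix: treat a null scriptData_ as "nothing to release". With
    // checkNull == false the routine behaves like the crashing build.
    void freeScriptData(bool checkNull) {
        if (!scriptData_) {
            if (!checkNull) ++gNullDecRefs;  // unfixed: scriptData_->decRefCount() with this == 0x0
            return;
        }
        scriptData_->decRefCount();
        scriptData_ = nullptr;
    }
    // shareScriptData() releases the data itself when it fails under OOM (first free).
    bool shareScriptData(bool oom, bool checkNull) {
        if (oom) { freeScriptData(checkNull); return false; }
        return true;
    }
};
struct Outcome { int destroyed; int nullDecRefs; };
// XDRScript's decode path with an OOM injected inside shareScriptData: the
// scriptDataGuard frees the data again on the way out (second free).
Outcome decodeScriptUnderOOM(bool checkNull) {
    int d0 = gDestroyed, n0 = gNullDecRefs;
    JSScript script;
    script.scriptData_ = new SharedScriptData();
    {
        auto guard = MakeScopeExit([&] { script.freeScriptData(checkNull); });
        (void)script.shareScriptData(/*oom=*/true, checkNull);  // first free
    }  // guard fires here: second free
    return Outcome{gDestroyed - d0, gNullDecRefs - n0};
}
```

With the check in place the blob is destroyed exactly once and no null dereference is attempted; without it the second release reaches `decRefCount()` through a null pointer, which is the frame #0 in the backtrace.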
(In reply to Iain Ireland [:iain] from comment #2)
> ... so the easiest
> fix might be to change JSScript::freeScriptData to check whether scriptData_
> is null before decrementing its reference count.

Agreed.
Flags: needinfo?(tcampbell)
Assignee: nobody → iireland
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9a56e222166a
Check for null in JSScript::freeScriptData r=tcampbell
Backed out changeset 9a56e222166a (bug 1503722) for spidermonkey failures
Log: https://treeherder.mozilla.org/logviewer.html#?job_id=210819017&repo=autoland&lineNumber=93406

TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/xdr/bug1503722.js | /builds/worker/workspace/build/src/js/src/jit-test/tests/xdr/bug1503722.js:7:5 ReferenceError: oomAtAllocation is not defined (code 3, args "--ion-eager --ion-offthread-compile=off") [0.0 s]

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=9a56e222166a7782bac4775046ea4b9d13eeb624
Backout: https://hg.mozilla.org/integration/autoland/rev/f21eb25a48d6cb9327623a57b68fe41dc1742b70
Flags: needinfo?(iireland)
Attachment #9023992 - Attachment is obsolete: true
Attachment #9024006 - Attachment is obsolete: true
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/76e2c4ebce30
Check for null in JSScript::freeScriptData r=tcampbell
Note to self: running jit_test.py locally will not warn you if you forgot to include |skip-if: !('oomAtAllocation' in this)| in your testcase.
Flags: needinfo?(iireland)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65