Crash in [@ js::TypeScript::Monitor]

Status: RESOLVED WORKSFORME
Type: defect
Priority: P1
Severity: critical
Reported: 3 months ago
Last updated: 2 months ago
Reporter: calixte
Assignee: Unassigned
Keywords: crash, regression
Version: Trunk
Hardware: Unspecified
OS: Windows 10
Tracking flags: firefox-esr60 unaffected, firefox65 unaffected, firefox66 unaffected, firefox67 wontfix

Description (Reporter, 3 months ago)

This bug is for crash report bp-9f2e877f-d3b4-4118-a297-0902d0190310.

Top 4 frames of crashing thread:

0 xul.dll js::TypeScript::Monitor js/src/vm/TypeInference-inl.h:721
1 xul.dll static bool js::jit::DoTypeMonitorFallback js/src/jit/BaselineIC.cpp:1415
2  @0x156d25b7c85 
3 xul.dll trunc 

There are 90 crashes in nightly 67 with buildid >= 20190307215858.

I can reproduce with URL:
https://www.libellules.ch/dotclear/index.php?pages/Nouveau-test-de-vitesse-de-libellules.ch

Using mozregression, I get:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f7a8e21490276df21e5427e57e08797c2dcec26d&tochange=b8137cbaf9cfa4f4c45cb9bd82584b4375ba2662

So patches for bug 1532946 seem to be the culprits.

:jandem, could you investigate please?

Flags: needinfo?(jdemooij)
Updated (Reporter, 3 months ago)
Has Regression Range: --- → yes
Has STR: --- → yes

Comment 1 (Reporter, 3 months ago)

We're close to the merge and the volume is pretty high for nightly.

Comment 2 (3 months ago)

Bughunter found https://www.nperf.com/es/ and two other URLs which reproduce this on my local Fedora:

bp-7bfabb39-0b4f-4a76-95c8-272a60190310
bp-7b856431-0e57-4456-819d-e4e670190310

I see various other crashes including GC and ASAN use after poison.

Operating system: Linux
                  0.0.0 Linux 4.20.13-200.fc29.x86_64 #1 SMP Wed Feb 27 19:42:55 UTC 2019 x86_64
CPU: amd64
     family 6 model 45 stepping 2
     2 CPUs

GPU: UNKNOWN

Crash reason:  SIGSEGV /0x00000080
Crash address: 0x0
Process uptime: not available

Thread 0 (crashed)
 0  libxul.so!void js::GCMarker::traverse<js::ObjectGroup*>(js::ObjectGroup*) [HeapAPI.h:67424fa758d40134fdca363ec9a7a992aa92403f : 476 + 0x0]
    rax = 0x2b2b2b2b2b2fffe8   rdx = 0x2b2b2b2b2b200000
    rcx = 0x7ffffffffffea018   rbx = 0x00003e4dd9d4f060
    rsi = 0x2b2b2b2b2b2b2b2b   rdi = 0x00007f0c661170f8
    rbp = 0x00007ffe0a048e20   rsp = 0x00007ffe0a048e00
     r8 = 0x0000000000000000    r9 = 0x2b2b2b2b2b2b3b2b
    r10 = 0x0000000000001000   r11 = 0x0000000000016350
    r12 = 0x2b2b2b2b2b2b2b2b   r13 = 0x00007f0c661170f8
    r14 = 0x00007f0c661170f8   r15 = 0x00003e4dd9d4f060
    rip = 0x00007f0c7ba08349
    Found by: given as instruction pointer in context
 1  libxul.so!js::GCMarker::processMarkStackTop(js::SliceBudget&) [Marking.cpp:67424fa758d40134fdca363ec9a7a992aa92403f : 917 + 0x8]
    rbx = 0x00003e4dd9d4f060   rbp = 0x00007ffe0a048e90
    rsp = 0x00007ffe0a048e30   r12 = 0x00007ffe0a049000
    r13 = 0x00007f0c661170f8   r14 = 0x00007ffe0a049000
    r15 = 0x00003e4dd9d4f060   rip = 0x00007f0c7ba0a36b
    Found by: call frame info
 2  libxul.so!js::GCMarker::markUntilBudgetExhausted(js::SliceBudget&) [Marking.cpp:67424fa758d40134fdca363ec9a7a992aa92403f : 1598 + 0xb]
    rbx = 0x00007ffe0a049000   rbp = 0x00007ffe0a048ed0
    rsp = 0x00007ffe0a048ea0   r12 = 0x00007f0c66117110
    r13 = 0x00007f0c66117138   r14 = 0x00007f0c661170f8
    r15 = 0x00007f0c66116540   rip = 0x00007f0c7b9fcd20
    Found by: call frame info
 3  libxul.so!js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::GCReason, js::gc::AutoGCSession&) [GC.cpp:67424fa758d40134fdca363ec9a7a992aa92403f : 5849 + 0xc]
    rbx = 0x000000000a049001   rbp = 0x00007ffe0a048f60
    rsp = 0x00007ffe0a048ee0   r12 = 0x00007f0c66116000
    r13 = 0x00007f0c661164f0   r14 = 0x00007f0c661170f8
    r15 = 0x00007f0c66116540   rip = 0x00007f0c7b9ffaa7
    Found by: call frame info
 4  libxul.so!js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, JS::GCReason) [GC.cpp:67424fa758d40134fdca363ec9a7a992aa92403f : 7398 + 0xf]
    rbx = 0x00007f0c66116540   rbp = 0x00007ffe0a048ff0
    rsp = 0x00007ffe0a048f70   r12 = 0x00007f0c802283c0
    r13 = 0x00007ffe0a048fa0   r14 = 0x0000000000000006
    r15 = 0x00007f0c661164f0   rip = 0x00007f0c7ba00c47
    Found by: call frame info
 5  libxul.so!js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::GCReason) [GC.cpp:67424fa758d40134fdca363ec9a7a992aa92403f : 7569 + 0x21]
    rbx = 0x0000000000000006   rbp = 0x00007ffe0a049050
    rsp = 0x00007ffe0a049000   r12 = 0x00007ffe0a049060
    r13 = 0x0000000000000008   r14 = 0x0000000000000000
    r15 = 0x00007f0c661164f0   rip = 0x00007f0c7ba01711
    Found by: call frame info
 6  libxul.so!js::gc::GCRuntime::startGC(JSGCInvocationKind, JS::GCReason, long) [GC.cpp:67424fa758d40134fdca363ec9a7a992aa92403f : 0 + 0xb]
    rbx = 0x0000000000000005   rbp = 0x00007ffe0a0490e0
    rsp = 0x00007ffe0a049060   r12 = 0x0001f4dce198e63c
    r13 = 0x00007ffe0a499e70   r14 = 0x0000000000000006
    r15 = 0x00007f0c661164f0   rip = 0x00007f0c7b9f2109
    Found by: call frame info
 7  libxul.so!js::gc::GCRuntime::gcIfRequested() [GC.cpp:67424fa758d40134fdca363ec9a7a992aa92403f : 7859 + 0xf]
    rbx = 0x00007f0c661164f0   rbp = 0x00007ffe0a049160
    rsp = 0x00007ffe0a0490f0   r12 = 0x0000000000000008
    r13 = 0x00007ffe0a499e70   r14 = 0x0000000000000006
    r15 = 0x00007ffe0a499401   rip = 0x00007f0c7b9e3640
    Found by: call frame info
 8  libxul.so!JSContext::handleInterrupt() [Runtime.cpp:67424fa758d40134fdca363ec9a7a992aa92403f : 409 + 0x5]
    rbx = 0x0000000000000000   rbp = 0x00007ffe0a0495e0
    rsp = 0x00007ffe0a049170   r12 = 0x0000000000000008
    r13 = 0x00007ffe0a499e70   r14 = 0x00007f0c66123000
    r15 = 0x00007ffe0a499401   rip = 0x00007f0c7b777906
    Found by: call frame info
 9  0x3ff905391b62
    rbx = 0x000032efd5900000   rbp = 0x00007ffe0a47fdc8
    rsp = 0x00007ffe0a0495f0   r12 = 0x0000000000000008
    r13 = 0x00007ffe0a499e70   r14 = 0x0000000000000000
    r15 = 0x00007ffe0a4994d0   rip = 0x00003ff905391b62
    Found by: call frame info
---

Operating system: Windows NT
                  10.0.17763 
CPU: amd64
     family 6 model 45 stepping 2
     2 CPUs

GPU: UNKNOWN

Crash reason:  EXCEPTION_BREAKPOINT
Crash address: 0x7ffe7695fe0a
Assertion: Unknown assertion type 0x00000000
Process uptime: 12 seconds

Thread 0 (crashed)
 0  xul.dll!static bool js::jit::DoTypeMonitorFallback(struct JSContext *, class js::jit::BaselineFrame *, class js::jit::ICTypeMonitor_Fallback *, class JS::Handle<JS::Value>, class JS::MutableHandle<JS::Value>) [BaselineIC.cpp:30385b68bea1a7f52c109b28a67f0ea611d88534 : 1375 + 0x2a]
    rax = 0x00007ffe77bea859   rdx = 0x00007ffeae73c750
    rcx = 0x00007ffe9ed2fae0   rbx = 0x0000028d0ec07000
    rsi = 0x0000028d110c3dc0   rdi = 0x0000000000000000
    rbp = 0x0000000000000040   rsp = 0x000000c857387440
     r8 = 0x000000c857385768    r9 = 0x000000c857386d41
    r10 = 0x0000000000000000   r11 = 0x000000c8573872e0
    r12 = 0x000000c857387510   r13 = 0x00003b4de9742040
    r14 = 0x000000c857387540   r15 = 0x0000028d1258a0c0
    rip = 0x00007ffe7695fe0a
    Found by: given as instruction pointer in context
 1  0x11db33a441
    rbx = 0x0000028d0ec07000   rbp = 0x0000000000000040
    rsp = 0x000000c8573874e0   r12 = 0x000000c857387510
    r13 = 0x00003b4de9742040   r14 = 0x000000c857387540
    r15 = 0x0000028d1258a0c0   rip = 0x00000011db33a441
    Found by: call frame info
 2  xul.dll!truncf + 0x1830db0
    rsp = 0x000000c857387520   rip = 0x00007ffe7934b3e0
    Found by: stack scanning

----
==18640==ERROR: AddressSanitizer: use-after-poison on address 0x262787aaef80 at pc 0x7fb00074999a bp 0x7ffe145a21c0 sp 0x7ffe145a21b8
READ of size 8 at 0x262787aaef80 thread T0 (Web Content)
    #0 0x7fb000749999 in JSObject::isSingleton() const /builds/worker/workspace/build/src/js/src/vm/JSObject.h:158:37
    #1 0x7fb000780cf9 in js::TypeSet::ObjectType(JSObject const*) /builds/worker/workspace/build/src/js/src/vm/TypeInference-inl.h:130:12
    #2 0x7fb0016f6b41 in js::TypeScript::Monitor(JSContext*, JSScript*, unsigned char*, js::StackTypeSet*, JS::Value const&) /builds/worker/workspace/build/src/js/src/vm/TypeInference-inl.h:721:24
    #3 0x7fb0016b887a in js::jit::DoTypeMonitorFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICTypeMonitor_Fallback*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:1415:5
    #4 0x280cc30078fe  (<unknown module>)

Address 0x262787aaef80 is a wild pointer.
SUMMARY: AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/js/src/vm/JSObject.h:158:37 in JSObject::isSingleton() const
Shadow bytes around the buggy address:
  0x04c570f4dda0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x04c570f4ddb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x04c570f4ddc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x04c570f4ddd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x04c570f4dde0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x04c570f4ddf0:[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x04c570f4de00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x04c570f4de10: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x04c570f4de20: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x04c570f4de30: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x04c570f4de40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==18640==ABORTING

----
Operating system: Linux
                  0.0.0 Linux 4.18.0-15-generic #16-Ubuntu SMP Thu Feb 7 10:56:39 UTC 2019 x86_64
CPU: amd64
     family 6 model 45 stepping 2
     2 CPUs

GPU: UNKNOWN

Crash reason:  SIGSEGV /0x00000080
Crash address: 0x0
Process uptime: not available

Thread 0 (crashed)
 0  libxul.so!js::TypeScript::Monitor(JSContext*, JSScript*, unsigned char*, js::StackTypeSet*, JS::Value const&) [ObjectGroup.h:67424fa758d40134fdca363ec9a7a992aa92403f : 218 + 0x0]
    rax = 0x2b2b2b2b2b2b2b2b   rdx = 0x00007fe383a13810
    rcx = 0xfff8000100000000   rbx = 0x0000303d6a1e1c81
    rsi = 0x000015de6b5c6700   rdi = 0x00007fe387e23000
    rbp = 0x00007ffc6769e630   rsp = 0x00007ffc6769e620
     r8 = 0x00007ffc6769e6f0    r9 = 0x00007ffc6769e6f0
    r10 = 0x00007fe383d567f0   r11 = 0xfff9800000000000
    r12 = 0x00007fe383d567f0   r13 = 0x000015de6b5c6700
    r14 = 0x00007fe383a13810   r15 = 0x00007ffc6769e6f0
    rip = 0x00007fe39125f417
    Found by: given as instruction pointer in context
 1  libxul.so!js::jit::DoTypeMonitorFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICTypeMonitor_Fallback*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) [BaselineIC.cpp:67424fa758d40134fdca363ec9a7a992aa92403f : 1415 + 0x14]
    rbx = 0x00007fe387e23000   rbp = 0x00007ffc6769e6a0
    rsp = 0x00007ffc6769e640   r12 = 0x00007fe383d567f0
    r13 = 0x000015de6b5c6700   r14 = 0x00007fe383a13810
    r15 = 0x00007ffc6769e6f0   rip = 0x00007fe391242278
    Found by: call frame info
 2  0x2b8208f37b34
    rbx = 0x2b2b2b2b2b2b2b2b   rbp = 0x00007ffc6769e728
    rsp = 0x00007ffc6769e6b0   r12 = 0x0000000000000008
    r13 = 0x00007ffc67b69140   r14 = 0x0000303d6a1e1c80
    r15 = 0x00007ffc67b687a0   rip = 0x00002b8208f37b34
    Found by: call frame info
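
The two report formats in this comment, a minidump_stackwalk dump and an AddressSanitizer report, can be triaged mechanically: a crash signature from the top symbolized frame, plus a scan of the register dump for repeated-byte fills such as the 0x2b2b2b2b2b2b2b2b values in the Linux dumps above, which are what a read of poisoned memory typically leaves behind. The Python below is an added example written for this page, not part of the bug or of Mozilla's crash tooling; its sample inputs are abridged excerpts of the reports in this comment, and the signature rule, the normalize() cleanup and the poison heuristic are its own assumptions (Socorro's real signature generation is more elaborate).

```python
"""Crash-report triage helper: an added example, not part of this bug or of Mozilla's tooling.
It turns minidump_stackwalk text (frames with register dumps) and an AddressSanitizer report
into a crash signature plus the registers holding a poison fill.  Samples are abridged excerpts
of the reports in comment 2; signature rule and poison heuristic are this example's own."""
import re
from dataclasses import dataclass, field

STACKWALK_SAMPLE = """\
Crash reason:  SIGSEGV /0x00000080
Crash address: 0x0
Thread 0 (crashed)
 0  libxul.so!js::TypeScript::Monitor(JSContext*, JSScript*, unsigned char*, js::StackTypeSet*, JS::Value const&) [ObjectGroup.h:67424fa758d40134fdca363ec9a7a992aa92403f : 218 + 0x0]
    rax = 0x2b2b2b2b2b2b2b2b   rdx = 0x00007fe383a13810
    Found by: given as instruction pointer in context
 1  libxul.so!js::jit::DoTypeMonitorFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICTypeMonitor_Fallback*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) [BaselineIC.cpp:67424fa758d40134fdca363ec9a7a992aa92403f : 1415 + 0x14]
 2  0x2b8208f37b34
    rbx = 0x2b2b2b2b2b2b2b2b   rbp = 0x00007ffc6769e728
"""

ASAN_SAMPLE = """\
==18640==ERROR: AddressSanitizer: use-after-poison on address 0x262787aaef80 at pc 0x7fb00074999a bp 0x7ffe145a21c0 sp 0x7ffe145a21b8
READ of size 8 at 0x262787aaef80 thread T0 (Web Content)
    #0 0x7fb000749999 in JSObject::isSingleton() const /builds/worker/workspace/build/src/js/src/vm/JSObject.h:158:37
    #1 0x7fb000780cf9 in js::TypeSet::ObjectType(JSObject const*) /builds/worker/workspace/build/src/js/src/vm/TypeInference-inl.h:130:12
    #2 0x7fb0016f6b41 in js::TypeScript::Monitor(JSContext*, JSScript*, unsigned char*, js::StackTypeSet*, JS::Value const&) /builds/worker/workspace/build/src/js/src/vm/TypeInference-inl.h:721:24
    #3 0x7fb0016b887a in js::jit::DoTypeMonitorFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICTypeMonitor_Fallback*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:1415:5
    #4 0x280cc30078fe  (<unknown module>)
"""

@dataclass
class Frame:
    index: int
    function: str                 # normalized symbol, or "@0x..." for unsymbolized JIT code
    registers: dict = field(default_factory=dict)   # minidump only; ASAN prints no registers

@dataclass
class Triage:
    kind: str                     # "minidump" or "asan"
    reason: str                   # SIGSEGV, EXCEPTION_BREAKPOINT, use-after-poison, ...
    address: str
    frames: list

    @property
    def signature(self) -> str:   # Socorro-style, from the first symbolized frame (example's rule)
        top = next((f.function for f in self.frames if not f.function.startswith('@')), 'unknown')
        return '[@ %s]' % top

    @property
    def poisoned_registers(self) -> list:   # (frame index, register, value) for poison fills
        return [(f.index, reg, '0x' + val) for f in self.frames
                for reg, val in f.registers.items() if looks_poisoned(val)]

FRAME_RE = re.compile(r'^\s*(\d+)\s+(.+?)(?:\s+\[[^\]]*\])?\s*$')   # " 0  symbol [file : line + off]"
REG_RE = re.compile(r'\b(r\w+)\s*=\s*0x([0-9a-f]+)')
ASAN_HEADER_RE = re.compile(r'^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)', re.M)
ASAN_FRAME_RE = re.compile(r'^\s*#(\d+)\s+(0x[0-9a-f]+)\s+(.*)$', re.M)

def normalize(symbol: str) -> str:
    """'libxul.so!static bool js::Foo(int)' -> 'js::Foo'; a bare address -> '@0x...'."""
    if re.fullmatch(r'0x[0-9a-f]+', symbol):
        return '@' + symbol
    symbol = re.sub(r'\(.*$', '', symbol.split('!', 1)[-1])   # drop module prefix and arguments
    return re.sub(r'^(static\s+)?(bool|void|int|long)\s+', '', symbol).strip()

def looks_poisoned(hexvalue: str) -> bool:
    """One byte repeated over all 64 bits (not 00/ff), e.g. 0x2b2b2b2b2b2b2b2b: a fill pattern,
    not a live pointer, so the crashing code read memory that had already been poisoned."""
    v = hexvalue.lower().rjust(16, '0')
    return len(v) == 16 and v == v[:2] * 8 and v[:2] not in ('00', 'ff')

def parse_stackwalk(text: str) -> Triage:
    reason, address, frames, in_thread = '', '', [], False
    for line in text.splitlines():
        if line.startswith('Crash reason:'):
            reason = line.split(':', 1)[1].split('/')[0].strip()
        elif line.startswith('Crash address:'):
            address = line.split(':', 1)[1].strip()
        elif line.startswith('Thread ') and '(crashed)' in line:
            in_thread = True
        elif in_thread and not line.strip():
            in_thread = False                  # a blank line ends the crashing thread's frames
        elif in_thread:
            m = FRAME_RE.match(line)
            if m:                              # frame header
                frames.append(Frame(int(m.group(1)), normalize(m.group(2))))
            elif frames:                       # register dump / "Found by" lines
                frames[-1].registers.update(REG_RE.findall(line))
    return Triage('minidump', reason, address, frames)

def parse_asan(text: str) -> Triage:
    header = ASAN_HEADER_RE.search(text)
    reason, address = header.groups() if header else ('', '')
    frames = []
    for idx, addr, rest in ASAN_FRAME_RE.findall(text):
        rest = rest.strip()                    # "in symbol path:line:col" or "(<unknown module>)"
        symbol = rest[3:].rsplit(' ', 1)[0] if rest.startswith('in ') else addr
        frames.append(Frame(int(idx), normalize(symbol)))
    return Triage('asan', reason, address, frames)

if __name__ == '__main__':
    for r in (parse_stackwalk(STACKWALK_SAMPLE), parse_asan(ASAN_SAMPLE)):
        print(r.kind, r.reason, r.address, r.signature, r.poisoned_registers)
```

Run as a script it prints one line per report; for the Linux dump the signature comes out as `[@ js::TypeScript::Monitor]`, the same signature this bug is filed under, and rax in frame 0 and rbx in frame 2 are flagged as poison fills. The poison check is a heuristic for triage, not proof of a use-after-free: a value that happens to repeat one byte is rare but possible, so treat a hit as a prompt to look at the ASAN build, as comment 2 does, rather than as a verdict.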

Comment 3 (Jan de Mooij [:jandem])

(In reply to Calixte Denizet (:calixte) from comment #0)
> So patches for bug 1532946 seem to be the culprits.

I think it's more likely from bug 1532376. Why did we back out only bug 1532946?

Flags: needinfo?(pascalc)
Flags: needinfo?(jdemooij)
Flags: needinfo?(jcoppeard)

Comment 4 (Pascal Chevrel [:pascalc])

(In reply to Jan de Mooij [:jandem] from comment #3)
> (In reply to Calixte Denizet (:calixte) from comment #0)
> > So patches for bug 1532946 seem to be the culprits.
>
> I think it's more likely from bug 1532376. Why did we back out only bug 1532946?

Oh, indeed, the regression range actually showed 2 bugs, while we put only one bug as blocking. That explains the confusion I had between yesterday's backout of bug 1532376 and today's backout of the one blocking this bug (bug 1532946). Sorry about the confusion. Jan, do you think that both should be backed out or only bug 1532376? Currently only 1532946 is backed out.

Flags: needinfo?(pascalc) → needinfo?(jdemooij)

Comment 5

(In reply to Pascal Chevrel [:pascalc] from comment #4)
> Oh, indeed, the regression range actually showed 2 bugs, while we put only one bug as blocking. That explains the confusion I had between yesterday's backout of bug 1532376 and today's backout of the one blocking this bug (bug 1532946). Sorry about the confusion. Jan, do you think that both should be backed out or only bug 1532376? Currently only 1532946 is backed out.

I think bug 1532376 is most likely to cause these crashes and there's no need to back out bug 1532946 then.

Flags: needinfo?(jdemooij)
Blocks: 1532376
No longer blocks: 1532946

Comment 6 (3 months ago)

Jonco is away but I'll leave his NI so he can find the test case in comment 0.

Looks like crashes might be going down since the backout; if they're still going down at the end of the week we can close this and let Jon work on bug 1532376 when he's back.

Updated (3 months ago)
Priority: -- → P1

Updated (3 months ago)
Flags: needinfo?(jcoppeard)

Comment 7

Adding NI for Jonco to look into this. The crash volume is pretty high here.

Flags: needinfo?(jcoppeard)

Comment 8 (3 months ago)

Unhiding comment 2 since I could not reproduce after the backout of bug 1532376. I had originally reproduced the same regression range as in comment 0.

Comment 2 is private: false

Comment 9

This crash is no longer present on nightly since the backout of bug 1532376.

Status: NEW → RESOLVED
Closed: 3 months ago
Flags: needinfo?(jcoppeard)
Resolution: --- → WORKSFORME