1546881 - Assertion failure: !mArena || arena == mArena, at memory/build/mozjemalloc.cpp:3960

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The following testcase crashes on mozilla-central revision c7a9affeb604 (build with PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig 'CC="clang -m32 -msse2 -mfpmath=sse"' AR=ar 'CXX="clang++ -m32 -msse2 -mfpmath=sse"' sh ./configure --target=i686-pc-linux --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests --disable-cranelift, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

try {
    s0 = 'x';
    for (let i = 0; i < 35; i++)
        s0 += s0;
} catch (e) {}
(
function()
 {
         mathy4 = (
function(y)
 {
Math.fround
x
mathy2
(
(
Math.max
)
)
 | 0
=== 
y
>>> 0
(
2
** 53
)
x | 0
;
         }
)
mathy4, []
     }
)
()
uneval(this);

No backtrace is available.

Setting s-s as a start as this seems to be involving the memory allocator.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/e51a022e039f
user: Chris Martin
date: Wed Apr 24 13:57:07 2019 +0000
summary: Bug 1052579 - Change all found JSString allocation sites to new arena r=sfink

Chris, is bug 1052579 a likely regressor?

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

This testcase is slightly intermittent and seems to be even more intermittent as one further reduces it.

Comment 3

[Chris Martin [:cmartin]]

Hi Gary,

Yes, that commit is almost-certainly the cause of the regression. I relied on testing to try to find all the code spots that needed to be changed, and it looks like there must've been some codepaths that were not hit by my testing.

I will investigate this immediately.

Comment 4

[Christian Holler (:decoder)]

Here is a simpler testcase and a stack:

Summary: Assertion failure: !mArena || arena == mArena, at memory/build/mozjemalloc.cpp:3960
Build version: mozilla-central revision 0ec836eceb96
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu
Runtime options: --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off

Testcase:

    var fe = "f";
    for (i = 0; i < 28; i++) fe += fe;
    new Function(fe, fe, fe, fe, fe, fe);

Backtrace:

    received signal SIGSEGV, Segmentation fault.
    #0  BaseAllocator::realloc (this=0xffffb5c8, aPtr=0x84000000, aSize=2147483648) at memory/build/mozjemalloc.cpp:3960
    #1  0x5676c1d4 in Allocator<MozJemallocBase>::moz_arena_realloc (arg2=2147483648, arg1=0x84000000, aArenaId=2996287479) at memory/build/malloc_decls.h:40
    #2  moz_arena_realloc (arg1=2996287479, arg2=0x84000000, arg3=2147483648) at memory/build/malloc_decls.h:118
    #3  0x56aa2204 in js_arena_realloc (bytes=2147483648, p=0x84000000, arena=2996287479) at dist/include/js/Utility.h:400
    #4  js_realloc (bytes=2147483648, p=0x84000000) at dist/include/js/Utility.h:404
    #5  JSRuntime::onOutOfMemory (this=0xf6e18000, allocFunc=js::AllocFunction::Realloc, arena=3319813561, nbytes=2147483648, reallocPtr=0x84000000, maybecx=0xf6e2a800) at js/src/vm/Runtime.cpp:712
    #6  0x56d0489a in JSContext::onOutOfMemory (reallocPtr=0x84000000, nbytes=2147483648, arena=3319813561, allocFunc=js::AllocFunction::Realloc, this=0xf6e2a800) at js/src/vm/JSContext.h:215
    #7  js::TempAllocPolicy::onOutOfMemory (this=0xffffb948, allocFunc=js::AllocFunction::Realloc, nbytes=2147483648, reallocPtr=0x84000000) at js/src/util/AllocPolicy.cpp:15
    #8  0x5675933c in js::TempAllocPolicy::onOutOfMemoryTyped<unsigned char> (reallocPtr=0x84000000, numElems=2147483648, allocFunc=js::AllocFunction::Realloc, this=0xffffb948) at dist/include/js/AllocPolicy.h:102
    #9  js::TempAllocPolicy::pod_realloc<unsigned char> (oldSize=<optimized out>, newSize=2147483648, prior=0x84000000 "function anonymous(", 'f' <repeats 181 times>..., this=0xffffb948) at dist/include/js/AllocPolicy.h:132
    #10 mozilla::detail::VectorImpl<unsigned char, 64u, js::TempAllocPolicy, true>::growTo (aNewCap=2147483648, aV=...) at dist/include/mozilla/Vector.h:212
    #11 mozilla::Vector<unsigned char, 64u, js::TempAllocPolicy>::growStorageBy (this=0xffffb948, aIncr=268435456) at dist/include/mozilla/Vector.h:1028
    #12 0x5675978d in mozilla::Vector<unsigned char, 64u, js::TempAllocPolicy>::append<unsigned char> (this=0xffffb948, aInsBegin=0xe4200000 'f' <repeats 200 times>..., aInsEnd=0xf4200000 "") at dist/include/mozilla/Vector.h:1329
    #13 0x5681caaa in mozilla::Vector<unsigned char, 64u, js::TempAllocPolicy>::append<unsigned char> (aInsLength=<optimized out>, aInsBegin=<optimized out>, this=<optimized out>) at dist/include/mozilla/Vector.h:1385
    #14 js::StringBuffer::append (this=0xffffb940, str=0xf6900838) at js/src/util/StringBuffer.h:320
    #15 0x56a03e05 in CreateDynamicFunction (cx=<optimized out>, cx@entry=0xf6e2a800, args=..., generatorKind=generatorKind@entry=js::GeneratorKind::NotGenerator, asyncKind=js::FunctionAsyncKind::SyncFunction) at js/src/vm/JSFunction.cpp:1838
    #16 0x56a047c2 in js::Function (cx=0xf6e2a800, argc=6, vp=0xffffbe78) at js/src/vm/JSFunction.cpp:1991
    #17 0x567d9a70 in CallJSNative (cx=0xf6e2a800, native=0x56a04790 <js::Function(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:443
    #18 0x567d9c69 in CallJSNativeConstructor (cx=<optimized out>, native=0x56a04790 <js::Function(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:459
    #19 0x567ce09d in InternalConstruct (cx=<optimized out>, cx@entry=0xf6e2a800, args=...) at js/src/vm/Interpreter.cpp:633
    #20 0x567ce27e in js::ConstructFromStack (cx=0xf6e2a800, args=...) at js/src/vm/Interpreter.cpp:679
    #21 0x56f282dd in js::jit::DoCallFallback (cx=<optimized out>, frame=0xffffbf18, stub=0xf66a3490, argc=6, vp=0xffffbe78, res=...) at js/src/jit/BaselineIC.cpp:3860
    #22 0x3583248a in ?? ()
    #23 0xf66a3490 in ?? ()
    #24 0x3582db7c in ?? ()
    #25 0x5700e5a9 in EnterBaseline (data=..., cx=0x3583cc46) at js/src/jit/BaselineJIT.cpp:113
   [...]
    #37 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11373
    eax	0x57c64a74	1472612980
    ebx	0x57c63ff4	1472610292
    ecx	0xf7d90864	-136771484
    edx	0x57730f84	1467158404
    esi	0x84000000	-2080374784
    edi	0x80000000	-2147483648
    ebp	0xffffb5a8	4294948264
    esp	0xffffb540	4294948160
    eip	0x5677392c <BaseAllocator::realloc(void*, unsigned int)+700>
    => 0x5677392c <BaseAllocator::realloc(void*, unsigned int)+700>:	movl   $0x0,0x0
       0x56773936 <BaseAllocator::realloc(void*, unsigned int)+710>:	ud2


The issue seems to be exclusively happening on 32-bit and it looks like some kind of OOM.

Comment 5

[Christian Holler (:decoder)]

.

Comment 6

[Chris Martin [:cmartin]]

Thanks! I think I can understand the issue well-enough just from that stack trace. Looks like the OOM handler is re-allocating memory without considering the arena of the memory it's reallocing, and so mozjemalloc is throwing an assertion.

I should be able to patch this up fairly quickly.

Comment 7

[Chris Martin [:cmartin]]

Attachment: Bug 1546881 - Fix OOM causing realloc to wrong arena

Bug 1052579 introduced a new mozjemalloc arena for JSString char buffers.
Unfortunately, my testing missed the case where JSStringBuilder causes an OOM
condition, causing the OOM handler to realloc to the default arena, regardless
of what arena is actually indicated by the AllocPolicy for the char vector.

The realloc now passes the arena from the AllocPolicy to mozjemalloc.

Comment 8

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

I verify that the patch in comment 7 fixes the testcases in comment 0 and comment 4 for me.

Comment 9

[Chris Martin [:cmartin]]

Please check-in D29092 :)

Comment 10

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/integration/autoland/rev/b08155896113

Can we land an automated test for this?

Comment 11

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/b08155896113

Comment 13

[Ryan VanderMeulen [:RyanVM]]

(In reply to Ryan VanderMeulen [:RyanVM] from comment #10)

Can we land an automated test for this?

Comment 14

[Ryan VanderMeulen [:RyanVM]]

Guess not.