Assertion failure: !mArena || arena == mArena, at memory/build/mozjemalloc.cpp:3960
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox66 | --- | unaffected |
| firefox67 | --- | unaffected |
| firefox68 | + | fixed |
People
(Reporter: gkw, Assigned: cmartin)
References
(Regression)
Details
(5 keywords, Whiteboard: [jsbugmon:][post-critsmash-triage])
Attachments
(1 file)
The following testcase crashes on mozilla-central revision c7a9affeb604 (build with PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig 'CC="clang -m32 -msse2 -mfpmath=sse"' AR=ar 'CXX="clang++ -m32 -msse2 -mfpmath=sse"' sh ./configure --target=i686-pc-linux --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests --disable-cranelift, run with --fuzzing-safe --no-threads --no-baseline --no-ion):
try {
s0 = 'x';
for (let i = 0; i < 35; i++)
s0 += s0;
} catch (e) {}
(
function()
{
mathy4 = (
function(y)
{
Math.fround
x
mathy2
(
(
Math.max
)
)
| 0
===
y
>>> 0
(
2
** 53
)
x | 0
;
}
)
mathy4, []
}
)
()
uneval(this);
No backtrace is available.
Setting s-s as a start as this seems to be involving the memory allocator.
|
Reporter | |
Comment 1•5 years ago
|
||
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/e51a022e039f
user: Chris Martin
date: Wed Apr 24 13:57:07 2019 +0000
summary: Bug 1052579 - Change all found JSString allocation sites to new arena r=sfink
Chris, is bug 1052579 a likely regressor?
|
|
Reporter | |
Comment 2•5 years ago
|
||
This testcase is slightly intermittent and seems to be even more intermittent as one further reduces it.
|
Assignee | |
Comment 3•5 years ago
|
||
Hi Gary,
Yes, that commit is almost-certainly the cause of the regression. I relied on testing to try to find all the code spots that needed to be changed, and it looks like there must've been some codepaths that were not hit by my testing.
I will investigate this immediately.
|
|
Assignee | |
Updated•5 years ago
|
|
||
Comment 4•5 years ago
|
||
Here is a simpler testcase and a stack:
Summary: Assertion failure: !mArena || arena == mArena, at memory/build/mozjemalloc.cpp:3960
Build version: mozilla-central revision 0ec836eceb96
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu
Runtime options: --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off
Testcase:
var fe = "f";
for (i = 0; i < 28; i++) fe += fe;
new Function(fe, fe, fe, fe, fe, fe);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 BaseAllocator::realloc (this=0xffffb5c8, aPtr=0x84000000, aSize=2147483648) at memory/build/mozjemalloc.cpp:3960
#1 0x5676c1d4 in Allocator<MozJemallocBase>::moz_arena_realloc (arg2=2147483648, arg1=0x84000000, aArenaId=2996287479) at memory/build/malloc_decls.h:40
#2 moz_arena_realloc (arg1=2996287479, arg2=0x84000000, arg3=2147483648) at memory/build/malloc_decls.h:118
#3 0x56aa2204 in js_arena_realloc (bytes=2147483648, p=0x84000000, arena=2996287479) at dist/include/js/Utility.h:400
#4 js_realloc (bytes=2147483648, p=0x84000000) at dist/include/js/Utility.h:404
#5 JSRuntime::onOutOfMemory (this=0xf6e18000, allocFunc=js::AllocFunction::Realloc, arena=3319813561, nbytes=2147483648, reallocPtr=0x84000000, maybecx=0xf6e2a800) at js/src/vm/Runtime.cpp:712
#6 0x56d0489a in JSContext::onOutOfMemory (reallocPtr=0x84000000, nbytes=2147483648, arena=3319813561, allocFunc=js::AllocFunction::Realloc, this=0xf6e2a800) at js/src/vm/JSContext.h:215
#7 js::TempAllocPolicy::onOutOfMemory (this=0xffffb948, allocFunc=js::AllocFunction::Realloc, nbytes=2147483648, reallocPtr=0x84000000) at js/src/util/AllocPolicy.cpp:15
#8 0x5675933c in js::TempAllocPolicy::onOutOfMemoryTyped<unsigned char> (reallocPtr=0x84000000, numElems=2147483648, allocFunc=js::AllocFunction::Realloc, this=0xffffb948) at dist/include/js/AllocPolicy.h:102
#9 js::TempAllocPolicy::pod_realloc<unsigned char> (oldSize=<optimized out>, newSize=2147483648, prior=0x84000000 "function anonymous(", 'f' <repeats 181 times>..., this=0xffffb948) at dist/include/js/AllocPolicy.h:132
#10 mozilla::detail::VectorImpl<unsigned char, 64u, js::TempAllocPolicy, true>::growTo (aNewCap=2147483648, aV=...) at dist/include/mozilla/Vector.h:212
#11 mozilla::Vector<unsigned char, 64u, js::TempAllocPolicy>::growStorageBy (this=0xffffb948, aIncr=268435456) at dist/include/mozilla/Vector.h:1028
#12 0x5675978d in mozilla::Vector<unsigned char, 64u, js::TempAllocPolicy>::append<unsigned char> (this=0xffffb948, aInsBegin=0xe4200000 'f' <repeats 200 times>..., aInsEnd=0xf4200000 "") at dist/include/mozilla/Vector.h:1329
#13 0x5681caaa in mozilla::Vector<unsigned char, 64u, js::TempAllocPolicy>::append<unsigned char> (aInsLength=<optimized out>, aInsBegin=<optimized out>, this=<optimized out>) at dist/include/mozilla/Vector.h:1385
#14 js::StringBuffer::append (this=0xffffb940, str=0xf6900838) at js/src/util/StringBuffer.h:320
#15 0x56a03e05 in CreateDynamicFunction (cx=<optimized out>, cx@entry=0xf6e2a800, args=..., generatorKind=generatorKind@entry=js::GeneratorKind::NotGenerator, asyncKind=js::FunctionAsyncKind::SyncFunction) at js/src/vm/JSFunction.cpp:1838
#16 0x56a047c2 in js::Function (cx=0xf6e2a800, argc=6, vp=0xffffbe78) at js/src/vm/JSFunction.cpp:1991
#17 0x567d9a70 in CallJSNative (cx=0xf6e2a800, native=0x56a04790 <js::Function(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:443
#18 0x567d9c69 in CallJSNativeConstructor (cx=<optimized out>, native=0x56a04790 <js::Function(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:459
#19 0x567ce09d in InternalConstruct (cx=<optimized out>, cx@entry=0xf6e2a800, args=...) at js/src/vm/Interpreter.cpp:633
#20 0x567ce27e in js::ConstructFromStack (cx=0xf6e2a800, args=...) at js/src/vm/Interpreter.cpp:679
#21 0x56f282dd in js::jit::DoCallFallback (cx=<optimized out>, frame=0xffffbf18, stub=0xf66a3490, argc=6, vp=0xffffbe78, res=...) at js/src/jit/BaselineIC.cpp:3860
#22 0x3583248a in ?? ()
#23 0xf66a3490 in ?? ()
#24 0x3582db7c in ?? ()
#25 0x5700e5a9 in EnterBaseline (data=..., cx=0x3583cc46) at js/src/jit/BaselineJIT.cpp:113
[...]
#37 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11373
eax 0x57c64a74 1472612980
ebx 0x57c63ff4 1472610292
ecx 0xf7d90864 -136771484
edx 0x57730f84 1467158404
esi 0x84000000 -2080374784
edi 0x80000000 -2147483648
ebp 0xffffb5a8 4294948264
esp 0xffffb540 4294948160
eip 0x5677392c <BaseAllocator::realloc(void*, unsigned int)+700>
=> 0x5677392c <BaseAllocator::realloc(void*, unsigned int)+700>: movl $0x0,0x0
0x56773936 <BaseAllocator::realloc(void*, unsigned int)+710>: ud2
The issue seems to be exclusively happening on 32-bit and it looks like some kind of OOM.|
|
||
Comment 5•5 years ago
•
|
||
.
|
|
Assignee | |
Comment 6•5 years ago
|
||
Thanks! I think I can understand the issue well-enough just from that stack trace. Looks like the OOM handler is re-allocating memory without considering the arena of the memory it's reallocing, and so mozjemalloc is throwing an assertion.
I should be able to patch this up fairly quickly.
|
|
Assignee | |
Comment 7•5 years ago
|
||
Bug 1052579 introduced a new mozjemalloc arena for JSString char buffers.
Unfortunately, my testing missed the case where JSStringBuilder causes an OOM
condition, causing the OOM handler to realloc to the default arena, regardless
of what arena is actually indicated by the AllocPolicy for the char vector.
The realloc now passes the arena from the AllocPolicy to mozjemalloc.
|
|
Reporter | |
Comment 8•5 years ago
|
||
|
||
Comment 10•5 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/b08155896113
Can we land an automated test for this?
|
|
||
Comment 11•5 years ago
|
||
|
|
||
Comment 13•5 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #10)
Can we land an automated test for this?
|
||
Updated•5 years ago
|
|
|
||
Comment 14•4 years ago
|
||
Guess not.
Description
•