Closed Bug 1665583 Opened 4 years ago Closed 4 years ago

Assertion failure: false (Expected script), at vm/HelperThreads.cpp:2011 with OOM and off-thread module parsing

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
82 Branch
Tracking Status
firefox-esr78 --- wontfix
firefox81 --- wontfix
firefox82 --- verified

People

(Reporter: decoder, Assigned: jonco)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20200916-d281ed9906a8 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

// Compile `source` as a module on a helper thread, then block until the
// off-thread parse finishes and hand the result back to the main thread.
// Both are SpiderMonkey shell builtins.
function parseModule(source) {
  offThreadCompileModule(source);
  return finishOffThreadModule();
}
// oomTest (shell builtin) re-runs the callback with an allocation failure
// injected at each successive allocation site, so every allocation made
// during the off-thread parse is exercised under OOM.
function loadFile(lfVarx) {
  oomTest(function() {
      parseModule(lfVarx);
  });
}
loadFile(`
const numberingSystems = {
  "adlm": {},
  "ahom": {},
  "arab": {},
  "arabext": {},
  "armn": {},
  "armnlow": {},
  "bali": {},
  "beng": {},
  "bhks": {},
  "brah": {},
  "cakm": {},
  "cham": {},
  "cyrl": {},
  "hmnp": {},
  "java": {},
  "jpan": {},
  "jpanfin": {},
  "jpanyear": {},
  "knda": {},
  "lana": {},
  "latn": {},
  "lepc": {},
  "limb": {},
  "wcho": {}
};
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::GlobalHelperThreadState::finishSingleParseTask (this=<optimized out>, cx=<optimized out>, kind=<optimized out>, kind@entry=js::ParseTaskKind::Module, token=<optimized out>, startEncoding=startEncoding@entry=js::StartEncoding::No) at js/src/vm/HelperThreads.cpp:2011
#1  0x0000555556f97480 in js::GlobalHelperThreadState::finishModuleParseTask (this=0x7ffff7104540 <_IO_2_1_stderr_>, cx=0x7ffff6027000, token=0x5555584efb38 <gMozCrashReason>) at js/src/vm/HelperThreads.cpp:2103
#2  0x0000555556b8dec8 in FinishOffThreadModule (cx=0x7ffff6027000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:5738
#3  0x000009fa3c83e44f in ?? ()
#4  0x0000000000000000 in ?? ()
rax	0x5555558b8ba9	93824995789737
rbx	0x7ffff6027000	140737320742912
rcx	0x5555584efb38	93825042152248
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffadd0	140737488334288
rsp	0x7fffffffad60	140737488334176
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99e00	140737353719296
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0x7fffffffad80	140737488334208
r13	0x555558432430	93825041376304
r14	0x7fffffffad68	140737488334184
r15	0x0	0
rip	0x555556f96c2c <js::GlobalHelperThreadState::finishSingleParseTask(JSContext*, js::ParseTaskKind, JS::OffThreadToken*, js::StartEncoding)+892>
=> 0x555556f96c2c <js::GlobalHelperThreadState::finishSingleParseTask(JSContext*, js::ParseTaskKind, JS::OffThreadToken*, js::StartEncoding)+892>:	movl   $0x7db,0x0
   0x555556f96c37 <js::GlobalHelperThreadState::finishSingleParseTask(JSContext*, js::ParseTaskKind, JS::OffThreadToken*, js::StartEncoding)+903>:	callq  0x555556beee32 <abort()>
Attached file Testcase

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200917142508-084477976b2d.
The bug appears to have been introduced in the following build range:

Start: cfe5daf07a9992ec2d3136aad3dba01d5f7439f7 (20200827150928)
End: 1f3b9d75281c7ca8695da8844962a17b6655879f (20200827152722)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=cfe5daf07a9992ec2d3136aad3dba01d5f7439f7&tochange=1f3b9d75281c7ca8695da8844962a17b6655879f

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

Jon, could you look at this as it seems to have possibly bisected to a change you landed recently (see comment 2)

Flags: needinfo?(jcoppeard)
Assignee: nobody → jcoppeard
Severity: -- → S4
Flags: needinfo?(jcoppeard)
Priority: -- → P1
Attached file testcase2.js

This was not introduced by bug 1635185 (from the pushlog), although that makes the bug reproduce with a smaller number of properties in the object literal. This is because it results in fewer available slots in a block allocated for dynamic slots since it adds a header at the beginning.

The attached testcase reproduces before bug 1635185 landed.
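The comment above says the threshold at which the object literal triggers the assertion moved when bug 1635185 shrank the usable space in a dynamic-slots block. The following is an added example (not from this bug report or from SpiderMonkey) of a driver for the JS shell that grows the literal one property at a time so the threshold can be measured directly on a given build. The builtins offThreadCompileModule, finishOffThreadModule, oomTest and print are the shell functions the original testcase uses; makeModuleSource, countProperties, haveShellBuiltins, probeOnce and probeRange are names chosen here, and the generated property names are constructed.

```javascript
// Added example, not from the bug report or SpiderMonkey: a driver for the
// SpiderMonkey JS shell that varies the size of the object literal to find the
// smallest property count at which the off-thread module parse trips under
// oomTest. When the shell builtins are absent (e.g. under node) the probe only
// generates sources and reports which counts it would have tried.

// Build a module source whose top-level const holds an object literal with
// `count` properties. Property names "p0", "p1", ... are synthetic.
function makeModuleSource(count) {
  const props = [];
  for (let i = 0; i < count; i++) {
    props.push(`  "p${i}": {}`);
  }
  return `const obj = {\n${props.join(",\n")}\n};\n`;
}

// Count the properties the generated literal declares, so a caller can
// confirm the literal grew as intended before blaming the engine.
function countProperties(source) {
  return (source.match(/^\s+"p\d+": \{\}/gm) || []).length;
}

// True only inside a SpiderMonkey shell with the fuzzing builtins available.
function haveShellBuiltins() {
  return typeof offThreadCompileModule === "function" &&
         typeof finishOffThreadModule === "function" &&
         typeof oomTest === "function";
}

// Run one off-thread module parse of `source` under oomTest. The original
// bug is a debug-build assertion, so a hit aborts the shell rather than
// throwing; returning normally means this property count did not trigger it.
function probeOnce(source) {
  oomTest(function () {
    offThreadCompileModule(source);
    finishOffThreadModule();
  });
  return "no-assert";
}

// Walk property counts upward from `from` to `to`. In an affected debug
// shell the process aborts at the first count large enough that the
// dynamic-slots buffer allocation is reached under simulated OOM, and the
// last "properties=N" line printed is the threshold. Returns the counts tried.
function probeRange(from, to, step) {
  const tried = [];
  for (let n = from; n <= to; n += step) {
    tried.push(n);
    if (haveShellBuiltins()) {
      print(`properties=${n}`);
      probeOnce(makeModuleSource(n));
    }
  }
  return tried;
}

if (haveShellBuiltins()) {
  // Same shell flags as the report: --fuzzing-safe --cpu-count=2
  probeRange(1, 64, 1);
}
```

Run it once on a build before the bisected push and once after; the last count printed before the abort is the threshold, and the comment above predicts the post-landing threshold is lower because each block now carries a header. Outside the shell the functions still run, which is what the generator checks below rely on.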

I don't know why we never did this before. And I guess it won't be needed when we stop allocating GC things off-thread.

Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7a94e26c6387 Report OOM for off-thread buffer allocations r=tcampbell
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200918211411-ab7d302fd318.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Flags: in-testsuite+