Closed Bug 1764720 Opened 2 years ago Closed 2 years ago

Assertion failure: visited.put(cell) && stack.append(thing) (OOM), at vm/SelfHosting.cpp:2575

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
101 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox99 --- unaffected
firefox100 --- unaffected
firefox101 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisect][fuzzblocker])

Attachments

(2 files)

Detailed Crash Information
1.69 KB, text/plain
Details
Bug 1764720 - Ignore OOM during debug-only check that self-hosting data is tenured r?jandem
48 bytes, text/x-phabricator-request
Details | Review

The following crash is currently blocking fuzzing on mozilla-central revision 20220413-bc9d2af4c01e (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --scalar-replace-arguments --ion-pruning=on --enable-class-static-blocks --disable-oom-functions --disable-oom-functions --ion-gvn=off --ion-inlining=off --spectre-mitigations=off --warp-async --nursery-strings=on --wasm-compiler=optimizing --nursery-bigints=on --warp-generator --wasm-extended-const --ion-optimization-levels=on --wasm-compiler=baseline --blinterp-warmup-threshold=10 --no-sse42 --ion-full-warmup-threshold=10 --ion-warmup-threshold=0 --blinterp-eager --nursery-bigints=off --ion-full-warmup-threshold=0 --spectre-mitigations=on --test-wasm-await-tier2 --blinterp-warmup-threshold=1 --no-sse3 --wasm-exceptions --baseline-eager --no-native-regexp --no-sse41 --ion-optimization-levels=off --ion-extra-checks --blinterp --wasm-function-references --more-compartments --ion-instruction-reordering=on --execute=gcstress=1 --fast-warmup --ion-regalloc=testbed --enable-watchtower --ion-warmup-threshold=10 --wasm-compiler=baseline+optimizing):

Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x58044a44 in CheckTenuredTracer::onChild(JS::GCCellPtr) ()
#1  0x57fdda02 in js::GenericTracerImpl<JS::CallbackTracer>::onStringEdge(JSString*) ()
#2  0x5853b562 in bool DoCallback<JSString>(js::GenericTracer*, JSString**, char const*) ()
#3  0x58547906 in void js::TraceNullableRoot<JSString*>(JSTracer*, JSString**, char const*) ()
#4  0x5843be3d in js::frontend::CompilationInput::trace(JSTracer*) ()
#5  0x58018ffd in JSRuntime::initSelfHostingFromStencil(JSContext*) ()
#6  0x57e5dda5 in JS::InitSelfHostedCode(JSContext*, mozilla::Span<unsigned char const, 4294967295u>, bool (*)(JSContext*, mozilla::Span<unsigned char const, 4294967295u>)) ()
#7  0x57b6b8de in WorkerMain(mozilla::UniquePtr<WorkerInput, JS::DeletePolicy<WorkerInput> >) ()
#8  0x57b6c3cb in js::detail::ThreadTrampoline<void (&)(mozilla::UniquePtr<WorkerInput, JS::DeletePolicy<WorkerInput> >), mozilla::UniquePtr<WorkerInput, JS::DeletePolicy<WorkerInput> > >::Start(void*) ()
#9  0xf7f36635 in start_thread (arg=0x21577b40) at pthread_create.c:477
#10 0xf7adf87a in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:108
eax	0x56727839	1450342457
ebx	0x591c84c4	1495041220
ecx	0x591c9f9c	1495048092
edx	0xf7bc6cc7	-138646329
esi	0x215770b0	559378608
edi	0xb5243b80	-1255916672
ebp	0x21576fb8	559378360
esp	0x21576f60	559378272
eip	0x58044a44 <CheckTenuredTracer::onChild(JS::GCCellPtr)+484>
=> 0x58044a44 <_ZN18CheckTenuredTracer7onChildEN2JS9GCCellPtrE+484>:	movl   $0xa0f,0x0
   0x58044a4e <_ZN18CheckTenuredTracer7onChildEN2JS9GCCellPtrE+494>:	call   0x57bae7cf <abort>

This crash is highly frequent but we were not able to isolate a testcase for it so far. It mostly occurs in 32-bit but we have also seen 64-bit instances of it. It primarily blocks jsfunfuzz from running properly.

Bugmon Analysis
Unable to reproduce bug 1764720 using build mozilla-central 20220413094328-bc9d2af4c01e. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Assignee: nobody → jcoppeard
Regressed by: 1764122

Set release status flags based on info from the regressing bug 1764122

status-firefox100: --- → unaffected
status-firefox99: --- → unaffected
status-firefox-esr91: --- → unaffected
Has Regression Range: --- → yes
Severity: -- → S2
Priority: -- → P1
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/76b44f3ecd79
Ignore OOM during debug-only check that self-hosting data is tenured r=jandem

https://hg.mozilla.org/mozilla-central/rev/76b44f3ecd79

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox101: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 101 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: