1876404 - Assertion failure: desired && OffsetFromAligned(desired, allocGranularity) == 0, at gc/Memory.cpp:258

Status: NEW

(Core :: JavaScript Engine, defect, P2)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Correction: I have a reduced testcase, run a couple of times, unhandlable OOM MOZ_CRASHes usually show up but you'll hit this assert fairly quickly:

for (let i = 0; i < 1024; i++) {
  evalInWorker("Object.defineProperty(0, 0, ({}));");
}

(gdb) bt
#0  js::gc::MapMemoryAt<(js::gc::Commit)1, (js::gc::PageAccess)3> (desired=<optimized out>, length=<optimized out>)
    at /home/gen32gx500/trees/mozilla-central/js/src/gc/Memory.cpp:258
#1  js::gc::TryToAlignChunk<true> (aRegion=aRegion@entry=0xf5fcc74, aRetainedRegion=0xf5fcc88, length=1048576, alignment=1048576)
    at /home/gen32gx500/trees/mozilla-central/js/src/gc/Memory.cpp:739
#2  0x58a87967 in js::gc::MapAlignedPagesLastDitch (length=<optimized out>, alignment=<optimized out>, alignment@entry=1048576)
    at /home/gen32gx500/trees/mozilla-central/js/src/gc/Memory.cpp:644
#3  0x58a87d51 in js::gc::MapAlignedPages (length=1048576, alignment=<optimized out>) at /home/gen32gx500/trees/mozilla-central/js/src/gc/Memory.cpp:494
#4  0x58a163b1 in js::gc::TenuredChunk::allocate (gc=0x10d68448) at /home/gen32gx500/trees/mozilla-central/js/src/gc/Allocator.cpp:625
#5  js::gc::GCRuntime::getOrAllocChunk (this=0x10d68448, lock=...) at /home/gen32gx500/trees/mozilla-central/js/src/gc/Allocator.cpp:547
#6  0x58a15557 in js::gc::GCRuntime::pickChunk (this=0x10d68448, lock=...) at /home/gen32gx500/trees/mozilla-central/js/src/gc/Allocator.cpp:581
#7  0x58a1524a in js::gc::ArenaLists::refillFreeListAndAllocate (this=0xfedee180, thingKind=js::gc::AllocKind::BASE_SHAPE, 
    checkThresholds=js::gc::ShouldCheckThresholds::CheckThresholds) at /home/gen32gx500/trees/mozilla-central/js/src/gc/Allocator.cpp:368
#8  0x58a140af in js::gc::GCRuntime::refillFreeList (cx=0x12b5fd00, thingKind=js::gc::AllocKind::BASE_SHAPE)
    at /home/gen32gx500/trees/mozilla-central/js/src/gc/Allocator.cpp:326
#9  0x58a49144 in js::gc::CellAllocator::TryNewTenuredCell<(js::AllowGC)1> (cx=0x12b5fd00, kind=js::gc::AllocKind::BASE_SHAPE, thingSize=16)
    at /home/gen32gx500/trees/mozilla-central/js/src/gc/Allocator.cpp:164
#10 0x584766ed in js::gc::CellAllocator::NewTenuredCell<js::BaseShape, (js::AllowGC)1, JSClass const*&, JS::Realm*&, JS::Handle<js::TaggedProto>&> (cx=0x568b4984, 
    args=<optimized out>, args=<optimized out>, args=<optimized out>) at /home/gen32gx500/trees/mozilla-central/js/src/gc/Allocator-inl.h:152
#11 js::gc::CellAllocator::NewCell<js::BaseShape, (js::AllowGC)1, JSClass const*&, JS::Realm*&, JS::Handle<js::TaggedProto>&> (cx=0x568b4984, args=<optimized out>, 
    args=<optimized out>, args=<optimized out>) at /home/gen32gx500/trees/mozilla-central/js/src/gc/Allocator-inl.h:57
#12 JSContext::newCell<js::BaseShape, (js::AllowGC)1, JSClass const*&, JS::Realm*&, JS::Handle<js::TaggedProto>&> (this=0x568b4984, args=<optimized out>, 
    args=<optimized out>, args=<optimized out>) at /home/gen32gx500/trees/mozilla-central/js/src/vm/JSContext-inl.h:405
#13 js::BaseShape::get (cx=0x12b5fd00, clasp=0x599b5390 <global_class>, realm=0xfeba1000, proto=...) at /home/gen32gx500/trees/mozilla-central/js/src/vm/Shape.cpp:1092
#14 0x58468658 in js::SharedShape::getInitialShape (cx=0x12b5fd00, clasp=0x599b5390 <global_class>, realm=0xfeba1000, proto=..., nfixed=8, objectFlags=...)
    at /home/gen32gx500/trees/mozilla-central/js/src/vm/Shape.cpp:1256
#15 0x582f2e6c in NewObject (cx=0x12b5fd00, clasp=0x599b5390 <global_class>, proto=..., kind=js::gc::AllocKind::OBJECT8_BACKGROUND, newKind=js::TenuredObject, objFlags=...)
    at /home/gen32gx500/trees/mozilla-central/js/src/vm/JSObject.cpp:756
#16 0x582f2d4a in js::NewObjectWithGivenTaggedProto (cx=0x12b5fd00, clasp=0x599b5390 <global_class>, proto=..., allocKind=js::gc::AllocKind::OBJECT8, 
    newKind=js::TenuredObject, objFlags=...) at /home/gen32gx500/trees/mozilla-central/js/src/vm/JSObject.cpp:775
#17 0x5827919d in js::NewObjectWithGivenTaggedProto<(js::NewObjectKind)1> (cx=0x12b5fd00, clasp=0x568b4984, objFlags=..., proto=...)
    at /home/gen32gx500/trees/mozilla-central/js/src/vm/JSObject-inl.h:369
#18 js::NewTenuredObjectWithGivenProto (cx=0x12b5fd00, clasp=0x568b4984, objFlags=..., proto=...) at /home/gen32gx500/trees/mozilla-central/js/src/vm/JSObject-inl.h:402
#19 js::GlobalObject::createInternal (cx=0x12b5fd00, clasp=0x599b5390 <global_class>) at /home/gen32gx500/trees/mozilla-central/js/src/vm/GlobalObject.cpp:572
#20 0x58279e83 in js::GlobalObject::new_ (cx=0x12b5fd00, clasp=0x599b5390 <global_class>, principals=0x0, hookOption=JS::DontFireOnNewGlobalHook, options=...)
    at /home/gen32gx500/trees/mozilla-central/js/src/vm/GlobalObject.cpp:648
#21 0x57f8dbfe in NewGlobalObject (cx=0x12b5fd00, options=..., principals=0x0, kind=ShellGlobalKind::WindowProxy, immutablePrototype=<optimized out>)
    at /home/gen32gx500/trees/mozilla-central/js/src/shell/js.cpp:10559
#22 0x57fb26ba in WorkerMain (input=...) at /home/gen32gx500/trees/mozilla-central/js/src/shell/js.cpp:4371
#23 0x57fd831b in js::detail::ThreadTrampoline<void (&)(mozilla::UniquePtr<WorkerInput, JS::DeletePolicy<WorkerInput> >), mozilla::UniquePtr<WorkerInput, JS::DeletePolicy<WorkerInput> > >::callMain<0u> (this=<optimized out>) at /home/gen32gx500/trees/mozilla-central/js/src/threading/Thread.h:219
#24 js::detail::ThreadTrampoline<void (&)(mozilla::UniquePtr<WorkerInput, JS::DeletePolicy<WorkerInput> >), mozilla::UniquePtr<WorkerInput, JS::DeletePolicy<WorkerInput> > >::Start (aPack=0xc20a8840) at /home/gen32gx500/trees/mozilla-central/js/src/threading/Thread.h:208
#25 0xf7688dad in start_thread () from /lib/libc.so.6
#26 0xf7728668 in clone3 () from /lib/libc.so.6
(gdb)

Run with --fuzzing-safe --no-jit-backend --ion-pruning=off --ion-offthread-compile=off --gc-zeal=10, compile with 'CC="clang -msse2 -mfpmath=sse"' PKG_CONFIG_PATH=/usr/lib/x86_64-linux-gnu/pkgconfig 'CXX="clang++ -msse2 -mfpmath=sse"' AR=ar sh ../configure --host=x86_64-pc-linux-gnu --target=i686-pc-linux --enable-debug --enable-debug-symbols --with-ccache --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 7079db6b8da9.

Steve/Jon, are any of these useful? Setting s-s just in case. Also, Lukas may have an analysis in bug 1820839 that this may be a dupe of, but I'd thought to run this by our GC folks first.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

I have a coredump if this is desired (pun intended, see assertion failure name).

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: backup-correct-core.tar.xz

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

I have a coredump if this is desired (pun intended, see assertion failure name).

I also have the binary with symbols for accessing this coredump, but it's too large (even if compressed) to upload here. Let me know how we can figure this out.

Comment 4

[Jon Coppeard (:jonco)]

This doesn't seem super serious given the analysis in bug 1820839. Sadly this allocator code is rather complex. I do wonder how important this is and whether we could simplify this area.