Closed Bug 1877586 Opened 9 months ago Closed 9 months ago

Assertion failure: false (owner_.compareExchange(nullptr, this)), at dist/include/js/Utility.h:326

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
124 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox122 --- wontfix
firefox123 --- wontfix
firefox124 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(1 file)

for (let i = 0; i < 999; i++) {
  WebAssembly.instantiateStreaming(
    wasmTextToBinary('(module(type(;;)(func))(func;;\nend))')
  );
}
oomAtAllocation(7, 7);

(gdb) bt
#0  js::AutoEnterOOMUnsafeRegion::AutoEnterOOMUnsafeRegion (this=0x7ffff65fec4f)
    at /home/gen32gx500/shell-cache/js-dbg-64-linux-x86_64-1ac69623ae79/objdir-js/dist/include/js/Utility.h:326
#1  0x00005555574bbab4 in js::OffThreadPromiseRuntimeState::internalDispatchToEventLoop (closure=0x7ffff66230e8, d=0x7ffff666a000)
    at /home/gen32gx500/trees/mozilla-central/js/src/vm/OffThreadPromiseRuntimeState.cpp:174
#2  0x00005555574bb549 in js::OffThreadPromiseTask::dispatchResolveAndDestroy (this=0x7ffff666a000, lock=...)
    at /home/gen32gx500/trees/mozilla-central/js/src/vm/OffThreadPromiseRuntimeState.cpp:121
#3  0x00005555573acdf8 in js::GlobalHelperThreadState::runTaskLocked (this=this@entry=0x7ffff6609c00, task=0x7ffff666a038, locked=...)
    at /home/gen32gx500/trees/mozilla-central/js/src/vm/HelperThreads.cpp:1729
#4  0x00005555573acb90 in js::GlobalHelperThreadState::runOneTask (this=0x7ffff6609c00, lock=...) at /home/gen32gx500/trees/mozilla-central/js/src/vm/HelperThreads.cpp:1698
#5  0x00005555573d1ac2 in js::HelperThread::threadLoop (this=this@entry=0x7ffff661c300, pool=pool@entry=0x7ffff6617b80)
    at /home/gen32gx500/trees/mozilla-central/js/src/vm/InternalThreadPool.cpp:282
#6  0x00005555573d187c in js::HelperThread::ThreadMain (pool=0x7ffff6617b80, helper=0x7ffff661c300)
    at /home/gen32gx500/trees/mozilla-central/js/src/vm/InternalThreadPool.cpp:225
#7  0x00005555573fd248 in js::detail::ThreadTrampoline<void (&)(js::InternalThreadPool*, js::HelperThread*), js::InternalThreadPool*&, js::HelperThread*>::callMain<0ul, 1ul> (this=0x7ffff6619c80) at /home/gen32gx500/trees/mozilla-central/js/src/threading/Thread.h:219
#8  js::detail::ThreadTrampoline<void (&)(js::InternalThreadPool*, js::HelperThread*), js::InternalThreadPool*&, js::HelperThread*>::Start (aPack=0x7ffff6619c80)
    at /home/gen32gx500/trees/mozilla-central/js/src/threading/Thread.h:208
#9  0x00007ffff7d03049 in start_thread () from /lib64/libc.so.6
#10 0x00007ffff7d766d8 in clone3 () from /lib64/libc.so.6
(gdb)
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/2eb84bb6e481
user:        Tooru Fujisawa
date:        Fri Sep 01 03:43:21 2023 +0000
summary:     Bug 1846194 - Remove off-thread compilation and decode API. r=nbp

Run with --fuzzing-safe --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 1ac69623ae79.

Arai-san, is bug 1846194 a likely regressor, or is it just exposing the issue? Setting s-s to be safe.

Flags: sec-bounty?
Flags: needinfo?(arai.unmht)

Set release status flags based on info from the regressing bug 1846194

Group: core-security → javascript-core-security

The patch removed an item from ThreadType enum, which is the 2nd parameter of oomAtAllocation.

So, before the patch, the value 7 meant THREAD_TYPE_GCPARALLEL,
but after the patch, the value 7 means THREAD_TYPE_PROMISE_TASK, which had been 8 before the patch.

So, the equivalent testcase before the patch should be oomAtAllocation(7, 8);

https://hg.mozilla.org/mozilla-central/rev/2eb84bb6e481#l9.12

 enum ThreadType {
   THREAD_TYPE_NONE = 0,              // 0
   THREAD_TYPE_MAIN,                  // 1
   THREAD_TYPE_WASM_COMPILE_TIER1,    // 2
   THREAD_TYPE_WASM_COMPILE_TIER2,    // 3
   THREAD_TYPE_ION,                   // 4
-  THREAD_TYPE_PARSE,                 // 5
-  THREAD_TYPE_COMPRESS,              // 6
-  THREAD_TYPE_GCPARALLEL,            // 7
-  THREAD_TYPE_PROMISE_TASK,          // 8
-  THREAD_TYPE_ION_FREE,              // 9
-  THREAD_TYPE_WASM_GENERATOR_TIER2,  // 10
-  THREAD_TYPE_WORKER,                // 11
-  THREAD_TYPE_DELAZIFY,              // 12
-  THREAD_TYPE_DELAZIFY_FREE,         // 13
+  THREAD_TYPE_COMPRESS,              // 5
+  THREAD_TYPE_GCPARALLEL,            // 6
+  THREAD_TYPE_PROMISE_TASK,          // 7
+  THREAD_TYPE_ION_FREE,              // 8
+  THREAD_TYPE_WASM_GENERATOR_TIER2,  // 9
+  THREAD_TYPE_WORKER,                // 10
+  THREAD_TYPE_DELAZIFY,              // 11
+  THREAD_TYPE_DELAZIFY_FREE,         // 12
   THREAD_TYPE_MAX                    // Used to check shell function arguments
 };
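
Review bot: Removing `-  THREAD_TYPE_PARSE,                 // 5` from an implicitly numbered enum shifts every later enumerator down by one, so any caller that passes these values numerically, such as the shell's oomAtAllocation whose second argument selects a ThreadType, silently changes meaning: 7 was THREAD_TYPE_GCPARALLEL and is now THREAD_TYPE_PROMISE_TASK. Either keep the numbering stable (explicit initializers, or a retired placeholder entry) or update the numeric test cases and the shell function's documentation in the same change; a static_assert on the enumerators that tests depend on (or on THREAD_TYPE_MAX) would turn the next drift into a compile error rather than a test that quietly exercises a different thread type.
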
Flags: needinfo?(arai.unmht)
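
The renumbering arai describes, carried through as an added example (code written for this page, not SpiderMonkey's; the `kNames` tables, `threadTypeNameBefore`/`threadTypeNameAfter` and `translateOldToNew` are hypothetical stand-ins for how a shell would interpret oomAtAllocation's numeric thread-type argument under each numbering):

```cpp
// Added example, not SpiderMonkey code: models how dropping an enumerator from
// an implicitly numbered enum silently shifts every later value, which is why
// oomAtAllocation(7, 7) selects a different thread type across the patch.
#include <string>

namespace before {  // enum as it was prior to rev 2eb84bb6e481
enum ThreadType {
  THREAD_TYPE_NONE = 0,
  THREAD_TYPE_MAIN,
  THREAD_TYPE_WASM_COMPILE_TIER1,
  THREAD_TYPE_WASM_COMPILE_TIER2,
  THREAD_TYPE_ION,
  THREAD_TYPE_PARSE,
  THREAD_TYPE_COMPRESS,
  THREAD_TYPE_GCPARALLEL,
  THREAD_TYPE_PROMISE_TASK,
  THREAD_TYPE_ION_FREE,
  THREAD_TYPE_WASM_GENERATOR_TIER2,
  THREAD_TYPE_WORKER,
  THREAD_TYPE_DELAZIFY,
  THREAD_TYPE_DELAZIFY_FREE,
  THREAD_TYPE_MAX
};
// Names indexed by value, so the shift is visible by name rather than number.
const char* const kNames[] = {
    "NONE", "MAIN", "WASM_COMPILE_TIER1", "WASM_COMPILE_TIER2", "ION", "PARSE",
    "COMPRESS", "GCPARALLEL", "PROMISE_TASK", "ION_FREE",
    "WASM_GENERATOR_TIER2", "WORKER", "DELAZIFY", "DELAZIFY_FREE"};
}  // namespace before

namespace after {  // enum with THREAD_TYPE_PARSE removed
enum ThreadType {
  THREAD_TYPE_NONE = 0,
  THREAD_TYPE_MAIN,
  THREAD_TYPE_WASM_COMPILE_TIER1,
  THREAD_TYPE_WASM_COMPILE_TIER2,
  THREAD_TYPE_ION,
  THREAD_TYPE_COMPRESS,
  THREAD_TYPE_GCPARALLEL,
  THREAD_TYPE_PROMISE_TASK,
  THREAD_TYPE_ION_FREE,
  THREAD_TYPE_WASM_GENERATOR_TIER2,
  THREAD_TYPE_WORKER,
  THREAD_TYPE_DELAZIFY,
  THREAD_TYPE_DELAZIFY_FREE,
  THREAD_TYPE_MAX
};
const char* const kNames[] = {
    "NONE", "MAIN", "WASM_COMPILE_TIER1", "WASM_COMPILE_TIER2", "ION",
    "COMPRESS", "GCPARALLEL", "PROMISE_TASK", "ION_FREE",
    "WASM_GENERATOR_TIER2", "WORKER", "DELAZIFY", "DELAZIFY_FREE"};
}  // namespace after

// Pin the values external callers depend on; the next silent renumbering
// then fails at compile time instead of changing what a test case exercises.
static_assert(before::THREAD_TYPE_PROMISE_TASK == 8, "old numbering");
static_assert(after::THREAD_TYPE_PROMISE_TASK == 7, "new numbering");
static_assert(after::THREAD_TYPE_MAX == before::THREAD_TYPE_MAX - 1,
              "exactly one enumerator removed");

// Hypothetical stand-in for how a shell would interpret the numeric second
// argument of oomAtAllocation under each numbering ("invalid" if out of range).
std::string threadTypeNameBefore(int value) {
  if (value < 0 || value >= before::THREAD_TYPE_MAX) return "invalid";
  return before::kNames[value];
}
std::string threadTypeNameAfter(int value) {
  if (value < 0 || value >= after::THREAD_TYPE_MAX) return "invalid";
  return after::kNames[value];
}

// Translate a thread-type argument written against the old numbering into the
// new one by matching names; returns -1 when the old type no longer exists.
int translateOldToNew(int oldValue) {
  std::string name = threadTypeNameBefore(oldValue);
  for (int v = 0; v < after::THREAD_TYPE_MAX; v++) {
    if (name == after::kNames[v]) return v;
  }
  return -1;
}
```

`translateOldToNew(8)` yields 7, which is exactly the adjustment arai made to the testcase; the static_asserts are the cheap guard that would have flagged the shift when the enumerator was removed.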

Modified testcase for revisions prior to Arai-san's rev 2eb84bb6e481:

for (let i = 0; i < 999; i++) {
  WebAssembly.instantiateStreaming(
    wasmTextToBinary('(module(type(;;)(func))(func;;\nend))')
  );
}
oomAtAllocation(7, 8);

Thanks :arai, I confirm that with your changes, I can still reproduce using this modified testcase on m-c rev a5887514ddfb, Feb 2022, self-compiled. I downloaded the latest debug shell on FTP that is still available (2015-10-21) and it does not reproduce there (ReferenceError: WebAssembly is not defined).

I'll try to continue to look into getting a better bisection range if this is confirmed to be a s-s issue.

I'm forwarding this to Jan for triage, Jan, is this a JS issue or specifically a wasm one or something else?

Flags: needinfo?(jdemooij)

I think the bug is that in GlobalHelperThreadState::maxPromiseHelperThreads we call IsHelperThreadSimulatingOOM with the Wasm thread types instead of THREAD_TYPE_PROMISE_TASK.

We can then have OOM simulation with multiple active promise tasks and this can race.

I want to take a closer look at this though before opening it up.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
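
A model of the check Jan describes, added here as an example (this is not SpiderMonkey's maxPromiseHelperThreads; `OOMSimulator`, `targeting`, the toy scheduler in `peakConcurrentPromiseTasks` and its three-allocation work units are constructed for the illustration, and the enum values follow the post-patch numbering shown above):

```cpp
// Added example, not SpiderMonkey code: models the check jandem points at.
// The OOM simulator targets one thread type; the cap on concurrent promise
// helper threads must consult that same type, otherwise several promise tasks
// run at once while the simulator is counting allocations on one of them.
#include <algorithm>
#include <cstddef>
#include <vector>

enum ThreadType {  // values as in the post-patch numbering
  THREAD_TYPE_WASM_COMPILE_TIER1 = 2,
  THREAD_TYPE_WASM_COMPILE_TIER2 = 3,
  THREAD_TYPE_PROMISE_TASK = 7
};

// Hypothetical simulator state: which thread type is being OOM-tested, if any.
struct OOMSimulator {
  int targetThreadType = -1;  // -1: no simulation active
  bool simulating(ThreadType t) const { return targetThreadType == t; }
};

OOMSimulator targeting(ThreadType t) {
  OOMSimulator oom;
  oom.targetThreadType = t;
  return oom;
}

// Buggy cap: asks whether the wasm compile threads are under simulation, so a
// simulation aimed at promise tasks never reduces the cap below cpuCount.
size_t maxPromiseHelperThreadsBuggy(const OOMSimulator& oom, size_t cpuCount) {
  if (oom.simulating(THREAD_TYPE_WASM_COMPILE_TIER1) ||
      oom.simulating(THREAD_TYPE_WASM_COMPILE_TIER2)) {
    return 1;
  }
  return cpuCount;
}

// Fixed cap: asks about the thread type the promise tasks actually run as.
size_t maxPromiseHelperThreadsFixed(const OOMSimulator& oom, size_t cpuCount) {
  if (oom.simulating(THREAD_TYPE_PROMISE_TASK)) {
    return 1;
  }
  return cpuCount;
}

// Toy scheduler: dispatch queued promise tasks under a cap and report the peak
// number running concurrently. A peak above 1 while the simulator targets
// promise tasks means the simulator's shared state is touched from several
// threads at once, which is the race the bug describes.
size_t peakConcurrentPromiseTasks(size_t queued, size_t cap) {
  std::vector<size_t> remainingWork(queued, 3);  // constructed: 3 allocs each
  size_t peak = 0;
  while (!remainingWork.empty()) {
    size_t running = std::min(cap, remainingWork.size());
    peak = std::max(peak, running);
    for (size_t i = 0; i < running; i++) {
      remainingWork[i]--;  // each running task performs one allocation
    }
    remainingWork.erase(
        std::remove(remainingWork.begin(), remainingWork.end(), size_t{0}),
        remainingWork.end());
  }
  return peak;
}

// Does the chosen cap keep a promise-task OOM simulation race-free?
bool simulationIsRaceFree(bool useFixedCap, size_t cpuCount, size_t queued) {
  OOMSimulator oom = targeting(THREAD_TYPE_PROMISE_TASK);
  size_t cap = useFixedCap ? maxPromiseHelperThreadsFixed(oom, cpuCount)
                           : maxPromiseHelperThreadsBuggy(oom, cpuCount);
  return peakConcurrentPromiseTasks(queued, cap) <= 1;
}
```

With 999 queued tasks on an 8-core machine, the buggy cap lets 8 promise tasks run at once under a promise-task simulation, while the fixed cap serialises them to one; the wasm-targeted simulations behave the same under both versions, which is why the mistake was easy to miss.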

The real regressor is probably bug 1347644 from 6 years ago.

Regressed by: 1347644
No longer regressed by: 1846194
Group: javascript-core-security
Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/69f2cd0abc16 Fix OOM simulation check in maxPromiseHelperThreads. r=jonco
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → 124 Branch

The patch landed in nightly and beta is affected.
:jandem, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox123 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(jdemooij)

OOM simulator fix can ride the trains.

Flags: needinfo?(jdemooij)
Flags: sec-bounty? → sec-bounty-