1899113 - Assertion failure: threadCount <= sizeof(uint32_t) * 8, at js/src/vm/InternalThreadPool.cpp:135

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Christian Holler (:decoder)]

There is a fuzzblocking crash on mozilla-central revision 20240525-277ccd163bbc (build ran with --fuzzing-safe --differential-testing --wasm-compiler=baseline --ion-pruning=on --ion-warmup-threshold=0 --ion-osr=off --scalar-replace-arguments --more-compartments --cpu-count=59 --no-cgc --gc-zeal=14,125 --baseline-warmup-threshold=0 --no-native-regexp --no-baseline):

Backtrace:

    Program terminated with signal SIGSEGV, Segmentation fault.
    #0  0x5825c489 in js::InternalThreadPool::ensureThreadCount(unsigned int, js::AutoLockHelperThreadState&) ()
    #1  0x5825bef1 in js::InternalThreadPool::Initialize(unsigned int, js::AutoLockHelperThreadState&) ()
    #2  0x58230674 in js::GlobalHelperThreadState::ensureInitialized() ()
    #3  0x58230533 in js::EnsureHelperThreadsInitialized() ()
    #4  0x583fcea2 in JSRuntime::init(JSContext*, unsigned int) ()
    #5  0x58282148 in js::NewContext(unsigned int, JSRuntime*) ()
    #6  0x58683dd9 in JS_NewContext(unsigned int, JSRuntime*) ()
    #7  0x57e53bce in main ()

This started occurring somewhere around Friday or Saturday. I cannot reproduce this but it's blowing up CI so I assume it has to do with the amount of actual CPUs available + the selection of CPUs through --cpu-count (which only jsfunfuzz does). Marking as fuzzblocker due to high volume of reports.

Comment 1

[Christian Holler (:decoder)]

Attachment: Detailed Crash Information

Comment 2

[Christian Holler (:decoder)]

Likely regressed by bug 1888429 based on hg annotate.

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1888429

Comment 4

[Christian Holler (:decoder)]

This is an automated crash issue comment:

Summary: Assertion failure: threadCount <= sizeof(uint32_t) * 8, at /js/src/vm/InternalThreadPool.cpp:135
Build version: mozilla-central revision 20240526-222d646f1319
Build type: debug
Runtime options: --fuzzing-safe --ion-offthread-compile=off test.js

Testcase:

gcparam("maxHelperThreads", 1000)
for (a = 5;; a *= 2) gcparam("helperThreadRatio", a)

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x582f6489 in js::InternalThreadPool::ensureThreadCount(unsigned int, js::AutoLockHelperThreadState&) ()
#1  0x582cf144 in js::GlobalHelperThreadState::ensureThreadCount(unsigned int, js::AutoLockHelperThreadState&) ()
#2  0x58a9426b in js::gc::GCRuntime::updateHelperThreadCount() ()
#3  0x58a97769 in js::gc::GCRuntime::setThreadParameter(JSGCParamKey, unsigned int, js::AutoLockGC&) ()
#4  0x58a97195 in js::gc::GCRuntime::setParameter(JSGCParamKey, unsigned int, js::AutoLockGC&) ()
#5  0x58a96fe8 in js::gc::GCRuntime::setParameter(JSContext*, JSGCParamKey, unsigned int) ()
#6  0x5867d380 in GCParameter(JSContext*, unsigned int, JS::Value*) ()
#7  0x580b4984 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#8  0x580b4076 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#9  0x580b572a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#10 0x580c5c44 in js::Interpret(JSContext*, js::RunState&) ()
#11 0x580b39cb in MaybeEnterInterpreterTrampoline(JSContext*, js::RunState&) ()
#12 0x580b33cd in js::RunScript(JSContext*, js::RunState&) ()
#13 0x580b7014 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#14 0x580b75ba in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#15 0x5826b528 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#16 0x5826b6d8 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#17 0x57f63e13 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) ()
#18 0x57f6348f in Process(JSContext*, char const*, bool, FileKind) ()
#19 0x57ef631a in Shell(JSContext*, js::cli::OptionParser*) ()
#20 0x57eedf92 in main ()
eax	0x5673bfd1	1450426321
ebx	0x59aa2da8	1504325032
ecx	0x59aa813c	1504346428
edx	0xf7c29cc7	-138240825
esi	0xf6a08550	-157252272
edi	0x33	51
ebp	0xff9b46d8	4288366296
esp	0xff9b4690	4288366224
eip	0x582f6489 <js::InternalThreadPool::ensureThreadCount(unsigned int, js::AutoLockHelperThreadState&)+889>
=> 0x582f6489 <_ZN2js18InternalThreadPool17ensureThreadCountEjRNS_25AutoLockHelperThreadStateE+889>:	movl   $0x87,0x0
   0x582f6493 <_ZN2js18InternalThreadPool17ensureThreadCountEjRNS_25AutoLockHelperThreadStateE+899>:	call   0x57f90ea0 <abort>

This is what LangFuzz has hit, but I believe jsfunfuzz is not triggering with the same way using gcparam (judging from the stacks).

Comment 5

[Christian Holler (:decoder)]

Attachment: Detailed Crash Information

Comment 6

[Christian Holler (:decoder)]

Attachment: Testcase for comment 16

Comment 7

[Jon Coppeard (:jonco)]

This only affects the shell.

Comment 8

[Jon Coppeard (:jonco)]

Attachment: Bug 1899113 - Limit the number of helper threads created by the shell's internal thread pool r?jandem

This limits the number of threads created to 32 as it uses a uint32_t as a bit
set. The browser already limits the number of task controller threads to 8
maximum.

Comment 9

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c00bd9afc90e
Limit the number of helper threads created by the shell's internal thread pool r=jandem

Comment 10

[Serban Stanca [:SerbanS]]

https://hg.mozilla.org/mozilla-central/rev/c00bd9afc90e