Bug 684619 - Assertion failure: addr % Cell::CellSize == 0, at jsgc.h:665
Status: RESOLVED FIXED
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Linux
Importance: -- critical
Target Milestone: mozilla11
Assigned To: general
Duplicates: 700189
Blocks: langfuzz
Reported: 2011-09-04 13:57 PDT by Christian Holler (:decoder)
Modified: 2011-12-15 13:55 PST
CC: 9 users

Attachments
Test case for shell (see README file inside). (2.22 KB, application/x-compressed-tar)
2011-09-04 13:57 PDT, Christian Holler (:decoder)
Make HeapReverser itself root all nodes referred to by roots. (4.05 KB, patch)
2011-11-08 15:20 PST, Jim Blandy :jimb
bhackett1024: review+

Description Christian Holler (:decoder) 2011-09-04 13:57:07 PDT
Created attachment 558192 [details]
Test case for shell (see README file inside).

The attached test asserts on mozilla-central revision a351ae35f2c4 (with shell build fix from mozilla-inbound rev fff3dc9478ce). See README for options and running instructions. This test only works on 32 bit debug builds.

Stepping through the assert will crash:

Program received signal SIGSEGV, Segmentation fault.
0x0805a65b in js::gc::ArenaHeader::allocated (this=0xdadad000) at ../../jsgc.h:391
391             JS_ASSERT(allocKind <= FINALIZE_LIMIT);
Comment 1 Brian Hackett (:bhackett) 2011-09-04 16:01:03 PDT
A GC gets triggered in the middle of the FindReferences shell-only debugging function, when a call to JS_SetElement allocates some shapes.  FindReferences uses a GC tracer to walk the heap, and after the GC it winds up with a garbage value in its worklist (don't know why, but one possibility is a shifting set of conservative roots caused previously reachable things to become unreachable and get collected).

Can someone with the right bits remove the s-s?
Comment 2 Christian Holler (:decoder) 2011-09-05 02:46:29 PDT
I didn't see that FindReferences is involved here. My question would be if FindReferences is generally harmful (and should be deleted in fuzz driver before testing) or if this is a real bug and FindReferences is generally safe.
Comment 3 Brian Hackett (:bhackett) 2011-11-07 13:20:02 PST
(In reply to Christian Holler (:decoder) from comment #2)
> I didn't see that FindReferences is involved here. My question would be if
> FindReferences is generally harmful (and should be deleted in fuzz driver
> before testing) or if this is a real bug and FindReferences is generally
> safe.

This is a real bug, FindReferences should not be crashing here or anywhere.  However, until this gets fixed you might want to blacklist FindReferences from the fuzzer, as even if a GC crashing testcase uses FindReferences there isn't a simple way to tell it is crashing *because* of the FindReferences.
Comment 4 Jim Blandy :jimb 2011-11-08 15:20:49 PST
Created attachment 573028 [details] [diff] [review]
Make HeapReverser itself root all nodes referred to by roots.

I can't reproduce this bug myself, but if bhackett's analysis is correct, I'd expect this to fix the problem. Explanation in the comments.
Comment 5 Jim Blandy :jimb 2011-11-08 15:22:24 PST
(That is, I started with a351ae35f2c4, applied the patch in fff3dc9478ce, built as a 32-bit executable, and then ran the test case according to the README, and didn't get an assertion. Not too surprising, if it indeed is a conservative scanning issue.)
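An added illustration, not code from this bug or from SpiderMonkey, of the failure bhackett describes in comment 1 and of the fix summarised by the patch title in comment 4: a toy mark-and-sweep heap and a FindReferences-style walk whose worklist is not rooted, so a GC triggered by an allocation inside the walk leaves an already-collected cell in the worklist; pinning every node the walker has queued as a tracer root prevents it. The "shifting set of conservative roots" is modelled by the caller's stack root disappearing before that GC; all names and the scenario graph are constructed for the demo.

```cpp
#include <deque>
#include <set>
#include <vector>
struct Node { std::vector<Node*> edges; bool marked = false, freed = false; };
static void mark(Node* n) { if (n->marked) return; n->marked = true; for (Node* e : n->edges) mark(e); }

// Toy mark-and-sweep heap. Marking starts from the mutator's (conservatively scanned)
// roots plus any roots a tracer has pinned for itself.
struct Heap {
    std::set<Node*> live, mutatorRoots, tracerRoots;
    std::vector<Node*> cells;  // owns every cell; nothing is really freed in this demo
    Node* alloc() { Node* n = new Node; live.insert(n); cells.push_back(n); return n; }
    ~Heap() { for (Node* n : cells) delete n; }
    void gc() {
        for (Node* n : live) n->marked = false;
        for (Node* n : mutatorRoots) mark(n);
        for (Node* n : tracerRoots) mark(n);
        // Sweep: unmarked cells are only flagged, not deleted, so the walker below can
        // observe a dangling worklist entry instead of crashing.
        for (auto it = live.begin(); it != live.end();)
            if ((*it)->marked) ++it; else { (*it)->freed = true; it = live.erase(it); }
    }
};

// FindReferences-style breadth-first walk from the mutator roots. midWalk models the
// allocation inside the walk (JS_SetElement in the bug) that can trigger a GC; with
// pinWorklist the walker roots every queued node, as the patch does for HeapReverser.
template <class F> int walk(Heap& h, bool pinWorklist, F midWalk) {
    std::deque<Node*> work(h.mutatorRoots.begin(), h.mutatorRoots.end());
    std::set<Node*> seen(work.begin(), work.end());
    int dangling = 0;  // number of already-collected cells popped from the worklist
    while (!work.empty()) {
        Node* n = work.front(); work.pop_front();
        if (n->freed) { ++dangling; continue; }  // the "garbage value" in the worklist
        for (Node* e : n->edges) if (seen.insert(e).second) work.push_back(e);
        if (pinWorklist) h.tracerRoots = seen;
        midWalk();
    }
    h.tracerRoots.clear();
    return dangling;
}

// Constructed scenario: stack root r -> a -> b. Once the walker has queued a, the
// conservative root set shifts (r's stack slot is gone) and an allocation triggers a GC.
int scenario(bool pinWorklist) {
    Heap h;
    Node *r = h.alloc(), *a = h.alloc(), *b = h.alloc();
    r->edges = {a}; a->edges = {b}; h.mutatorRoots = {r};
    return walk(h, pinWorklist, [&] { h.mutatorRoots.clear(); h.alloc(); h.gc(); });
}
```

scenario(false) pops one collected cell from the worklist, which is the state the real walker dereferenced before hitting the assertion; scenario(true) pops none.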
Comment 7 Marco Bonardo [::mak] 2011-11-11 02:21:23 PST
https://hg.mozilla.org/mozilla-central/rev/d88e2c0f2732
Comment 8 Christian Holler (:decoder) 2011-11-17 12:33:53 PST
*** Bug 700189 has been marked as a duplicate of this bug. ***
Comment 9 christian 2011-12-15 13:52:45 PST
Do we care about this for Fx9 (with TI) or could we ship as-is?
Comment 10 David Mandelin [:dmandelin] 2011-12-15 13:55:43 PST
(In reply to Christian Legnitto [:LegNeato] from comment #9)
> Do we care about this for Fx9 (with TI) or could we ship as-is?

The bug and fix are both in a shell-only debugging function so it doesn't affect Fx9.
