732087 - Assertion failure: addr % Cell::CellSize == 0, at ../../jsgc.h:861 or Crash [@ js::gc::ChunkBitmap::markIfUnmarked]

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following test crashes on mozilla-central revision 1c3b291d0830+ (options -m -n -a):


gczeal(2,1);
var count = 0;
var a = {__noSuchMethod__: function() { count++; } }
for (var i = 0; i < 10; 0) {
  a.b();
}


Stepping through crashes:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004b8320 in js::gc::ChunkBitmap::markIfUnmarked (this=0xdadadadadadfc0b8, cell=0xdadadadadadadada, color=0) at /srv/repos/mozilla-central/js/src/jsgc.h:674
674             if (*word & mask)
(gdb) bt
#0  0x00000000004b8320 in js::gc::ChunkBitmap::markIfUnmarked (this=0xdadadadadadfc0b8, cell=0xdadadadadadadada, color=0) at /srv/repos/mozilla-central/js/src/jsgc.h:674
#1  0x00000000004b869d in js::gc::Cell::markIfUnmarked (this=0xdadadadadadadada, color=0) at /srv/repos/mozilla-central/js/src/jsgc.h:972
#2  0x00000000004cbd22 in js::gc::PushMarkStack (gcmarker=0x7ffff7fae220, thing=0xdadadadadadadada) at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:457
#3  0x00000000004d2439 in js::GCMarker::processMarkStackTop (this=0x7ffff7fae220, budget=...) at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:1112
#4  0x00000000004cd882 in js::GCMarker::drainMarkStack (this=0x7ffff7fae220, budget=...) at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:1172
#5  0x00000000004b3eb7 in MarkAndSweep (cx=0xb64b40, gckind=js::GC_NORMAL) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3300
#6  0x00000000004b4d6f in GCCycle (cx=0xb64b40, comp=0x0, budget=0, gckind=js::GC_NORMAL) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3642
#7  0x00000000004b503e in Collect (cx=0xb64b40, comp=0x0, budget=0, gckind=js::GC_NORMAL, reason=js::gcreason::LAST_DITCH) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3707
#8  0x00000000004b5174 in js::GC (cx=0xb64b40, comp=0x0, gckind=js::GC_NORMAL, reason=js::gcreason::LAST_DITCH) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3727
#9  0x00000000004b02ce in js::gc::RunLastDitchGC (cx=0xb64b40) at /srv/repos/mozilla-central/js/src/jsgc.cpp:1722
#10 0x00000000004b5dc1 in js::gc::RunDebugGC (cx=0xb64b40) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3967
#11 0x0000000000463874 in js::gc::NewGCThing<JSObject> (cx=0xb64b40, kind=js::gc::FINALIZE_OBJECT8, thingSize=96) at ../jsgcinlines.h:408
#12 0x000000000045f2b4 in js_NewGCObject (cx=0xb64b40, kind=js::gc::FINALIZE_OBJECT8) at ../jsgcinlines.h:454
#13 0x00000000004615dd in JSObject::createDenseArray (cx=0xb64b40, kind=js::gc::FINALIZE_OBJECT8, shape=..., type=..., length=0) at ../jsobjinlines.h:1088
#14 0x000000000045c95d in js::NewArray<true> (cx=0xb64b40, length=0, proto=0x7ffff6105060) at /srv/repos/mozilla-central/js/src/jsarray.cpp:3804
#15 0x00000000004591a5 in js::NewDenseCopiedArray (cx=0xb64b40, length=0, vp=0x7ffff63fb0b0, proto=0x0) at /srv/repos/mozilla-central/js/src/jsarray.cpp:3859
#16 0x00000000004f9c84 in NoSuchMethod (cx=0xb64b40, argc=0, vp=0x7ffff63fb0a0) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:414
#17 0x00000000004f9fb3 in js::InvokeKernel (cx=0xb64b40, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:485
#18 0x0000000000506213 in js::Interpret (cx=0xb64b40, entryFrame=0x7ffff63fb030, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:2699
#19 0x0000000000692b45 in js::mjit::EnterMethodJIT (cx=0xb64b40, fp=0x7ffff63fb030, code=0x7ffff7f3c078, stackLimit=0x7ffff67db000, partial=false)
    at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1079
#20 0x0000000000692cf6 in CheckStackAndEnterMethodJIT (cx=0xb64b40, fp=0x7ffff63fb030, code=0x7ffff7f3c078, partial=false)
    at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1111


S-s and sg:critical due to GC related crash with dangerous address pattern.

Comment 1

[Christian Holler (:decoder)]

Not sure how reliable this bisect is but it looks realistic:

The first bad revision is:
changeset:   86695:fbef6a165cf8
user:        Bill McCloskey
date:        Fri Feb 10 18:32:08 2012 -0800
summary:     Bug 723313 - Stop using conservative stack scanner for VM stack marking (r=luke,bhackett)

Comment 2

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

Attachment: patch

Sometimes I do stuff like this just so that if I ever do something smart it seems really impressive.

Comment 3

[Luke Wagner [:luke]]

Comment on attachment 602046 [details] [diff] [review]
patch

Ouch

Comment 4

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/ecd394385340

Comment 5

[Daniel Veditz [:dveditz]]

The bisect in comment 1 may not line up with the patch, which changes a single line added in bug 728086 a couple of weeks later.

https://hg.mozilla.org/integration/mozilla-inbound/rev/0fe3483946f9

So is there a different bug that decoder was seeing in mid February, possibly not fixed by this patch?

Comment 6

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

Comment 1 is correct. This is a regression from bug 723313. Then a bug was discovered in bug 728086, which I fixed in an incorrect way. (I needed to initialize some bytes, but I didn't initialize enough.) This patch corrects the problem.

All of this only affects Firefox 13.

Comment 7

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

https://hg.mozilla.org/mozilla-central/rev/ecd394385340

Comment 8

[Christian Holler (:decoder)]

Fix includes test, marking verified based on that.

Comment 9

[David Bolter [:davidb] (NeedInfo me for attention)]

Marking status 13 fixed since I believe trunk was 13 for comment 7.

Comment 10

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug732087.js.