Closed Bug 756235 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ js::gc::ArenaHeader::allocated]

Categories

Product/Component: Core :: JavaScript Engine
Version: Other Branch
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: major

RESOLVED FIXED

People

(Reporter: decoder, Assigned: jandem)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:ignore])

Attachments

(1 file)

The following testcase crashes on ionmonkey revision 14735b4dbccc (run with --ion -n):
gczeal(2);
try {
function complex(aReal, aImag) {
  let Z = new complex(0.0, 0.0);
}
function f(trace) {
  const width = 60;
  const height = 60;
  for (let img_x = 0; img_x < width; ((function() {}).abstract)) {
    for (let img_y = 0; img_y < height; img_y++) {
      let C = new complex(-2 + (img_x / width) * 3, -1.5 + (img_y / height) * 3);
    }
  }
}
var timenonjit = f(false);
} catch(exc1) {}
Please note that this test requires multiple runs to reproduce.

Crash backtrace:

#0  0x0000000000405396 in js::gc::ArenaHeader::allocated (this=0x0) at ../../gc/Heap.h:468
#1  0x00000000004053e8 in js::gc::ArenaHeader::getAllocKind (this=0x0) at ../../gc/Heap.h:498
#2  0x0000000000424902 in js::gc::Cell::getAllocKind (this=0x1c0) at ../gc/Heap.h:942
#3  0x00000000004af809 in js::gc::GetGCThingTraceKind (thing=0x1c0) at ionmonkey/js/src/jsgcinlines.h:63
#4  0x00000000006f05cf in js::gc::MarkGCThingRoot (trc=0x7ffff7fb4228, thingp=0x7ffffff84ea0, name=0x997c3c "ion-gc-spill") at ionmonkey/js/src/gc/Marking.cpp:270
#5  0x00000000006f1388 in js::gc::MarkThingOrValueRoot (trc=0x7ffff7fb4228, word=0x7ffffff84ea0, name=0x997c3c "ion-gc-spill") at ionmonkey/js/src/gc/Marking.cpp:541
#6  0x0000000000809b97 in MarkIonJSFrame (trc=0x7ffff7fb4228, frame=...) at ionmonkey/js/src/ion/IonFrames.cpp:498
#7  0x0000000000809e74 in MarkIonActivation (trc=0x7ffff7fb4228, top=0x7ffffff84e98 "\315+\364\367\377\177", activation=0x7fffffffc5c0) at ionmonkey/js/src/ion/IonFrames.cpp:573
#8  0x0000000000809f41 in js::ion::MarkIonActivations (rt=0x7ffff7fb4010, trc=0x7ffff7fb4228) at ionmonkey/js/src/ion/IonFrames.cpp:594
#9  0x00000000004c49e6 in js::MarkRuntime (trc=0x7ffff7fb4228, useSavedRoots=false) at ionmonkey/js/src/jsgc.cpp:2378
#10 0x00000000004c5cf8 in BeginMarkPhase (rt=0x7ffff7fb4010) at ionmonkey/js/src/jsgc.cpp:3033
#11 0x00000000004c72b8 in NonIncrementalMark (rt=0x7ffff7fb4010, gckind=js::GC_NORMAL) at ionmonkey/js/src/jsgc.cpp:3335
#12 0x00000000004c82e9 in GCCycle (rt=0x7ffff7fb4010, incremental=false, budget=0, gckind=js::GC_NORMAL) at ionmonkey/js/src/jsgc.cpp:3682
#13 0x00000000004c8885 in Collect (rt=0x7ffff7fb4010, incremental=false, budget=0, gckind=js::GC_NORMAL, reason=js::gcreason::DEBUG_GC) at ionmonkey/js/src/jsgc.cpp:3783
#14 0x00000000004c8a73 in js::GC (rt=0x7ffff7fb4010, gckind=js::GC_NORMAL, reason=js::gcreason::DEBUG_GC) at ionmonkey/js/src/jsgc.cpp:3807
#15 0x00000000004c264e in js::gc::RunLastDitchGC (cx=0xd9a5a0, reason=js::gcreason::DEBUG_GC) at ionmonkey/js/src/jsgc.cpp:1701
#16 0x00000000004c9842 in js::gc::RunDebugGC (cx=0xd9a5a0) at ionmonkey/js/src/jsgc.cpp:4026
#17 0x000000000046a862 in js::gc::NewGCThing<JSObject> (cx=0xd9a5a0, kind=js::gc::FINALIZE_OBJECT2, thingSize=48) at ../jsgcinlines.h:446
#18 0x0000000000459173 in js_NewGCObject (cx=0xd9a5a0, kind=js::gc::FINALIZE_OBJECT2) at ../jsgcinlines.h:492
#19 0x0000000000527ed8 in JSObject::create (cx=0xd9a5a0, kind=js::gc::FINALIZE_OBJECT2, shape=..., type=..., slots=0x0) at ../jsobjinlines.h:849
#20 0x0000000000548751 in NewObject (cx=0xd9a5a0, clasp=0xd4ccc0, type=0x7ffff0900280, parent=0x7ffff0903060, kind=js::gc::FINALIZE_OBJECT2) at ionmonkey/js/src/jsobj.cpp:2763
#21 0x0000000000548a6b in js::NewObjectWithGivenProto (cx=0xd9a5a0, clasp=0xd4ccc0, proto=0x7ffff0904190, parent=0x7ffff0903060, kind=js::gc::FINALIZE_OBJECT2)
    at ionmonkey/js/src/jsobj.cpp:2807
#22 0x000000000042af8e in js::NewObjectWithGivenProto (cx=0xd9a5a0, clasp=0xd4ccc0, proto=0x7ffff0904190, parent=0x7ffff0903060) at ../jsobjinlines.h:1375
#23 0x000000000066a1e9 in js::CreateBlankProto (cx=0xd9a5a0, clasp=0xd4ccc0, proto=..., global=...) at ionmonkey/js/src/vm/GlobalObject.cpp:409
#24 0x000000000066a2c0 in js::GlobalObject::createBlankPrototypeInheriting (this=0x7ffff0903060, cx=0xd9a5a0, clasp=0xd4ccc0, proto=...) at ionmonkey/js/src/vm/GlobalObject.cpp:429
#25 0x00000000004ab5af in InitErrorClass (cx=0xd9a5a0, global=..., type=1, proto=...) at ionmonkey/js/src/jsexn.cpp:869
#26 0x00000000004abe75 in js_InitExceptionClasses (cx=0xd9a5a0, obj=0x7ffff0903060) at ionmonkey/js/src/jsexn.cpp:933
#27 0x000000000054e087 in js_GetClassObject (cx=0xd9a5a0, obj=0x7ffff0903060, key=JSProto_InternalError, objp=0x7ffffff84968) at ionmonkey/js/src/jsobj.cpp:4244
#28 0x000000000054e29f in js_FindClassObject (cx=0xd9a5a0, start=0x0, protoKey=JSProto_InternalError, vp=0x7ffffff849d0, clasp=0x0) at ionmonkey/js/src/jsobj.cpp:4278
#29 0x0000000000554195 in js::FindClassPrototype (cx=0xd9a5a0, scopeobj=0x0, protoKey=JSProto_InternalError, protop=0x7ffffff84b68, clasp=0x0) at ionmonkey/js/src/jsobj.cpp:5797
#30 0x0000000000554353 in js_GetClassPrototype (cx=0xd9a5a0, scopeobj=0x0, protoKey=JSProto_InternalError, protop=0x7ffffff84b68, clasp=0x0) at ionmonkey/js/src/jsobj.cpp:5839
#31 0x00000000004ac2aa in js_ErrorToException (cx=0xd9a5a0, message=0xda4960 "too much recursion", reportp=0x7ffffff84c80, callback=0x4865cb <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0)
    at ionmonkey/js/src/jsexn.cpp:1058
#32 0x0000000000484e46 in ReportError (cx=0xd9a5a0, message=0xda4960 "too much recursion", reportp=0x7ffffff84c80, callback=0x4865cb <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0)
    at ionmonkey/js/src/jscntxt.cpp:356
#33 0x0000000000485fe4 in js_ReportErrorNumberVA(JSContext *, unsigned int, JSErrorCallback, void *, unsigned int, JSBool, typedef __va_list_tag __va_list_tag *) (cx=0xd9a5a0, flags=0, 
    callback=0x4865cb <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0, errorNumber=26, charArgs=1, ap=0x7ffffff84d30) at ionmonkey/js/src/jscntxt.cpp:740
#34 0x000000000044b6fc in JS_ReportErrorNumber (cx=0xd9a5a0, errorCallback=0x4865cb <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0, errorNumber=26)
    at ionmonkey/js/src/jsapi.cpp:6200
#35 0x00000000004851ce in js_ReportOverRecursed (maybecx=0xd9a5a0) at ionmonkey/js/src/jscntxt.cpp:447
#36 0x000000000085f975 in js::ion::ReportOverRecursed (cx=0xd9a5a0) at ionmonkey/js/src/ion/VMFunctions.cpp:90
#37 0x00007ffff7f42526 in ?? ()
This one does not crash for me on either the given cset or tip, debug linux 64 and 32. Can anyone else reproduce it?
(In reply to David Anderson [:dvander] from comment #2)
> This one does not crash for me on either the given cset or tip, debug linux
> 64 and 32. Can anyone else reproduce it?

I can't reproduce it on OS X either.
Putting this on ignore first since the bug does not reproduce in a stable way. Will check reproduction again manually now.
Whiteboard: [jsbugmon:update] → [jsbugmon:ignore]
I just reproduced this again on tip (8c54899dae82), but I had to run it twice. This is x86-64 Linux and the build is configured with:

--enable-debug --disable-optimize --enable-valgrind --enable-oom-backtrace

If you still cannot reproduce this, then I can provide dvander/jandem a login to one of the fuzz servers so they can reproduce and debug it there.
I can reproduce it on Linux.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attached patch: Patch
LFunctionEnvironment can appear before LCheckOverRecursed, so if the recursion check fails we need to save all live registers or a GC triggered by ReportOverRecursed could crash.
Attachment #625098 - Flags: review?(sstangl)
Comment on attachment 625098 [details] [diff] [review]
Patch

Review of attachment 625098 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/CodeGenerator.cpp
@@ +805,5 @@
>      typedef bool (*pf)(JSContext *);
>      static const VMFunction ReportOverRecursedInfo =
>          FunctionInfo<pf>(ReportOverRecursed);
>  
> +    saveLive(ool->lir());
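Review bot: the added `saveLive(ool->lir())` carries no comment, and the hunk ends before the VM call it protects, so the review cannot see whether the saved registers are restored afterwards or why no restore is needed on this failing path. Suggest a comment directly above the call stating the reason given in Comment 7 (LFunctionEnvironment can precede LCheckOverRecursed, so a GC triggered by ReportOverRecursed must see every live GC-thing register), and extending the diff context to include the call and any matching restore so the pairing is visible.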

This is strongly deserving of an explanatory comment. The description given in Comment 7 is likely fine.
Attachment #625098 - Flags: review?(sstangl) → review+
Pushed with nit fixed:

https://hg.mozilla.org/projects/ionmonkey/rev/9791b2e62b00
Group: core-security
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug756235.js.
Flags: in-testsuite+