IonMonkey: Crash [@ js::gc::ArenaHeader::allocated]

Product: JavaScript Engine
Reported: 5 years ago
Last modified: 5 years ago
Reporter: decoder
Assigned: jandem
Blocks: 2 bugs
Keywords: crash, testcase
Version: Other Branch
Bug Flags: in-testsuite +
Firefox Tracking Flags: (Not tracked)
Whiteboard: [jsbugmon:ignore], crash signature
1 attachment

5 years ago
The following testcase crashes on ionmonkey revision 14735b4dbccc (run with --ion -n):

try {
function complex(aReal, aImag) {
  // Unbounded recursion: every constructor call re-enters itself, so the
  // over-recursion check in the Ion-compiled code fails and ReportOverRecursed runs.
  let Z = new complex(0.0, 0.0);
}
function f(trace) {
  const width = 60;
  const height = 60;
  // The outer loop never advances img_x; the increment expression has no side effect.
  for (let img_x = 0; img_x < width; ((function() {}).abstract)) {
    for (let img_y = 0; img_y < height; img_y++) {
      let C = new complex(-2 + (img_x / width) * 3, -1.5 + (img_y / height) * 3);
    }
  }
}
var timenonjit = f(false);
} catch(exc1) {}

Comment 1

5 years ago
Please note that this test requires multiple runs to reproduce.

Crash backtrace:

#0  0x0000000000405396 in js::gc::ArenaHeader::allocated (this=0x0) at ../../gc/Heap.h:468
#1  0x00000000004053e8 in js::gc::ArenaHeader::getAllocKind (this=0x0) at ../../gc/Heap.h:498
#2  0x0000000000424902 in js::gc::Cell::getAllocKind (this=0x1c0) at ../gc/Heap.h:942
#3  0x00000000004af809 in js::gc::GetGCThingTraceKind (thing=0x1c0) at ionmonkey/js/src/jsgcinlines.h:63
#4  0x00000000006f05cf in js::gc::MarkGCThingRoot (trc=0x7ffff7fb4228, thingp=0x7ffffff84ea0, name=0x997c3c "ion-gc-spill") at ionmonkey/js/src/gc/Marking.cpp:270
#5  0x00000000006f1388 in js::gc::MarkThingOrValueRoot (trc=0x7ffff7fb4228, word=0x7ffffff84ea0, name=0x997c3c "ion-gc-spill") at ionmonkey/js/src/gc/Marking.cpp:541
#6  0x0000000000809b97 in MarkIonJSFrame (trc=0x7ffff7fb4228, frame=...) at ionmonkey/js/src/ion/IonFrames.cpp:498
#7  0x0000000000809e74 in MarkIonActivation (trc=0x7ffff7fb4228, top=0x7ffffff84e98 "\315+\364\367\377\177", activation=0x7fffffffc5c0) at ionmonkey/js/src/ion/IonFrames.cpp:573
#8  0x0000000000809f41 in js::ion::MarkIonActivations (rt=0x7ffff7fb4010, trc=0x7ffff7fb4228) at ionmonkey/js/src/ion/IonFrames.cpp:594
#9  0x00000000004c49e6 in js::MarkRuntime (trc=0x7ffff7fb4228, useSavedRoots=false) at ionmonkey/js/src/jsgc.cpp:2378
#10 0x00000000004c5cf8 in BeginMarkPhase (rt=0x7ffff7fb4010) at ionmonkey/js/src/jsgc.cpp:3033
#11 0x00000000004c72b8 in NonIncrementalMark (rt=0x7ffff7fb4010, gckind=js::GC_NORMAL) at ionmonkey/js/src/jsgc.cpp:3335
#12 0x00000000004c82e9 in GCCycle (rt=0x7ffff7fb4010, incremental=false, budget=0, gckind=js::GC_NORMAL) at ionmonkey/js/src/jsgc.cpp:3682
#13 0x00000000004c8885 in Collect (rt=0x7ffff7fb4010, incremental=false, budget=0, gckind=js::GC_NORMAL, reason=js::gcreason::DEBUG_GC) at ionmonkey/js/src/jsgc.cpp:3783
#14 0x00000000004c8a73 in js::GC (rt=0x7ffff7fb4010, gckind=js::GC_NORMAL, reason=js::gcreason::DEBUG_GC) at ionmonkey/js/src/jsgc.cpp:3807
#15 0x00000000004c264e in js::gc::RunLastDitchGC (cx=0xd9a5a0, reason=js::gcreason::DEBUG_GC) at ionmonkey/js/src/jsgc.cpp:1701
#16 0x00000000004c9842 in js::gc::RunDebugGC (cx=0xd9a5a0) at ionmonkey/js/src/jsgc.cpp:4026
#17 0x000000000046a862 in js::gc::NewGCThing<JSObject> (cx=0xd9a5a0, kind=js::gc::FINALIZE_OBJECT2, thingSize=48) at ../jsgcinlines.h:446
#18 0x0000000000459173 in js_NewGCObject (cx=0xd9a5a0, kind=js::gc::FINALIZE_OBJECT2) at ../jsgcinlines.h:492
#19 0x0000000000527ed8 in JSObject::create (cx=0xd9a5a0, kind=js::gc::FINALIZE_OBJECT2, shape=..., type=..., slots=0x0) at ../jsobjinlines.h:849
#20 0x0000000000548751 in NewObject (cx=0xd9a5a0, clasp=0xd4ccc0, type=0x7ffff0900280, parent=0x7ffff0903060, kind=js::gc::FINALIZE_OBJECT2) at ionmonkey/js/src/jsobj.cpp:2763
#21 0x0000000000548a6b in js::NewObjectWithGivenProto (cx=0xd9a5a0, clasp=0xd4ccc0, proto=0x7ffff0904190, parent=0x7ffff0903060, kind=js::gc::FINALIZE_OBJECT2)
    at ionmonkey/js/src/jsobj.cpp:2807
#22 0x000000000042af8e in js::NewObjectWithGivenProto (cx=0xd9a5a0, clasp=0xd4ccc0, proto=0x7ffff0904190, parent=0x7ffff0903060) at ../jsobjinlines.h:1375
#23 0x000000000066a1e9 in js::CreateBlankProto (cx=0xd9a5a0, clasp=0xd4ccc0, proto=..., global=...) at ionmonkey/js/src/vm/GlobalObject.cpp:409
#24 0x000000000066a2c0 in js::GlobalObject::createBlankPrototypeInheriting (this=0x7ffff0903060, cx=0xd9a5a0, clasp=0xd4ccc0, proto=...) at ionmonkey/js/src/vm/GlobalObject.cpp:429
#25 0x00000000004ab5af in InitErrorClass (cx=0xd9a5a0, global=..., type=1, proto=...) at ionmonkey/js/src/jsexn.cpp:869
#26 0x00000000004abe75 in js_InitExceptionClasses (cx=0xd9a5a0, obj=0x7ffff0903060) at ionmonkey/js/src/jsexn.cpp:933
#27 0x000000000054e087 in js_GetClassObject (cx=0xd9a5a0, obj=0x7ffff0903060, key=JSProto_InternalError, objp=0x7ffffff84968) at ionmonkey/js/src/jsobj.cpp:4244
#28 0x000000000054e29f in js_FindClassObject (cx=0xd9a5a0, start=0x0, protoKey=JSProto_InternalError, vp=0x7ffffff849d0, clasp=0x0) at ionmonkey/js/src/jsobj.cpp:4278
#29 0x0000000000554195 in js::FindClassPrototype (cx=0xd9a5a0, scopeobj=0x0, protoKey=JSProto_InternalError, protop=0x7ffffff84b68, clasp=0x0) at ionmonkey/js/src/jsobj.cpp:5797
#30 0x0000000000554353 in js_GetClassPrototype (cx=0xd9a5a0, scopeobj=0x0, protoKey=JSProto_InternalError, protop=0x7ffffff84b68, clasp=0x0) at ionmonkey/js/src/jsobj.cpp:5839
#31 0x00000000004ac2aa in js_ErrorToException (cx=0xd9a5a0, message=0xda4960 "too much recursion", reportp=0x7ffffff84c80, callback=0x4865cb <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0)
    at ionmonkey/js/src/jsexn.cpp:1058
#32 0x0000000000484e46 in ReportError (cx=0xd9a5a0, message=0xda4960 "too much recursion", reportp=0x7ffffff84c80, callback=0x4865cb <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0)
    at ionmonkey/js/src/jscntxt.cpp:356
#33 0x0000000000485fe4 in js_ReportErrorNumberVA(JSContext *, unsigned int, JSErrorCallback, void *, unsigned int, JSBool, typedef __va_list_tag __va_list_tag *) (cx=0xd9a5a0, flags=0, 
    callback=0x4865cb <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0, errorNumber=26, charArgs=1, ap=0x7ffffff84d30) at ionmonkey/js/src/jscntxt.cpp:740
#34 0x000000000044b6fc in JS_ReportErrorNumber (cx=0xd9a5a0, errorCallback=0x4865cb <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0, errorNumber=26)
    at ionmonkey/js/src/jsapi.cpp:6200
#35 0x00000000004851ce in js_ReportOverRecursed (maybecx=0xd9a5a0) at ionmonkey/js/src/jscntxt.cpp:447
#36 0x000000000085f975 in js::ion::ReportOverRecursed (cx=0xd9a5a0) at ionmonkey/js/src/ion/VMFunctions.cpp:90
#37 0x00007ffff7f42526 in ?? ()
Comment 2

5 years ago
This one does not crash for me on either the given cset or tip, debug linux 64 and 32. Can anyone else reproduce it?

Comment 3

5 years ago
(In reply to David Anderson [:dvander] from comment #2)
> This one does not crash for me on either the given cset or tip, debug linux
> 64 and 32. Can anyone else reproduce it?

I can't reproduce it on OS X either.

Comment 4

5 years ago
Putting this on ignore first since the bug does not reproduce in a stable way. Will check reproduction again manually now.
Whiteboard: [jsbugmon:update] → [jsbugmon:ignore]

Comment 5

5 years ago
I just reproduced this again on tip (8c54899dae82), but I had to run it twice. This is x86-64 Linux and the build configure is with:

--enable-debug --disable-optimize --enable-valgrind --enable-oom-backtrace

If you still cannot reproduce this, then I can provide dvander/jandem a login to one of the fuzz servers so they can reproduce and debug it there.

Comment 6

5 years ago
I can reproduce it on Linux.
Assignee: general → jdemooij

Comment 7

5 years ago
Created attachment 625098 [details] [diff] [review]

LFunctionEnvironment can appear before LCheckOverRecursed, so if the recursion check fails we need to save all live registers or a GC triggered by ReportOverRecursed could crash.
Attachment #625098 - Flags: review?(sstangl)
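To make the mechanism described in comment 7 concrete, here is a toy C model added for this page; it is not SpiderMonkey code, and the names (run_compiled, check_over_recursed_failure, mark_root) and the slot layout are assumptions of the model. The marker only scans the frame's spill area, using the safepoint's record of which slots hold GC things (the "ion-gc-spill" roots in the backtrace). LFunctionEnvironment leaves the environment object in a register; if LCheckOverRecursed then fails and the out-of-line path calls into the VM without first spilling live registers, the slot the safepoint names still holds a stale stack word, and a GC triggered inside the VM call tries to mark that word as a cell. With saveLive the slot holds the real pointer and the object survives.

```c
/* Toy model of the rooting bug in this report; not SpiderMonkey code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEAP_SIZE 8
#define MAX_SPILL 4
#define RECURSION_LIMIT 2

typedef struct Obj {
    int allocated;
    int marked;
} Obj;

/* The stale word the real marker was handed as a cell (thing=0x1c0 in frame #3 above). */
#define STALE_WORD ((Obj *)(uintptr_t)0x1c0)

static Obj heap[HEAP_SIZE];

/* The frame as the GC sees it: spill slots plus the safepoint's "this slot is a
 * GC thing" flags. Nothing else in the frame is scanned (assumption of the model). */
typedef struct Frame {
    Obj *spill[MAX_SPILL];
    int  is_gcthing[MAX_SPILL];
} Frame;

/* Machine registers of the compiled code. The GC never looks here. */
static struct { Obj *env; } regs;

enum { GC_OK = 0, GC_BAD_ROOT = 1, ENV_SWEPT = 2 };

/* Stand-in for MarkGCThingRoot: refuses a word that is not a heap cell, where the
 * real engine dereferenced it and crashed (frames #0-#2 above). */
static int mark_root(Obj *p) {
    uintptr_t a = (uintptr_t)p;
    if (a < (uintptr_t)heap || a >= (uintptr_t)(heap + HEAP_SIZE)) return GC_BAD_ROOT;
    p->marked = 1;
    return GC_OK;
}

/* Mark from the frame's spill slots, then sweep everything unmarked. */
static int gc(const Frame *f) {
    for (int i = 0; i < HEAP_SIZE; i++) heap[i].marked = 0;
    for (int i = 0; i < MAX_SPILL; i++)
        if (f->is_gcthing[i] && mark_root(f->spill[i]) != GC_OK) return GC_BAD_ROOT;
    for (int i = 0; i < HEAP_SIZE; i++)
        if (heap[i].allocated && !heap[i].marked) heap[i].allocated = 0;
    return GC_OK;
}

static Obj *alloc(void) {
    for (int i = 0; i < HEAP_SIZE; i++)
        if (!heap[i].allocated) { heap[i].allocated = 1; heap[i].marked = 0; return &heap[i]; }
    return NULL;
}

/* Stand-in for js::ion::ReportOverRecursed: creating the InternalError object
 * allocates, and in the reporter's debug build that allocation ran a debug GC
 * (RunDebugGC, frame #16). The model forces the GC on every report. */
static int report_over_recursed(const Frame *f) {
    int rc = gc(f);
    if (rc == GC_OK) alloc();   /* the error object */
    return rc;
}

/* Stand-in for CodeGenerator::visitCheckOverRecursedFailure. Slot 0 is where the
 * safepoint expects the environment register to have been spilled; the fixed path
 * writes it there first (saveLive) and reloads it afterwards (restoreLive, assumed). */
static int check_over_recursed_failure(Frame *f, int save_live) {
    if (save_live) f->spill[0] = regs.env;
    int rc = report_over_recursed(f);
    if (save_live) regs.env = f->spill[0];
    return rc;
}

/* The compiled function: LFunctionEnvironment, then LCheckOverRecursed, then a use
 * of the environment. Returns GC_OK, GC_BAD_ROOT (marker hit a stale word) or
 * ENV_SWEPT (environment object collected under the compiled code's feet). */
static int run_compiled(int depth, int save_live) {
    Frame f;
    memset(heap, 0, sizeof heap);
    for (int i = 0; i < MAX_SPILL; i++) { f.spill[i] = STALE_WORD; f.is_gcthing[i] = 0; }

    regs.env = alloc();     /* LFunctionEnvironment: result lives in a register only */
    f.is_gcthing[0] = 1;    /* ...but the VM-call safepoint maps it to spill slot 0 */

    if (depth > RECURSION_LIMIT) {
        int rc = check_over_recursed_failure(&f, save_live);
        if (rc != GC_OK) return rc;
    }
    return regs.env->allocated ? GC_OK : ENV_SWEPT;
}

int main(void) {
    printf("without saveLive, depth 3: %d (1 = marker hit a stale word)\n", run_compiled(3, 0));
    printf("with saveLive,    depth 3: %d (0 = ok)\n", run_compiled(3, 1));
    printf("no over-recursion, depth 1: %d (0 = ok)\n", run_compiled(1, 0));
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c`. The point of the model is that the safepoint and the register file must agree at every VM call that can collect; saveLive is what makes them agree on this out-of-line path.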
Comment 8

5 years ago
Comment on attachment 625098 [details] [diff] [review]

Review of attachment 625098 [details] [diff] [review]:

::: js/src/ion/CodeGenerator.cpp
@@ +805,5 @@
>      typedef bool (*pf)(JSContext *);
>      static const VMFunction ReportOverRecursedInfo =
>          FunctionInfo<pf>(ReportOverRecursed);
> +    saveLive(ool->lir());
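Review bot: `saveLive(ool->lir())` is added ahead of the ReportOverRecursed VM call, but the hunk shows no matching `restoreLive(ool->lir())` on the path that rejoins the compiled code; if the function does rejoin after `callVM`, the registers pushed here must be popped again in the same order or the rejoin path reads stale values and the stack layout the safepoint describes is off. Please confirm the restore exists below the visible context, and put the rationale (LFunctionEnvironment can precede LCheckOverRecursed, so without the spill a GC inside ReportOverRecursed marks a stale stack word as a GC thing) as a comment directly above this line.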

This is strongly deserving of an explanatory comment. The description given in Comment 7 is likely fine.
Attachment #625098 - Flags: review?(sstangl) → review+

Comment 9

5 years ago
Pushed with nit fixed:
Group: core-security
Last Resolved: 5 years ago
Resolution: --- → FIXED
Duplicate of this bug: 756776

Comment 11

5 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug756235.js.
Flags: in-testsuite+