Closed Bug 815652 Opened 7 years ago Closed 7 years ago

IonMonkey: Assertion failure: addr % Cell::CellSize == 0, at ../../gc/Heap.h:818

Categories

(Core :: JavaScript Engine, defect, critical)

x86
Linux
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla20
Tracking Status
firefox19 --- unaffected
firefox20 --- fixed
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: decoder, Assigned: billm)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update][adv-main20-])

Crash Data

Attachments

(1 file)

The following testcase asserts on mozilla-central revision 1489b6c2d1d2 (run with --ion-eager):


gczeal(9, 2)
function testScatterConflict() {
  var p = new ParallelArray([1,2,3,4,5]);
  var r = p.scatter([0,1,0,3,(0)], 9, function (a,b) { return a+b; });
  function assertEqParallelArray(a, b)
    assertEq(a instanceof ParallelArray, true);
  assertEqParallelArray(r, new ParallelArray([4,2,(false),4,5]));
}
testScatterConflict();
Marking s-s due to GC involved. The opt build crashed with a less reduced version, but now it only shows some unconditional jumps in valgrind:

==3037== Conditional jump or move depends on uninitialised value(s)
==3037==    at 0x8283E8D: js::gc::MarkGCThingRoot(JSTracer*, void**, char const*) (Marking.cpp:334)
==3037==    by 0x83806D2: js::ion::AutoTempAllocatorRooter::trace(JSTracer*) (IonFrames.cpp:666)
==3037==    by 0x80C57B3: JS::AutoGCRooter::traceAll(JSTracer*) (jsgc.cpp:2382)
==3037==    by 0x80C586A: _ZL11MarkRuntimeP8JSTracerb.isra.312 (jsgc.cpp:2470)
==3037==    by 0x80CEA50: IncrementalCollectSlice(JSRuntime*, long long, js::gcreason::Reason, js::JSGCInvocationKind) (jsgc.cpp:3395)
==3037==    by 0x80CF503: GCCycle(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4558)
==3037==    by 0x80CF952: _ZL7CollectP9JSRuntimebxN2js18JSGCInvocationKindENS1_8gcreason6ReasonE.part.355 (jsgc.cpp:4673)
==3037==    by 0x80D0559: js::gc::RunDebugGC(JSContext*) (jsgc.cpp:4596)
==3037==    by 0x8348EE9: js::ion::IonCode::New(JSContext*, unsigned char*, unsigned int, JSC::ExecutablePool*) (jsgcinlines.h:479)
==3037==    by 0x847BCBA: js::ion::CodeGenerator::link() (IonLinker.h:55)
==3037==    by 0x834C20C: js::ion::SequentialCompileContext::compile(js::ion::IonBuilder*, js::ion::MIRGraph*, js::ion::AutoDestroyAllocator&) (Ion.cpp:1192)
==3037==    by 0x834CB62: _ZN2js3ionL10IonCompileINS0_24SequentialCompileContextEEEbP9JSContextP8JSScriptP10JSFunctionPhbRT_.constprop.387 (Ion.cpp:1142)
==3037== 
==3037== Conditional jump or move depends on uninitialised value(s)
==3037==    at 0x83806D7: js::ion::AutoTempAllocatorRooter::trace(JSTracer*) (IonFrames.cpp:665)
==3037==    by 0x80C57B3: JS::AutoGCRooter::traceAll(JSTracer*) (jsgc.cpp:2382)
==3037==    by 0x80C586A: _ZL11MarkRuntimeP8JSTracerb.isra.312 (jsgc.cpp:2470)
==3037==    by 0x80CEA50: IncrementalCollectSlice(JSRuntime*, long long, js::gcreason::Reason, js::JSGCInvocationKind) (jsgc.cpp:3395)
==3037==    by 0x80CF503: GCCycle(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4558)
==3037==    by 0x80CF952: _ZL7CollectP9JSRuntimebxN2js18JSGCInvocationKindENS1_8gcreason6ReasonE.part.355 (jsgc.cpp:4673)
==3037==    by 0x80D0559: js::gc::RunDebugGC(JSContext*) (jsgc.cpp:4596)
==3037==    by 0x8348EE9: js::ion::IonCode::New(JSContext*, unsigned char*, unsigned int, JSC::ExecutablePool*) (jsgcinlines.h:479)
==3037==    by 0x847BCBA: js::ion::CodeGenerator::link() (IonLinker.h:55)
==3037==    by 0x834C20C: js::ion::SequentialCompileContext::compile(js::ion::IonBuilder*, js::ion::MIRGraph*, js::ion::AutoDestroyAllocator&) (Ion.cpp:1192)
==3037==    by 0x834CB62: _ZN2js3ionL10IonCompileINS0_24SequentialCompileContextEEEbP9JSContextP8JSScriptP10JSFunctionPhbRT_.constprop.387 (Ion.cpp:1142)
==3037==    by 0x834D029: _ZN2js3ionL7CompileEP9JSContextP8JSScriptP10JSFunctionPhb.part.380 (Ion.cpp:1325)


One thing I'm wondering about if the gczeal level here. I cannot decrease it to 4, but this is also not a root analysis build and to my knowledge, higher gczeal levels should only work in those builds?
Blocks: IonFuzz
Crash Signature: [@ getAllocKind]
Whiteboard: [jsbugmon:update,bisect]
(In reply to Christian Holler (:decoder) from comment #1)
> One thing I'm wondering about if the gczeal level here. I cannot decrease it
> to 4, but this is also not a root analysis build and to my knowledge, higher
> gczeal levels should only work in those builds?

Only 6 and 7 require a root analysis build.  According to JS_GC_ZEAL=help, zeal mode 9 is "Incremental GC in two slices: 1) mark all 2) new marking and finish", which I think was added by Jon awhile back.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, failed due to error (try manually).
This crashes while marking CompilerRoots. I have had no success in trying to determine how ParallelArray comes into play here.
Attached patch fixSplinter Review
We were constructing a temporary CompilerRoot object in MInstanceOf and then invoking operator= to copy it to the real one.

This is sort of a dangerous pattern. If we ever accidentally use one of these as a temporary, we'll crash. Hopefully the private stuff will make this less likely.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #685779 - Flags: review?(bhackett1024)
Comment on attachment 685779 [details] [diff] [review]
fix

Review of attachment 685779 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/CompilerRoot.h
@@ +45,5 @@
> +
> +  private:
> +    CompilerRoot();
> +    CompilerRoot(const CompilerRoot<T> &);
> +    CompilerRoot<T> &operator =(const CompilerRoot<T> &);

Can these be MOZ_DELETE?
Attachment #685779 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/59281806d3a6
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
What's the rating on this bug? Do we think that B2G is impacted?
What is the severity of this bug -- do we need to take it on branches (particularly the Fx18-based B2g branch)? It should not have landed without a sec-approval request unless it was rated less than sec-high or sec-critical (and unrated counts as "possibly critical in worst case").
Was 19 affected by this? Did we ship this problem?
This regressed in bug 814861, which landed for 20. It was backported to 18 and 19, but the backports had the fix for this bug.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main20-]
Group: core-security
You need to log in before you can comment on or make changes to this bug.