893263 - Assertion failure: (ptrBits & 0x7) == 0, at dist/include/js/Value.h or Assertion failure: p.found(), at dist/include/js/HashTable.h, sometimes crashing with js::gc::MarkValueRootRange or FindReferences on the stack

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

function x() {}
evaluate("findReferences({})", {
    newContext: x
})

asserts js debug shell on m-c changeset 3433a021847b with --baseline-eager at Assertion failure: (ptrBits & 0x7) == 0, at dist/include/js/Value.h

I've got more testcases (reduced from the same large original testcase) coming up that assert differently and crash differently too.

Locking s-s because js::gc::MarkValueRootRange is on the stack.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: second assert

Run also with --baseline-eager:

Assertion failure: p.found(), at dist/include/js/HashTable.h

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack for second testcase

I couldn't get the stack for this from gdb directly, I had to dump a corefile then inspect it for the stack.

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: 3rd crash

$ ./js-dbg-64-darwin-3433a021847b --baseline-eager testcase.js
js-dbg-64-darwin-3433a021847b(28540) malloc: *** error for object 0x101629c60: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
Abort trap: 6

Comment 4

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack of 3rd testcase

Also had to dump a corefile for this.

Comment 5

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/b674f0e40c8e
user:        Brian Hackett
date:        Wed Jul 10 09:29:52 2013 -0600
summary:     Bug 885758 - Add ExclusiveContext for use by threads with exclusive access to their compartment, r=billm.

This iteration took 340.644 seconds to run.

Comment 6

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Brian, is bug 885758 a likely regressor?

Comment 7

[Brian Hackett [Laid off!]]

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #6)
> Brian, is bug 885758 a likely regressor?

No, it isn't.  I looked at this and findReferences() has an AutoArrayRooter whose contents change while it is in the process of being traced, causing all sorts of corruption.  findReferences() bugs are not s-s.

Comment 8

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Hoping Terrence might be able to look at this, as per IRC.

Comment 9

[Terrence Cole [:terrence]]

I'm fixing the rooting for findReferences in bug 890048. We should wait until that lands and see if this still reproducess then.

Comment 10

[Christian Holler (:decoder)]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 52f9e8ffe111).

Comment 11

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Highly likely fixed by bug 890048. Let's double check.

Comment 12

[Christian Holler (:decoder)]

JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/411082e7dc9c
user:        Terrence Cole
date:        Wed Jul 24 16:32:21 2013 -0700
summary:     Bug 890048 - Fix rooting of the findReferences shell command; r=jimb,billm

This iteration took 346.581 seconds to run.