1337414 - Crash [@ js::AutoClearTypeInferenceStateOnOOM::AutoClearTypeInferenceStateOnOOM] or Assertion failure: CurrentThreadCanAccessZone(zone), at vm/TypeInference.cpp:4536

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 20a8536b0bfa (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

var lfLogBuffer = `
gczeal(15,10);
try {
    a = []
    gczeal(2, 2)()
} catch (e) {}
a.every(function() {})
//corefuzz-dcd-endofdata
//corefuzz-dcd-selectmode 5
`;
lfLogBuffer = lfLogBuffer.split('\n');
lfPreamble = `
`;
var lfCodeBuffer = "";
var lfRunTypeLimit = 7;
var lfOffThreadGlobal = newGlobal();
try {} catch (lfVare5) {}
var lfAccumulatedCode = lfPreamble;
while (true) {
    var line = lfLogBuffer.shift();
    if (line == null) {
        break;
    } else if (line == "//corefuzz-dcd-endofdata") {
        loadFile(lfCodeBuffer);
    } else if (line.indexOf("//corefuzz-dcd-selectmode ") === 0) {
        loadFile(line);
    } else {
        lfCodeBuffer += line + "\n";
    }
}
if (lfCodeBuffer) loadFile(lfCodeBuffer);
function loadFile(lfVarx) {
    try {
        if (lfVarx.indexOf("//corefuzz-dcd-selectmode ") === 0) {
            lfRunTypeId = parseInt(lfVarx.split(" ")[1]) % lfRunTypeLimit;
        } else {
            switch (lfRunTypeId) {
                case 5:
                    evalInWorker(lfAccumulatedCode);
                    evaluate(lfVarx);
            }
        }
    } catch (lfVare) {
        lfAccumulatedCode += "try { evaluate(`\n" + lfVarx + "\n`); } catch(exc) {}\n";
    }
}


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  js::AutoClearTypeInferenceStateOnOOM::AutoClearTypeInferenceStateOnOOM (zone=0x7fb26f91d000, this=0x7fb2692fc428) at js/src/vm/TypeInference.cpp:4576
#1  mozilla::Maybe<js::AutoClearTypeInferenceStateOnOOM>::emplace<JS::Zone*&> (this=0x7fb2692fc420) at dist/include/mozilla/Maybe.h:461
#2  EnsureHasAutoClearTypeInferenceStateOnOOM (oom=@0x7fb2692fc408: 0x0, zone=0x7fb26f91d000, fallback=...) at js/src/vm/TypeInference.cpp:4285
#3  0x00000000009cae2a in js::ObjectGroup::sweep (this=this@entry=0x7fb269629250, oom=oom@entry=0x0) at js/src/vm/TypeInference.cpp:4308
#4  0x0000000000b1411d in js::ObjectGroup::maybeSweep (this=this@entry=0x7fb269629250, oom=0x0) at js/src/vm/ObjectGroup-inl.h:26
#5  0x0000000000b1c37b in js::ObjectGroup::flags (this=0x7fb269629250) at js/src/vm/ObjectGroup-inl.h:32
#6  js::ObjectGroup::basePropertyCount (this=0x7fb269629250) at js/src/vm/TypeInference-inl.h:1058
#7  js::ObjectGroup::getPropertyCount (this=0x7fb269629250) at js/src/vm/TypeInference-inl.h:1134
#8  js::ObjectGroup::traceChildren (this=0x7fb269629250, trc=0x7fb2692fc5b8) at js/src/gc/Marking.cpp:1402
#9  0x0000000000b3a288 in js::TraceChildren (kind=<optimized out>, thing=0x7fb269629250, trc=0x7fb2692fc5b8) at js/src/gc/Tracer.cpp:126
#10 JS::TraceChildren (trc=trc@entry=0x7fb2692fc5b8, thing=...) at js/src/gc/Tracer.cpp:111
#11 0x0000000000b3a33f in CheckHeapTracer::check (this=this@entry=0x7fb2692fc5b0, lock=...) at js/src/gc/Verifier.cpp:549
#12 0x0000000000b3a4e0 in js::gc::CheckHeapAfterGC (rt=<optimized out>) at js/src/gc/Verifier.cpp:570
#13 0x00000000008362fc in js::gc::GCRuntime::collect (this=this@entry=0x7fb2694ed3c0, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=<optimized out>, reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6396
#14 0x00000000008363cb in js::gc::GCRuntime::gc (this=0x7fb2694ed3c0, gckind=<optimized out>, reason=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6426
#15 0x0000000000836837 in js::gc::GCRuntime::runDebugGC (this=this@entry=0x7fb2694ed3c0) at js/src/jsgc.cpp:6843
#16 0x0000000000aad920 in js::gc::GCRuntime::gcIfNeededPerAllocation (cx=0x7fb26f93a800, this=0x7fb2694ed3c0) at js/src/gc/Allocator.cpp:230
#17 js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=0x7fb2694ed3c0, cx=0x7fb26f93a800, kind=<optimized out>) at js/src/gc/Allocator.cpp:191
#18 0x0000000000aae336 in js::Allocate<JSObject, (js::AllowGC)1> (cx=cx@entry=0x7fb26f93a800, kind=js::gc::AllocKind::FUNCTION_EXTENDED, nDynamicSlots=0, heap=heap@entry=js::gc::TenuredHeap, clasp=clasp@entry=0x1b752a0 <JSFunction::class_>) at js/src/gc/Allocator.cpp:51
#19 0x000000000083eb17 in JSObject::create (cx=cx@entry=0x7fb26f93a800, kind=kind@entry=js::gc::AllocKind::FUNCTION_EXTENDED, heap=heap@entry=js::gc::TenuredHeap, shape=..., shape@entry=..., group=..., group@entry=...) at js/src/jsobjinlines.h:376
#20 0x000000000082080b in NewObject (cx=cx@entry=0x7fb26f93a800, group=..., group@entry=..., kind=kind@entry=js::gc::AllocKind::FUNCTION_EXTENDED, newKind=newKind@entry=js::SingletonObject, initialShapeFlags=initialShapeFlags@entry=0) at js/src/jsobj.cpp:650
#21 0x000000000082138d in js::NewObjectWithClassProtoCommon (cx=0x7fb26f93a800, clasp=0x1b752a0 <JSFunction::class_>, allocKind=allocKind@entry=js::gc::AllocKind::FUNCTION_EXTENDED, newKind=js::SingletonObject, protoArg=...) at js/src/jsobj.cpp:767
#22 0x00000000008214fa in js::NewObjectWithClassProtoCommon (cx=cx@entry=0x7fb26f93a800, clasp=clasp@entry=0x1b752a0 <JSFunction::class_>, protoArg=..., protoArg@entry=..., allocKind=allocKind@entry=js::gc::AllocKind::FUNCTION_EXTENDED, newKind=<optimized out>) at js/src/jsobj.cpp:780
#23 0x00000000007ef8fe in js::NewObjectWithClassProto (newKind=<optimized out>, allocKind=js::gc::AllocKind::FUNCTION_EXTENDED, proto=..., clasp=0x1b752a0 <JSFunction::class_>, cx=0x7fb26f93a800) at js/src/jsobjinlines.h:708
#24 NewFunctionClone (cx=cx@entry=0x7fb26f93a800, fun=..., fun@entry=..., newKind=newKind@entry=js::SingletonObject, allocKind=allocKind@entry=js::gc::AllocKind::FUNCTION_EXTENDED, proto=...) at js/src/jsfun.cpp:1974
#25 0x00000000007f326e in js::CloneFunctionAndScript (cx=cx@entry=0x7fb26f93a800, fun=fun@entry=..., enclosingEnv=..., enclosingEnv@entry=..., newScope=..., newScope@entry=..., allocKind=allocKind@entry=js::gc::AllocKind::FUNCTION_EXTENDED, proto=..., proto@entry=...) at js/src/jsfun.cpp:2049
#26 0x00000000009953e0 in CloneObject (cx=cx@entry=0x7fb26f93a800, selfHostedObject=..., selfHostedObject@entry=...) at js/src/vm/SelfHosting.cpp:3096
#27 0x0000000000995b72 in CloneValue (cx=cx@entry=0x7fb26f93a800, selfHostedValue=..., selfHostedValue@entry=..., vp=..., vp@entry=...) at js/src/vm/SelfHosting.cpp:3144
#28 0x0000000000995cf4 in JSRuntime::cloneSelfHostedValue (this=0x7fb2694ed000, cx=0x7fb26f93a800, name=..., vp=...) at js/src/vm/SelfHosting.cpp:3272
#29 0x00000000004d7ae2 in js::GlobalObject::getIntrinsicValue (value=..., name=..., global=..., cx=<optimized out>) at js/src/vm/GlobalObject.h:713
#30 js::GetIntrinsicOperation (vp=..., pc=<optimized out>, cx=<optimized out>) at js/src/vm/Interpreter-inl.h:236
#31 Interpret (cx=0x7fb26f93a800, state=...) at js/src/vm/Interpreter.cpp:3123
#32 0x00000000004d9e86 in js::RunScript (cx=cx@entry=0x7fb26f93a800, state=...) at js/src/vm/Interpreter.cpp:406
#33 0x00000000004da420 in js::InternalCallOrConstruct (cx=0x7fb26f93a800, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:478
#34 0x00000000004cc291 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:511
#35 Interpret (cx=0x7fb26f93a800, state=...) at js/src/vm/Interpreter.cpp:2957
#36 0x00000000004d9e86 in js::RunScript (cx=cx@entry=0x7fb26f93a800, state=...) at js/src/vm/Interpreter.cpp:406
#37 0x00000000004dc56d in js::ExecuteKernel (result=0x7fb269393098, evalInFrame=..., newTargetValue=..., envChainArg=..., script=..., cx=0x7fb26f93a800) at js/src/vm/Interpreter.cpp:687
#38 js::Execute (cx=cx@entry=0x7fb26f93a800, script=script@entry=..., envChainArg=..., rval=rval@entry=0x7fb269393098) at js/src/vm/Interpreter.cpp:720
#39 0x00000000007ac515 in ExecuteScript (cx=cx@entry=0x7fb26f93a800, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x7fb269393098) at js/src/jsapi.cpp:4440
#40 0x00000000007b3cd0 in JS_ExecuteScript (cx=cx@entry=0x7fb26f93a800, scriptArg=scriptArg@entry=..., rval=rval@entry=...) at js/src/jsapi.cpp:4466
#41 0x000000000044ba1f in Evaluate (cx=0x7fb26f93a800, argc=<optimized out>, vp=0x7fb269393098) at js/src/shell/js.cpp:1812
#42 0x00000000004da376 in js::CallJSNative (args=..., native=<optimized out>, cx=0x7fb26f93a800) at js/src/jscntxtinlines.h:281
[...]
#50 0x00000000007b3cd0 in JS_ExecuteScript (cx=cx@entry=0x7fb26f93a800, scriptArg=scriptArg@entry=..., rval=rval@entry=...) at js/src/jsapi.cpp:4466
#51 0x00000000004518cc in WorkerMain (arg=0x7fb2693f5400) at js/src/shell/js.cpp:3443
[...]
#55 0x00007fb26fcaab5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax	0x1ba43e0	28984288
rbx	0x7fb2692fc408	140404245644296
rcx	0xdf4a80	14633600
rdx	0x7fb26f926800	140404352772096
rsi	0x7fb26f91d000	140404352733184
rdi	0x7fb26f946000	140404352901120
rbp	0x7fb2692fc3b0	140404245644208
rsp	0x7fb2692fc380	140404245644160
r8	0x7fb2692fc508	140404245644552
r9	0x7d2c516e	2100056430
r10	0x602	1538
r11	0x7d2c516e	2100056430
r12	0x7fb2692fc428	140404245644328
r13	0x7fb2692fc420	140404245644320
r14	0x7fb269629250	140404248973904
r15	0x7fb269629250	140404248973904
rip	0x9be2f8 <EnsureHasAutoClearTypeInferenceStateOnOOM(js::AutoClearTypeInferenceStateOnOOM*&, JS::Zone*, mozilla::Maybe<js::AutoClearTypeInferenceStateOnOOM>&)+184>
=> 0x9be2f8 <EnsureHasAutoClearTypeInferenceStateOnOOM(js::AutoClearTypeInferenceStateOnOOM*&, JS::Zone*, mozilla::Maybe<js::AutoClearTypeInferenceStateOnOOM>&)+184>:	movl   $0x0,0x0
   0x9be303 <EnsureHasAutoClearTypeInferenceStateOnOOM(js::AutoClearTypeInferenceStateOnOOM*&, JS::Zone*, mozilla::Maybe<js::AutoClearTypeInferenceStateOnOOM>&)+195>:	ud2    


I didn't try to reduce this testcase further. It is already intermittent in its current form and gets more intermittent the smaller I try to make it.

Comment 1

[Christian Holler (:decoder)]

Needinfo from jonco. Jon, can you also check why it is so hard to get a testcase for this? The fuzzer hits this issue really often but reproducing and reducing seem to be very difficult.

Comment 2

[Jan de Mooij [:jandem]]

This looks like the "cross-runtime edges while cloning self-hosted code" issue but with CheckHeapTracer this time.

Comment 3

[Randell Jesup [:jesup] (needinfo me)]

also: sec-rating?

Comment 4

[Andrew McCreight [:mccr8]]

(In reply to Randell Jesup [:jesup] from comment #3)
> also: sec-rating?

From comment 2, this sounds like a bug in the verifier, so it can probably be unhidden.

Comment 5

[Jon Coppeard (:jonco)]

Attachment: bug1337414-check-heap-crash

Yes, we just need to stop CheckHeapTracer from tracing into things owned by another runtime.

Comment 6

[Jan de Mooij [:jandem]]

Comment on attachment 8840054 [details] [diff] [review]
bug1337414-check-heap-crash

Review of attachment 8840054 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/gc/Verifier.cpp
@@ +302,5 @@
>  
>  void
>  js::gc::AssertSafeToSkipBarrier(TenuredCell* thing)
>  {
> +    mozilla::DebugOnly<Zone*> zone = thing->zoneFromAnyThread();

I was going to say wrap this in #ifdef DEBUG to be completely sure compilers don't emit any code for zoneFromAnyThread in opt builds, but this is gczeal-only so it doesn't matter.

Comment 7

[Jon Coppeard (:jonco)]

Unhiding as it's a bug in code that is not present in release builds.

Comment 8

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f8c367bec5de
Don't trace into GC things owned by other runtimes in CheckHeapTracer r=jandem

Comment 9

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/f8c367bec5de

Comment 10

[Jon Coppeard (:jonco)]

This was caused by bug 1272604.