Closed
Bug 1517158
Opened 5 years ago
Closed 5 years ago
Assertion failure: !JS::RuntimeHeapIsCollecting(), at js/src/gc/Cell.h:356
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED FIXED
mozilla66

Tracking | Status
---|---
firefox-esr60 | unaffected
firefox64 | unaffected
firefox65 | unaffected
firefox66 | verified
People
(Reporter: gkw, Assigned: allstars.chh)
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(2 files, 1 obsolete file)
- 12.27 KB, text/plain
- 7.86 KB, patch (allstars.chh: review+)
Description (Reporter, 5 years ago)

The following testcase crashes on mozilla-central revision 0def5ac36b5b (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

```js
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/onExceptionUnwind-03.js
(function() {
    var g = newGlobal();
    g.debuggeeGlobal = this;
    g.eval("(" + function() {
        dbg = new Debugger(debuggeeGlobal);
        dbg.onExceptionUnwind = function(frame, exc) {
            var s = '!';
            for (var f = frame; f; f = f.older)
                if (f.type === "call")
                    s += f.callee.name;
        };
    } + ")();");
    try {
        h();
    } catch (e) {}
    g.dbg.enabled = false;
})();
// jsfunfuzz-generated
startgc(114496726);
```

Backtrace:

```
#0 js::gc::TenuredCell::readBarrier (thing=0x7fefa178b060) at js/src/gc/Cell.h:355
#1 0x000055f31a05de67 in JSObject::readBarrier (obj=0x7fefa178b060) at js/src/vm/JSObject.h:676
#2 js::InternalBarrierMethods<js::GlobalObject*>::readBarrier (v=0x7fefa178b060) at js/src/gc/Barrier.h:268
#3 js::ReadBarrieredBase<js::GlobalObject*>::read (this=0x7fefa1977048) at js/src/gc/Barrier.h:602
#4 js::ReadBarriered<js::GlobalObject*>::get (this=<optimized out>) at js/src/gc/Barrier.h:653
#5 js::ReadBarriered<js::GlobalObject*>::operator-> (this=<optimized out>) at js/src/gc/Barrier.h:664
#6 JS::Realm::maybeGlobal (this=0x7fefa1977000) at js/src/vm/Realm-inl.h:26
/snip
```

For detailed crash information, see attachment.

I don't think this is s-s since it's related to debugger, but GC is also involved, so setting it to be safe.
Comment 2 (Reporter, 5 years ago)

Due to skipped revisions, the first bad revision could be any of:

- changeset: https://hg.mozilla.org/mozilla-central/rev/3d706269aea5
  parent: 32810619d6b3
  user: Yoshi Cheng-Hao Huang
  date: Thu Dec 20 15:34:25 2018 +0100
  summary: Bug 1515648 - Part 1: Assert read barriers won't fire during collection. r=jonco
- changeset: https://hg.mozilla.org/mozilla-central/rev/8fe391c74c65
  user: Yoshi Cheng-Hao Huang
  date: Thu Dec 20 15:43:56 2018 +0100
  summary: Bug 1515648 - Part 2: fix in Shape.cpp. r=jonco
- changeset: https://hg.mozilla.org/mozilla-central/rev/c4c07de1d4f4
  user: Yoshi Cheng-Hao Huang
  date: Fri Dec 14 15:11:10 2018 +0100
  summary: Bug 1515648 - Part 3: use unbarrieredGet() for Debugger. r=jonco
- changeset: https://hg.mozilla.org/mozilla-central/rev/64e9482f70bc
  user: Yoshi Cheng-Hao Huang
  date: Wed Dec 19 17:30:10 2018 +0100
  summary: Bug 1515648 - Part 4: fix in SavedStacks.cpp. r=jonco

Yoshi, is bug 1515648 a likely regressor?
Blocks: 1515648
Flags: needinfo?(allstars.chh)
Updated (Assignee, 5 years ago)
Assignee: nobody → allstars.chh
Status: NEW → ASSIGNED
Flags: needinfo?(allstars.chh)

Updated (5 years ago)
Keywords: sec-moderate
Comment 3 (Assignee, 5 years ago)
Attachment #9034440 - Flags: review?(jcoppeard)
Comment 4 (5 years ago)

Comment on attachment 9034440 [details] [diff] [review]
Patch

Review of attachment 9034440 [details] [diff] [review]:
-----------------------------------------------------------------

Nice!

::: js/src/jit-test/tests/debug/onExceptionUnwind-16.js
@@ +1,1 @@
> +(function() {

Generally test cases like this should be named after the bug (e.g. bug-123456.js), otherwise it looks like this is a feature test. This should probably go in jit-test/tests/gc too.
Attachment #9034440 -
Flags: review?(jcoppeard) → review+
Updated (5 years ago)
status-firefox64: --- → unaffected
status-firefox65: --- → unaffected
status-firefox-esr60: --- → unaffected
Comment 5 (Assignee, 5 years ago)
Attachment #9034440 - Attachment is obsolete: true
Attachment #9034748 - Flags: review+
Comment 6 (5 years ago)
https://hg.mozilla.org/integration/mozilla-inbound/rev/501ffb16f40b1912877c2448117fdefd76e0b836
https://hg.mozilla.org/mozilla-central/rev/501ffb16f40b
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
Updated (5 years ago)
Status: RESOLVED → VERIFIED
Comment 7 (5 years ago)
JSBugMon: This bug has been automatically verified fixed.
Updated (5 years ago)
Group: core-security-release