Assertion failure: arenaHeader()->allocated(), at js/src/gc/Heap.h:1276 or Crash [@ js::CurrentThreadCanAccessZone]

RESOLVED DUPLICATE of bug 1136597

Status


--
critical
RESOLVED DUPLICATE of bug 1136597
4 years ago
4 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
x86
Linux
assertion, crash, regression, testcase
Points:
---

Firefox Tracking Flags

(firefox39 affected)

Details

(Whiteboard: [jsbugmon:update,bisect], crash signature)

(Reporter)

Description

4 years ago
The following testcase crashes on mozilla-central revision dd6353d61993 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-debug, run with --fuzzing-safe --thread-count=2):

// Fuzzer-reduced helper: builds a Debugger inside a fresh global (newGlobal()
// is presumably a js-shell builtin, not defined in this script) and returns a
// closure that adds this script's own global as a debuggee. The `upCount` and
// `code` parameters are accepted but never read; the name only survives from
// the original (unreduced) test.
var evalInFrame = (function (global) {
  var dbgGlobal = newGlobal();
  var dbg = new dbgGlobal.Debugger();
  return function evalInFrame(upCount, code) {
    dbg.addDebuggee(global);
  };
})(this);
// Registry of every TestCase constructed so far, and the index of the next
// free slot (incremented by the TestCase constructor below).
var gTestcases = new Array();
var gTc = gTestcases.length;
// Legacy SpiderMonkey expression-closure syntax (function body without
// braces): each new TestCase stores itself in gTestcases, so the loop below
// keeps 33 objects reachable from this global until the GC runs.
function TestCase()
  gTestcases[gTc++] = this;
// Allocates a German-locale Intl.Collator and reads its resolved `collation`
// option; the result is discarded and both parameters are unused (fuzzer
// residue). Its only role in the repro is the allocation it performs.
function checkCollation(extensionCoValue, usageValue) {
    var collator = new Intl.Collator(["de-DE"]);
    collator.resolvedOptions().collation;
}
// Driver. Order matters for the repro, so nothing here should be reordered:
// two collator allocations, 33 TestCase allocations (`addpow` is an implicit
// global), a Debugger that takes this global as debuggee, a gc() with the
// 'shrinking' argument, then a second gc() issued from inside a direct eval.
// The backtrace above shows the assertion firing during that eval'd gc():
// DebuggerObject_trace (frame #5) marks the "Debugger.Object referent" across
// compartments (frame #4) while the sweep phase is marking weak references
// (frames #8-#11), and isMarked() trips on cell 0xf6044040 (frames #1-#2).
// Frames #33/#34 report that same cell's contents as unreadable at 0x49494949,
// which looks like a debug-build fill pattern — consistent with tracing a cell
// whose arena is no longer allocated; TODO confirm against the poison
// constants of revision dd6353d61993. The trailing `h = g1` is never reached
// in the crashing run because the process aborts inside the preceding gc().
checkCollation(undefined, "sort");
checkCollation();
for ( addpow = 0; addpow < 33; addpow++ ) {
    new TestCase();
}
evalInFrame(0, "i(true)", true);
gc(3, 'shrinking')
eval("gc(); h = g1");



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x081e7bb4 in js::gc::TenuredCell::isMarked (color=<optimized out>, this=<optimized out>) at js/src/gc/Heap.h:1276
1276	    MOZ_ASSERT(arenaHeader()->allocated());
#0  0x081e7bb4 in js::gc::TenuredCell::isMarked (color=<optimized out>, this=<optimized out>) at js/src/gc/Heap.h:1276
#1  0x081949ef in js::gc::TenuredCell::isMarked (this=this@entry=0xf6044040, color=1) at js/src/gc/Heap.h:1279
#2  0x0819661b in ShouldMarkCrossCompartment (trc=0x9674a28, src=<optimized out>, cell=0xf6044040) at js/src/gc/Marking.cpp:959
#3  0x081ad8ad in MarkObjectUnbarriered (name=<optimized out>, thingp=<optimized out>, trc=<optimized out>) at js/src/gc/Marking.cpp:599
#4  js::gc::MarkCrossCompartmentObjectUnbarriered (trc=0x9674a28, src=(JSObject *) 0xf6066c00 [object Object], dst=0xffffabbc, name=0x8989c25 "Debugger.Object referent") at js/src/gc/Marking.cpp:983
#5  0x082070f6 in DebuggerObject_trace (trc=trc@entry=0x9674a28, obj=obj@entry=(JSObject *) 0xf6066c00 [object Object]) at js/src/vm/Debugger.cpp:6234
#6  0x081f1ac2 in js::GCMarker::processMarkStackTop (this=this@entry=0x9674a28, budget=...) at js/src/gc/Marking.cpp:1836
#7  0x081b14b4 in js::GCMarker::drainMarkStack (this=0x9674a28, budget=...) at js/src/gc/Marking.cpp:1899
#8  0x0878008a in js::gc::GCRuntime::markWeakReferences<js::CompartmentsIterT<js::gc::GCZoneGroupIter> > (this=this@entry=0x966cd40, phase=phase@entry=js::gcstats::PHASE_SWEEP_MARK_WEAK) at js/src/jsgc.cpp:4113
#9  0x0870904f in markWeakReferencesInCurrentGroup (phase=js::gcstats::PHASE_SWEEP_MARK_WEAK, this=0x966cd40) at js/src/jsgc.cpp:4121
#10 js::gc::GCRuntime::endMarkingZoneGroup (this=this@entry=0x966cd40) at js/src/jsgc.cpp:4825
#11 0x08716239 in js::gc::GCRuntime::beginSweepPhase (this=this@entry=0x966cd40, lastGC=lastGC@entry=false) at js/src/jsgc.cpp:5182
#12 0x0871b7c7 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x966cd40, budget=..., reason=reason@entry=JS::gcreason::API) at js/src/jsgc.cpp:5915
#13 0x0871c23d in js::gc::GCRuntime::gcCycle (this=this@entry=0x966cd40, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::API) at js/src/jsgc.cpp:6104
#14 0x0871c51d in js::gc::GCRuntime::collect (this=this@entry=0x966cd40, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::API) at js/src/jsgc.cpp:6216
#15 0x08745275 in gc (reason=JS::gcreason::API, gckind=GC_NORMAL, this=0x966cd40) at js/src/jsgc.cpp:6277
#16 JS::GCForReason (rt=0x966cba0, gckind=GC_NORMAL, reason=JS::gcreason::API) at js/src/jsgc.cpp:7077
#17 0x080dcac9 in GC (cx=0x9685ab0, argc=0, vp=0x97167e0) at js/src/builtin/TestingFunctions.cpp:244
#18 0x0826f136 in js::CallJSNative (cx=0x9685ab0, native=0x80dca30 <GC(JSContext*, unsigned int, jsval*)>, args=...) at js/src/jscntxtinlines.h:226
#19 0x0824a494 in js::Invoke (cx=0x9685ab0, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
#20 0x08240259 in Interpret (cx=0x9685ab0, state=...) at js/src/vm/Interpreter.cpp:2601
#21 0x08249c06 in js::RunScript (cx=cx@entry=0x9685ab0, state=...) at js/src/vm/Interpreter.cpp:448
#22 0x08249d7f in js::ExecuteKernel (cx=0x9685ab0, script=0xf6078a60, scopeChainArg=(JSObject &) @0xf60818b0 [object global] delegate, thisv=..., type=js::EXECUTE_DIRECT_EVAL, evalInFrame=..., result=0xffffc0d0) at js/src/vm/Interpreter.cpp:654
#23 0x081339ce in EvalKernel (cx=cx@entry=0x9685ab0, args=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., scopeobj=(JSObject * const) 0xf60818b0 [object global] delegate, pc=0x97285e6 "{") at js/src/builtin/Eval.cpp:348
#24 0x081341b6 in js::DirectEval (cx=0x9685ab0, args=...) at js/src/builtin/Eval.cpp:489
#25 0x08457d98 in js::jit::DoCallFallback (cx=0x9685ab0, frame=0xffffc110, stub_=0x977c640, argc=1, vp=0xffffc0d0, res=$jsval(-nan(0xfff8200000000))) at js/src/jit/BaselineIC.cpp:9562
#26 0xf7607adc in ?? ()
#27 0x0977c640 in ?? ()
#28 0xf7603c25 in ?? ()
#29 0x083eec4d in EnterBaseline (cx=0xf766de6e, cx@entry=0x9685ab0, data=...) at js/src/jit/BaselineJIT.cpp:123
#30 0x083ef07e in js::jit::EnterBaselineAtBranch (cx=0x9685ab0, fp=0x9716728, pc=0x97285aa "ず") at js/src/jit/BaselineJIT.cpp:210
#31 0x08249957 in Interpret (cx=0x9685ab0, state=...) at js/src/vm/Interpreter.cpp:1737
#32 0x08249c06 in js::RunScript (cx=cx@entry=0x9685ab0, state=...) at js/src/vm/Interpreter.cpp:448
#33 0x08249d7f in js::ExecuteKernel (cx=cx@entry=0x9685ab0, script=0xf60480d0, scopeChainArg=(JSObject &) @0xf6044040 Cannot access memory at address 0x49494949, thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:654
#34 0x0824a1e9 in js::Execute (cx=0x9685ab0, script=0xf60480d0, scopeChainArg=(JSObject &) @0xf6044040 Cannot access memory at address 0x49494949, rval=0x0) at js/src/vm/Interpreter.cpp:691
#35 0x086a0a5a in ExecuteScript (cx=0x9685ab0, obj=..., scriptArg=0xf60480d0, rval=0x0) at js/src/jsapi.cpp:3994
#36 0x0805f5d5 in RunFile (compileOnly=false, file=0x9727018, filename=0xffffd098 "min.js", obj=..., cx=0x9685ab0) at js/src/shell/js.cpp:466
#37 Process (cx=cx@entry=0x9685ab0, obj_=<optimized out>, filename=0xffffd098 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:599
#38 0x0806cfa0 in ProcessArgs (op=0xffffcce8, obj_=<optimized out>, cx=0x9685ab0) at js/src/shell/js.cpp:5792
#39 Shell (op=0xffffcce8, cx=0x9685ab0, envp=<optimized out>) at js/src/shell/js.cpp:6055
#40 main (argc=4, argv=0xffffceb4, envp=0xffffcec8) at js/src/shell/js.cpp:6397
eax	0x0	0
ebx	0x9659ff4	157655028
ecx	0xf7e608ac	-135919444
edx	0x0	0
esi	0xf6044040	-167493568
edi	0x0	0
ebp	0xffffaae8	4294945512
esp	0xffffaad0	4294945488
eip	0x81e7bb4 <js::gc::TenuredCell::isMarked(unsigned int) const+42>
=> 0x81e7bb4 <js::gc::TenuredCell::isMarked(unsigned int) const+42>:	movl   $0x4fc,0x0
   0x81e7bbe <js::gc::TenuredCell::isMarked(unsigned int) const+52>:	call   0x804aa70 <abort@plt>
Component: JavaScript Engine → JavaScript: GC
(Reporter)

Updated

4 years ago
status-firefox38: affected → ---
status-firefox39: --- → affected
I verified that this is the same issue as bug 1136597.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1136597