If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

Crash [@ markIfUnmarked] or Assertion failure: entry.isJs(), at vm/SPSProfiler.cpp:371

VERIFIED FIXED

Status

()

Core
JavaScript Engine
--
critical
VERIFIED FIXED
3 years ago
9 months ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 1 bug, 5 keywords)

Trunk
x86_64
Linux
assertion, crash, regression, sec-moderate, testcase
Points:
---

Firefox Tracking Flags

(firefox39 affected, firefox45 wontfix, firefox46 verified, firefox-esr45 wontfix)

Details

(Whiteboard: [jsbugmon:update][adv-main46+], crash signature)

(Reporter)

Description

3 years ago
The following testcase crashes on mozilla-central revision eab4a81e4457 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-debug, run with --fuzzing-safe --no-threads):

setJitCompilerOption("baseline.warmup.trigger", 045133);
enableSPSProfilingWithSlowAssertions();
DoWhile(new DoWhileObject());
function DoWhileObject() {}    
function DoWhile(object) {
  do {
    throw DoWhile(1)
  } while(object.value);
}



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
markIfUnmarked (cell=<optimized out>, this=<optimized out>, color=0) at js/src/gc/Heap.h:857
857	        if (*word & mask)
#0  markIfUnmarked (cell=<optimized out>, this=<optimized out>, color=0) at js/src/gc/Heap.h:857
#1  markIfUnmarked (color=0, this=<optimized out>) at js/src/gc/Heap.h:1285
#2  js::gc::MarkPermanentAtom (trc=trc@entry=0x16b21d8, atom=<optimized out>, name=name@entry=0xaa2ecf "length2-static-string") at js/src/gc/Marking.cpp:338
#3  0x00000000005cc7e7 in js::StaticStrings::trace (this=0x16c8b90, trc=trc@entry=0x16b21d8) at js/src/vm/String.cpp:718
#4  0x0000000000446424 in js::MarkPermanentAtoms (trc=trc@entry=0x16b21d8) at js/src/jsatom.cpp:223
#5  0x0000000000628fcf in js::gc::GCRuntime::markRuntime (this=this@entry=0x16aa550, trc=trc@entry=0x16b21d8, traceOrMark=traceOrMark@entry=js::gc::GCRuntime::MarkRuntime, rootsSource=rootsSource@entry=js::gc::GCRuntime::TraceRoots) at js/src/gc/RootMarking.cpp:472
#6  0x00000000008727bc in js::gc::GCRuntime::beginMarkPhase (this=this@entry=0x16aa550, reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:4017
#7  0x00000000008982b9 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x16aa550, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:5889
#8  0x0000000000898ebe in js::gc::GCRuntime::gcCycle (this=this@entry=0x16aa550, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6126
#9  0x0000000000899183 in js::gc::GCRuntime::collect (this=this@entry=0x16aa550, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6238
#10 0x0000000000899767 in js::gc::GCRuntime::gc (this=this@entry=0x16aa550, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6299
#11 0x0000000000819b43 in js::DestroyContext (cx=0x16c7fe0, mode=js::DCM_FORCE_GC) at js/src/jscntxt.cpp:185
#12 0x0000000000819c4a in JS_DestroyContext (cx=<optimized out>) at js/src/jsapi.cpp:675
#13 0x0000000000416ab9 in DestroyContext (withGC=true, cx=0x16c7fe0) at js/src/shell/js.cpp:5639
#14 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6394
rax	0x80000	524288
rbx	0x16b21d8	23798232
rcx	0x13	19
rdx	0x7ff7f7efc618	140702993335832
rsi	0x7ff7f7efc0a0	140702993334432
rdi	0x16b21d8	23798232
rbp	0x16b21d8	23798232
rsp	0x7fffffffd380	140737488343936
r8	0x6e	110
r9	0x1	1
r10	0x1	1
r11	0x1738b10	24349456
r12	0x16c8b90	23890832
r13	0x16b21d8	23798232
r14	0x1	1
r15	0x16bcd40	23842112
rip	0x4d6056 <js::gc::MarkPermanentAtom(JSTracer*, JSAtom*, char const*)+134>
=> 0x4d6056 <js::gc::MarkPermanentAtom(JSTracer*, JSAtom*, char const*)+134>:	mov    (%rdx),%rcx
   0x4d6059 <js::gc::MarkPermanentAtom(JSTracer*, JSAtom*, char const*)+137>:	test   %rax,%rcx


Marking s-s because the crash looks bad and involves GC.
See also bug 1134515.
See Also: → bug 1134515
(Reporter)

Updated

3 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
(Reporter)

Comment 2

3 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/70a8168c7d24
user:        Kannan Vijayan
date:        Thu Jan 15 20:11:21 2015 -0500
summary:     Bug 1057082 - 3/7 - Modify jits to use lastProfilingFrame and lastProfilingCallSite fields. r=jandem

This iteration took 154.722 seconds to run.
Keywords: sec-moderate
(Reporter)

Updated

3 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
(Reporter)

Comment 3

3 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 42afc7ef5ccb).

Updated

2 years ago
Group: core-security → javascript-core-security
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]

Updated

2 years ago
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]

Comment 4

2 years ago
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/2d5eaa85e9da
user:        Kannan Vijayan
date:        Thu Mar 12 12:13:16 2015 -0400
summary:     Bug 1134515 - Ensure SPSBaselineOSRMarker checks pseudostack size properly. r=shu

This iteration took 164.591 seconds to run.
Assuming FIXED by bug 1134515.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Whiteboard: [jsbugmon:] → [jsbugmon:update]

Updated

2 years ago
Status: RESOLVED → VERIFIED
status-firefox46: --- → verified

Comment 6

2 years ago
JSBugMon: This bug has been automatically verified fixed.
Group: javascript-core-security → core-security-release
status-firefox45: --- → wontfix
status-firefox-esr45: --- → wontfix
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main45+]
Whiteboard: [jsbugmon:update][adv-main45+] → [jsbugmon:update][adv-main46+]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.