Bug: Assertion failure: comp == compartment || runtime()->isAtomsCompartment(comp) || (srcKind == JS::TraceKind::Object && InCrossCompartmentMap(static_cast<JSObject*>(src), tenured, thing.kind())), at jsgc.cpp

Status: RESOLVED FIXED
Product / Component: Core :: JavaScript Engine
Priority: --
Severity: critical
Reported: 3 years ago; last modified: 2 years ago
People: Reporter: gkw; Assigned: fitzgen
Tracking: Blocks 2 bugs; Keywords: assertion, regression, testcase
Version: Trunk; Platform: x86_64, Mac OS X
Firefox Tracking Flags: firefox41 unaffected, firefox42 affected
Whiteboard: [jsbugmon:update]
Attachments: 1 attachment, 2 obsolete attachments

Description (Reporter, 3 years ago)

// jsfunfuzz-generated
fullcompartmentchecks(1);
// Randomly chosen test: js/src/jit-test/tests/debug/Memory-tenurePromotionsLog-06.js
x = Debugger();
g = newGlobal();
x.addDebuggee(g);
x.memory.trackingAllocationSites = 1;
x.memory.trackingTenurePromotions = 1;
try {
    g();
} catch (e) {}

asserts js debug shell on m-c changeset 49683d4e9ebd with --fuzzing-safe --no-threads --no-ion at Assertion failure: comp == compartment || runtime()->isAtomsCompartment(comp) || (srcKind == JS::TraceKind::Object && InCrossCompartmentMap(static_cast<JSObject*>(src), tenured, thing.kind())), at js/src/jsgc.cpp

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 49683d4e9ebd

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/6a1ec5fa72af
user:        Nick Fitzgerald
date:        Fri Jul 10 19:14:08 2015 -0700
summary:     Bug 1169710 - Part 1: Debugger should maintain a set of debuggee zones and Zones should maintain a list of debuggers; r=sfink

Nick, is bug 1169710 a likely regressor?
Flags: needinfo?(nfitzgerald)
Updated (Reporter, 3 years ago)
Summary: Assertion failure: comp == compartment || runtime()->isAtomsCompartment(comp) || (srcKind == JS::TraceKind::Object && ... → Assertion failure: comp == compartment || runtime()->isAtomsCompartment(comp) || (srcKind == JS::TraceKind::Object && InCrossCompartmentMap(static_cast<JSObject*>(src), tenured, thing.kind())), at jsgc.cpp
Comment 1 (Reporter, 3 years ago)
Created attachment 8634474 [details]
stack

(lldb) bt 5
* thread #1: tid = 0x13fb45, 0x000000010080a42d js-dbg-64-dm-nsprBuild-darwin-49683d4e9ebd`CompartmentCheckTracer::onChild(this=<unavailable>, thing=<unavailable>) + 1005 at jsgc.cpp:3729, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010080a42d js-dbg-64-dm-nsprBuild-darwin-49683d4e9ebd`CompartmentCheckTracer::onChild(this=<unavailable>, thing=<unavailable>) + 1005 at jsgc.cpp:3729
    frame #1: 0x00000001008829d4 js-dbg-64-dm-nsprBuild-darwin-49683d4e9ebd`JS::CallbackTracer::onObjectEdge(this=0x00007fff5fbfee98, objp=<unavailable>) + 52 at TracingAPI.h:95
    frame #2: 0x000000010043b98f js-dbg-64-dm-nsprBuild-darwin-49683d4e9ebd`JSObject* DoCallback<JSObject*>(JS::CallbackTracer*, JSObject**, char const*) [inlined] JS::CallbackTracer::dispatchToOnEdge(this=0x00007fff5fbfee98, objp=0x0000000103a08428) + 63 at TracingAPI.h:174
    frame #3: 0x000000010043b984 js-dbg-64-dm-nsprBuild-darwin-49683d4e9ebd`JSObject* DoCallback<JSObject*>(trc=0x00007fff5fbfee98, thingp=0x0000000103a08428, name=0x0000000101486960) + 52 at Tracer.cpp:50
    frame #4: 0x0000000100213656 js-dbg-64-dm-nsprBuild-darwin-49683d4e9ebd`js::Debugger::trace(JSTracer*) + 52 at Debugger.cpp:2365
(lldb)
Updated (Reporter, 3 years ago)
status-firefox41: --- → unaffected

Comment 2

Probably my fault.
Assignee: nobody → nfitzgerald
Status: NEW → ASSIGNED
Flags: needinfo?(nfitzgerald)

Comment 3 (Nick Fitzgerald [:fitzgen])

(Sorry it has taken me so long to get to this!)

Gary, I'm not able to reproduce the failure on mozilla-central tip, are the fuzzers still encountering this assertion failure? The debugger's tracing code has seen a little bit of churn, and the GC itself much more so. I wouldn't be surprised if this was incidentally fixed along the way.

If the fuzzers no longer encounter this assertion failure, how should we move forward? Do you think it is worth checking the test case in?
Flags: needinfo?(gary)
Comment 4 (Reporter, 3 years ago)
Created attachment 8672234 [details]
stack for m-c rev c00e93135684

(In reply to Nick Fitzgerald [:fitzgen][:nf] from comment #3)
> Gary, I'm not able to reproduce the failure on mozilla-central tip, are the
> fuzzers still encountering this assertion failure?

Unfortunately I can still reproduce on m-c rev c00e93135684.
Attachment #8634474 - Attachment is obsolete: true
Flags: needinfo?(gary) → needinfo?(nfitzgerald)
Comment 5

Duplicate of this bug: 1216158
Comment 6 (Reporter, 2 years ago)
Created attachment 8706756 [details]
stack for m-c rev 6020a4cb41a7

Still able to reproduce on m-c rev 6020a4cb41a7.

Compiled on Mac using:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 6020a4cb41a7


Jim, are you able to also try and see if you can reproduce?
Attachment #8672234 - Attachment is obsolete: true
Flags: needinfo?(jimb)
Comment 7 (2 years ago)

I checked out 6020a4cb41a7, and I wasn't able to reproduce on my Fedora machine.

Nick, you're running OSX; perhaps Gary can tar up a build tree and send it to you to debug?
Flags: needinfo?(jimb)
Comment 8

Nick, what's the status of this one? The fuzzers are hitting this a lot, maybe they can give you another testcase.
Comment 9 (jandem)

Here's another test case that fails reliably for me on OS X, 32-bit, with/without --no-threads:

fullcompartmentchecks(3);
root = newGlobal();
dbg1 = Debugger(root);
function setTracking(dbg, bool) {
    dbg.memory.trackingAllocationSites = dbg.memory.trackingTenurePromotions = bool;
    root.eval("  [ ]");
}
setTracking(dbg1, true);
Comment 10 (Nick Fitzgerald [:fitzgen])

Thanks for the additional test case, jandem. I will see if I can reproduce now.
Flags: needinfo?(nfitzgerald)
Comment 11 (Nick Fitzgerald [:fitzgen])

I can reproduce now. Thanks again, jandem!
Comment 12 (Nick Fitzgerald [:fitzgen])

OK, so the compartment checker wants to assert that when we trace cross compartment edges, they had better be in the cross compartment wrapper map. Makes sense on the face of it. However, these edges are not in that map, but are still safe for compartmental GCs because they are instead marked via Debugger::markCrossCompartmentEdges.

This isn't an issue for the other things marked in Debugger::markCrossCompartmentEdges because they *do* exist in the CCW map. These edges can't because when we insert the references into the promotion log, we don't have a cx and can't create a wrapper (so wrapping is instead postponed until the log is flushed to the API consumer).

Possible solutions:

* Add TraceUnsafeCrossCompartmentEdge and use it here. That is what we are doing now, but without the scary warning and with tripping the fuzzers...

* Figure out how to make CCWs with just a rt and not a cx. This way we could eagerly wrap these entries and they would be in the CCW map. However, this would also allocate wrapper objects during (the end of) a nursery collection. That might be a no-go, as there are lots of places that do sane things like assert the nursery is empty after a nursery collection.

* Something else that I haven't thought of?

sfink, you're familiar with both the GC and the Debugger: any opinions?
Flags: needinfo?(sphink)
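As an added illustration (not code from this bug, and not SpiderMonkey's own types or tracer), the following toy C++ model expresses the invariant the compartment checker enforces, as described in the comment above: a traced edge is accepted when it stays inside one compartment, points into the atoms compartment, or goes through a wrapper recorded in the source compartment's cross-compartment wrapper map. The scenario function models the Debugger-to-debuggee edge from the bug both with a registered wrapper and as the bare promotion-log reference that could not be wrapped. Names such as Compartment, Obj, Edge, crossCompartmentMap, edgeIsSafe and unsafeEdgeCount are hypothetical simplifications.

```cpp
// Added example, not SpiderMonkey code: a toy model of the invariant that
// CompartmentCheckTracer asserts. All names here are hypothetical.
#include <cstddef>
#include <cstdio>
#include <set>
#include <vector>

struct Compartment {
    bool isAtomsCompartment = false;
    // Stands in for the real cross-compartment wrapper (CCW) map: the set of
    // foreign things this compartment owns a wrapper for.
    std::set<const void*> crossCompartmentMap;
};

struct Obj {
    Compartment* compartment;
};

struct Edge {
    const Obj* src;     // the thing being traced from
    const Obj* target;  // the thing it points at
};

// The predicate behind the assertion: an edge is safe for a per-compartment
// GC if it stays in one compartment, points into the atoms compartment, or
// goes through a wrapper recorded in the source compartment's CCW map.
bool edgeIsSafe(const Edge& e) {
    const Compartment* srcComp = e.src->compartment;
    const Compartment* dstComp = e.target->compartment;
    if (srcComp == dstComp) return true;
    if (dstComp->isAtomsCompartment) return true;
    return srcComp->crossCompartmentMap.count(e.target) > 0;
}

// Collect offending edges instead of aborting, so the check can be tested.
std::vector<Edge> findUnsafeEdges(const std::vector<Edge>& edges) {
    std::vector<Edge> bad;
    for (const Edge& e : edges) {
        if (!edgeIsSafe(e)) bad.push_back(e);
    }
    return bad;
}

// Scenario from the bug: a Debugger in one compartment traces an edge to a
// debuggee object in another. With wrapped == true a wrapper was registered
// first (the normal case); with wrapped == false the edge is a bare reference
// like a promotion-log entry that could not be wrapped without a cx.
std::size_t unsafeEdgeCount(bool wrapped) {
    Compartment atoms;
    atoms.isAtomsCompartment = true;
    Compartment debuggerComp;
    Compartment debuggeeComp;
    Obj debugger{&debuggerComp};
    Obj debuggee{&debuggeeComp};
    Obj atom{&atoms};

    if (wrapped) {
        debuggerComp.crossCompartmentMap.insert(&debuggee);
    }

    std::vector<Edge> edges = {
        {&debugger, &debuggee},   // cross-compartment: safe only if wrapped
        {&debugger, &atom},       // atoms compartment: always accepted
        {&debugger, &debugger},   // same compartment: always accepted
    };
    return findUnsafeEdges(edges).size();
}

int main() {
    std::printf("unwrapped edge: %zu unsafe\n", unsafeEdgeCount(false)); // 1
    std::printf("wrapped edge:   %zu unsafe\n", unsafeEdgeCount(true));  // 0
    return 0;
}
```

The unwrapped case is exactly what trips the assertion in the real engine: the edge is reachable and correctly marked by Debugger::markCrossCompartmentEdges, but the checker has no way to know that because it only consults the CCW map.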
Comment 13

This will be fixed if we land the patch in bug 1247126.
Comment 14

We removed the tenure promotions log in bug 1247126.
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(sphink)
Resolution: --- → WORKSFORME
Comment 15 (Reporter, 2 years ago)

Resolving FIXED by bug 1247126 since the fix is known. Thanks!
Resolution: WORKSFORME → FIXED