1252103 - Assertion failure: isTenured(), at js/src/gc/Heap.h:1411 or Crash [@ js::GCMarker::markAndScan<JSString>]

Status: RESOLVED DUPLICATE of bug 1252154

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 4972f77869de (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

function foo() {
    enableTrackAllocations();
    gczeal(2, 10);
    TO = TypedObject;
    PointType = new TO.StructType({
        y: TO.float64,
        name: TO.string
    })
    LineType = new TO.StructType({
        PointType
    })
    function testBasic() new LineType;
    testBasic();
}
evaluate("foo()");



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000042a4d0 in js::gc::TenuredCell::arenaHeader (this=<optimized out>) at js/src/gc/Heap.h:1411
#0  0x000000000042a4d0 in js::gc::TenuredCell::arenaHeader (this=<optimized out>) at js/src/gc/Heap.h:1411
#1  0x00000000004dc9d8 in js::gc::TenuredCell::arenaHeader (this=<optimized out>) at js/src/gc/Heap.h:1319
#2  0x0000000000c32286 in zone (this=0xf7ca90 <JSID_EMPTY>) at js/src/gc/Heap.h:1432
#3  js::GCMarker::traverseEdge<JSObject*, JSString> (this=0x7ffff695f438, source=0x7ffff7e6c480, target=0xf7ca90 <JSID_EMPTY>) at js/src/gc/Marking.cpp:901
#4  0x0000000000c26c3d in operator()<JSString*> (this=<optimized out>, thing=<optimized out>, src=<optimized out>, gcmarker=<optimized out>) at js/src/gc/Marking.cpp:1235
#5  VisitTraceList<TraverseObjectFunctor, js::GCMarker* const, JSObject*&>(const int32_t *, uint8_t *, <unknown type in /home/decoder/LangFuzz/work/remote/builds/debug64/dist/bin/js, CU 0x4b36d61, DIE 0x4c3eecb>) (traceList=0x7ffff69044f0, memory=memory@entry=0x7ffff7e6c490 "", f=...) at js/src/gc/Marking.cpp:1295
#6  0x0000000000c38fe3 in CallTraceHook<TraverseObjectFunctor, js::GCMarker* const, JSObject*&> (check=DoChecks, obj=0x7ffff7e6c480, trc=0x7ffff695f438, f=...) at js/src/gc/Marking.cpp:1259
#7  js::GCMarker::processMarkStackTop (this=this@entry=0x7ffff695f438, budget=...) at js/src/gc/Marking.cpp:1496
#8  0x0000000000c2794d in js::GCMarker::drainMarkStack (this=this@entry=0x7ffff695f438, budget=...) at js/src/gc/Marking.cpp:1329
#9  0x00000000008e4222 in js::gc::GCRuntime::drainMarkStack (this=this@entry=0x7ffff695d430, sliceBudget=..., phase=phase@entry=js::gcstats::PHASE_MARK) at js/src/jsgc.cpp:5456
#10 0x00000000009083c0 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff695d430, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6154
#11 0x0000000000909200 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff695d430, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6415
#12 0x0000000000909741 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff695d430, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6521
#13 0x0000000000909973 in js::gc::GCRuntime::gc (this=0x7ffff695d430, gckind=<optimized out>, reason=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6579
#14 0x000000000090b02f in js::gc::GCRuntime::runDebugGC (this=this@entry=0x7ffff695d430) at js/src/jsgc.cpp:7066
#15 0x0000000000c0a1ba in js::gc::GCRuntime::gcIfNeededPerAllocation (this=this@entry=0x7ffff695d430, cx=cx@entry=0x7ffff6907800) at js/src/gc/Allocator.cpp:28
#16 0x0000000000c1765f in js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=0x7ffff695d430, cx=0x7ffff6907800, kind=js::gc::OBJECT8) at js/src/gc/Allocator.cpp:55
#17 0x0000000000c1cc51 in js::Allocate<JSObject, (js::AllowGC)1> (cx=cx@entry=0x7ffff6907800, kind=kind@entry=js::gc::OBJECT8, nDynamicSlots=0, heap=heap@entry=js::gc::TenuredHeap, clasp=clasp@entry=0x1c31520 <js::SavedFrame::class_>) at js/src/gc/Allocator.cpp:121
#18 0x0000000000927863 in JSObject::create (cx=0x7ffff6907800, kind=js::gc::OBJECT8, heap=js::gc::TenuredHeap, shape=..., group=...) at js/src/jsobjinlines.h:343
#19 0x0000000000946d9f in NewObject (cx=0x7ffff6907800, group=..., kind=js::gc::OBJECT8, newKind=js::TenuredObject, initialShapeFlags=<optimized out>) at js/src/jsobj.cpp:668
#20 0x000000000094710a in js::NewObjectWithGivenTaggedProto (cxArg=cxArg@entry=0x7ffff6907800, clasp=clasp@entry=0x1c31520 <js::SavedFrame::class_>, proto=..., allocKind=js::gc::OBJECT8, newKind=newKind@entry=js::TenuredObject, initialShapeFlags=initialShapeFlags@entry=0) at js/src/jsobj.cpp:729
#21 0x0000000000aecfb5 in NewObjectWithGivenTaggedProto (initialShapeFlags=0, newKind=js::TenuredObject, proto=..., clasp=0x1c31520 <js::SavedFrame::class_>, cx=0x7ffff6907800) at js/src/jsobjinlines.h:628
#22 NewObjectWithGivenProto (newKind=js::TenuredObject, proto=..., clasp=0x1c31520 <js::SavedFrame::class_>, cx=0x7ffff6907800) at js/src/jsobjinlines.h:663
#23 js::SavedFrame::create (cx=cx@entry=0x7ffff6907800) at js/src/vm/SavedStacks.cpp:499
#24 0x0000000000af85cf in js::SavedStacks::createFrameFromLookup (this=this@entry=0x7ffff694b8b8, cx=cx@entry=0x7ffff6907800, lookup=..., lookup@entry=...) at js/src/vm/SavedStacks.cpp:1300
#25 0x0000000000af87ce in js::SavedStacks::getOrCreateSavedFrame (this=this@entry=0x7ffff694b8b8, cx=cx@entry=0x7ffff6907800, lookup=lookup@entry=...) at js/src/vm/SavedStacks.cpp:1287
#26 0x0000000000af98a8 in js::SavedStacks::insertFrames (this=this@entry=0x7ffff694b8b8, cx=cx@entry=0x7ffff6907800, iter=..., frame=..., frame@entry=..., maxFrameCount=maxFrameCount@entry=0) at js/src/vm/SavedStacks.cpp:1195
#27 0x0000000000af9c8d in js::SavedStacks::saveCurrentStack (this=this@entry=0x7ffff694b8b8, cx=cx@entry=0x7ffff6907800, frame=frame@entry=..., maxFrameCount=maxFrameCount@entry=0) at js/src/vm/SavedStacks.cpp:1022
#28 0x0000000000af9f74 in js::SavedStacksMetadataCallback (cx=0x7ffff6907800, target=...) at js/src/vm/SavedStacks.cpp:1426
#29 0x00000000008b13b3 in JSCompartment::setNewObjectMetadata (this=0x7ffff694b800, cx=cx@entry=0x7ffff6907800, obj=..., obj@entry=...) at js/src/jscompartment.cpp:893
#30 0x0000000000927dd1 in SetNewObjectMetadata (obj=<optimized out>, cxArg=0x7ffff6907800) at js/src/jsobjinlines.h:303
#31 JSObject::create (cx=0x7ffff6907800, kind=js::gc::OBJECT0_BACKGROUND, heap=<optimized out>, shape=..., group=...) at js/src/jsobjinlines.h:377
#32 0x0000000000946d9f in NewObject (cx=0x7ffff6907800, group=..., kind=js::gc::OBJECT0_BACKGROUND, newKind=js::TenuredObject, initialShapeFlags=<optimized out>) at js/src/jsobj.cpp:668
#33 0x0000000000a3d810 in NewObjectWithGroup<js::InlineTypedObject> (newKind=<optimized out>, allocKind=js::gc::OBJECT0, group=..., cx=0x7ffff6907800) at js/src/jsobjinlines.h:770
#34 js::InlineTypedObject::create (cx=cx@entry=0x7ffff6907800, descr=descr@entry=..., heap=heap@entry=js::gc::TenuredHeap) at js/src/builtin/TypedObject.cpp:2130
#35 0x0000000000a66e26 in js::TypedObject::createZeroed (cx=cx@entry=0x7ffff6907800, descr=descr@entry=..., length=length@entry=1, heap=heap@entry=js::gc::TenuredHeap) at js/src/builtin/TypedObject.cpp:1592
#36 0x00000000006139e0 in GetTemplateObjectForClassHook (templateObject=..., args=<synthetic pointer>, hook=<optimized out>, cx=0x7ffff6907800) at js/src/jit/BaselineIC.cpp:5701
#37 js::jit::TryAttachCallStub (cx=cx@entry=0x7ffff6907800, stub=0x7ffff31b70c8, script=..., script@entry=..., pc=pc@entry=0x7ffff3196f56 "R", op=op@entry=JSOP_NEW, argc=argc@entry=0, vp=vp@entry=0x7fffffff9f58, constructing=constructing@entry=true, isSpread=isSpread@entry=false, createSingleton=createSingleton@entry=false, handled=handled@entry=0x7fffffff9c00) at js/src/jit/BaselineIC.cpp:5774
#38 0x00000000006148bd in js::jit::DoCallFallback (cx=0x7ffff6907800, frame=0x7fffffff9fa8, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffff9f58, res=...) at js/src/jit/BaselineIC.cpp:6088
#39 0x00007ffff7ff1abf in ?? ()
#40 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0xf7ca90	16239248
rcx	0x7ffff6ca588d	140737333844109
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffff8100	140737488322816
rsp	0x7fffffff8100	140737488322816
r8	0x7ffff7fdf7c0	140737354004416
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffff7ec0	140737488322240
r11	0x7ffff6c27ee0	140737333329632
r12	0x7fffffff81d0	140737488323024
r13	0x7ffff695f438	140737330410552
r14	0x7ffff7e6c480	140737352483968
r15	0x7fffffff85e0	140737488324064
rip	0x42a4d0 <js::gc::TenuredCell::arenaHeader() const+28>
=> 0x42a4d0 <js::gc::TenuredCell::arenaHeader() const+28>:	movl   $0x583,0x0
   0x42a4db <js::gc::TenuredCell::arenaHeader() const+39>:	callq  0x4a6780 <abort()>


Marking s-s because this is a GC crash. Not sure if it requires the allocation tracking to be enabled. If it requires TypedObject then it might be nighly-only.

Comment 1

[Christian Holler (:decoder)]

This bug causes hard to triage GC crashes, can we fix this quickly please?

Comment 2

[Benjamin Bouvier [:bbouvier] (inactive)]

cc'ing our gc folks.

Comment 3

[Fuzzing Team]

JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160222150752" and the hash "2bf13f9218ad117b54636a2a878ad9464d33f7e3".
The "bad" changeset has the timestamp "20160222151850" and the hash "e6abb35f9fb9339241aca3a8ec255b16636d80d7".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=2bf13f9218ad117b54636a2a878ad9464d33f7e3&tochange=e6abb35f9fb9339241aca3a8ec255b16636d80d7

Comment 4

[Andrew McCreight [:mccr8]]

Patches in comment 3 are by jimb.

Comment 5

[Jim Blandy :jimb]

Possible dup of bug 1252154? I'll analyze.

Comment 6

[Jim Blandy :jimb]

The patch in bug 1252154 also fixes this bug. I'm including comment 0's test case in that bug's patch.