1324512 - Assertion failure: CurrentThreadCanAccessZone(zone), at js/src/gc/Heap.h:1268 with Worker

Status: RESOLVED DUPLICATE of bug 1328251

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 863c2b61bd27 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe):

evalInWorker(`
    try {
      gczeal(2,1);
      throw new Error();
    } catch (e) {
      assertEq("" + e, "Error");
    }
`);



Backtrace:

 received signal SIGSEGV, Segmentation fault.
#0  js::gc::TenuredCell::zone (this=<optimized out>) at js/src/gc/Heap.h:1268
#1  0x0000000000df5cb4 in MustSkipMarking<JSObject*> (obj=0x7ffff063f790) at js/src/gc/Marking.cpp:763
#2  DoMarking<JSObject> (gcmarker=0x7ffff031ce50, thing=0x7ffff063f790) at js/src/gc/Marking.cpp:793
#3  0x0000000000e30984 in TraceExactStackRootList<JSObject*, js::TraceNullableRoot<JSObject*> > (name=0x117c2ac "exact-Object", rooter=0x7ffff01fdd80, trc=0x7ffff031ce50) at js/src/gc/RootMarking.cpp:63
#4  TraceStackRoots (trc=trc@entry=0x7ffff031ce50, stackRoots=...) at js/src/gc/RootMarking.cpp:73
#5  0x0000000000e36c58 in TraceExactStackRoots (trc=0x7ffff031ce50, rt=0x7ffff031a208) at js/src/gc/RootMarking.cpp:92
#6  js::gc::GCRuntime::traceRuntimeCommon (this=this@entry=0x7ffff031aaa8, trc=trc@entry=0x7ffff031ce50, traceOrMark=traceOrMark@entry=js::gc::GCRuntime::MarkRuntime, lock=...) at js/src/gc/RootMarking.cpp:343
#7  0x0000000000e3720a in js::gc::GCRuntime::traceRuntimeForMajorGC (this=0x7ffff031aaa8, trc=0x7ffff031ce50, lock=...) at js/src/gc/RootMarking.cpp:268
#8  0x00000000009798e3 in js::gc::GCRuntime::beginMarkPhase (this=this@entry=0x7ffff031aaa8, reason=reason@entry=JS::gcreason::DEBUG_GC, lock=...) at js/src/jsgc.cpp:3915
#9  0x000000000098dab9 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff031aaa8, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC, lock=...) at js/src/jsgc.cpp:5838
#10 0x000000000098f238 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff031aaa8, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6184
#11 0x000000000098fabf in js::gc::GCRuntime::collect (this=0x7ffff031aaa8, nonincrementalByAPI=<optimized out>, budget=..., reason=<optimized out>) at js/src/jsgc.cpp:6338
#12 0x0000000000990ba4 in js::gc::GCRuntime::gc (reason=<optimized out>, gckind=<optimized out>, this=<optimized out>) at js/src/jsgc.cpp:6399
#13 js::gc::GCRuntime::runDebugGC (this=this@entry=0x7ffff031aaa8) at js/src/jsgc.cpp:6810
#14 0x0000000000dd2e58 in js::gc::GCRuntime::gcIfNeededPerAllocation (this=this@entry=0x7ffff031aaa8, cx=cx@entry=0x7ffff031a000) at js/src/gc/Allocator.cpp:227
#15 0x0000000000de8319 in js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=0x7ffff031aaa8, cx=0x7ffff031a000, kind=js::gc::AllocKind::OBJECT4) at js/src/gc/Allocator.cpp:188
#16 0x0000000000df4c73 in js::Allocate<JSObject, (js::AllowGC)1> (cx=cx@entry=0x7ffff031a000, kind=kind@entry=js::gc::AllocKind::OBJECT4, nDynamicSlots=0, heap=heap@entry=js::gc::TenuredHeap, clasp=clasp@entry=0x20070a0 <js::ScriptSourceObject::class_>) at js/src/gc/Allocator.cpp:47
#17 0x0000000000998e27 in JSObject::create (cx=0x7ffff031a000, kind=js::gc::AllocKind::OBJECT4, heap=js::gc::TenuredHeap, shape=..., group=...) at js/src/jsobjinlines.h:378
#18 0x00000000009c2da8 in NewObject (cx=0x7ffff031a000, group=..., kind=js::gc::AllocKind::OBJECT4, newKind=js::GenericObject, initialShapeFlags=<optimized out>) at js/src/jsobj.cpp:650
#19 0x00000000009c34d9 in js::NewObjectWithGivenTaggedProto (cxArg=cxArg@entry=0x7ffff031a000, clasp=clasp@entry=0x20070a0 <js::ScriptSourceObject::class_>, proto=proto@entry=..., allocKind=js::gc::AllocKind::OBJECT4, newKind=newKind@entry=js::GenericObject, initialShapeFlags=initialShapeFlags@entry=0) at js/src/jsobj.cpp:708
#20 0x0000000000a1657d in js::NewObjectWithGivenTaggedProto (initialShapeFlags=0, newKind=js::GenericObject, proto=..., clasp=0x20070a0 <js::ScriptSourceObject::class_>, cx=0x7ffff031a000) at js/src/jsobjinlines.h:661
#21 js::NewObjectWithGivenProto (newKind=js::GenericObject, proto=..., clasp=0x20070a0 <js::ScriptSourceObject::class_>, cx=0x7ffff031a000) at js/src/jsobjinlines.h:696
#22 js::ScriptSourceObject::create (cx=cx@entry=0x7ffff031a000, source=source@entry=0x7ffff03e1f20) at js/src/jsscript.cpp:1341
#23 0x0000000000af196f in js::frontend::CreateScriptSourceObject (cx=0x7ffff031a000, options=..., parameterListEnd=...) at js/src/frontend/BytecodeCompiler.cpp:500
#24 0x0000000000a10eec in CreateEmptyScriptForClone (cx=0x7ffff031a000, src=src@entry=...) at js/src/jsscript.cpp:3360
#25 0x0000000000a12ee8 in js::CloneScriptIntoFunction (cx=cx@entry=0x7ffff031a000, enclosingScope=..., enclosingScope@entry=..., fun=..., fun@entry=..., src=src@entry=...) at js/src/jsscript.cpp:3410
#26 0x0000000000bd70f1 in JSRuntime::cloneSelfHostedFunctionScript (this=<optimized out>, cx=0x7ffff031a000, name=..., name@entry=..., targetFun=targetFun@entry=...) at js/src/vm/SelfHosting.cpp:3062
#27 0x000000000096efda in JSFunction::createScriptForLazilyInterpretedFunction (cx=0x7ffff031a000, fun=fun@entry=...) at js/src/jsfun.cpp:1481
#28 0x0000000000463358 in JSFunction::getOrCreateScript (cx=<optimized out>, fun=...) at js/src/jsfun.h:419
#29 0x0000000000b64f16 in js::InternalCallOrConstruct (cx=0x7ffff031a000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:460
#30 0x0000000000b65256 in InternalCall (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:502
#31 0x0000000000b653ce in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:521
#32 0x00000000009b5d33 in js::Call (rval=..., thisObj=<optimized out>, fval=..., cx=0x7ffff031a000) at js/src/vm/Interpreter.h:96
#33 MaybeCallMethod (cx=<optimized out>, obj=..., obj@entry=..., id=..., id@entry=..., vp=vp@entry=...) at js/src/jsobj.cpp:2979
#34 0x00000000009b95f5 in JS::OrdinaryToPrimitive (cx=0x7ffff031a000, obj=obj@entry=..., hint=hint@entry=JSTYPE_VOID, vp=vp@entry=...) at js/src/jsobj.cpp:3062
#35 0x00000000009b9a21 in js::ToPrimitiveSlow (cx=cx@entry=0x7ffff031a000, preferredType=preferredType@entry=JSTYPE_VOID, vp=..., vp@entry=...) at js/src/jsobj.cpp:3110
#36 0x0000000000b4be0d in js::ToPrimitive (vp=..., cx=0x7ffff031a000) at js/src/jsobj.h:1054
#37 AddOperation (cx=0x7ffff031a000, lhs=..., rhs=..., res=...) at js/src/vm/Interpreter.cpp:1379
#38 0x0000000000b5aa00 in Interpret (cx=0x7ffff031a000, state=...) at js/src/vm/Interpreter.cpp:2399
[...]
#44 0x000000000046000b in WorkerMain (arg=0x7ffff0237d60) at js/src/shell/js.cpp:3342
[...]
rax	0x2030520	33752352
rbx	0x7ffff6996000	140737330634752
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x119a448	18457672
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7ffff01fd0d0	140737222004944
rsp	0x7ffff01fd0c0	140737222004928
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff01ff700	140737222014720
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7ffff031ce50	140737223183952
r13	0x7ffff0336010	140737223286800
r14	0x7ffff031aaa8	140737223174824
r15	0x7ffff031a208	140737223172616
rip	0x5016d9 <js::gc::TenuredCell::zone() const+457>
=> 0x5016d9 <js::gc::TenuredCell::zone() const+457>:	movl   $0x0,0x0
   0x5016e4 <js::gc::TenuredCell::zone() const+468>:	ud2    


This looks a bit like bug 1311060 but I'm not entirely sure. Marking s-s for that reason and because the assertion looks potentially dangerous.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

This seems to go back past m-c rev dc4b163f7db7 in Nov 2014, so since this seems to involve GC, setting needinfo? from :jonco as a start.

Comment 2

[Jon Coppeard (:jonco)]

This is the same issue as bug 1328251.

Comment 3

[Liz Henry (:lizzard) (relman/hg->git project)]

Fixed in the duplicate (all the way up to 51)