Assertion failure: zone->gcZoneGroupEdges().empty(), at js/src/jsgc.cpp:4547 with enableShellAllocationMetadataBuilder

Status: RESOLVED DUPLICATE of bug 1338383
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 9 months ago
Modified: 8 months ago

People: Reporter: decoder; Assignee: Unassigned

Tracking: Blocks 1 bug, 4 keywords
Version: Trunk
Platform: x86 Linux
Keywords: assertion, jsbugmon, regression, testcase

Firefox Tracking Flags: firefox51 unaffected, firefox52 unaffected, firefox53 unaffected, firefox54 fixed

Whiteboard: [jsbugmon:update,bisect]

Description (decoder, Reporter, 9 months ago)

The following testcase crashes on mozilla-central revision 47391e531350 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --no-threads --disable-oom-functions --baseline-eager):

// Global array; "x + 1" below forces ToPrimitive on it, which calls
// Array.prototype.join (see js::array_join in the backtrace).
x = [];
// Define a data property on the global object.
Object.defineProperty(this, "y", {});
// Shell-only: install an allocation metadata builder so every GC allocation
// records metadata, which changes the allocation pattern during GC.
enableShellAllocationMetadataBuilder();
// Second global (a separate compartment), holding a live array iterator.
var g = newGlobal();
g.eval(`var it = [3, 2][Symbol.iterator]();`);
// GC zeal mode 8 with frequency 1: run a debug incremental GC slice on
// every allocation (gcIfNeededPerAllocation -> runDebugGC in the backtrace).
gczeal(8, 1);
// Unbounded recursion: the over-recursion error is raised inside array_join,
// and allocating the error message string triggers the debug GC that asserts
// in findZoneGroups.
function recurse(target) {
    recurse(x + 1);
};
recurse(0);


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x085b844a in js::gc::GCRuntime::findZoneGroups (this=0xf7131380, lock=...) at js/src/jsgc.cpp:4547
#1  0x085cd851 in js::gc::GCRuntime::beginSweepPhase (this=0xf7131380, destroyingRuntime=false, lock=...) at js/src/jsgc.cpp:5275
#2  0x085d3eb4 in js::gc::GCRuntime::incrementalCollectSlice (this=0xf7131380, budget=..., reason=JS::gcreason::DEBUG_GC, lock=...) at js/src/jsgc.cpp:6004
#3  0x085d549e in js::gc::GCRuntime::gcCycle (this=0xf7131380, nonincrementalByAPI=false, budget=..., reason=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6303
#4  0x085d5c2d in js::gc::GCRuntime::collect (this=0xf7131380, nonincrementalByAPI=false, budget=..., reason=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6447
#5  0x085d77b4 in js::gc::GCRuntime::runDebugGC (this=0xf7131380) at js/src/jsgc.cpp:6982
#6  0x08919c9c in js::gc::GCRuntime::gcIfNeededPerAllocation (this=0xf7131380, cx=0xf7146800) at js/src/gc/Allocator.cpp:230
#7  0x089248e0 in js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=0xf7131380, cx=0xf7146800, kind=js::gc::AllocKind::STRING) at js/src/gc/Allocator.cpp:191
#8  0x08927972 in js::Allocate<JSString, (js::AllowGC)1> (cx=0xf7146800) at js/src/gc/Allocator.cpp:142
#9  0x088087ed in JSFlatString::new_<(js::AllowGC)1, unsigned char> (cx=0xf7146800, chars=0xf5f0f0c0 "driver.js line 74 > Function", length=28) at js/src/vm/String-inl.h:228
#10 0x08808ac1 in js::NewStringCopyNDontDeflate<(js::AllowGC)1, unsigned char> (cx=0xf7146800, s=0xf5f74a40 "driver.js line 74 > Function", n=28) at js/src/vm/String.cpp:1323
#11 0x0852ece9 in js::NewStringCopyN<(js::AllowGC)1> (n=<optimized out>, s=0xf5f74a40 "driver.js line 74 > Function", cx=0xf7146800) at js/src/vm/String.h:1273
#12 js::NewStringCopyZ<(js::AllowGC)1> (s=0xf5f74a40 "driver.js line 74 > Function", cx=0xf7146800) at js/src/vm/String.h:1293
#13 JS_NewStringCopyZ (cx=0xf7146800, s=0xf5f74a40 "driver.js line 74 > Function") at js/src/jsapi.cpp:5063
#14 0x0856942c in js::ErrorToException (cx=0xf7146800, reportp=0xffac3e44, callback=<optimized out>, userRef=0x0) at js/src/jsexn.cpp:613
#15 0x085696e5 in ReportError (cx=<optimized out>, reportp=<optimized out>, callback=<optimized out>, userRef=0x0) at js/src/jscntxt.cpp:248
#16 0x08570450 in js::ReportErrorNumberVA (cx=0xf7146800, flags=0, callback=0x855c730 <js::GetErrorMessage(void*, unsigned int)>, userRef=0x0, errorNumber=112, argumentsType=js::ArgumentsAreASCII, ap=0xffac3f00 "\364_\316\b\310@\254\377(?\254\377n\r\a\b") at js/src/jscntxt.cpp:758
#17 0x085313c6 in JS_ReportErrorNumberASCIIVA (cx=0xf7146800, errorCallback=0x855c730 <js::GetErrorMessage(void*, unsigned int)>, userRef=0x0, errorNumber=112, ap=0xffac3f00 "\364_\316\b\310@\254\377(?\254\377n\r\a\b") at js/src/jsapi.cpp:5717
#18 0x08531407 in JS_ReportErrorNumberASCII (cx=0xf7146800, errorCallback=0x855c730 <js::GetErrorMessage(void*, unsigned int)>, userRef=0x0, errorNumber=112) at js/src/jsapi.cpp:5706
#19 0x08561d87 in js::ReportOverRecursed (maybecx=0xf7146800, errorNumber=112) at js/src/jscntxt.cpp:336
#20 0x08070d6e in js::ReportOverRecursed (maybecx=0xf7146800) at js/src/jscntxt.cpp:347
#21 0x0812285e in js::array_join (cx=0xf7146800, argc=0, vp=0xffac40c8) at js/src/jsarray.cpp:1164
#22 0x47b766a8 in ?? ()
#23 0x082e5a1d in EnterIon (data=..., cx=0x1444) at js/src/jit/Ion.cpp:2890
#24 js::jit::IonCannon (cx=0xf7146800, state=...) at js/src/jit/Ion.cpp:2987
#25 0x08166c84 in js::RunScript (cx=0xf7146800, state=...) at js/src/vm/Interpreter.cpp:389
#26 0x08166f47 in js::InternalCallOrConstruct (cx=0xf7146800, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:481
#27 0x0816719d in InternalCall (cx=cx@entry=0xf7146800, args=...) at js/src/vm/Interpreter.cpp:508
#28 0x0816732b in js::Call (cx=0xf7146800, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:527
#29 0x085edbbb in js::Call (cx=0xf7146800, fval=..., thisObj=0xf64d21f0, rval=...) at js/src/vm/Interpreter.h:96
#30 0x085b14b7 in MaybeCallMethod (cx=cx@entry=0xf7146800, obj=obj@entry=..., id=..., id@entry=..., vp=...) at js/src/jsobj.cpp:2975
#31 0x085b165b in JS::OrdinaryToPrimitive (cx=0xf7146800, obj=..., hint=JSTYPE_UNDEFINED, vp=...) at js/src/jsobj.cpp:3058
#32 0x085b1b12 in js::ToPrimitiveSlow (cx=0xf7146800, preferredType=JSTYPE_UNDEFINED, vp=...) at js/src/jsobj.cpp:3106
#33 0x0815613f in js::ToPrimitive (vp=..., cx=0xf7146800) at js/src/jsobj.h:1054
#34 AddOperation (cx=0xf7146800, lhs=lhs@entry=..., rhs=..., rhs@entry=..., res=...) at js/src/vm/Interpreter.cpp:1414
#35 0x08156368 in js::AddValues (cx=<optimized out>, lhs=..., rhs=..., res=...) at js/src/vm/Interpreter.cpp:4602
#36 0x08420f84 in js::jit::DoBinaryArithFallback (cx=0xf7146800, payload=0x0, stub_=0xf618c028, lhs=..., rhs=..., ret=...) at js/src/jit/SharedIC.cpp:711
[...]
#44 0x082064fc in EnterBaseline (cx=0x47b77734, cx@entry=0xf7146800, data=...) at js/src/jit/BaselineJIT.cpp:160
#45 0x0822380d in js::jit::EnterBaselineMethod (cx=0xf7146800, state=...) at js/src/jit/BaselineJIT.cpp:198
#46 0x08166c28 in js::RunScript (cx=0xf7146800, state=...) at js/src/vm/Interpreter.cpp:399
#47 0x08166f47 in js::InternalCallOrConstruct (cx=0xf7146800, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:481
#48 0x0816719d in InternalCall (cx=cx@entry=0xf7146800, args=...) at js/src/vm/Interpreter.cpp:508
#49 0x081672ef in js::CallFromStack (cx=0xf7146800, args=...) at js/src/vm/Interpreter.cpp:514
#50 0x0822a33b in js::jit::DoCallFallback (cx=0xf7146800, frame=0xffbc1f98, stub_=0xf5f35140, argc=1, vp=0xffbc1f58, res=...) at js/src/jit/BaselineIC.cpp:2500
[...]
#54 0x082064fc in EnterBaseline (cx=0x47b7257e, cx@entry=0xf7146800, data=...) at js/src/jit/BaselineJIT.cpp:160
#55 0x0822380d in js::jit::EnterBaselineMethod (cx=0xf7146800, state=...) at js/src/jit/BaselineJIT.cpp:198
#56 0x08166c28 in js::RunScript (cx=0xf7146800, state=...) at js/src/vm/Interpreter.cpp:399
#57 0x08166f47 in js::InternalCallOrConstruct (cx=0xf7146800, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:481
#58 0x0816719d in InternalCall (cx=cx@entry=0xf7146800, args=...) at js/src/vm/Interpreter.cpp:508
#59 0x081672ef in js::CallFromStack (cx=0xf7146800, args=...) at js/src/vm/Interpreter.cpp:514
#60 0x0822a33b in js::jit::DoCallFallback (cx=0xf7146800, frame=0xffbc2688, stub_=0xf5f73150, argc=1, vp=0xffbc2640, res=...) at js/src/jit/BaselineIC.cpp:2500
[...]
#64 0x082064fc in EnterBaseline (cx=0x47c4484a, cx@entry=0xf7146800, data=...) at js/src/jit/BaselineJIT.cpp:160
#65 0x0822380d in js::jit::EnterBaselineMethod (cx=0xf7146800, state=...) at js/src/jit/BaselineJIT.cpp:198
#66 0x08166c28 in js::RunScript (cx=0xf7146800, state=...) at js/src/vm/Interpreter.cpp:399
#67 0x08166f47 in js::InternalCallOrConstruct (cx=0xf7146800, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:481
#68 0x0816719d in InternalCall (cx=cx@entry=0xf7146800, args=...) at js/src/vm/Interpreter.cpp:508
#69 0x081672ef in js::CallFromStack (cx=0xf7146800, args=...) at js/src/vm/Interpreter.cpp:514
#70 0x0822a33b in js::jit::DoCallFallback (cx=0xf7146800, frame=0xffbc2d48, stub_=0xf60583d0, argc=0, vp=0xffbc2d18, res=...) at js/src/jit/BaselineIC.cpp:2500
[...]
#75 0x47ae2c66 in ?? ()
eax	0x0	0
ebx	0x8ce5ff4	147742708
ecx	0xf750e864	-145692572
edx	0x0	0
esi	0xffac37ec	-5490708
edi	0x1	1
ebp	0xffac3828	4289476648
esp	0xffac37a0	4289476512
eip	0x85b844a <js::gc::GCRuntime::findZoneGroups(js::AutoLockForExclusiveAccess&)+1402>
=> 0x85b844a <js::gc::GCRuntime::findZoneGroups(js::AutoLockForExclusiveAccess&)+1402>:	movl   $0x0,0x0
   0x85b8454 <js::gc::GCRuntime::findZoneGroups(js::AutoLockForExclusiveAccess&)+1412>:	ud2  


This bug seems to be very sensitive to allocations. It also only reproduced well for me on the SCL3 servers which have more CPU cores than the EC2 instances we use. Try using the exact revision if you cannot reproduce the bug.

Updated 9 months ago:
status-firefox51: --- → unaffected
status-firefox52: --- → unaffected
status-firefox53: --- → unaffected

Updated 9 months ago:
Status: NEW → RESOLVED
Last Resolved: 9 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1338383

Comment 2 (8 months ago)

FF54 was verified in bug 1338383. Mark 54 fixed here.
status-firefox54: affected → fixed