Closed Bug 1357070 Opened 8 years ago Closed 8 years ago

Assertion failure: ThingIsPermanentAtomOrWellKnownSymbol(thing) || thing->zoneFromAnyThread()->isSelfHostingZone(), at js/src/gc/Marking.cpp:185 with Profiler

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox55 --- affected

People

(Reporter: decoder, Unassigned)

References

Details

(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:])

The following testcase crashes on mozilla-central revision ce69b6e1773e (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

lfLogBuffer = `
function loop(f) f();
Function.prototype.toString = function () loop(this);
function f() getBacktrace({ thisprops: true })
f()
`;
lfPreamble = `
readline = {}
stackDump = function() {}
decompileThis = function() {}
help = function() {}
disassemble = function() {}
dis = function() {}
dumpHeap = function() {}
dumpGCArenaInfo = function() {}
`
lfAccumulatedCode = lfPreamble;
while (true) {
  line = lfLogBuffer;
  lfCodeBuffer = line;
  loadFile(lfCodeBuffer);
  function loadFile(lfVarx) {
    evalInWorker(lfAccumulatedCode)
    lfAccumulatedCode += "try { evaluate(`\n" + lfVarx + "\n`) } catch(exc) {}\n"
  }
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff40ff700 (LWP 19935)]
0x000000000043698d in IsOwnedByOtherRuntime<js::ObjectGroup*> (thing=<optimized out>, rt=<optimized out>) at js/src/gc/Marking.cpp:183
#0  0x000000000043698d in IsOwnedByOtherRuntime<js::ObjectGroup*> (thing=<optimized out>, rt=<optimized out>) at js/src/gc/Marking.cpp:183
#1  0x0000000000ded8cd in IsOwnedByOtherRuntime<js::RegExpShared*> (rt=0x7ffff69b8000, thing=thing@entry=0x7fffbc90a9c0) at js/src/gc/Marking.cpp:187
#2  0x0000000000e03de4 in js::CheckTracedThing<JSScript> (trc=trc@entry=0x7ffff40feae8, thing=0x7fffbc90a9c0) at js/src/gc/Marking.cpp:213
#3  0x0000000000e2fc7f in DoCallback<JSScript*> (trc=0x7ffff40feae0, thingp=thingp@entry=0x7ffff40fe990, name=name@entry=0x1111452 "ProfileEntry script") at js/src/gc/Tracer.cpp:49
#4  0x0000000000e0e0c6 in DispatchToTracer<JSScript*> (trc=trc@entry=0x7ffff40feae8, thingp=thingp@entry=0x7ffff40fe990, name=name@entry=0x1111452 "ProfileEntry script") at js/src/gc/Marking.cpp:693
#5  0x0000000000e0e23a in js::TraceNullableRoot<JSScript*> (trc=trc@entry=0x7ffff40feae8, thingp=thingp@entry=0x7ffff40fe990, name=name@entry=0x1111452 "ProfileEntry script") at js/src/gc/Marking.cpp:522
#6  0x0000000000b42367 in js::ProfileEntry::trace (trc=0x7ffff40feae8, this=0x7ffff4522228) at js/src/vm/GeckoProfiler.cpp:422
#7  js::GeckoProfiler::trace (this=0x7ffff69b8258, trc=trc@entry=0x7ffff40feae8) at js/src/vm/GeckoProfiler.cpp:380
#8  0x0000000000e2277b in js::gc::GCRuntime::traceRuntimeCommon (this=this@entry=0x7ffff69b86f8, trc=trc@entry=0x7ffff40feae8, traceOrMark=traceOrMark@entry=js::gc::GCRuntime::TraceRuntime, lock=...) at js/src/gc/RootMarking.cpp:367
#9  0x0000000000e22c54 in js::gc::GCRuntime::traceRuntime (this=0x7ffff69b86f8, trc=0x7ffff40feae8, lock=...) at js/src/gc/RootMarking.cpp:306
#10 0x0000000000e22fd5 in js::gc::GCRuntime::finishRoots (this=this@entry=0x7ffff69b86f8) at js/src/gc/RootMarking.cpp:436
#11 0x0000000000bbdb20 in JSRuntime::destroyRuntime (this=this@entry=0x7ffff69b8000) at js/src/vm/Runtime.cpp:308
#12 0x000000000095141c in js::DestroyContext (cx=0x7ffff4343000) at js/src/jscntxt.cpp:229
#13 0x00000000004635dd in <lambda()>::operator() (__closure=0x7ffff40fecf0) at js/src/shell/js.cpp:3563
#14 mozilla::ScopeExit<WorkerMain(void*)::<lambda()> >::~ScopeExit (this=<optimized out>, __in_chrg=<optimized out>) at mozilla/ScopeExit.h:112
#15 WorkerMain (arg=<optimized out>) at js/src/shell/js.cpp:3575
#16 0x0000000000465a62 in js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::callMain<0ul> (this=0x7ffff691e1f0) at js/src/threading/Thread.h:234
#17 js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::Start (aPack=0x7ffff691e1f0) at js/src/threading/Thread.h:227
#18 0x00007ffff7bc16fa in start_thread (arg=0x7ffff40ff700) at pthread_create.c:333
#19 0x00007ffff6c38b5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

rax 0x0 0
rbx 0x7ffff69b8000 140737330774016
rcx 0x7ffff6c28a2d 140737333332525
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7ffff40fe8c0 140737288071360
rsp 0x7ffff40fe8c0 140737288071360
r8  0x7ffff6ef7770 140737336276848
r9  0x7ffff40ff700 140737288075008
r10 0x0 0
r11 0x0 0
r12 0x7fffbc90a9c0 140736356985280
r13 0x1111401 17896449
r14 0x3e8 1000
r15 0x7ffff69b8258 140737330774616
rip 0x43698d <IsOwnedByOtherRuntime<js::ObjectGroup*>(js::ObjectGroup*, JSRuntime*)+28>
=> 0x43698d <IsOwnedByOtherRuntime<js::ObjectGroup*>(js::ObjectGroup*, JSRuntime*)+28>: movl $0x0,0x0
   0x436998 <IsOwnedByOtherRuntime<js::ObjectGroup*>(js::ObjectGroup*, JSRuntime*)+39>: ud2

This is very likely shell-only and the testcase is probably calling enableGeckoProfiling. Produced several hard-to-reproduce crashes, though, with different signatures, so marking as fuzzblocker.
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151218124430" and the hash "dd319db81bb855825d851b344fd2da070f1a7e74".
The "bad" changeset has the timestamp "20151218131930" and the hash "c7a3d4a1a2f817865caeb0004f918d77c728f91e".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=dd319db81bb855825d851b344fd2da070f1a7e74&tochange=c7a3d4a1a2f817865caeb0004f918d77c728f91e
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/001519eae1c8
user: Shu-yu Guo
date: Fri Dec 18 13:18:19 2015 -0800
summary: Bug 1071646 - Make functions block-scoped in JS and implement Annex B semantics for compatibility. (r=jorendorff)

Shu-yu, is bug 1071646 a likely regressor?
Flags: needinfo?(shu)
I don't know what this is, will look next week.
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Shu, any ideas?
Flags: needinfo?(shu)
(oops)
Flags: needinfo?(shu)
I can't reproduce this on my machine. I let it run for a bit and it seems to keep printing "Mutator: ..." lines. :decoder, is this intermittent? How long does it take on the fuzzing machines to crash?
Flags: needinfo?(shu)
(In reply to Shu-yu Guo [:shu] from comment #7)
> I can't reproduce this on my machine. I let it run for a bit and it seems to
> keep printing "Mutator: ..." lines.
>
> :decoder, is this intermittent? How long does it take on the fuzzing
> machines to crash?

I tried reproducing this on tip and it seems to be gone. I can't tell how frequent it was on the fuzzing machines because we had more than one signature, but I tried the ones that match this particular signature and they are all from May. I assume it was fixed by another bug that we fixed around that time (we had multiple bugs open related to evalInWorker), so marking as fixed.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Resolution: FIXED → WORKSFORME