Bug 1357070 - Assertion failure: ThingIsPermanentAtomOrWellKnownSymbol(thing) || thing->zoneFromAnyThread()->isSelfHostingZone(), at js/src/gc/Marking.cpp:185 with Profiler
Status: Closed, RESOLVED WORKSFORME
Opened 8 years ago, closed 8 years ago
Categories: Core :: JavaScript Engine, defect

 | Tracking | Status
---|---|---
firefox55 | --- | affected

People: Reporter: decoder, Unassigned
Whiteboard: [fuzzblocker] [jsbugmon:]
The following testcase crashes on mozilla-central revision ce69b6e1773e (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):
// Testcase for the SpiderMonkey JS shell; it relies on shell-only builtins
// (evalInWorker, evaluate, getBacktrace) and legacy expression-closure syntax.
lfLogBuffer = `
function loop(f) f();
Function.prototype.toString = function () loop(this);
function f()
getBacktrace({ thisprops: true })
f()
`;
// Stub out shell helpers so the replayed code does not fail on them.
lfPreamble = `
readline = {}
stackDump = function() {}
decompileThis = function() {}
help = function() {}
disassemble = function() {}
dis = function() {}
dumpHeap = function() {}
dumpGCArenaInfo = function() {}
`
lfAccumulatedCode = lfPreamble;
// Each iteration spawns a worker that replays everything accumulated so far,
// then appends this iteration's snippet for the next worker to run.
while (true) {
line = lfLogBuffer;
lfCodeBuffer = line;
loadFile(lfCodeBuffer);
function loadFile(lfVarx) {
evalInWorker(lfAccumulatedCode)
lfAccumulatedCode += "try { evaluate(`\n" + lfVarx + "\n`) } catch(exc) {}\n"
}
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff40ff700 (LWP 19935)]
0x000000000043698d in IsOwnedByOtherRuntime<js::ObjectGroup*> (thing=<optimized out>, rt=<optimized out>) at js/src/gc/Marking.cpp:183
#0 0x000000000043698d in IsOwnedByOtherRuntime<js::ObjectGroup*> (thing=<optimized out>, rt=<optimized out>) at js/src/gc/Marking.cpp:183
#1 0x0000000000ded8cd in IsOwnedByOtherRuntime<js::RegExpShared*> (rt=0x7ffff69b8000, thing=thing@entry=0x7fffbc90a9c0) at js/src/gc/Marking.cpp:187
#2 0x0000000000e03de4 in js::CheckTracedThing<JSScript> (trc=trc@entry=0x7ffff40feae8, thing=0x7fffbc90a9c0) at js/src/gc/Marking.cpp:213
#3 0x0000000000e2fc7f in DoCallback<JSScript*> (trc=0x7ffff40feae0, thingp=thingp@entry=0x7ffff40fe990, name=name@entry=0x1111452 "ProfileEntry script") at js/src/gc/Tracer.cpp:49
#4 0x0000000000e0e0c6 in DispatchToTracer<JSScript*> (trc=trc@entry=0x7ffff40feae8, thingp=thingp@entry=0x7ffff40fe990, name=name@entry=0x1111452 "ProfileEntry script") at js/src/gc/Marking.cpp:693
#5 0x0000000000e0e23a in js::TraceNullableRoot<JSScript*> (trc=trc@entry=0x7ffff40feae8, thingp=thingp@entry=0x7ffff40fe990, name=name@entry=0x1111452 "ProfileEntry script") at js/src/gc/Marking.cpp:522
#6 0x0000000000b42367 in js::ProfileEntry::trace (trc=0x7ffff40feae8, this=0x7ffff4522228) at js/src/vm/GeckoProfiler.cpp:422
#7 js::GeckoProfiler::trace (this=0x7ffff69b8258, trc=trc@entry=0x7ffff40feae8) at js/src/vm/GeckoProfiler.cpp:380
#8 0x0000000000e2277b in js::gc::GCRuntime::traceRuntimeCommon (this=this@entry=0x7ffff69b86f8, trc=trc@entry=0x7ffff40feae8, traceOrMark=traceOrMark@entry=js::gc::GCRuntime::TraceRuntime, lock=...) at js/src/gc/RootMarking.cpp:367
#9 0x0000000000e22c54 in js::gc::GCRuntime::traceRuntime (this=0x7ffff69b86f8, trc=0x7ffff40feae8, lock=...) at js/src/gc/RootMarking.cpp:306
#10 0x0000000000e22fd5 in js::gc::GCRuntime::finishRoots (this=this@entry=0x7ffff69b86f8) at js/src/gc/RootMarking.cpp:436
#11 0x0000000000bbdb20 in JSRuntime::destroyRuntime (this=this@entry=0x7ffff69b8000) at js/src/vm/Runtime.cpp:308
#12 0x000000000095141c in js::DestroyContext (cx=0x7ffff4343000) at js/src/jscntxt.cpp:229
#13 0x00000000004635dd in <lambda()>::operator() (__closure=0x7ffff40fecf0) at js/src/shell/js.cpp:3563
#14 mozilla::ScopeExit<WorkerMain(void*)::<lambda()> >::~ScopeExit (this=<optimized out>, __in_chrg=<optimized out>) at mozilla/ScopeExit.h:112
#15 WorkerMain (arg=<optimized out>) at js/src/shell/js.cpp:3575
#16 0x0000000000465a62 in js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::callMain<0ul> (this=0x7ffff691e1f0) at js/src/threading/Thread.h:234
#17 js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::Start (aPack=0x7ffff691e1f0) at js/src/threading/Thread.h:227
#18 0x00007ffff7bc16fa in start_thread (arg=0x7ffff40ff700) at pthread_create.c:333
#19 0x00007ffff6c38b5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rip 0x43698d <IsOwnedByOtherRuntime<js::ObjectGroup*>(js::ObjectGroup*, JSRuntime*)+28>
=> 0x43698d <IsOwnedByOtherRuntime<js::ObjectGroup*>(js::ObjectGroup*, JSRuntime*)+28>: movl $0x0,0x0
0x436998 <IsOwnedByOtherRuntime<js::ObjectGroup*>(js::ObjectGroup*, JSRuntime*)+39>: ud2
This is very likely shell-only and the testcase is probably calling enableGeckoProfiling. Produced several hard-to-reproduce crashes though with different signatures, so marking as fuzzblocker.
Updated • 8 years ago
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]

Comment 1 • 8 years ago
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20151218124430" and the hash "dd319db81bb855825d851b344fd2da070f1a7e74".
The "bad" changeset has the timestamp "20151218131930" and the hash "c7a3d4a1a2f817865caeb0004f918d77c728f91e".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=dd319db81bb855825d851b344fd2da070f1a7e74&tochange=c7a3d4a1a2f817865caeb0004f918d77c728f91e
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/001519eae1c8
user: Shu-yu Guo
date: Fri Dec 18 13:18:19 2015 -0800
summary: Bug 1071646 - Make functions block-scoped in JS and implement Annex B semantics for compatibility. (r=jorendorff)
Shu-yu, is bug 1071646 a likely regressor?
Flags: needinfo?(shu)
Comment 3 • 8 years ago
I don't know what this is, will look next week.
Updated • 8 years ago
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:]

Comment 4 • 8 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Comment 7 • 8 years ago
I can't reproduce this on my machine. I let it run for a bit and it seems to keep printing "Mutator: ..." lines.
:decoder, is this intermittent? How long does it take on the fuzzing machines to crash?
Flags: needinfo?(shu)
Comment 8 • 8 years ago (Reporter)
(In reply to Shu-yu Guo [:shu] from comment #7)
> I can't reproduce this on my machine. I let it run for a bit and it seems to
> keep printing "Mutator: ..." lines.
>
> :decoder, is this intermittent? How long does it take on the fuzzing
> machines to crash?
I tried reproducing this on tip and it seems it is gone. I can't tell how frequent it was on the fuzzing machines because we had more than one signature, but I tried the ones that match this particular signature and they are all from May. I assume it was fixed by another bug that we fixed around that time (we had multiple bugs open related to evalInWorker), so marking as fixed.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated • 8 years ago
Resolution: FIXED → WORKSFORME