Closed Bug 1357070 Opened 3 years ago Closed 3 years ago

Assertion failure: ThingIsPermanentAtomOrWellKnownSymbol(thing) || thing->zoneFromAnyThread()->isSelfHostingZone(), at js/src/gc/Marking.cpp:185 with Profiler

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox55 --- affected

People

(Reporter: decoder, Unassigned)

References

Details

(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:])

The following testcase crashes on mozilla-central revision ce69b6e1773e (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

lfLogBuffer = `
  function loop(f) f();
  Function.prototype.toString = function () loop(this);
  function f()
    getBacktrace({ thisprops: true })
  f()
`;
lfPreamble = `
  readline =  {}
  stackDump = function() {}
  decompileThis = function() {}
  help = function() {}
  disassemble = function() {}
  dis = function() {}
  dumpHeap = function() {}
  dumpGCArenaInfo = function() {}
`
lfAccumulatedCode = lfPreamble;
while (true) {
    line = lfLogBuffer;
    lfCodeBuffer = line;
    loadFile(lfCodeBuffer);
    function loadFile(lfVarx) {
        evalInWorker(lfAccumulatedCode)
        lfAccumulatedCode += "try { evaluate(`\n" + lfVarx + "\n`) } catch(exc) {}\n"
    }
}
Backtrace:

 received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff40ff700 (LWP 19935)]
0x000000000043698d in IsOwnedByOtherRuntime<js::ObjectGroup*> (thing=<optimized out>, rt=<optimized out>) at js/src/gc/Marking.cpp:183
#0  0x000000000043698d in IsOwnedByOtherRuntime<js::ObjectGroup*> (thing=<optimized out>, rt=<optimized out>) at js/src/gc/Marking.cpp:183
#1  0x0000000000ded8cd in IsOwnedByOtherRuntime<js::RegExpShared*> (rt=0x7ffff69b8000, thing=thing@entry=0x7fffbc90a9c0) at js/src/gc/Marking.cpp:187
#2  0x0000000000e03de4 in js::CheckTracedThing<JSScript> (trc=trc@entry=0x7ffff40feae8, thing=0x7fffbc90a9c0) at js/src/gc/Marking.cpp:213
#3  0x0000000000e2fc7f in DoCallback<JSScript*> (trc=0x7ffff40feae0, thingp=thingp@entry=0x7ffff40fe990, name=name@entry=0x1111452 "ProfileEntry script") at js/src/gc/Tracer.cpp:49
#4  0x0000000000e0e0c6 in DispatchToTracer<JSScript*> (trc=trc@entry=0x7ffff40feae8, thingp=thingp@entry=0x7ffff40fe990, name=name@entry=0x1111452 "ProfileEntry script") at js/src/gc/Marking.cpp:693
#5  0x0000000000e0e23a in js::TraceNullableRoot<JSScript*> (trc=trc@entry=0x7ffff40feae8, thingp=thingp@entry=0x7ffff40fe990, name=name@entry=0x1111452 "ProfileEntry script") at js/src/gc/Marking.cpp:522
#6  0x0000000000b42367 in js::ProfileEntry::trace (trc=0x7ffff40feae8, this=0x7ffff4522228) at js/src/vm/GeckoProfiler.cpp:422
#7  js::GeckoProfiler::trace (this=0x7ffff69b8258, trc=trc@entry=0x7ffff40feae8) at js/src/vm/GeckoProfiler.cpp:380
#8  0x0000000000e2277b in js::gc::GCRuntime::traceRuntimeCommon (this=this@entry=0x7ffff69b86f8, trc=trc@entry=0x7ffff40feae8, traceOrMark=traceOrMark@entry=js::gc::GCRuntime::TraceRuntime, lock=...) at js/src/gc/RootMarking.cpp:367
#9  0x0000000000e22c54 in js::gc::GCRuntime::traceRuntime (this=0x7ffff69b86f8, trc=0x7ffff40feae8, lock=...) at js/src/gc/RootMarking.cpp:306
#10 0x0000000000e22fd5 in js::gc::GCRuntime::finishRoots (this=this@entry=0x7ffff69b86f8) at js/src/gc/RootMarking.cpp:436
#11 0x0000000000bbdb20 in JSRuntime::destroyRuntime (this=this@entry=0x7ffff69b8000) at js/src/vm/Runtime.cpp:308
#12 0x000000000095141c in js::DestroyContext (cx=0x7ffff4343000) at js/src/jscntxt.cpp:229
#13 0x00000000004635dd in <lambda()>::operator() (__closure=0x7ffff40fecf0) at js/src/shell/js.cpp:3563
#14 mozilla::ScopeExit<WorkerMain(void*)::<lambda()> >::~ScopeExit (this=<optimized out>, __in_chrg=<optimized out>) at mozilla/ScopeExit.h:112
#15 WorkerMain (arg=<optimized out>) at js/src/shell/js.cpp:3575
#16 0x0000000000465a62 in js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::callMain<0ul> (this=0x7ffff691e1f0) at js/src/threading/Thread.h:234
#17 js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::Start (aPack=0x7ffff691e1f0) at js/src/threading/Thread.h:227
#18 0x00007ffff7bc16fa in start_thread (arg=0x7ffff40ff700) at pthread_create.c:333
#19 0x00007ffff6c38b5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax	0x0	0
rbx	0x7ffff69b8000	140737330774016
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7ffff40fe8c0	140737288071360
rsp	0x7ffff40fe8c0	140737288071360
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff40ff700	140737288075008
r10	0x0	0
r11	0x0	0
r12	0x7fffbc90a9c0	140736356985280
r13	0x1111401	17896449
r14	0x3e8	1000
r15	0x7ffff69b8258	140737330774616
rip	0x43698d <IsOwnedByOtherRuntime<js::ObjectGroup*>(js::ObjectGroup*, JSRuntime*)+28>
=> 0x43698d <IsOwnedByOtherRuntime<js::ObjectGroup*>(js::ObjectGroup*, JSRuntime*)+28>:	movl   $0x0,0x0
   0x436998 <IsOwnedByOtherRuntime<js::ObjectGroup*>(js::ObjectGroup*, JSRuntime*)+39>:	ud2    
This is very likely shell-only and the testcase is probably calling enableGeckoProfiling. Produced several hard-to-reproduce crashes though with different signatures, so marking as fuzzblocker.
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151218124430" and the hash "dd319db81bb855825d851b344fd2da070f1a7e74".
The "bad" changeset has the timestamp "20151218131930" and the hash "c7a3d4a1a2f817865caeb0004f918d77c728f91e".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=dd319db81bb855825d851b344fd2da070f1a7e74&tochange=c7a3d4a1a2f817865caeb0004f918d77c728f91e
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/001519eae1c8
user:        Shu-yu Guo
date:        Fri Dec 18 13:18:19 2015 -0800
summary:     Bug 1071646 - Make functions block-scoped in JS and implement Annex B semantics for compatibility. (r=jorendorff)

Shu-yu, is bug 1071646 a likely regressor?
Flags: needinfo?(shu)
I don't know what this is, will look next week.
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Shu, any ideas?
Flags: needinfo?(shu)
(oops)
Flags: needinfo?(shu)
I can't reproduce this on my machine. I let it run for a bit and it seems to keep printing "Mutator: ..." lines.

:decoder, is this intermittent? How long does it take on the fuzzing machines to crash?
Flags: needinfo?(shu)
(In reply to Shu-yu Guo [:shu] from comment #7)
> I can't reproduce this on my machine. I let it run for a bit and it seems to
> keep printing "Mutator: ..." lines.
> 
> :decoder, is this intermittent? How long does it take on the fuzzing
> machines to crash?

I tried reproducing this on tip and it seems it is gone. I can't tell how frequent it was on the fuzzing machines because we had more than one signature, but I tried the ones that match this particular signature and they are all from May. I assume it was fixed by another bug that we fixed around that time (we had multiple bugs open related to evalInWorker), so marking as fixed.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Resolution: FIXED → WORKSFORME
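Comments 7 and 8 turn on whether this crash is intermittent and how often it fires. The harness below is an added example, not part of this bug or of the SpiderMonkey tree: it reruns a testcase under the shell flags from comment 0 (`--fuzzing-safe --ion-offthread-compile=off`) and tallies each run by crash signature, so a "cannot reproduce" can be reported as a rate over N runs rather than a single attempt. It assumes a debug `js` shell whose path is passed on the command line and that assertion failures are printed to stderr in the `Assertion failure: <expr>, at <file>:<line>` form seen in the bug title; since this testcase loops forever, a run that does not crash is ended by the timeout and counted as such.

```python
"""Rerun a JS shell testcase and classify each run by crash signature (added example)."""
import re
import subprocess
import sys
from collections import Counter

# Assertion expression copied from this bug's summary. Matching the expression
# rather than the Marking.cpp line number survives small source drift.
TARGET_ASSERTION = re.compile(
    r"Assertion failure: ThingIsPermanentAtomOrWellKnownSymbol\(thing\) \|\| "
    r"thing->zoneFromAnyThread\(\)->isSelfHostingZone\(\)"
)
# Generic SpiderMonkey debug assertion line: "Assertion failure: <expr>, at <file>:<line>"
ANY_ASSERTION = re.compile(r"Assertion failure: .+?, at (?P<file>\S+):(?P<line>\d+)")

# Shell flags used in comment 0 of this bug.
DEFAULT_SHELL_ARGS = ("--fuzzing-safe", "--ion-offthread-compile=off")


def classify_run(returncode, stderr, timed_out=False):
    """Map one run's exit status and stderr to a short signature label.

    Priority order: "timeout", "target" (this bug's assertion),
    "other-assertion:<file>:<line>", "signal:<n>" (subprocess reports a
    signal death as a negative return code), "exit:<n>", then "clean".
    """
    if timed_out:
        return "timeout"
    if TARGET_ASSERTION.search(stderr):
        return "target"
    m = ANY_ASSERTION.search(stderr)
    if m:
        return "other-assertion:%s:%s" % (m.group("file"), m.group("line"))
    if returncode is not None and returncode < 0:
        return "signal:%d" % -returncode
    if returncode:
        return "exit:%d" % returncode
    return "clean"


def run_testcase(shell, testcase, timeout, extra_args=DEFAULT_SHELL_ARGS):
    """Run the JS shell once on the testcase and return its signature label."""
    cmd = [shell, *extra_args, testcase]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True,
                              errors="replace", timeout=timeout)
    except subprocess.TimeoutExpired:
        # The testcase in this bug never terminates on its own, so a run that
        # does not crash ends here.
        return classify_run(None, "", timed_out=True)
    return classify_run(proc.returncode, proc.stderr)


def repro_rate(labels):
    """Fraction of runs that hit this bug's assertion, plus the per-label tally."""
    counts = Counter(labels)
    rate = counts["target"] / len(labels) if labels else 0.0
    return rate, counts


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: repro.py <js-shell> <testcase.js> [runs] [timeout-seconds]")
    shell, testcase = sys.argv[1], sys.argv[2]
    runs = int(sys.argv[3]) if len(sys.argv) > 3 else 20
    timeout = float(sys.argv[4]) if len(sys.argv) > 4 else 60.0
    labels = [run_testcase(shell, testcase, timeout) for _ in range(runs)]
    rate, counts = repro_rate(labels)
    print("target assertion hit in %.0f%% of %d runs" % (rate * 100, runs))
    for label, n in counts.most_common():
        print("  %-45s %d" % (label, n))
```

Keeping the tally per signature matters for a report like this one, where the reporter notes several crashes with different signatures under the same testcase: a drop in the `target` count with the other labels unchanged is the evidence that the specific assertion, not the whole cluster, has gone away.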