Bug 1401141 (Closed)
Opened 7 years ago
Closed 7 years ago
Assertion failure: allocated(), at js/src/gc/Heap.h:627 or Assertion failure: MapAllocToTraceKind(cell->asTenured().getAllocKind()) == kind, at jsgc.cpp:8091
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
Target Milestone: mozilla57
Tracking | Status
---|---
firefox-esr52 | unaffected
firefox55 | unaffected
firefox56 | unaffected
firefox57 | verified
People: Reporter: decoder, Assigned: jonco
Details: 5 keywords, Whiteboard: [jsbugmon:update]
Attachments (1 file): 5.63 KB, patch, sfink: review+
Description
The following testcase crashes on mozilla-central revision ffe6cc09ccf3 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):
gczeal(15,1);
setGCCallback({
action: "majorGC",
});
gcslice(3);
var lfGlobal = newGlobal();
lfGlobal.offThreadCompileScript("");
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x00000000006305f0 in js::gc::Arena::getAllocKind (this=<optimized out>) at js/src/gc/Heap.h:627
#0 0x00000000006305f0 in js::gc::Arena::getAllocKind (this=<optimized out>) at js/src/gc/Heap.h:627
#1 0x00000000009c0d78 in js::gc::TenuredCell::getAllocKind (this=<optimized out>) at js/src/gc/Heap.h:1330
#2 js::gc::AssertGCThingHasType (cell=cell@entry=0x7ffff46df080, kind=kind@entry=JS::TraceKind::String) at js/src/jsgc.cpp:8091
#3 0x0000000000598627 in JS::GCCellPtr::checkedCast (p=0x7ffff46df080, traceKind=traceKind@entry=JS::TraceKind::String) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/instrumentation/none/type/debug/dist/include/js/HeapAPI.h:257
#4 0x00000000008bbdf4 in JS::GCCellPtr::GCCellPtr<JSString> (p=<optimized out>, this=0x7fffffffcee0) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/instrumentation/none/type/debug/dist/include/js/HeapAPI.h:197
#5 JS::CallbackTracer::onStringEdge (this=0x7fffffffd130, strp=<optimized out>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/instrumentation/none/type/debug/dist/include/js/TracingAPI.h:146
#6 0x0000000000e753d5 in JS::CallbackTracer::dispatchToOnEdge (strp=0x7ffff46e93b8, this=0x7fffffffd130) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/instrumentation/none/type/debug/dist/include/js/TracingAPI.h:238
#7 DoCallback<JSString*> (trc=0x7fffffffd130, thingp=0x7ffff46e93b8, name=0x115314f "atom") at js/src/gc/Tracer.cpp:50
#8 0x00000000009c435a in JSFunction::trace (trc=0x7fffffffd138, this=0x7ffff46e9380) at js/src/jsfun.cpp:786
#9 fun_trace (trc=0x7fffffffd138, obj=<optimized out>) at js/src/jsfun.cpp:805
#10 0x0000000000a328fd in js::Class::doTrace (this=<optimized out>, obj=0x7ffff46e9380, trc=0x7fffffffd138) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/instrumentation/none/type/debug/dist/include/js/Class.h:885
#11 JSObject::traceChildren (this=0x7ffff46e9380, trc=0x7fffffffd138) at js/src/jsobj.cpp:4051
#12 0x0000000000e6765d in js::TraceChildren (kind=<optimized out>, thing=0x7ffff46e9380, trc=0x7fffffffd138) at js/src/gc/Tracer.cpp:130
#13 JS::TraceChildren (trc=trc@entry=0x7fffffffd138, thing=...) at js/src/gc/Tracer.cpp:110
#14 0x0000000000e6ab4a in HeapCheckTracerBase::traceHeap (this=this@entry=0x7fffffffd130, lock=...) at js/src/gc/Verifier.cpp:551
#15 0x0000000000e6ace1 in CheckHeapTracer::check (this=0x7fffffffd130, lock=...) at js/src/gc/Verifier.cpp:609
#16 0x0000000000e7087d in js::gc::CheckHeapAfterGC (rt=<optimized out>) at js/src/gc/Verifier.cpp:623
#17 0x0000000000a03389 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff695e738, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=<optimized out>, reason@entry=JS::gcreason::API) at js/src/jsgc.cpp:7328
#18 0x0000000000a034e9 in js::gc::GCRuntime::gc (this=0x7ffff695e738, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::gcreason::API) at js/src/jsgc.cpp:7358
#19 0x0000000000a0352f in JS::GCForReason (cx=cx@entry=0x7ffff6948000, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::gcreason::API) at js/src/jsgc.cpp:8265
#20 0x0000000000880221 in gcCallback::majorGC (cx=0x7ffff6948000, status=<optimized out>, data=0x7ffff69490e8) at js/src/builtin/TestingFunctions.cpp:3689
#21 0x0000000000a02cd4 in (anonymous namespace)::AutoNotifyGCActivity::~AutoNotifyGCActivity (this=<synthetic pointer>, __in_chrg=<optimized out>) at js/src/jsgc.cpp:1670
#22 js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff695e738, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::API) at js/src/jsgc.cpp:7089
#23 0x0000000000a03202 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff695e738, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::API) at js/src/jsgc.cpp:7291
#24 0x0000000000a03df1 in js::gc::GCRuntime::finishGC (this=0x7ffff695e738, reason=reason@entry=JS::gcreason::API) at js/src/jsgc.cpp:7397
#25 0x0000000000a04b3f in JS::FinishIncrementalGC (cx=cx@entry=0x7ffff6948000, reason=reason@entry=JS::gcreason::API) at js/src/jsgc.cpp:8284
#26 0x0000000000a04c8a in js::gc::FinishGC (cx=cx@entry=0x7ffff6948000) at js/src/jsgc.cpp:7591
#27 0x0000000000c02c28 in JSRuntime::destroyRuntime (this=0x7ffff695e000) at js/src/vm/Runtime.cpp:289
#28 0x00000000009999f4 in js::DestroyContext (cx=0x7ffff6948000) at js/src/jscntxt.cpp:249
#29 0x0000000000443701 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:8618
rax 0x0 0
rbx 0x7ffff46df080 140737294233728
rcx 0x7ffff6c28a2d 140737333332525
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffce90 140737488342672
rsp 0x7fffffffce90 140737488342672
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fe4740 140737354024768
r10 0x58 88
r11 0x7ffff6b9f750 140737332770640
r12 0x2 2
r13 0x115314f 18166095
r14 0x0 0
r15 0x7ffff46e9380 140737294275456
rip 0x6305f0 <js::gc::Arena::getAllocKind() const+80>
=> 0x6305f0 <js::gc::Arena::getAllocKind() const+80>: movl $0x0,0x0
0x6305fb <js::gc::Arena::getAllocKind() const+91>: ud2
Marking s-s because this is a GC assert.
Updated•7 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•7 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/f80146e7ec85
user: Jon Coppeard
date: Wed Sep 06 09:07:09 2017 +0100
summary: Bug 1395366 - Extend zone group's state to cover those intended for future use by helper threads and disallow GC of such groups r=sfink
This iteration took 270.647 seconds to run.
Updated•7 years ago (Assignee)
Assignee: nobody → jcoppeard
Comment 2•7 years ago
It sounds like this could cause some kind of memory corruption, so I'm marking it sec-high. Feel free to remove the keyword if that is inaccurate.
Keywords: csectype-uaf, sec-high
Comment 3•7 years ago (Assignee)
The patch for bug 1395366 changed ZoneGroupsIter to skip zone groups created for helper threads, where it previously only skipped zone groups in use by helper threads. ZonesIter uses this, so this also filtered out zones created for helper threads. In the GC we use this to check whether we're doing a full GC and for atoms marking. The testcase here demonstrates that we can collect atoms that are used by a helper thread zone.
The fix is to restore the original behaviour. Zones are filtered out only if they are currently used by helper threads, and we factor the existence of active helper threads into our calculations of which zones we can GC etc. We now have to also check Zone::canCollect() for non-atoms zones so we don't try and collect zones created for helper threads that are not active yet.
I also did a little refactoring along the way.
Attachment #8909867 - Flags: review?(sphink)
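The following C++ model is an added illustration of the scheduling logic comment 3 describes; it is not SpiderMonkey code and none of its names (Zone, IterPolicy, canCollect, scheduleZones, isFullGC, canSweepAtoms, leavesDanglingAtomRefs) are the engine's own. It encodes the two zone-iterator policies, the "full GC" test and the atoms-sweeping decision, and shows on a constructed three-zone heap resembling the testcase at shutdown why skipping zones merely created for helper threads lets atoms be swept while a parked zone still references them, whereas visiting them and consulting a canCollect() check does not.

```cpp
#include <cstdio>
#include <vector>

// Added model, not SpiderMonkey code: one zone as the GC sees it when it
// decides what to collect. The two helper-thread flags are the distinction
// comment 3 draws between "created for" and "in use by" a helper thread.
struct Zone {
    const char* name;
    bool isAtomsZone;
    bool createdForHelperThread;  // parked for future off-thread work
    bool usedByHelperThread;      // a helper thread is running in it now
    bool holdsAtomRefs;           // constructed: its scripts/functions point at atoms
    bool scheduledForGC = false;  // filled in by scheduleZones()
};

// What the zone iterator yields, before and after the fix.
enum class IterPolicy {
    SkipCreatedForHelper,  // behaviour after bug 1395366 (the regression)
    SkipOnlyInUse          // original behaviour, restored by this patch
};

static bool iterVisits(const Zone& z, IterPolicy p) {
    if (p == IterPolicy::SkipCreatedForHelper)
        return !z.createdForHelperThread;
    return !z.usedByHelperThread;
}

// Stand-in (assumed) for Zone::canCollect(): zones parked for or used by
// helper threads must not be collected in this cycle.
static bool canCollect(const Zone& z) {
    return !z.createdForHelperThread && !z.usedByHelperThread;
}

// Schedule every non-atoms zone the iterator yields, subject to canCollect().
static void scheduleZones(std::vector<Zone>& zones, IterPolicy p) {
    for (Zone& z : zones)
        z.scheduledForGC = !z.isAtomsZone && iterVisits(z, p) && canCollect(z);
}

// "Full GC": every non-atoms zone the iterator yields is scheduled.
static bool isFullGC(const std::vector<Zone>& zones, IterPolicy p) {
    for (const Zone& z : zones)
        if (!z.isAtomsZone && iterVisits(z, p) && !z.scheduledForGC) return false;
    return true;
}

// Atoms are shared by all zones, so they may be swept only in a full GC with
// no helper thread active; otherwise an uncollected zone may still point at them.
static bool canSweepAtoms(const std::vector<Zone>& zones, IterPolicy p) {
    for (const Zone& z : zones)
        if (z.usedByHelperThread) return false;
    return isFullGC(zones, p);
}

// True when the cycle would sweep atoms while some zone that is not being
// collected still references them: the dangling-pointer condition the heap
// checker in the backtrace trips over.
static bool leavesDanglingAtomRefs(std::vector<Zone> zones, IterPolicy p) {
    scheduleZones(zones, p);
    if (!canSweepAtoms(zones, p)) return false;
    for (const Zone& z : zones)
        if (!z.isAtomsZone && !z.scheduledForGC && z.holdsAtomRefs) return true;
    return false;
}

// Constructed heap resembling the testcase at shutdown: the atoms zone, the
// main zone, and a zone that newGlobal()+offThreadCompileScript left parked
// for a helper thread that is not currently running in it.
static std::vector<Zone> shutdownHeap() {
    return {
        {"atoms",             true,  false, false, false},
        {"main",              false, false, false, true},
        {"parked-for-helper", false, true,  false, true},
    };
}

// Constructed heap with no helper-thread zones at all: both policies agree.
static std::vector<Zone> plainHeap() {
    return {
        {"atoms", true,  false, false, false},
        {"main",  false, false, false, true},
    };
}

int main() {
    std::printf("regression policy leaves dangling atom refs: %d\n",
                leavesDanglingAtomRefs(shutdownHeap(), IterPolicy::SkipCreatedForHelper));
    std::printf("fixed policy leaves dangling atom refs:      %d\n",
                leavesDanglingAtomRefs(shutdownHeap(), IterPolicy::SkipOnlyInUse));
    return 0;
}
```

Under the regression policy the parked zone is invisible to the iterator, so the two remaining zones make the cycle look "full", atoms are swept, and the parked zone's references go stale; under the restored policy the parked zone is visited, canCollect() keeps it off the schedule, the cycle is no longer full, and atoms survive. Both policies agree on a heap with no helper-thread zones, which is why ordinary tests did not catch the regression.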
Comment 4•7 years ago
Comment on attachment 8909867 [details] [diff] [review]
bug1401141-zone-group-iter
Review of attachment 8909867 [details] [diff] [review]:
-----------------------------------------------------------------
Ugh. Ok, I guess this makes sense.
Attachment #8909867 - Flags: review?(sphink) → review+
Comment 5•7 years ago (Assignee)
Updated•7 years ago
status-firefox55: --- → unaffected
status-firefox56: --- → unaffected
status-firefox-esr52: --- → unaffected
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Updated•7 years ago
Status: RESOLVED → VERIFIED
Comment 7•7 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•7 years ago
Group: javascript-core-security → core-security-release
Updated•7 years ago
Group: core-security-release