Closed Bug 1430752 Opened 2 years ago Closed 2 years ago

Assertion failure: !rt->gc.isIncrementalGCInProgress(), at js/src/gc/Verifier.cpp:714

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED FIXED
mozilla59
Tracking Status
firefox-esr52 --- unaffected
firefox57 --- unaffected
firefox58 --- wontfix
firefox59 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect][fuzzblocker])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision b7d66e4e60ef (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):

gczeal(18);
gcslice(3);


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000eb1a30 in js::CheckGrayMarkingState (rt=0x7ffff5f1a000) at js/src/gc/Verifier.cpp:714
#0  0x0000000000eb1a30 in js::CheckGrayMarkingState (rt=0x7ffff5f1a000) at js/src/gc/Verifier.cpp:714
#1  0x0000000000a20d97 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff5f1a740, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=<optimized out>, reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:7500
#2  0x0000000000a22c25 in js::gc::GCRuntime::startDebugGC (this=0x7ffff5f1a740, gckind=gckind@entry=GC_NORMAL, budget=...) at js/src/jsgc.cpp:7599
#3  0x00000000008b8352 in GCSlice (cx=0x7ffff5f16000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1075
#4  0x0000000000575a91 in js::CallJSNative (cx=0x7ffff5f16000, native=0x8b81d0 <GCSlice(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:291
[...]
#18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9157
rax	0x0	0
rbx	0x7ffff5f1a000	140737319641088
rcx	0x7ffff6c282ad	140737333330605
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffc7d0	140737488340944
rsp	0x7fffffffc6a0	140737488340640
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4780	140737354024832
r10	0x58	88
r11	0x7ffff6b9e7a0	140737332766624
r12	0x7	7
r13	0x7ffff5f1a740	140737319642944
r14	0x1	1
r15	0x0	0
rip	0xeb1a30 <js::CheckGrayMarkingState(JSRuntime*)+640>
=> 0xeb1a30 <js::CheckGrayMarkingState(JSRuntime*)+640>:	movl   $0x0,0x0
   0xeb1a3b <js::CheckGrayMarkingState(JSRuntime*)+651>:	ud2



Marking as fuzzblocker; this is highly frequent.
Assignee: nobody → jcoppeard
Blocks: 1413914
We need to make the zeal mode that checks the gray marking state skip the check if we're in the middle of an incremental GC.  Gray marking state is not expected to be correct during an incremental GC.
Attachment #8942907 - Flags: review?(sphink)
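The mechanism behind the assertion, as an added toy model (not SpiderMonkey's code, and not the patch on this bug): marking sets an object black when it is pushed on the mark stack, so part-way through an incremental GC a black object can still point at an unmarked object, and the black-gray invariant the zeal check verifies (no black object points to a non-black object) is temporarily false. The names Heap, Object, CheckResult, checkGrayMarkingState and runScenario, and the constructed heap A -> B -> C with a gray root D -> C, are assumptions for this example; gray marking is done in one step here rather than incrementally.

```cpp
// Toy model of incremental black/gray marking. Not SpiderMonkey code; all
// names and the sample heap are assumptions made for this illustration.
#include <cstddef>
#include <deque>
#include <utility>
#include <vector>

enum class Color { White, Gray, Black };
enum class CheckResult { Skipped, Ok, Violated };

struct Object {
  Color color = Color::White;
  std::vector<size_t> edges;  // indices of referenced objects
};

struct Heap {
  std::vector<Object> objects;
  std::vector<size_t> blackRoots;  // ordinary roots, marked black
  std::vector<size_t> grayRoots;   // e.g. cycle-collector roots, marked gray
  std::deque<size_t> markStack;
  bool incrementalGCInProgress = false;

  size_t add(std::vector<size_t> edges) {
    objects.push_back(Object{Color::White, std::move(edges)});
    return objects.size() - 1;
  }

  // Mark black on push; the children are only traced when popped.
  void pushBlack(size_t i) {
    if (objects[i].color != Color::Black) {
      objects[i].color = Color::Black;
      markStack.push_back(i);
    }
  }

  void startIncrementalGC() {
    for (Object& o : objects) o.color = Color::White;
    markStack.clear();
    for (size_t r : blackRoots) pushBlack(r);
    incrementalGCInProgress = true;
  }

  // Trace at most `budget` objects. Returns true once the GC has finished.
  bool slice(size_t budget) {
    while (budget > 0 && !markStack.empty()) {
      size_t i = markStack.front();
      markStack.pop_front();
      for (size_t e : objects[i].edges) pushBlack(e);
      --budget;
    }
    if (!markStack.empty()) return false;  // mid-GC: mark state is partial
    // Black marking done: gray marking runs to completion from gray roots.
    std::deque<size_t> grayStack;
    for (size_t r : grayRoots)
      if (objects[r].color == Color::White) {
        objects[r].color = Color::Gray;
        grayStack.push_back(r);
      }
    while (!grayStack.empty()) {
      size_t i = grayStack.front();
      grayStack.pop_front();
      for (size_t e : objects[i].edges)
        if (objects[e].color == Color::White) {
          objects[e].color = Color::Gray;
          grayStack.push_back(e);
        }
    }
    incrementalGCInProgress = false;
    return true;
  }
};

// The black-gray invariant: a black object never points to a non-black one.
// Only meaningful once marking has completed.
bool blackGrayInvariantHolds(const Heap& h) {
  for (const Object& o : h.objects) {
    if (o.color != Color::Black) continue;
    for (size_t e : o.edges)
      if (h.objects[e].color != Color::Black) return false;
  }
  return true;
}

// The gated check: skip instead of asserting while an incremental GC is
// in progress, where partial mark state would give false failures.
CheckResult checkGrayMarkingState(const Heap& h) {
  if (h.incrementalGCInProgress) return CheckResult::Skipped;
  return blackGrayInvariantHolds(h) ? CheckResult::Ok : CheckResult::Violated;
}

struct Scenario { bool midInvariant; CheckResult mid, done, corrupted; };

// Constructed heap: A -> B -> C (black root A), D -> C (gray root D).
Scenario runScenario() {
  Heap h;
  size_t c = h.add({}), b = h.add({c}), a = h.add({b}), d = h.add({c});
  h.blackRoots = {a};
  h.grayRoots = {d};
  Scenario s{};
  h.startIncrementalGC();
  h.slice(1);                                    // traces A: B black, C white
  s.midInvariant = blackGrayInvariantHolds(h);   // false: B (black) -> C (white)
  s.mid = checkGrayMarkingState(h);              // Skipped rather than asserting
  while (!h.slice(1)) {}
  s.done = checkGrayMarkingState(h);             // Ok: A, B, C black; D gray
  h.objects[a].edges.push_back(d);               // black -> gray edge, no barrier
  s.corrupted = checkGrayMarkingState(h);        // Violated: the real target
  return s;
}
```

The last two steps show the two sides of the fix: after the GC completes the check is meaningful and catches a black-to-gray edge introduced without a barrier, while in the middle of a slice the same invariant is legitimately false and the check has to be skipped, as the patch on this bug does.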
Comment on attachment 8942907 [details] [diff] [review]
bug1430752-zeal-assert

Review of attachment 8942907 [details] [diff] [review]:
-----------------------------------------------------------------

Makes sense.
Attachment #8942907 - Flags: review?(sphink) → review+
Due to computer issues I can't push at the moment.
Keywords: checkin-needed
Pushed by cbrindusan@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4e3657c2c270
Fix GC zeal to not attempt to check gray marking state during incremental GC r=sfink
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/4e3657c2c270
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59