Closed
Bug 1439284
Opened 6 years ago
Closed 6 years ago
Assertion failure: atomsZone->isGCMarking(), at js/src/gc/GC.cpp:4195
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla60
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox58 | --- | wontfix |
| firefox59 | --- | wontfix |
| firefox60 | --- | fixed |
People
(Reporter: decoder, Assigned: jonco)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update,ignore])
Attachments
(1 file)
|
5.85 KB,
patch
|
sfink
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 48b635e3d447 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):
gcparam('allocationThreshold', 1);
setGCCallback({
action: "majorGC",
});
offThreadCompileScript(('Boolean.prototype.toSource.call(new String())'));
for (let i = 0; i < 10; i++) {
for (let j = 0; j < 10000; j++) Symbol.for(i + 10 * j);
}
runOffThreadScript();
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0000000000e5c0fc in js::gc::GCRuntime::prepareZonesForCollection (this=this@entry=0x7ffff5f1a780, reason=reason@entry=JS::gcreason::DELAYED_ATOMS_GC, isFullOut=<optimized out>, lock=...) at js/src/gc/GC.cpp:4195
#0 0x0000000000e5c0fc in js::gc::GCRuntime::prepareZonesForCollection (this=this@entry=0x7ffff5f1a780, reason=reason@entry=JS::gcreason::DELAYED_ATOMS_GC, isFullOut=<optimized out>, lock=...) at js/src/gc/GC.cpp:4195
#1 0x0000000000e7ed94 in js::gc::GCRuntime::beginMarkPhase (this=this@entry=0x7ffff5f1a780, reason=reason@entry=JS::gcreason::DELAYED_ATOMS_GC, session=...) at js/src/gc/GC.cpp:4265
#2 0x0000000000e80458 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff5f1a780, budget=..., reason=reason@entry=JS::gcreason::DELAYED_ATOMS_GC, session=...) at js/src/gc/GC.cpp:6981
#3 0x0000000000e81871 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff5f1a780, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::DELAYED_ATOMS_GC) at js/src/gc/GC.cpp:7375
#4 0x0000000000e81f4d in js::gc::GCRuntime::collect (this=this@entry=0x7ffff5f1a780, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::DELAYED_ATOMS_GC) at js/src/gc/GC.cpp:7518
#5 0x0000000000e82502 in js::gc::GCRuntime::gcSlice (this=0x7ffff5f1a780, reason=JS::gcreason::DELAYED_ATOMS_GC, millis=0) at js/src/gc/GC.cpp:7607
#6 0x0000000000e825c7 in js::gc::GCRuntime::gcIfRequested (this=this@entry=0x7ffff5f1a780) at js/src/gc/GC.cpp:7785
#7 0x0000000000e84248 in js::gc::GCRuntime::gcIfNeededAtAllocation (this=0x7ffff5f1a780, cx=cx@entry=0x7ffff5f16000) at js/src/gc/Allocator.cpp:315
#8 0x0000000000eb43b8 in js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=<optimized out>, cx=0x7ffff5f16000, kind=<optimized out>) at js/src/gc/Allocator.cpp:270
#9 0x0000000000eb4cd2 in js::Allocate<js::BaseShape, (js::AllowGC)1> (cx=cx@entry=0x7ffff5f16000) at js/src/gc/Allocator.cpp:221
#10 0x0000000000bdd999 in js::BaseShape::getUnowned (cx=cx@entry=0x7ffff5f16000, base=...) at js/src/vm/Shape.cpp:1440
#11 0x0000000000bde0ca in js::EmptyShape::getInitialShape (cx=0x7ffff5f16000, clasp=clasp@entry=0x201afe0 <js::BooleanObject::class_>, proto=..., nfixed=<optimized out>, objectFlags=<optimized out>) at js/src/vm/Shape.cpp:2116
#12 0x0000000000b3d8fa in NewObject (cx=0x7ffff5f16000, group=..., kind=<optimized out>, newKind=js::SingletonObject, initialShapeFlags=<optimized out>) at js/src/vm/JSObject.cpp:723
#13 0x0000000000b3dde1 in js::NewObjectWithGivenTaggedProto (cx=cx@entry=0x7ffff5f16000, clasp=clasp@entry=0x201afe0 <js::BooleanObject::class_>, proto=proto@entry=..., allocKind=js::gc::AllocKind::OBJECT2_BACKGROUND, newKind=newKind@entry=js::SingletonObject, initialShapeFlags=initialShapeFlags@entry=0) at js/src/vm/JSObject.cpp:793
#14 0x0000000000af2a4a in js::NewObjectWithGivenTaggedProto (initialShapeFlags=0, newKind=js::SingletonObject, proto=..., clasp=0x201afe0 <js::BooleanObject::class_>, cx=0x7ffff5f16000) at js/src/vm/JSObject-inl.h:611
#15 js::NewObjectWithGivenProto (newKind=js::SingletonObject, proto=..., clasp=0x201afe0 <js::BooleanObject::class_>, cx=0x7ffff5f16000) at js/src/vm/JSObject-inl.h:646
#16 js::NewNativeObjectWithGivenProto (newKind=js::SingletonObject, proto=..., clasp=0x201afe0 <js::BooleanObject::class_>, cx=0x7ffff5f16000) at js/src/vm/NativeObject-inl.h:746
#17 CreateBlankProto (cx=0x7ffff5f16000, clasp=clasp@entry=0x201afe0 <js::BooleanObject::class_>, proto=proto@entry=..., global=...) at js/src/vm/GlobalObject.cpp:706
#18 0x0000000000b07fd5 in js::GlobalObject::createBlankPrototype (cx=0x7ffff5f16000, global=..., global@entry=..., clasp=clasp@entry=0x201afe0 <js::BooleanObject::class_>) at js/src/vm/GlobalObject.cpp:721
#19 0x00000000009c9c68 in js::GlobalObject::createBlankPrototype<js::BooleanObject> (global=..., cx=<optimized out>) at js/src/vm/GlobalObject.h:312
#20 js::InitBooleanClass (cx=0x7ffff5f16000, obj=...) at js/src/jsbool.cpp:141
#21 0x0000000000b07bc6 in js::GlobalObject::resolveConstructor (cx=cx@entry=0x7ffff5f16000, global=global@entry=..., key=key@entry=JSProto_Boolean) at js/src/vm/GlobalObject.cpp:168
#22 0x000000000056cc39 in js::GlobalObject::ensureConstructor (cx=0x7ffff5f16000, global=..., key=JSProto_Boolean) at js/src/vm/GlobalObject.h:156
#23 0x00000000009abeda in JS_ResolveStandardClass (cx=0x7ffff5f16000, obj=..., id=..., resolved=0x7fffffffb3ff) at js/src/jsapi.cpp:1115
#24 0x0000000000b3ab58 in js::CallResolveOp (recursedp=<synthetic pointer>, propp=..., id=..., obj=..., cx=0x7ffff5f16000) at js/src/vm/NativeObject-inl.h:797
#25 js::LookupOwnPropertyInline<(js::AllowGC)1> (donep=<synthetic pointer>, propp=..., id=..., obj=..., cx=<optimized out>) at js/src/vm/NativeObject-inl.h:869
#26 js::LookupPropertyInline<(js::AllowGC)1> (propp=..., objp=..., id=..., obj=..., cx=0x7ffff5f16000) at js/src/vm/NativeObject-inl.h:941
#27 js::LookupProperty (cx=<optimized out>, obj=..., id=id@entry=..., objp=..., propp=propp@entry=...) at js/src/vm/JSObject.cpp:2206
#28 0x0000000000b3b0d6 in js::LookupName (cx=0x7ffff5f16000, name=..., envChain=..., objp=..., pobjp=..., propp=...) at js/src/vm/JSObject.cpp:2216
#29 0x000000000055c33d in js::GetEnvironmentName<(js::GetNameMode)0> (vp=..., name=..., envChain=..., cx=<optimized out>) at js/src/vm/Interpreter-inl.h:250
#30 GetNameOperation (vp=..., pc=<optimized out>, fp=<optimized out>, cx=0x7ffff5f16000) at js/src/vm/Interpreter.cpp:244
#31 Interpret (cx=0x7ffff5f16000, state=...) at js/src/vm/Interpreter.cpp:3223
#32 0x0000000000567355 in js::RunScript (cx=0x7ffff5f16000, state=...) at js/src/vm/Interpreter.cpp:423
#33 0x000000000056a52d in js::ExecuteKernel (cx=0x7ffff5f16000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffffffc6d8) at js/src/vm/Interpreter.cpp:706
#34 0x000000000056aa11 in js::Execute (cx=cx@entry=0x7ffff5f16000, script=script@entry=..., envChainArg=..., rval=rval@entry=0x7fffffffc6d8) at js/src/vm/Interpreter.cpp:739
#35 0x00000000009bd836 in ExecuteScript (cx=0x7ffff5f16000, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x7fffffffc6d8) at js/src/jsapi.cpp:4726
#36 0x00000000009bda1e in JS_ExecuteScript (cx=cx@entry=0x7ffff5f16000, scriptArg=scriptArg@entry=..., rval=...) at js/src/jsapi.cpp:4752
#37 0x000000000046514d in runOffThreadScript (cx=0x7ffff5f16000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:4782
#38 0x0000000000573351 in js::CallJSNative (cx=0x7ffff5f16000, native=0x465070 <runOffThreadScript(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:290
#39 0x000000000056784f in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff5f16000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:473
#40 0x0000000000567c2d in InternalCall (cx=0x7ffff5f16000, args=...) at js/src/vm/Interpreter.cpp:522
#41 0x0000000000567d7a in js::CallFromStack (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:528
#42 0x000000000064c85b in js::jit::DoCallFallback (cx=0x7ffff5f16000, frame=0x7fffffffc728, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffc6d8, res=...) at js/src/jit/BaselineIC.cpp:2383
#43 0x00002e1a4192d83f in ?? ()
#44 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7fffffffa4e0 140737488332000
rcx 0x7ffff6c282ad 140737333330605
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffa590 140737488332176
rsp 0x7fffffffa4c0 140737488331968
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fe4780 140737354024832
r10 0x58 88
r11 0x7ffff6b9e7a0 140737332766624
r12 0x7ffff5f1a780 140737319643008
r13 0xc 12
r14 0x7ffff5f3d800 140737319786496
r15 0x1 1
rip 0xe5c0fc <js::gc::GCRuntime::prepareZonesForCollection(JS::gcreason::Reason, bool*, js::AutoLockForExclusiveAccess&)+1388>
=> 0xe5c0fc <js::gc::GCRuntime::prepareZonesForCollection(JS::gcreason::Reason, bool*, js::AutoLockForExclusiveAccess&)+1388>: movl $0x0,0x0
0xe5c107 <js::gc::GCRuntime::prepareZonesForCollection(JS::gcreason::Reason, bool*, js::AutoLockForExclusiveAccess&)+1399>: ud2
Marking s-s due to GC assertion.
|
||
Updated•6 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
||
Comment 1•6 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/acd4c55de436 user: Jon Coppeard date: Thu Aug 31 10:27:04 2017 +0100 summary: Bug 1393597 - Remove FinishIncrementalGC when merging compartments r=sfink This iteration took 260.603 seconds to run.
|
||
Updated•6 years ago
|
Flags: needinfo?(jcoppeard)
|
|
||
Updated•6 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
||
Comment 2•6 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision b3191953ccda).
|
Assignee | |
Updated•6 years ago
|
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
|
|
Assignee | |
Comment 3•6 years ago
|
||
When we call GC begin callbacks we preserve the zone scheduling state in case they do a GC and end up changing it. I didn't do this for the end callback but I should have done because the loop in collect() can repeat a GC after the end callback has run.
Attachment #8954093 -
Flags: review?(sphink)
|
||
Updated•6 years ago
|
Priority: -- → P1
|
||
Updated•6 years ago
|
Attachment #8954093 -
Flags: review?(sphink) → review+
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/55c6bbcc1b8d Preserve scheduled zones over call to GC end callback r=sfink
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/724b51d7263f Fix passing wrong callback type r=me on a CLOSED TREE
|
||
Comment 7•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/55c6bbcc1b8d https://hg.mozilla.org/mozilla-central/rev/724b51d7263f
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
|
||
Updated•6 years ago
|
status-firefox58:
--- → wontfix
status-firefox59:
--- → wontfix
status-firefox-esr52:
--- → unaffected
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•