Closed Bug 1492103 Opened 6 years ago Closed 6 years ago

Crash [@ js::TypeZone::setSweepingTypes] or Assertion failure: sweepingTypes != sweeping, at js/src/vm/TypeInference.h:1479

Categories

(Core :: JavaScript: GC, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1491530
Tracking Status
firefox64 --- fixed

People

(Reporter: decoder, Unassigned)

Details

(5 keywords, Whiteboard: [jsbugmon:update,ignore][adv-main64-])

Crash Data

The following testcase crashes on mozilla-central revision 7ac2e2fc613b (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2):

gczeal(20, 2);
eval(`
  function complex(aReal, aImag) {
    this.r = aReal;
    this.square = function() {}
  }
  function mandelbrotValueOO (aC, aIterMax) {
    let Z = new complex(0.0, 0.0);
    for (var iter = 0; iter < aIterMax; iter++) {
      if (Z.r * Z.r + Z.i * Z.i > 256) { break; }
    }
  }
  const width = 60;
  const height = 60;
  const max_iters = 50;
  for (let img_x = 0; img_x < width; img_x++) {
    for (let img_y = 0; img_y < height; img_y++) {
      let C = new complex(-2 + (img_x / width) * 3);
      var res = mandelbrotValueOO(C, max_iters);
    }
  }
`)

Backtrace:

received signal SIGSEGV, Segmentation fault.
js::TypeZone::setSweepingTypes (sweeping=<optimized out>, this=<optimized out>) at js/src/vm/TypeInference.h:1479
#0  js::TypeZone::setSweepingTypes (sweeping=<optimized out>, this=<optimized out>) at js/src/vm/TypeInference.h:1479
#1  js::AutoClearTypeInferenceStateOnOOM::AutoClearTypeInferenceStateOnOOM (this=<optimized out>, zone=0x7ffff57b8000) at js/src/vm/TypeInference.cpp:5028
#2  0x00005555557e3504 in js::AutoSweepObjectGroup::AutoSweepObjectGroup (this=0x7fffffffa7b4, group=0x7ffff59ac040) at js/src/vm/TypeInference-inl.h:1288
#3  0x0000555555ca32ea in js::TypeSet::addType (this=0x7ffff55424d8, type=..., alloc=0x7ffff57b84d8) at js/src/vm/TypeInference.cpp:719
#4  0x0000555555ca348a in js::ConstraintTypeSet::addType (this=0x7ffff55424d8, sweep=..., cx=0x7ffff5f27800, type=...) at js/src/vm/TypeInference.cpp:794
#5  0x0000555555caba16 in js::AddTypePropertyId (cx=cx@entry=0x7ffff5f27800, group=group@entry=0x7ffff59ca070, obj=obj@entry=0x0, id=id@entry=..., type=...) at js/src/vm/TypeInference.cpp:3124
#6  0x0000555555d00f70 in PropagatePropertyTypes (newGroup=0x7ffff59ca070, oldGroup=0x7ffff59ac070, id=..., cx=0x7ffff5f27800) at js/src/vm/UnboxedObject.cpp:552
#7  js::UnboxedLayout::makeNativeGroup (cx=cx@entry=0x7ffff5f27800, group=<optimized out>) at js/src/vm/UnboxedObject.cpp:692
#8  0x0000555555d074f8 in js::UnboxedPlainObject::convertToNative (cx=cx@entry=0x7ffff5f27800, obj=obj@entry=0x7ffff5a00040) at js/src/vm/UnboxedObject.cpp:734
#9  0x0000555555c98784 in js::TypeNewScript::rollbackPartiallyInitializedObjects (this=this@entry=0x7ffff5f73fd0, cx=cx@entry=0x7ffff5f27800, group=group@entry=0x7ffff59ac070) at js/src/vm/TypeInference.cpp:4423
#10 0x0000555555ca9a7e in js::ObjectGroup::clearNewScript (this=this@entry=0x7ffff59ac070, cx=cx@entry=0x7ffff5f27800, replacement=0x7ffff59ca040) at js/src/vm/TypeInference.cpp:3388
#11 0x0000555555d00838 in js::UnboxedLayout::makeNativeGroup (cx=cx@entry=0x7ffff5f27800, group=0x7ffff59ac070) at js/src/vm/UnboxedObject.cpp:624
#12 0x0000555555d074f8 in js::UnboxedPlainObject::convertToNative (cx=cx@entry=0x7ffff5f27800, obj=0x7ffff5a00040) at js/src/vm/UnboxedObject.cpp:734
#13 0x0000555555d07f4b in js::UnboxedPlainObject::obj_setProperty (cx=0x7ffff5f27800, obj=..., id=..., v=..., receiver=..., result=...) at js/src/vm/UnboxedObject.cpp:1070
#14 0x0000555555867ed0 in js::jit::DoSetPropFallback (cx=0x7ffff5f27800, frame=0x7fffffffbc68, stub_=0x7ffff5f660f8, stack=0x7fffffffbc50, lhs=..., rhs=...) at js/src/jit/BaselineIC.cpp:2993
#15 0x00003d959af9839a in ?? ()
[...]
#65 0x0000000000000000 in ?? ()
rax	0x555556ef0020	93825019084832
rbx	0x7ffff57b8000	140737311899648
rcx	0x55555612b8c0	93825004648640
rdx	0x7ffff5f27800	140737319696384
rsi	0x7ffff57b8000	140737311899648
rdi	0x7ffff5f1a000	140737319641088
rbp	0x7ffff59ac040	140737313947712
rsp	0x7fffffffa760	140737488332640
r8	0x7ffff55424d8	140737309320408
r9	0x7ffff55424d8	140737309320408
r10	0x0	0
r11	0x8935bb4	143874996
r12	0x7fffffffa7b4	140737488332724
r13	0x7fffffffa7b4	140737488332724
r14	0x7ffff59ac040	140737313947712
r15	0x0	0
rip	0x555555c98c21 <js::AutoClearTypeInferenceStateOnOOM::AutoClearTypeInferenceStateOnOOM(JS::Zone*)+97>
=> 0x555555c98c21 <js::AutoClearTypeInferenceStateOnOOM::AutoClearTypeInferenceStateOnOOM(JS::Zone*)+97>:	movl   $0x0,0x0
   0x555555c98c2c <js::AutoClearTypeInferenceStateOnOOM::AutoClearTypeInferenceStateOnOOM(JS::Zone*)+108>:	ud2

Marking s-s because GC and TypeInference are involved.
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 85b4d2bf888a).
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/aa3c5d257b1e
user:        Jon Coppeard
date:        Thu Sep 13 16:46:51 2018 +0100
summary:     Bug 1490042 - Only allow a single AutoClearTypeInferenceStateOnOOM to be active at once r=jandem r=sfink

This iteration took 235.426 seconds to run.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
This is the same stack as bug 1491530, so should have been fixed by the backout of bug 1490042.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][adv-main64-]
Group: javascript-core-security
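To make the failing invariant concrete, here is a simplified C++ model added for this page (not SpiderMonkey code): the RAII guard, the check at TypeInference.h:1479, and the re-entrant convertToNative -> makeNativeGroup path shown in the backtrace. Where the outer guard is held (the outer makeNativeGroup call) is an assumption of the model; the backtrace only shows the inner one.

```cpp
#include <cassert>

// Simplified model, added to illustrate the crash above; not SpiderMonkey
// code. TypeZone::setSweepingTypes() stands in for the check at
// TypeInference.h:1479: it asserts sweepingTypes != sweeping, i.e. the flag
// must actually change, so a second guard cannot be entered while one is
// active. The model records the violation instead of crashing.
struct TypeZone {
  bool sweepingTypes = false;
  bool violated = false;  // a debug build would assert / crash here
  void setSweepingTypes(bool sweeping) {
    if (sweepingTypes == sweeping) violated = true;
    sweepingTypes = sweeping;
  }
};

// RAII guard standing in for AutoClearTypeInferenceStateOnOOM, which in the
// backtrace is created by AutoSweepObjectGroup (frames #1 and #2).
struct AutoClearTypeInferenceStateOnOOM {
  TypeZone& zone;
  explicit AutoClearTypeInferenceStateOnOOM(TypeZone& z) : zone(z) {
    zone.setSweepingTypes(true);
  }
  ~AutoClearTypeInferenceStateOnOOM() { zone.setSweepingTypes(false); }
};

// addType takes the guard (frames #1-#3).
void addType(TypeZone& zone) { AutoClearTypeInferenceStateOnOOM sweep(zone); }

void makeNativeGroup(TypeZone& zone, bool outer);
// convertToNative -> makeNativeGroup, as in frames #7/#8 and #11/#12.
void convertToNative(TypeZone& zone, bool outer) { makeNativeGroup(zone, outer); }

void makeNativeGroup(TypeZone& zone, bool outer) {
  if (outer) {
    // Assumption of this model: the outer call holds a live guard.
    AutoClearTypeInferenceStateOnOOM guard(zone);
    // clearNewScript -> rollbackPartiallyInitializedObjects re-enters
    // convertToNative (frames #8-#10) while that guard is still active.
    convertToNative(zone, false);
  } else {
    addType(zone);  // PropagatePropertyTypes -> addType (frames #3-#6)
  }
}

// The re-entrant path from the backtrace trips the single-guard invariant.
bool reentrantPathTripsCheck() { TypeZone z; convertToNative(z, true); return z.violated; }
// The same work without re-entry keeps the invariant.
bool flatPathTripsCheck() { TypeZone z; addType(z); return z.violated; }
```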