Closed Bug 1492103 Opened 6 years ago Closed 6 years ago

Crash [@ js::TypeZone::setSweepingTypes] or Assertion failure: sweepingTypes != sweeping, at js/src/vm/TypeInference.h:1479

Categories: (Core :: JavaScript: GC, defect)
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking
Status: RESOLVED DUPLICATE of bug 1491530
Tracking Status: firefox64 --- fixed

People

(Reporter: decoder, Unassigned)

Details

(5 keywords, Whiteboard: [jsbugmon:update,ignore][adv-main64-])

The following testcase crashes on mozilla-central revision 7ac2e2fc613b (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2):

gczeal(20, 2);
eval(`
function complex(aReal, aImag) {
  this.r = aReal;
  this.square = function() {}
}
function mandelbrotValueOO (aC, aIterMax) {
  let Z = new complex(0.0, 0.0);
  for (var iter = 0; iter < aIterMax; iter++) {
    if (Z.r * Z.r + Z.i * Z.i > 256) {
      break;
    }
  }
}
const width = 60;
const height = 60;
const max_iters = 50;
for (let img_x = 0; img_x < width; img_x++) {
  for (let img_y = 0; img_y < height; img_y++) {
    let C = new complex(-2 + (img_x / width) * 3);
    var res = mandelbrotValueOO(C, max_iters);
  }
}
`)

Backtrace:

received signal SIGSEGV, Segmentation fault.
js::TypeZone::setSweepingTypes (sweeping=<optimized out>, this=<optimized out>) at js/src/vm/TypeInference.h:1479
#0  js::TypeZone::setSweepingTypes (sweeping=<optimized out>, this=<optimized out>) at js/src/vm/TypeInference.h:1479
#1  js::AutoClearTypeInferenceStateOnOOM::AutoClearTypeInferenceStateOnOOM (this=<optimized out>, zone=0x7ffff57b8000) at js/src/vm/TypeInference.cpp:5028
#2  0x00005555557e3504 in js::AutoSweepObjectGroup::AutoSweepObjectGroup (this=0x7fffffffa7b4, group=0x7ffff59ac040) at js/src/vm/TypeInference-inl.h:1288
#3  0x0000555555ca32ea in js::TypeSet::addType (this=0x7ffff55424d8, type=..., alloc=0x7ffff57b84d8) at js/src/vm/TypeInference.cpp:719
#4  0x0000555555ca348a in js::ConstraintTypeSet::addType (this=0x7ffff55424d8, sweep=..., cx=0x7ffff5f27800, type=...) at js/src/vm/TypeInference.cpp:794
#5  0x0000555555caba16 in js::AddTypePropertyId (cx=cx@entry=0x7ffff5f27800, group=group@entry=0x7ffff59ca070, obj=obj@entry=0x0, id=id@entry=..., type=...) at js/src/vm/TypeInference.cpp:3124
#6  0x0000555555d00f70 in PropagatePropertyTypes (newGroup=0x7ffff59ca070, oldGroup=0x7ffff59ac070, id=..., cx=0x7ffff5f27800) at js/src/vm/UnboxedObject.cpp:552
#7  js::UnboxedLayout::makeNativeGroup (cx=cx@entry=0x7ffff5f27800, group=<optimized out>) at js/src/vm/UnboxedObject.cpp:692
#8  0x0000555555d074f8 in js::UnboxedPlainObject::convertToNative (cx=cx@entry=0x7ffff5f27800, obj=obj@entry=0x7ffff5a00040) at js/src/vm/UnboxedObject.cpp:734
#9  0x0000555555c98784 in js::TypeNewScript::rollbackPartiallyInitializedObjects (this=this@entry=0x7ffff5f73fd0, cx=cx@entry=0x7ffff5f27800, group=group@entry=0x7ffff59ac070) at js/src/vm/TypeInference.cpp:4423
#10 0x0000555555ca9a7e in js::ObjectGroup::clearNewScript (this=this@entry=0x7ffff59ac070, cx=cx@entry=0x7ffff5f27800, replacement=0x7ffff59ca040) at js/src/vm/TypeInference.cpp:3388
#11 0x0000555555d00838 in js::UnboxedLayout::makeNativeGroup (cx=cx@entry=0x7ffff5f27800, group=0x7ffff59ac070) at js/src/vm/UnboxedObject.cpp:624
#12 0x0000555555d074f8 in js::UnboxedPlainObject::convertToNative (cx=cx@entry=0x7ffff5f27800, obj=0x7ffff5a00040) at js/src/vm/UnboxedObject.cpp:734
#13 0x0000555555d07f4b in js::UnboxedPlainObject::obj_setProperty (cx=0x7ffff5f27800, obj=..., id=..., v=..., receiver=..., result=...) at js/src/vm/UnboxedObject.cpp:1070
#14 0x0000555555867ed0 in js::jit::DoSetPropFallback (cx=0x7ffff5f27800, frame=0x7fffffffbc68, stub_=0x7ffff5f660f8, stack=0x7fffffffbc50, lhs=..., rhs=...) at js/src/jit/BaselineIC.cpp:2993
#15 0x00003d959af9839a in ?? ()
[...]
#65 0x0000000000000000 in ?? ()

Crash site:

rip 0x555555c98c21 <js::AutoClearTypeInferenceStateOnOOM::AutoClearTypeInferenceStateOnOOM(JS::Zone*)+97>
=> 0x555555c98c21 <js::AutoClearTypeInferenceStateOnOOM::AutoClearTypeInferenceStateOnOOM(JS::Zone*)+97>: movl $0x0,0x0
   0x555555c98c2c <js::AutoClearTypeInferenceStateOnOOM::AutoClearTypeInferenceStateOnOOM(JS::Zone*)+108>: ud2

Marking s-s because GC and TypeInference are involved.
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 85b4d2bf888a).

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/aa3c5d257b1e
user: Jon Coppeard
date: Thu Sep 13 16:46:51 2018 +0100
summary: Bug 1490042 - Only allow a single AutoClearTypeInferenceStateOnOOM to be active at once r=jandem r=sfink

This iteration took 235.426 seconds to run.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
This is the same stack as bug 1491530, so should have been fixed by the backout of bug 1490042.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][adv-main64-]
Group: javascript-core-security