Closed Bug 1517158 Opened 2 years ago Closed 2 years ago

Assertion failure: !JS::RuntimeHeapIsCollecting(), at js/src/gc/Cell.h:356

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla66
Tracking Status
firefox-esr60 --- unaffected
firefox64 --- unaffected
firefox65 --- unaffected
firefox66 --- verified

People

(Reporter: gkw, Assigned: allstars.chh)

References

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files, 1 obsolete file)

The following testcase crashes on mozilla-central revision 0def5ac36b5b (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/jit-test/tests/debug/onExceptionUnwind-03.js
(function() {
    var g = newGlobal();
    g.debuggeeGlobal = this;
    g.eval("(" + function() {
        dbg = new Debugger(debuggeeGlobal);
        dbg.onExceptionUnwind = function(frame, exc) {
            var s = '!';
            for (var f = frame; f; f = f.older)
                if (f.type === "call")
                    s += f.callee.name;
        };
    } + ")();");
    try {
        h();
    } catch (e) {}
    g.dbg.enabled = false;
})();
// jsfunfuzz-generated
startgc(114496726);

Backtrace:

#0  js::gc::TenuredCell::readBarrier (thing=0x7fefa178b060) at js/src/gc/Cell.h:355
#1  0x000055f31a05de67 in JSObject::readBarrier (obj=0x7fefa178b060) at js/src/vm/JSObject.h:676
#2  js::InternalBarrierMethods<js::GlobalObject*>::readBarrier (v=0x7fefa178b060) at js/src/gc/Barrier.h:268
#3  js::ReadBarrieredBase<js::GlobalObject*>::read (this=0x7fefa1977048) at js/src/gc/Barrier.h:602
#4  js::ReadBarriered<js::GlobalObject*>::get (this=<optimized out>) at js/src/gc/Barrier.h:653
#5  js::ReadBarriered<js::GlobalObject*>::operator-> (this=<optimized out>) at js/src/gc/Barrier.h:664
#6  JS::Realm::maybeGlobal (this=0x7fefa1977000) at js/src/vm/Realm-inl.h:26
/snip

For detailed crash information, see attachment.

I don't think this is s-s since it's related to debugger but GC is also involved so setting it to be safe.
Due to skipped revisions, the first bad revision could be any of:

changeset:   https://hg.mozilla.org/mozilla-central/rev/3d706269aea5
parent:      32810619d6b3
user:        Yoshi Cheng-Hao Huang
date:        Thu Dec 20 15:34:25 2018 +0100
summary:     Bug 1515648 - Part 1: Assert read barriers won't fire during collection. r=jonco

changeset:   https://hg.mozilla.org/mozilla-central/rev/8fe391c74c65
user:        Yoshi Cheng-Hao Huang
date:        Thu Dec 20 15:43:56 2018 +0100
summary:     Bug 1515648 - Part 2: fix in Shape.cpp. r=jonco

changeset:   https://hg.mozilla.org/mozilla-central/rev/c4c07de1d4f4
user:        Yoshi Cheng-Hao Huang
date:        Fri Dec 14 15:11:10 2018 +0100
summary:     Bug 1515648 - Part 3: use unbarrieredGet() for Debugger. r=jonco

changeset:   https://hg.mozilla.org/mozilla-central/rev/64e9482f70bc
user:        Yoshi Cheng-Hao Huang
date:        Wed Dec 19 17:30:10 2018 +0100
summary:     Bug 1515648 - Part 4: fix in SavedStacks.cpp. r=jonco

Yoshi, is bug 1515648 a likely regressor?
Blocks: 1515648
Flags: needinfo?(allstars.chh)
Assignee: nobody → allstars.chh
Status: NEW → ASSIGNED
Flags: needinfo?(allstars.chh)
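The backtrace above shows a read barrier (ReadBarriered::get) firing on the debuggee global while JS::RuntimeHeapIsCollecting() is true, which is exactly what the Part 1 assertion from bug 1515648 forbids, and the Part 3 commit switches Debugger over to unbarrieredGet(). The following is an added, constructed model of that invariant; it is not SpiderMonkey code, and every name in it (Runtime, ReadBarriered, Debuggee, sweepDebuggees) is a toy stand-in chosen to mirror the backtrace, not the engine's real types or signatures. Instead of aborting, the model counts barrier hits during collection so the buggy and fixed paths can be compared:

```cpp
#include <string>
#include <vector>

// Constructed model (not SpiderMonkey code) of the invariant behind this
// bug's assertion: a read barrier must not fire while the heap is being
// collected, because the collector already owns the marking state.
struct Runtime {
    bool collecting = false;           // stands in for JS::RuntimeHeapIsCollecting()
    int barrierFiredDuringGC = 0;      // the condition the real debug assertion catches
    std::vector<std::string> log;      // barrier activity, for inspection
};

struct GlobalObject {
    std::string name;
    bool marked = false;               // toy marking bit set by the mutator-side barrier
};

template <typename T>
class ReadBarriered {
    T* ptr_;
    Runtime* rt_;
public:
    ReadBarriered(T* p, Runtime* rt) : ptr_(p), rt_(rt) {}

    // Barriered read: the mutator path. It marks the cell so an incremental
    // GC cannot free something the mutator just observed. Taking this path
    // during collection is the violation the assertion reports.
    T* get() {
        if (rt_->collecting) {
            rt_->barrierFiredDuringGC++;
            rt_->log.push_back("read barrier during GC on " + ptr_->name);
        } else {
            ptr_->marked = true;
            rt_->log.push_back("read barrier on " + ptr_->name);
        }
        return ptr_;
    }

    // Unbarriered read: for code that runs inside the collector itself,
    // which is the shape of the Debugger fix referenced in the regression range.
    T* unbarrieredGet() const { return ptr_; }
};

// Stand-in for a Debugger-like structure that holds a debuggee global.
struct Debuggee {
    ReadBarriered<GlobalObject> global;
};

// Simulated GC phase that must look at each debuggee's global while the
// heap is collecting. `useBarrier` selects the buggy path (get()) or the
// fixed path (unbarrieredGet()). Returns how many barriers fired during GC.
int sweepDebuggees(Runtime& rt, std::vector<Debuggee>& dbgs, bool useBarrier) {
    rt.collecting = true;
    for (auto& d : dbgs) {
        GlobalObject* g = useBarrier ? d.global.get() : d.global.unbarrieredGet();
        (void)g;  // a real sweep would inspect g here
    }
    rt.collecting = false;
    return rt.barrierFiredDuringGC;
}

// Mutator-side access outside a collection: the barrier is expected here
// and should mark the cell. Returns whether the cell ended up marked.
bool mutatorReadMarks(Runtime& rt, Debuggee& d) {
    return d.global.get()->marked;
}
```

Running sweepDebuggees with useBarrier set reproduces the condition the assertion guards against (one barrier during GC); with it cleared the same traversal completes without touching the barrier, while ordinary mutator reads still mark the cell.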
Attached patch Patch (obsolete) — Splinter Review
Attachment #9034440 - Flags: review?(jcoppeard)
Comment on attachment 9034440 [details] [diff] [review]
Patch

Review of attachment 9034440 [details] [diff] [review]:
-----------------------------------------------------------------

Nice!

::: js/src/jit-test/tests/debug/onExceptionUnwind-16.js
@@ +1,1 @@
> +(function() {

Generally test cases like this should be named after the bug (e.g. bug-123456.js), otherwise it looks like this is a feature test.  This should probably go in jit-test/tests/gc too.
Attachment #9034440 - Flags: review?(jcoppeard) → review+
Attached patch Patch. v2 — Splinter Review
Attachment #9034440 - Attachment is obsolete: true
Attachment #9034748 - Flags: review+
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security-release