Closed Bug 1517158 Opened 7 years ago Closed 7 years ago

Assertion failure: !JS::RuntimeHeapIsCollecting(), at js/src/gc/Cell.h:356

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla66
Tracking Status
firefox-esr60 --- unaffected
firefox64 --- unaffected
firefox65 --- unaffected
firefox66 --- verified

People

(Reporter: gkw, Assigned: allstars.chh)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files, 1 obsolete file)

The following testcase crashes on mozilla-central revision 0def5ac36b5b (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/jit-test/tests/debug/onExceptionUnwind-03.js
(function() {
    var g = newGlobal();
    g.debuggeeGlobal = this;
    g.eval("(" + function() {
        dbg = new Debugger(debuggeeGlobal);
        dbg.onExceptionUnwind = function(frame, exc) {
            var s = '!';
            for (var f = frame; f; f = f.older)
                if (f.type === "call")
                    s += f.callee.name;
        };
    } + ")();");
    try {
        h();
    } catch (e) {}
    g.dbg.enabled = false;
})();
// jsfunfuzz-generated
startgc(114496726);

Backtrace:

#0 js::gc::TenuredCell::readBarrier (thing=0x7fefa178b060) at js/src/gc/Cell.h:355
#1 0x000055f31a05de67 in JSObject::readBarrier (obj=0x7fefa178b060) at js/src/vm/JSObject.h:676
#2 js::InternalBarrierMethods<js::GlobalObject*>::readBarrier (v=0x7fefa178b060) at js/src/gc/Barrier.h:268
#3 js::ReadBarrieredBase<js::GlobalObject*>::read (this=0x7fefa1977048) at js/src/gc/Barrier.h:602
#4 js::ReadBarriered<js::GlobalObject*>::get (this=<optimized out>) at js/src/gc/Barrier.h:653
#5 js::ReadBarriered<js::GlobalObject*>::operator-> (this=<optimized out>) at js/src/gc/Barrier.h:664
#6 JS::Realm::maybeGlobal (this=0x7fefa1977000) at js/src/vm/Realm-inl.h:26
/snip

For detailed crash information, see attachment. I don't think this is s-s since it's related to debugger, but GC is also involved, so setting it to be safe.
Due to skipped revisions, the first bad revision could be any of:

changeset: https://hg.mozilla.org/mozilla-central/rev/3d706269aea5
parent: 32810619d6b3
user: Yoshi Cheng-Hao Huang
date: Thu Dec 20 15:34:25 2018 +0100
summary: Bug 1515648 - Part 1: Assert read barriers won't fire during collection. r=jonco

changeset: https://hg.mozilla.org/mozilla-central/rev/8fe391c74c65
user: Yoshi Cheng-Hao Huang
date: Thu Dec 20 15:43:56 2018 +0100
summary: Bug 1515648 - Part 2: fix in Shape.cpp. r=jonco

changeset: https://hg.mozilla.org/mozilla-central/rev/c4c07de1d4f4
user: Yoshi Cheng-Hao Huang
date: Fri Dec 14 15:11:10 2018 +0100
summary: Bug 1515648 - Part 3: use unbarrieredGet() for Debugger. r=jonco

changeset: https://hg.mozilla.org/mozilla-central/rev/64e9482f70bc
user: Yoshi Cheng-Hao Huang
date: Wed Dec 19 17:30:10 2018 +0100
summary: Bug 1515648 - Part 4: fix in SavedStacks.cpp. r=jonco

Yoshi, is bug 1515648 a likely regressor?
Blocks: 1515648
Flags: needinfo?(allstars.chh)
Assignee: nobody → allstars.chh
Status: NEW → ASSIGNED
Flags: needinfo?(allstars.chh)
Attached patch Patch (obsolete) — Splinter Review
Attachment #9034440 - Flags: review?(jcoppeard)
Comment on attachment 9034440 [details] [diff] [review]
Patch

Review of attachment 9034440 [details] [diff] [review]:
-----------------------------------------------------------------

Nice!

::: js/src/jit-test/tests/debug/onExceptionUnwind-16.js
@@ +1,1 @@
> +(function() {

Generally test cases like this should be named after the bug (e.g. bug-123456.js), otherwise it looks like this is a feature test. This should probably go in jit-test/tests/gc too.
Attachment #9034440 - Flags: review?(jcoppeard) → review+
Attached patch Patch. v2 — Splinter Review
Attachment #9034440 - Attachment is obsolete: true
Attachment #9034748 - Flags: review+
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security-release
Keywords: bugmon