Assertion failure: !JS::RuntimeHeapIsCollecting(), at js/src/gc/Cell.h:356

VERIFIED FIXED in Firefox 66

Status: defect, critical, VERIFIED FIXED (reported 4 months ago, last modified 28 days ago)

People: Reporter: gkw, Assigned: allstars.chh

Tracking: Blocks 2 bugs, 5 keywords; Version: Trunk; Target Milestone: mozilla66; Platform: x86_64 Linux

Firefox Tracking Flags: firefox-esr60 unaffected, firefox64 unaffected, firefox65 unaffected, firefox66 verified

Details: Whiteboard: [jsbugmon:update]

Attachments: 2 attachments, 1 obsolete attachment

Description (Reporter, 4 months ago)
The following testcase crashes on mozilla-central revision 0def5ac36b5b (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/jit-test/tests/debug/onExceptionUnwind-03.js
(function() {
    var g = newGlobal();
    g.debuggeeGlobal = this;
    g.eval("(" + function() {
        dbg = new Debugger(debuggeeGlobal);
        dbg.onExceptionUnwind = function(frame, exc) {
            var s = '!';
            for (var f = frame; f; f = f.older)
                if (f.type === "call")
                    s += f.callee.name;
        };
    } + ")();");
    try {
        h();
    } catch (e) {}
    g.dbg.enabled = false;
})();
// jsfunfuzz-generated
startgc(114496726);

Backtrace:

#0  js::gc::TenuredCell::readBarrier (thing=0x7fefa178b060) at js/src/gc/Cell.h:355
#1  0x000055f31a05de67 in JSObject::readBarrier (obj=0x7fefa178b060) at js/src/vm/JSObject.h:676
#2  js::InternalBarrierMethods<js::GlobalObject*>::readBarrier (v=0x7fefa178b060) at js/src/gc/Barrier.h:268
#3  js::ReadBarrieredBase<js::GlobalObject*>::read (this=0x7fefa1977048) at js/src/gc/Barrier.h:602
#4  js::ReadBarriered<js::GlobalObject*>::get (this=<optimized out>) at js/src/gc/Barrier.h:653
#5  js::ReadBarriered<js::GlobalObject*>::operator-> (this=<optimized out>) at js/src/gc/Barrier.h:664
#6  JS::Realm::maybeGlobal (this=0x7fefa1977000) at js/src/vm/Realm-inl.h:26
/snip

For detailed crash information, see attachment.

I don't think this is s-s since it's related to the debugger, but GC is also involved, so setting it to be safe.
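The assertion in the title enforces a GC invariant: a read barrier exists so that a mutator read during an incremental collection marks the cell it touched, and once the collector itself is running such a read must not happen. The regressing changesets (Part 1 adds the assertion, Part 3 switches the Debugger to unbarrieredGet()) describe exactly that split between barriered and unbarriered access. The following is an added model of that mechanism, not SpiderMonkey code: the Cell, ReadBarriered, readBarrier and inspectGlobalDuringGC names, the counter standing in for the assertion, and the simulated "is collecting" flag are all assumptions made for illustration.

```cpp
// Added example (not SpiderMonkey's code): a minimal model of why a read
// barrier must not fire while the heap is being collected, and of the
// barriered vs. unbarriered accessor split the Part 3 fix relies on.
#include <cstdio>

namespace barrier_model {

// Hypothetical stand-in for JS::RuntimeHeapIsCollecting(): true while the
// simulated collector is running.
static bool gHeapIsCollecting = false;

// Real SpiderMonkey asserts when the barrier fires during collection (the
// failure reported in this bug); this model counts such events instead so the
// behaviour can be checked without aborting.
static int gBarrierFiredDuringGC = 0;

struct Cell {
  bool marked = false;
};

// Hypothetical read barrier: an incremental collector must mark anything the
// mutator reads so it is not freed later in the same cycle. Once the collector
// is running, this mutator-style path must not be taken at all.
inline void readBarrier(Cell* cell) {
  if (gHeapIsCollecting) {
    ++gBarrierFiredDuringGC;  // would be MOZ_ASSERT(!RuntimeHeapIsCollecting())
    return;
  }
  cell->marked = true;
}

template <typename T>
class ReadBarriered {
 public:
  explicit ReadBarriered(T* p) : ptr_(p) {}
  // Normal mutator access: goes through the barrier.
  T* get() const { readBarrier(ptr_); return ptr_; }
  // Collector-internal access: no barrier. The caller takes responsibility
  // for only using this from code that is allowed to run during a collection,
  // which is what the Debugger fix switched to.
  T* unbarrieredGet() const { return ptr_; }
 private:
  T* ptr_;
};

// Simulates debugger-side code inspecting a global while a collection is in
// progress. 'barriered' selects the buggy path (get()) or the fixed path
// (unbarrieredGet()); returns how many barrier-during-GC violations occurred.
inline int inspectGlobalDuringGC(bool barriered) {
  Cell global;
  ReadBarriered<Cell> ref(&global);
  gBarrierFiredDuringGC = 0;
  gHeapIsCollecting = true;
  Cell* seen = barriered ? ref.get() : ref.unbarrieredGet();
  gHeapIsCollecting = false;
  (void)seen;
  return gBarrierFiredDuringGC;
}

// Outside a collection the barrier is expected to fire and mark the cell,
// which is the whole reason the barriered accessor exists.
inline bool barrierMarksOutsideGC() {
  Cell global;
  ReadBarriered<Cell> ref(&global);
  gHeapIsCollecting = false;
  ref.get();
  return global.marked;
}

}  // namespace barrier_model

int main() {
  std::printf("violations with get() during GC:            %d\n",
              barrier_model::inspectGlobalDuringGC(true));
  std::printf("violations with unbarrieredGet() during GC: %d\n",
              barrier_model::inspectGlobalDuringGC(false));
  std::printf("cell marked by barrier outside GC:          %d\n",
              barrier_model::barrierMarksOutsideGC() ? 1 : 0);
  return 0;
}
```

The model makes the trade-off visible: the barriered accessor is the safe default for mutator code, and the unbarriered one is an explicit opt-out that only code known to run inside the collector should use, which is why the assertion added in Part 1 is worth keeping even though it turned a silent invariant violation into a crash under fuzzing.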
Comment 2 (Reporter, 4 months ago)
Due to skipped revisions, the first bad revision could be any of:

changeset:   https://hg.mozilla.org/mozilla-central/rev/3d706269aea5
parent:      32810619d6b3
user:        Yoshi Cheng-Hao Huang
date:        Thu Dec 20 15:34:25 2018 +0100
summary:     Bug 1515648 - Part 1: Assert read barriers won't fire during collection. r=jonco

changeset:   https://hg.mozilla.org/mozilla-central/rev/8fe391c74c65
user:        Yoshi Cheng-Hao Huang
date:        Thu Dec 20 15:43:56 2018 +0100
summary:     Bug 1515648 - Part 2: fix in Shape.cpp. r=jonco

changeset:   https://hg.mozilla.org/mozilla-central/rev/c4c07de1d4f4
user:        Yoshi Cheng-Hao Huang
date:        Fri Dec 14 15:11:10 2018 +0100
summary:     Bug 1515648 - Part 3: use unbarrieredGet() for Debugger. r=jonco

changeset:   https://hg.mozilla.org/mozilla-central/rev/64e9482f70bc
user:        Yoshi Cheng-Hao Huang
date:        Wed Dec 19 17:30:10 2018 +0100
summary:     Bug 1515648 - Part 4: fix in SavedStacks.cpp. r=jonco

Yoshi, is bug 1515648 a likely regressor?
Blocks: 1515648
Flags: needinfo?(allstars.chh)
Assignee: nobody → allstars.chh
Status: NEW → ASSIGNED
Flags: needinfo?(allstars.chh)
Posted patch Patch (obsolete) — Splinter Review
Attachment #9034440 - Flags: review?(jcoppeard)
Comment on attachment 9034440 [details] [diff] [review]
Patch

Review of attachment 9034440 [details] [diff] [review]:
-----------------------------------------------------------------

Nice!

::: js/src/jit-test/tests/debug/onExceptionUnwind-16.js
@@ +1,1 @@
> +(function() {

Generally, test cases like this should be named after the bug (e.g. bug-123456.js); otherwise it looks like this is a feature test. This should probably go in jit-test/tests/gc too.
Attachment #9034440 - Flags: review?(jcoppeard) → review+
Posted patch Patch. v2 — Splinter Review
Attachment #9034440 - Attachment is obsolete: true
Attachment #9034748 - Flags: review+
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Last Resolved: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66

Updated (3 months ago)
Status: RESOLVED → VERIFIED

Comment 7 (3 months ago)
JSBugMon: This bug has been automatically verified fixed.
Group: core-security-release