Closed Bug 1520778 Opened 8 months ago Closed 8 months ago

Assertion failure: WeakMapBase::checkMarkingForZone(zone), at js/src/gc/GC.cpp:5278 with Debugger

Categories

(Core :: JavaScript Engine, defect, P1, critical)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
mozilla66
Tracking Status
firefox-esr60 --- unaffected
firefox64 --- unaffected
firefox65 --- wontfix
firefox66 --- fixed

People

(Reporter: decoder, Assigned: sfink)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision e56cc5e7b57a (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

gcparam("markStackLimit", 1);   // shrink the mark stack so marking overflows it
var g = newGlobal({
    newCompartment: true
});
var dbg = new Debugger;
var gw = dbg.addDebuggee(g);
dbg.onDebuggerStatement = function(frame) {
  // Debugger.Environment wrappers are tracked in one of the Debugger's weak maps
  frame.environment.parent.getVariable('y')
};
g.eval(`
  let y = 1;
  g = function () { debugger; };
  g();
`);
gczeal(9, 10);   // trigger debug GCs from the allocator (runDebugGC in the backtrace)
// intentionally undefined: the ReferenceError captures a stack, which allocates a
// SavedFrame and runs the GC slice that hits the assertion
f4();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0 MaybeCheckWeakMapMarking (gc=0x7ffff5f1c6a0) at js/src/gc/GC.cpp:5278
#1 js::gc::GCRuntime::endMarkingSweepGroup (this=0x7ffff5f1c6a0, fop=<optimized out>, budget=...) at js/src/gc/GC.cpp:5348
#2 0x00005555560095f0 in sweepaction::SweepActionSequence<js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run (this=0x7ffff5f17330, args#0=0x7ffff5f1c6a0, args#1=0x7fffffffa8b0, args#2=...) at js/src/gc/GC.cpp:6330
#3 0x000055555600b28a in sweepaction::SweepActionRepeatFor<js::gc::SweepGroupsIter, JSRuntime*, js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run (this=0x7ffff5f18250, args#0=0x7ffff5f1c6a0, args#1=0x7fffffffa8b0, args#2=...) at js/src/gc/GC.cpp:6390
#4 0x0000555555fca887 in js::gc::GCRuntime::performSweepActions (this=this@entry=0x7ffff5f1c6a0, budget=...) at js/src/gc/GC.cpp:6562
#5 0x0000555555fd4641 in js::gc::GCRuntime::incrementalSlice (this=this@entry=0x7ffff5f1c6a0, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC, session=...) at js/src/gc/GC.cpp:7085
#6 0x0000555555fd4fa2 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff5f1c6a0, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/gc/GC.cpp:7439
#7 0x0000555555fd57e5 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff5f1c6a0, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/gc/GC.cpp:7611
#8 0x0000555555fd780b in js::gc::GCRuntime::runDebugGC (this=this@entry=0x7ffff5f1c6a0) at js/src/gc/GC.cpp:8232
#9 0x0000555555fd795e in js::gc::GCRuntime::gcIfNeededAtAllocation (this=0x7ffff5f1c6a0, cx=cx@entry=0x7ffff5f19000) at js/src/gc/Allocator.cpp:338
#10 0x000055555600bd08 in js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=<optimized out>, cx=cx@entry=0x7ffff5f19000, kind=kind@entry=js::gc::AllocKind::ACCESSOR_SHAPE) at js/src/gc/Allocator.cpp:302
#11 0x000055555600c87d in js::Allocate<js::AccessorShape, (js::AllowGC)1> (cx=0x7ffff5f19000) at js/src/gc/Allocator.cpp:247
#12 0x0000555555cf2d85 in js::Shape::new_ (nfixed=0, other=..., cx=0x7ffff5f19000) at js/src/vm/Shape-inl.h:99
#13 js::PropertyTree::inlinedGetChild (this=0x7ffff5f559d0, cx=<optimized out>, cx@entry=0x7ffff5f19000, parent=<optimized out>, parent@entry=0x16bfe7fdc040, child=child@entry=...) at js/src/vm/Shape.cpp:1768
#14 0x0000555555cfc111 in js::NativeObject::getChildAccessorProperty (cx=0x7ffff5f19000, obj=obj@entry=..., parent=parent@entry=..., child=child@entry=...) at js/src/vm/Shape.cpp:373
#15 0x0000555555cd7ea8 in js::NativeObject::addAccessorPropertyInternal (cx=<optimized out>, cx@entry=0x7ffff5f19000, obj=..., obj@entry=..., id=..., id@entry=..., getter=<optimized out>, getter@entry=0x16bfe7fda140, setter=<optimized out>, setter@entry=0x0, attrs=attrs@entry=48, table=<optimized out>, entry=<optimized out>, keep=...) at js/src/vm/Shape.cpp:585
#16 0x0000555555ba5f51 in js::NativeObject::addAccessorProperty (attrs=48, setter=0x0, getter=0x16bfe7fda140, id=..., obj=..., cx=0x7ffff5f19000) at js/src/vm/Shape-inl.h:414
#17 AddOrChangeProperty<(IsAddOrChange)0> (cx=0x7ffff5f19000, obj=..., id=..., desc=...) at js/src/vm/NativeObject.cpp:1447
#18 0x0000555555ba88f1 in js::NativeDefineProperty (cx=cx@entry=0x7ffff5f19000, obj=..., id=..., id@entry=..., desc_=..., result=...) at js/src/vm/NativeObject.cpp:1749
#19 0x0000555555b3ae28 in js::DefineAccessorProperty (cx=cx@entry=0x7ffff5f19000, obj=..., id=..., getter=..., setter=..., attrs=attrs@entry=16, result=...) at js/src/vm/JSObject.cpp:3052
#20 0x0000555555b3aeaa in js::DefineAccessorProperty (cx=cx@entry=0x7ffff5f19000, obj=obj@entry=..., id=id@entry=..., getter=..., getter@entry=..., setter=..., setter@entry=..., attrs=attrs@entry=16) at js/src/vm/JSObject.cpp:3088
#21 0x0000555555e0469e in DefineAccessorPropertyById (cx=0x7ffff5f19000, obj=..., obj@entry=..., id=..., id@entry=..., getter=..., getter@entry=..., setter=..., setter@entry=..., attrs=attrs@entry=16) at js/src/jsapi.cpp:1886
#22 0x0000555555e04c37 in DefineAccessorPropertyById (cx=<optimized out>, cx@entry=0x7ffff5f19000, obj=..., obj@entry=..., id=..., id@entry=..., get=..., set=..., attrs=16, attrs@entry=0) at js/src/jsapi.cpp:1933
#23 0x0000555555e05187 in JS_DefineProperties (cx=0x7ffff5f19000, obj=..., obj@entry=..., ps=0x555557b651f0 <js::SavedFrame::protoAccessors+48>) at js/src/jsapi.cpp:2937
#24 0x0000555555afd761 in js::GlobalObject::resolveConstructor (cx=<optimized out>, cx@entry=0x7ffff5f19000, global=global@entry=..., key=key@entry=JSProto_SavedFrame, mode=mode@entry=js::GlobalObject::IfClassIsDisabled::Throw) at js/src/vm/GlobalObject.cpp:258
#25 0x0000555555bf83ce in js::GlobalObject::ensureConstructor (key=JSProto_SavedFrame, global=..., cx=0x7ffff5f19000) at js/src/vm/GlobalObject.h:163
#26 js::GlobalObject::getOrCreateSavedFramePrototype (global=..., cx=0x7ffff5f19000) at js/src/vm/GlobalObject.h:414
#27 js::SavedFrame::create (cx=0x7ffff5f19000) at js/src/vm/SavedStacks.cpp:519
#28 0x0000555555c0a77d in js::SavedStacks::createFrameFromLookup (this=this@entry=0x7ffff5f789e8, cx=<optimized out>, lookup=lookup@entry=...) at js/src/vm/SavedStacks.cpp:1600
#29 0x0000555555c0a962 in js::SavedStacks::getOrCreateSavedFrame (this=this@entry=0x7ffff5f789e8, cx=<optimized out>, lookup=lookup@entry=...) at js/src/vm/SavedStacks.cpp:1586
#30 0x0000555555c0c227 in js::SavedStacks::insertFrames(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=this@entry=0x7ffff5f789e8, cx=<optimized out>, cx@entry=0x7ffff5f19000, frame=..., capture=capture@entry=<unknown type in /mnt/LangFuzz/work/builds/debug64/dist/bin/js, CU 0x24aa44a, DIE 0x26a6059>) at js/src/vm/SavedStacks.cpp:1441
#31 0x0000555555c0ce8e in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=0x7ffff5f789e8, cx=cx@entry=0x7ffff5f19000, frame=..., capture=capture@entry=<unknown type in /mnt/LangFuzz/work/builds/debug64/dist/bin/js, CU 0x24aa44a, DIE 0x26a6059>) at js/src/vm/SavedStacks.cpp:1185
#32 0x0000555555e0a2a5 in JS::CaptureCurrentStack(JSContext*, JS::MutableHandle<JSObject*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (cx=0x7ffff5f19000, stackp=..., capture=capture@entry=<unknown type ...>) at js/src/jsapi.cpp:6057
#33 0x0000555555e2a77b in CaptureStack (cx=<optimized out>, stack=..., stack@entry=...) at js/src/jsexn.cpp:319
#34 0x0000555555e33d17 in js::ErrorToException (cx=<optimized out>, reportp=0x7fffffffc690, callback=<optimized out>, userRef=<optimized out>) at js/src/jsexn.cpp:656
#35 0x0000555555b27c76 in js::ReportErrorNumberVA (cx=cx@entry=0x7ffff5f19000, flags=<optimized out>, flags@entry=0, callback=callback@entry=0x555555b15050 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=1, argumentsType=argumentsType@entry=js::ArgumentsAreUTF8, ap=0x7fffffffc770) at js/src/vm/JSContext.cpp:828
#36 0x0000555555df1c28 in JS_ReportErrorNumberUTF8VA (cx=0x7ffff5f19000, errorCallback=0x555555b15050 <js::GetErrorMessage(void*, unsigned int)>, userRef=0x0, errorNumber=1, ap=ap@entry=0x7fffffffc770) at js/src/jsapi.cpp:4848
#37 0x0000555555df1cd8 in JS_ReportErrorNumberUTF8 (cx=cx@entry=0x7ffff5f19000, errorCallback=errorCallback@entry=0x555555b15050 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=1) at js/src/jsapi.cpp:4837
#38 0x0000555555b24349 in js::ReportIsNotDefined (id=..., cx=0x7ffff5f19000) at js/src/vm/JSContext.cpp:875
#39 js::ReportIsNotDefined (cx=<optimized out>, name=...) at js/src/vm/JSContext.cpp:881
#40 0x00005555559018c8 in js::FetchName<(js::GetNameMode)0> (cx=<optimized out>, receiver=..., holder=..., name=..., prop=..., vp=...) at js/src/vm/Interpreter-inl.h:181
#41 0x00005555558edda5 in js::GetEnvironmentName<(js::GetNameMode)0> (vp=..., name=..., envChain=..., cx=<optimized out>) at js/src/vm/Interpreter-inl.h:256
#42 GetNameOperation (vp=..., pc=<optimized out>, fp=<optimized out>, cx=0x7ffff5f19000) at js/src/vm/Interpreter.cpp:241
#43 Interpret (cx=0x7ffff5f19000, state=...) at js/src/vm/Interpreter.cpp:3217
[...]
#53 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11328
rax 0x555557bee280 93825032708736
rbx 0x7ffff5f1d668 140737319655016
rcx 0x555556b81b40 93825015487296
rdx 0x0 0
rsi 0x7ffff6eeb770 140737336227696
rdi 0x7ffff6eea540 140737336223040
rbp 0x7fffffffa780 140737488332672
rsp 0x7fffffffa700 140737488332544
r8 0x7ffff6eeb770 140737336227696
r9 0x7ffff7fe6c80 140737354034304
r10 0x58 88
r11 0x7ffff6b927a0 140737332717472
r12 0x7ffff5f1c6a0 140737319650976
r13 0x7fffffffa700 140737488332544
r14 0x7ffff5f1c720 140737319651104
r15 0x0 0
rip 0x555555fcac6c <js::gc::GCRuntime::endMarkingSweepGroup(js::FreeOp*, js::SliceBudget&)+444>
=> 0x555555fcac6c <js::gc::GCRuntime::endMarkingSweepGroup(js::FreeOp*, js::SliceBudget&)+444>: movl $0x0,0x0
0x555555fcac77 <js::gc::GCRuntime::endMarkingSweepGroup(js::FreeOp*, js::SliceBudget&)+455>: ud2

Assignee: nobody → jcoppeard
Priority: -- → P1

I should probably have spotted this when I reviewed your last patch, but we need to do markImplicitEdges() in both the Foo::traceChildren() methods and whatever our optimised marking path ends up calling, since either of these can get called to mark a thing.

Attachment #9037313 - Flags: review?(sphink)
Comment on attachment 9037313 [details] [diff] [review]
bug1520778-weakmap-marking

Review of attachment 9037313 [details] [diff] [review]:
-----------------------------------------------------------------

Doh! Yeah, I totally missed that. Actually, I think I did have it in -- but put in the wrong place, inside Shape::eagerlyMarkChildren or something, when I thought I was in LazyScript::eagerlyMarkChildren. Then I deleted it from Shape, because clearly it wasn't supposed to be there...

On the other hand, to re-figure out how all this stuff works, I needed to reread the big ASCII art comment at the top of the file, and found it to be incomplete. I'll send you a patch for that.
Attachment #9037313 - Flags: review?(sphink) → review+
I added in the markAndTraceChildren(T) -> T::traceChildren() edge, and also updated things to either foo(T) or T::foo() to specify whether they're overloads or class methods. It helped me get my head around things.
Attachment #9037611 - Flags: review?(jcoppeard)
Assignee: jcoppeard → sphink
Status: NEW → ASSIGNED
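As an added illustration of the invariant jcoppeard states above (markImplicitEdges() has to run on both the generic Foo::traceChildren() path and whatever the optimised marking path calls) and of the marking call graph sfink documents in the second patch, here is a toy C++ mark phase. It is example code written for this page, not SpiderMonkey code: the names markImplicitEdges, traceChildren and eagerlyMarkChildren are borrowed from the engine, but the Cell, WeakMap and Heap types, the mark loop and the consistency check are simplified stand-ins (the check plays the role of checkMarkingForZone). The heap it builds is constructed for the demonstration: a value that is reachable only through a weak-map entry whose key gets marked on the eager path.

```cpp
// Added example (not SpiderMonkey code): a toy mark phase modelling the
// invariant behind this bug. A weak-map entry is an "implicit edge" from its
// key to its value, and the collector has two ways to mark a cell's children,
// a generic traceChildren() and an optimised eager path. Both must call
// markImplicitEdges(); a post-marking check in the spirit of
// checkMarkingForZone() catches the path that forgets.
#include <map>
#include <vector>

struct Cell {
    bool marked = false;
    std::vector<Cell*> children;   // strong edges
};

// key -> value; the key is held weakly, the value is live iff the key is.
using WeakMap = std::map<Cell*, Cell*>;

struct Heap {
    std::vector<Cell*> roots;
    std::vector<WeakMap*> weakMaps;
};

using MarkStack = std::vector<Cell*>;

static void markCell(Cell* c, MarkStack& stack) {
    if (!c->marked) { c->marked = true; stack.push_back(c); }
}

// Mark every weak-map value whose key is `key` (the role of markImplicitEdges).
static void markImplicitEdges(Heap& h, Cell* key, MarkStack& stack) {
    for (WeakMap* m : h.weakMaps) {
        auto it = m->find(key);
        if (it != m->end()) markCell(it->second, stack);
    }
}

// Generic path: push strong children on the mark stack, then implicit edges.
static void traceChildren(Heap& h, Cell* c, MarkStack& stack) {
    for (Cell* child : c->children) markCell(child, stack);
    markImplicitEdges(h, c, stack);
}

// Optimised path: marks the subgraph eagerly, bypassing the mark stack.
// With fixImplicitEdges == false it skips markImplicitEdges(), which is the
// defect this bug describes.
static void eagerlyMarkChildren(Heap& h, Cell* c, MarkStack& stack, bool fixImplicitEdges) {
    for (Cell* child : c->children) {
        if (child->marked) continue;
        child->marked = true;
        eagerlyMarkChildren(h, child, stack, fixImplicitEdges);
    }
    if (fixImplicitEdges) markImplicitEdges(h, c, stack);
}

static void mark(Heap& h, bool useEagerPath, bool fixImplicitEdges) {
    MarkStack stack;
    for (Cell* r : h.roots) markCell(r, stack);
    while (!stack.empty()) {
        Cell* c = stack.back();
        stack.pop_back();
        if (useEagerPath) eagerlyMarkChildren(h, c, stack, fixImplicitEdges);
        else traceChildren(h, c, stack);
    }
}

// The check: every weak-map entry with a marked key must have a marked value.
static bool weakMapMarkingIsConsistent(const Heap& h) {
    for (WeakMap* m : h.weakMaps)
        for (auto& kv : *m)
            if (kv.first->marked && !kv.second->marked) return false;
    return true;
}

// Constructed heap: root -> key (strong), weakMap[key] = value, and value is
// reachable through the weak map only. Returns whether marking was consistent.
static bool runScenario(bool useEagerPath, bool fixImplicitEdges) {
    Cell root, key, value;
    root.children.push_back(&key);
    WeakMap wm;
    wm[&key] = &value;
    Heap h;
    h.roots.push_back(&root);
    h.weakMaps.push_back(&wm);
    mark(h, useEagerPath, fixImplicitEdges);
    return weakMapMarkingIsConsistent(h);
}

int main() {
    // Generic path is always consistent; the eager path only once it marks
    // implicit edges too.
    bool ok = runScenario(false, true) && !runScenario(true, false) && runScenario(true, true);
    return ok ? 0 : 1;
}
```

The model deliberately leaves out the ephemeron half of real weak-map marking (the map itself is traced and its entries are revisited when keys become marked later); it only shows why the per-key hook must exist on every marking path, which is the point of the fix landed here.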
Comment on attachment 9037611 [details] [diff] [review]
Update marking documentation

Review of attachment 9037611 [details] [diff] [review]:
-----------------------------------------------------------------

Nice, thanks for updating that.
Attachment #9037611 - Flags: review?(jcoppeard) → review+
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/48810cb8ba3f
Ensure implicit edges are marked on all paths through the marking code r=sfink
Status: ASSIGNED → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66