Closed
Bug 1543014
Opened 5 years ago
Closed 5 years ago
Assertion failure: WeakMapBase::checkMarkingForZone(zone), at js/src/gc/GC.cpp:5287 with evalInWorker and WeakMap
Categories
(Core :: JavaScript: GC, defect)
Tracking
()
RESOLVED
FIXED
mozilla68
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox66 | --- | wontfix |
| firefox67 | --- | wontfix |
| firefox68 | --- | fixed |
People
(Reporter: decoder, Assigned: jonco)
References
(Regression)
Details
(4 keywords, Whiteboard: [jsbugmon:])
Attachments
(1 file)
The following testcase crashes on mozilla-central revision bdaf1b36c442 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):
evalInWorker(`
var sym4 = Symbol.match;
function basicSweeping() {};
var wm1 = new WeakMap();
wm1.set(basicSweeping, sym4);
startgc(100000, 'shrinking');
`);
gczeal(2);
var d1 = newGlobal({});
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 MaybeCheckWeakMapMarking (gc=0x7ffff59af6d8) at js/src/gc/GC.cpp:5287
#1 js::gc::GCRuntime::endMarkingSweepGroup (this=0x7ffff59af6d8, fop=<optimized out>, budget=...) at js/src/gc/GC.cpp:5357
#2 0x000055555602efd0 in sweepaction::SweepActionSequence<js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run (this=0x7ffff5992240, args#0=0x7ffff59af6d8, args#1=0x7ffff68fd7a0, args#2=...) at js/src/gc/GC.cpp:6333
#3 0x000055555602fcea in sweepaction::SweepActionRepeatFor<js::gc::SweepGroupsIter, JSRuntime*, js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run (this=0x7ffff5998340, args#0=0x7ffff59af6d8, args#1=0x7ffff68fd7a0, args#2=...) at js/src/gc/GC.cpp:6393
#4 0x0000555555fdf97a in js::gc::GCRuntime::performSweepActions (this=this@entry=0x7ffff59af6d8, budget=...) at js/src/gc/GC.cpp:6565
#5 0x0000555555ff6a91 in js::gc::GCRuntime::incrementalSlice (this=this@entry=0x7ffff59af6d8, budget=..., reason=reason@entry=JS::GCReason::DEBUG_GC, session=...) at js/src/gc/GC.cpp:7086
#6 0x0000555555ff75da in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff59af6d8, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::GCReason::DEBUG_GC) at js/src/gc/GC.cpp:7437
#7 0x0000555555ff7c5c in js::gc::GCRuntime::collect (this=this@entry=0x7ffff59af6d8, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::GCReason::DEBUG_GC) at js/src/gc/GC.cpp:7610
#8 0x0000555555ff9975 in js::gc::GCRuntime::startDebugGC (this=this@entry=0x7ffff59af6d8, gckind=GC_SHRINK, budget=...) at js/src/gc/GC.cpp:7758
#9 0x0000555555c21fb5 in StartGC (cx=<optimized out>, cx@entry=0x7ffff5993000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1218
#10 0x00005555558f0a99 in CallJSNative (cx=0x7ffff5993000, native=native@entry=0x555555c21f10 <StartGC(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:442
[...]
#20 0x000055555585a0f1 in WorkerMain (input=<optimized out>) at js/src/shell/js.cpp:4035
#21 0x000055555585c992 in js::detail::ThreadTrampoline<void (&)(WorkerInput*), WorkerInput*&>::callMain<0ul> (this=0x7ffff5f1aeb0) at js/src/threading/Thread.h:239
#22 js::detail::ThreadTrampoline<void (&)(WorkerInput*), WorkerInput*&>::Start (aPack=0x7ffff5f1aeb0) at js/src/threading/Thread.h:232
#23 0x00007ffff7bc16ba in start_thread (arg=0x7ffff68ff700) at pthread_create.c:333
#24 0x00007ffff6c2c41d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax 0x555557c3d300 93825033032448
rbx 0x7ffff59b06d0 140737313965776
rcx 0x555556bc88e8 93825015777512
rdx 0x0 0
rsi 0x7ffff6eeb770 140737336227696
rdi 0x7ffff6eea540 140737336223040
rbp 0x7ffff68fd670 140737330009712
rsp 0x7ffff68fd5f0 140737330009584
r8 0x7ffff6eeb770 140737336227696
r9 0x7ffff68ff700 140737330018048
r10 0x58 88
r11 0x7ffff6b927a0 140737332717472
r12 0x7ffff59af6d8 140737313961688
r13 0x7ffff68fd5f0 140737330009584
r14 0x7ffff59af760 140737313961824
r15 0x0 0
rip 0x555555fdfd5c <js::gc::GCRuntime::endMarkingSweepGroup(js::FreeOp*, js::SliceBudget&)+444>
=> 0x555555fdfd5c <js::gc::GCRuntime::endMarkingSweepGroup(js::FreeOp*, js::SliceBudget&)+444>: movl $0x0,0x0
0x555555fdfd67 <js::gc::GCRuntime::endMarkingSweepGroup(js::FreeOp*, js::SliceBudget&)+455>: ud2
This could be the same as bug 1542387 but it is hard to say because the test there is unreduced. This bug is also no new regression, it just took me quite a while to get the testcase somewhat reproducible. The test here is also still slightly intermittent, so bisection/tracking might fail.
|
||
Updated•5 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
|
|
||
Comment 1•5 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
|
|
||
Updated•5 years ago
|
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
|
Assignee | |
Updated•5 years ago
|
Assignee: nobody → jcoppeard
|
|
Assignee | |
Comment 2•5 years ago
|
||
The problem is that we're looking at a weakmap value that is owned by another runtime (in this case it's a well know symbol). These are shared between runtimes and never die, so we don't have to worry about whether it's marked or not.
|
|
Assignee | |
Comment 3•5 years ago
|
||
|
||
Comment 4•5 years ago
|
||
It looks like this is a bug in the verifier, so I'm going to unhide this.
Group: javascript-core-security
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/0d99df46e4c9 Skip checking weakmap value marking for values owned by other runtimes r=sfink
|
||
Comment 6•5 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
|
||
Updated•5 years ago
|
status-firefox66:
--- → wontfix
status-firefox67:
--- → wontfix
status-firefox-esr60:
--- → unaffected
Flags: in-testsuite+
Regressed by: 1513465
|
||
Updated•2 years ago
|
Has Regression Range: --- → yes
You need to log in
before you can comment on or make changes to this bug.
Description
•