Closed Bug 1543208 Opened 6 years ago Closed 6 years ago

Crash [@ JS::Symbol::isWellKnownSymbol] involving the --gc-zeal runtime flag

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 --- unaffected
firefox68 --- fixed

People

(Reporter: gkw, Assigned: sfink)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:])

Crash Data

Attachments

(2 files)

Detailed Crash Information
8.53 KB, text/plain
Details
Bug 1543208 - Prevent GC from seeing uninitialized well-known symbols r=jonco
47 bytes, text/x-phabricator-request
Details | Review

The js shell crashes on mozilla-central revision ec009b98c217 (build with --enable-debug, run with --fuzzing-safe --no-threads --no-baseline --no-ion --gc-zeal=2,1) without any testcase.

Backtrace:

#0 JS::Symbol::isWellKnownSymbol (this=0xe4e4e4e4e4e4e4e4) at js/src/vm/SymbolType.h:74
#1 ThingIsPermanentAtomOrWellKnownSymbol (sym=<optimized out>) at js/src/gc/Marking.cpp:175
#2 js::TraceProcessGlobalRoot<JS::Symbol> (trc=0x7f21d0b1c6d0, thing=<optimized out>, name=0x55e1dafecaf6 "well_known_symbol") at js/src/gc/Marking.cpp:492
#3 0x000055e1dc3047f3 in js::TraceWellKnownSymbols (trc=0x7f21d0b1c6d0) at js/src/vm/JSAtom.cpp:469
#4 0x000055e1dc92f468 in js::gc::GCRuntime::traceRuntimeAtoms (this=0x7f21d0b1b6d8, trc=0x7f21d0b1c6d0, access=...) at js/src/gc/RootMarking.cpp:330
/snip

For detailed crash information, see attachment.

Whiteboard: [jsbugmon:update] → [jsbugmon:]

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/54dffe309994
user: Jon Coppeard
date: Mon Apr 01 18:36:41 2019 +0100
summary: Bug 1540719 - Perform a last ditch GC if symbol allocation fails as we do for most other GC things r=sfink

Jon, is bug 1540719 a likely regressor?

Flags: needinfo?(jcoppeard)
Summary: Crash [@ JS::Symbol::isWellKnownSymbol] → Crash [@ JS::Symbol::isWellKnownSymbol] involving the --gc-zeal runtime flag

Yes, it seems likely. I'll take a look.

Flags: needinfo?(jcoppeard)
Assignee: nobody → sphink
Status: NEW → ASSIGNED
Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8428f4ba4a51 Prevent GC from seeing uninitialized well-known symbols r=jonco

https://hg.mozilla.org/mozilla-central/rev/8428f4ba4a51

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox68: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: