Closed Bug 1543589 Opened 5 years ago Closed 5 years ago

Crash [@ js::gc::FreeLists::allocate] or Assertion failure: !zone()->isAtomsZone(), at vm/JSContext-inl.h:348

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
critical

Tracking

VERIFIED FIXED
mozilla68
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 --- unaffected
firefox68 --- verified

People

(Reporter: decoder, Assigned: jonco)

References

(Regression)

Details

(5 keywords, Whiteboard: [jsbugmon:update])

The following testcase crashes on mozilla-central revision a1eb490ba448 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

for (var i = 0; import("nonexistent.js");)
  Symbol();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555555d90cda in js::gc::FreeLists::allocate (kind=js::gc::AllocKind::SYMBOL, this=<optimized out>) at js/src/gc/ArenaList-inl.h:223
#1  js::gc::GCRuntime::tryNewTenuredThing<JS::Symbol, (js::AllowGC)1> (kind=js::gc::AllocKind::SYMBOL, thingSize=16, cx=0x7ffff5f27000) at js/src/gc/Allocator.cpp:264
#2  js::Allocate<JS::Symbol, (js::AllowGC)1> (cx=cx@entry=0x7ffff5f27000) at js/src/gc/Allocator.cpp:249
#3  0x0000555555b38343 in JS::Symbol::newInternal (description=..., hash=3514457843, code=<incomplete type>, cx=0x7ffff5f27000) at js/src/vm/SymbolType.cpp:27
#4  JS::Symbol::new_ (cx=cx@entry=0x7ffff5f27000, code=code@entry=<incomplete type>, description=..., description@entry=...) at js/src/vm/SymbolType.cpp:44
#5  0x0000555555a9b2e1 in js::SymbolObject::construct (cx=0x7ffff5f27000, argc=<optimized out>, vp=0x7fffffffc8a8) at js/src/builtin/Symbol.cpp:118
#6  0x00003ba1754672e0 in ?? ()
#7  0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x0	0
rcx	0x0	0
rdx	0x0	0
rsi	0x7fffffffc680	140737488340608
rdi	0x12dad24d790a16d	84914341736915309
rbp	0x7ffff5f27000	140737319694336
rsp	0x7fffffffc7a0	140737488340896
r8	0x298	664
r9	0x53	83
r10	0x10	16
r11	0x246	582
r12	0xffffffff	4294967295
r13	0xd17a5ef3	3514457843
r14	0x7ffff4d70000	140737301118976
r15	0x3ba17545b010	65564643274768
rip	0x555555d90cda <js::Allocate<JS::Symbol, (js::AllowGC)1>(JSContext*)+26>
=> 0x555555d90cda <js::Allocate<JS::Symbol, (js::AllowGC)1>(JSContext*)+26>:	mov    0xb8(%rax),%rdx
   0x555555d90ce1 <js::Allocate<JS::Symbol, (js::AllowGC)1>(JSContext*)+33>:	movzwl (%rdx),%eax

Marking s-s because this is a GC-related assertion/crash.

Assignee: nobody → jcoppeard

The problem is that, now that we allow GC on Symbol allocation (bug 1540719), we can attempt to enter a different realm after we have entered the atoms zone. This happens when a minor GC sets the pretenuring flag for an ObjectGroup.

Blocks: 1540719
Keywords: sec-high

Currently we assert that we never leave the atoms zone. That's still true except for this one place where we do a minor GC and enter a realm so we can set the shouldPretenure flag on an ObjectGroup.

The patch allows AutoRealmUnchecked to skip this assertion and uses it there.

This was caused by letting Symbol allocation GC.

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/87ae5e3b6962
parent:      468492:1b7309612d60
user:        Jon Coppeard
date:        Mon Apr 01 18:36:41 2019 +0100
summary:     Bug 1540719 - Perform a last ditch GC if symbol allocation fails as we do for most other GC things r=sfink

This iteration took 443.192 seconds to run.
Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Flags: in-testsuite+
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Group: core-security-release
Has Regression Range: --- → yes
Keywords: bugmon