1556321 - Assertion failure: state == MarkingState::WeakMarking || state == MarkingState::IterativeMarking, at js/src/gc/Marking.cpp:2623

Status: RESOLVED FIXED

(Core :: JavaScript: GC, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The following testcase crashes on mozilla-central revision 6d71d3ca0124 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/jit-test/tests/debug/Memory-drainAllocationsLog-13.js
const root = newGlobal({
    newCompartment: true
});
root.eval("dbg = new Debugger()");
root.dbg.addDebuggee(this);
root.dbg.memory.trackingAllocationSites = true;
// jsfunfuzz-generated
relazifyFunctions('compartment');
print(/x/);
oomTest((function() {
    String.prototype.localeCompare()
}), {
    keepFailing: true
});

Backtrace:

#0 js::GCMarker::leaveWeakMarkingMode (this=0x7f3571b1d6f8) at js/src/gc/Marking.cpp:2621
#1 0x000055cc273092f3 in js::GCMarker::abortLinearWeakMarking (this=<optimized out>) at js/src/gc/GCMarker.h:314
#2 js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::addWeakEntry (marker=0x7f3571b1d6f8, key=<optimized out>, markable=...) at js/src/gc/WeakMap-inl.h:200
#3 0x000055cc27307412 in js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::markEntries (this=<optimized out>, marker=<optimized out>) at js/src/gc/WeakMap-inl.h:245
#4 0x000055cc273062df in js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::trace (this=0x7f357132acf0, trc=0x7f3571b1d6f8) at js/src/gc/WeakMap-inl.h:163
#5 0x000055cc270bc3a8 in js::ObjectRealm::trace (this=<optimized out>, trc=<optimized out>) at js/src/vm/Realm.cpp:291
#6 JS::Realm::traceRoots (this=0x7f3571b54000, trc=0x7f3571b1d6f8, traceOrMark=<optimized out>) at js/src/vm/Realm.cpp:330
/snip

For detailed crash information, see attachment.

Setting s-s as a start as this is a GC assert.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: Detailed Crash Information

Comment 2

[Christian Holler (:decoder)]

This uses the Debugger API, so likely not s-s.

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/37f9bd277c34
user: Steve Fink
date: Fri May 31 23:33:48 2019 +0000
summary: Bug 1167452 - Barrier weakmap operations and maintain weak keys table during incremental collections. r=jonco

Steve, is bug 1167452 a likely regressor?

Comment 4

[Steve Fink [:sfink] [:s:]]

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #3)

Steve, is bug 1167452 a likely regressor?

Yes.

This is a harmless assertion. It's from bad logic with respect to when we might abort weak marking, but it actually does the right thing in an opt build. Simple fix, does not need to be hidden.

Comment 5

[Steve Fink [:sfink] [:s:]]

Attachment: Bug 1556321 - Weak marking abort can happen during regular marking phase r=jonco

Comment 6

[Pulsebot]

Pushed by sfink@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/585157ab153a
Weak marking abort can happen during regular marking phase r=jonco

Comment 7

[Pulsebot]

Pushed by archaeopteryx@coole-files.de:
https://hg.mozilla.org/integration/autoland/rev/5ec3133f6457
Weak marking abort can happen during regular marking phase: skip if oomTest is not defined. a=test-fix CLOSED TREE

Comment 8

[Alexandru Michis [:malexandru]]

https://hg.mozilla.org/mozilla-central/rev/585157ab153a
https://hg.mozilla.org/mozilla-central/rev/5ec3133f6457

Comment 9

[Intermittent Failures Robot]

2 failures in 5197 pushes (0.0 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• autoland: 1
• mozilla-central: 1

Platform breakdown:

• linux64: 2

For more details, see:
https://treeherder.mozilla.org/intermittent-failures.html#/bugdetails?bug=1556321&startday=2019-06-03&endday=2019-06-09&tree=all

Comment 10

[Pulsebot]

Backout by csabou@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/97ea8a900a18
Backed out 6 changesets (bug 1556321, bug 1556430, bug 1167452) for causing multiple regressions.

Comment 11

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

More information about the backout in bug 1514421.

Comment 12

[Steve Fink [:sfink] [:s:]]

This can be closed again. It was reintroduced by the backout of this bug 1556321, but the backout of https://phabricator.services.mozilla.com/D31958 will fix it, and I won't reland without the fix here.