Closed Bug 1565631 Opened 6 years ago Closed 6 years ago

Assertion failure: isEnabled(), at src/js/src/gc/Nursery.h:378

Categories

(Core :: JavaScript: GC, defect, P1)

defect

Tracking

()

RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- fixed

People

(Reporter: tsmith, Assigned: pbone)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: assertion, regression, testcase)

Attachments

(3 files)

Attached file test.zip

STR:

  1. unpack test.zip
  2. using a clean profile and the included prefs.js launch the browser
  3. open launcher.html
  4. wait 30 - 45 seconds

Marking as s-s to be safe.

I can consistently reproduce the issue with a fuzzing debug build.
Tested with m-c:
BuildID=20190711144155
SourceStamp=a39b925a26ade6f6d05c51dde62764b149043a00

Assertion failure: isEnabled(), at src/js/src/gc/Nursery.h:378

0|0|libxul.so|js::Nursery::freeSpace() const|hg:hg.mozilla.org/mozilla-central:js/src/gc/Nursery.h:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|378|0x29
0|1|libxul.so|js::Nursery::shouldCollect() const|hg:hg.mozilla.org/mozilla-central:js/src/gc/Nursery.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|826|0x5
0|2|libxul.so|mozilla::CycleCollectedJSContext::IsIdleGCTaskNeeded() const|hg:hg.mozilla.org/mozilla-central:xpcom/base/CycleCollectedJSContext.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|531|0xe
0|3|libxul.so|XPCJSContext::AfterProcessTask(unsigned int)|hg:hg.mozilla.org/mozilla-central:js/xpconnect/src/XPCJSContext.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|1315|0xb
0|4|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|1283|0xc
0|5|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|486|0x11
0|6|libxul.so|mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozIDOMWindowProxy**)|hg:hg.mozilla.org/mozilla-central:dom/ipc/ContentChild.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|1193|0x8e
0|7|libxul.so|mozilla::dom::BrowserChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozIDOMWindowProxy**)|hg:hg.mozilla.org/mozilla-central:dom/ipc/BrowserChild.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|939|0x16
0|8|libxul.so|nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, bool, nsDocShellLoadState*, mozIDOMWindowProxy**)|hg:hg.mozilla.org/mozilla-central:toolkit/components/windowwatcher/nsWindowWatcher.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|766|0x2f
0|9|libxul.so|nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, bool, nsDocShellLoadState*, mozIDOMWindowProxy**)|hg:hg.mozilla.org/mozilla-central:toolkit/components/windowwatcher/nsWindowWatcher.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|372|0xa
0|10|libxul.so|nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsDocShellLoadState*, bool, nsPIDOMWindowOuter**)|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowOuter.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|7223|0x5f
0|11|libxul.so|nsGlobalWindowOuter::OpenJS(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsPIDOMWindowOuter**)|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowOuter.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|5715|0x18
0|12|libxul.so|nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowOuter.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|5678|0x26
0|13|libxul.so|nsGlobalWindowInner::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowInner.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|3771|0x29
0|14|libxul.so|mozilla::dom::Window_Binding::open|s3:gecko-generated-sources:0f0170af1cc124b69ec2d3225cfc79c8409684c630ee293e7ef96996537d943706f098b528a8a5db524bc45f2666388d6cf69fcee5634de680422c6e037860bb/dom/bindings/WindowBinding.cpp:|2868|0x2d
0|15|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeGlobalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|3181|0x24
0|16|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|448|0x16
0|17|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|540|0x12
...
see full log for complete log.
Attached file full_log.txt

Paul, any idea what this assert means? Maybe the browser is poking the GC at some point it shouldn't be?

Flags: needinfo?(pbone)

(In reply to Andrew McCreight [:mccr8] from comment #2)

Paul, any idea what this assert means? Maybe the browser is poking the GC at some point it shouldn't be?

The assert means I should have written an early exit in shouldCollect() ;-\

Bug 1506761 almost certainly regressed this.

Assignee: nobody → pbone
Status: NEW → ASSIGNED
Flags: needinfo?(pbone)
Keywords: regression
Priority: -- → P1
Regressed by: 1506761

I don't seem to be able to remove the security flag from the bug. Nothing changes when I click it.

This bug is probably a security problem.

(In reply to Paul Bone [:pbone] from comment #4)

I don't seem to be able to remove the security flag from the bug. Nothing changes when I click it.

This bug is probably a security problem.

Do you mean it probably isn't a security problem? I can unhide it if that's what you would like. It looks like you don't have sec bug access so you won't be able to unhide it.

Flags: needinfo?(pbone)

Oops, Yes, it's not a security problem. Please unhide it.

Flags: needinfo?(pbone) → needinfo?(continuation)
Group: javascript-core-security
Flags: needinfo?(continuation)
Blocks: crossfuzz

I can reproduce and verify that my patch fixes the problem.

Pushed by pbone@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/73f4c3742016 Add an early return to Nursery::shouldCollect() r=sfink
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70

Is there a user impact which justifies backport consideration? Also, can we land a test for this?

Flags: needinfo?(pbone)

(In reply to Ryan VanderMeulen [:RyanVM] from comment #11)

Also, can we land a test for this?

We don't want to land the test case because it was found with crossfuzz. So in this case there is no test case it is a seeded fuzzer.

Flags: in-testsuite-

(In reply to Ryan VanderMeulen [:RyanVM] from comment #11)

Is there a user impact which justifies backport consideration? Also, can we land a test for this?

No, I'm fairly sure that when this assertion fails in this use of these functions it doesn't affect the result of shouldCollect().

Flags: qe-verify+
Flags: qe-verify+
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: