Assertion failure: isEnabled(), at src/js/src/gc/Nursery.h:378
Categories: Core :: JavaScript: GC, defect, P1

Tracking

Branch | Tracking | Status
---|---|---
firefox-esr60 | --- | unaffected
firefox-esr68 | --- | wontfix
firefox68 | --- | wontfix
firefox69 | --- | wontfix
firefox70 | --- | fixed

People: Reporter: tsmith, Assigned: pbone
References: Blocks 2 open bugs, Regression
Details: Keywords: assertion, regression, testcase
Attachments: 3 files
STR:
- unpack test.zip
- using a clean profile and the included prefs.js launch the browser
- open launcher.html
- wait 30 - 45 seconds
Marking as s-s to be safe.
I can consistently reproduce the issue with a fuzzing debug build.
Tested with m-c:
BuildID=20190711144155
SourceStamp=a39b925a26ade6f6d05c51dde62764b149043a00
Assertion failure: isEnabled(), at src/js/src/gc/Nursery.h:378
0|0|libxul.so|js::Nursery::freeSpace() const|hg:hg.mozilla.org/mozilla-central:js/src/gc/Nursery.h:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|378|0x29
0|1|libxul.so|js::Nursery::shouldCollect() const|hg:hg.mozilla.org/mozilla-central:js/src/gc/Nursery.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|826|0x5
0|2|libxul.so|mozilla::CycleCollectedJSContext::IsIdleGCTaskNeeded() const|hg:hg.mozilla.org/mozilla-central:xpcom/base/CycleCollectedJSContext.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|531|0xe
0|3|libxul.so|XPCJSContext::AfterProcessTask(unsigned int)|hg:hg.mozilla.org/mozilla-central:js/xpconnect/src/XPCJSContext.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|1315|0xb
0|4|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|1283|0xc
0|5|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|486|0x11
0|6|libxul.so|mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozIDOMWindowProxy**)|hg:hg.mozilla.org/mozilla-central:dom/ipc/ContentChild.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|1193|0x8e
0|7|libxul.so|mozilla::dom::BrowserChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozIDOMWindowProxy**)|hg:hg.mozilla.org/mozilla-central:dom/ipc/BrowserChild.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|939|0x16
0|8|libxul.so|nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, bool, nsDocShellLoadState*, mozIDOMWindowProxy**)|hg:hg.mozilla.org/mozilla-central:toolkit/components/windowwatcher/nsWindowWatcher.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|766|0x2f
0|9|libxul.so|nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, bool, nsDocShellLoadState*, mozIDOMWindowProxy**)|hg:hg.mozilla.org/mozilla-central:toolkit/components/windowwatcher/nsWindowWatcher.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|372|0xa
0|10|libxul.so|nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsDocShellLoadState*, bool, nsPIDOMWindowOuter**)|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowOuter.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|7223|0x5f
0|11|libxul.so|nsGlobalWindowOuter::OpenJS(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsPIDOMWindowOuter**)|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowOuter.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|5715|0x18
0|12|libxul.so|nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowOuter.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|5678|0x26
0|13|libxul.so|nsGlobalWindowInner::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowInner.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|3771|0x29
0|14|libxul.so|mozilla::dom::Window_Binding::open|s3:gecko-generated-sources:0f0170af1cc124b69ec2d3225cfc79c8409684c630ee293e7ef96996537d943706f098b528a8a5db524bc45f2666388d6cf69fcee5634de680422c6e037860bb/dom/bindings/WindowBinding.cpp:|2868|0x2d
0|15|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeGlobalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|3181|0x24
0|16|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|448|0x16
0|17|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:a017ceb1c7d2a7623fdaad9ce0ae2c8ed0b5d4cb|540|0x12
...
see full log for complete log.
Comment 1 • Reporter (tsmith) • 6 years ago

Comment 2 • Andrew McCreight [:mccr8] • 6 years ago
Paul, any idea what this assert means? Maybe the browser is poking the GC at some point it shouldn't be?
Comment 3 • Assignee (pbone) • 6 years ago
(In reply to Andrew McCreight [:mccr8] from comment #2)
> Paul, any idea what this assert means? Maybe the browser is poking the GC at some point it shouldn't be?
The assert means I should have written an early exit in shouldCollect() ;-\
Bug 1506761 almost certainly regressed this.
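Added example (not Firefox or SpiderMonkey code): a simplified model of the shouldCollect()/freeSpace() interaction behind the assertion in the stack trace above, alongside the early exit the assignee describes in comment 3. The Nursery class, its quarter-capacity collection threshold and the MODEL_ASSERT macro are assumptions for illustration only; the real js::Nursery is considerably more involved.

```cpp
#include <cstddef>
#include <stdexcept>

// Stand-in for a debug-build MOZ_ASSERT (assumption for this model). Throwing
// instead of aborting lets the checks below observe the failure.
struct AssertionFailure : std::runtime_error {
    using std::runtime_error::runtime_error;
};
#define MODEL_ASSERT(cond) \
    do { if (!(cond)) throw AssertionFailure("Assertion failure: " #cond); } while (0)

// Hypothetical, simplified nursery: a bump allocator that can be disabled and
// that wants a collection once it is nearly full.
class Nursery {
public:
    explicit Nursery(std::size_t capacity) : capacity_(capacity) {}

    bool isEnabled() const { return enabled_; }
    void disable() { enabled_ = false; }
    void enable() { enabled_ = true; }

    void allocate(std::size_t bytes) {
        MODEL_ASSERT(isEnabled());
        used_ += bytes;
    }

    // Only meaningful on an enabled nursery, so it asserts in debug builds,
    // like the freeSpace() at the top of the reported stack.
    std::size_t freeSpace() const {
        MODEL_ASSERT(isEnabled());
        return capacity_ - used_;
    }

    // Regressed form: reaches freeSpace() regardless of state. An idle-time
    // poll (IsIdleGCTaskNeeded in the trace) made while the nursery is
    // disabled trips the assertion here.
    bool shouldCollectWithoutEarlyExit() const {
        return freeSpace() < capacity_ / 4;
    }

    // Form with the early exit from comment 3: a disabled nursery has nothing
    // to collect, so freeSpace() is never reached.
    bool shouldCollect() const {
        if (!isEnabled()) {
            return false;
        }
        return freeSpace() < capacity_ / 4;
    }

private:
    std::size_t capacity_;
    std::size_t used_ = 0;
    bool enabled_ = true;
};

// Polling a disabled nursery through the regressed path hits the assertion.
bool pollWithoutEarlyExitAsserts() {
    Nursery n(1024);
    n.disable();
    try {
        (void)n.shouldCollectWithoutEarlyExit();
    } catch (const AssertionFailure&) {
        return true;
    }
    return false;
}

// The same poll through the fixed path is quiet and answers "no".
bool pollWithEarlyExitIsQuiet() {
    Nursery n(1024);
    n.disable();
    try {
        return !n.shouldCollect();
    } catch (const AssertionFailure&) {
        return false;
    }
}

// The early exit does not change the answer for an enabled nursery:
// 900 of 1024 bytes used leaves 124 free, below the 256-byte threshold.
bool nearlyFullNurseryCollects() {
    Nursery n(1024);
    n.allocate(900);
    return n.shouldCollect();
}

int main() {
    bool ok = pollWithoutEarlyExitAsserts() && pollWithEarlyExitIsQuiet() &&
              nearlyFullNurseryCollects() && !Nursery(1024).shouldCollect();
    return ok ? 0 : 1;
}
```

The point of the model is the ordering: the state check has to come before any call whose precondition is that state, or a caller that is allowed to poll at arbitrary times (here, the idle-task scheduler) inherits a precondition it cannot know about.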
Comment 4 • Assignee (pbone) • 6 years ago
I don't seem to be able to remove the security flag from the bug. Nothing changes when I click it.
This bug is probably a security problem.
Comment 5 • Assignee (pbone) • 6 years ago

Comment 6 • 6 years ago
(In reply to Paul Bone [:pbone] from comment #4)
> I don't seem to be able to remove the security flag from the bug. Nothing changes when I click it.
> This bug is probably a security problem.
Do you mean it probably isn't a security problem? I can unhide it if that's what you would like. It looks like you don't have sec bug access so you won't be able to unhide it.
Comment 7 • Assignee (pbone) • 6 years ago
Oops, Yes, it's not a security problem. Please unhide it.
Updated • 6 years ago

Comment 8 • Assignee (pbone) • 6 years ago
I can reproduce and verify that my patch fixes the problem.
Comment 10 • bugherder • 6 years ago

Updated • 6 years ago

Comment 11 • Ryan VanderMeulen [:RyanVM] • 6 years ago
Is there a user impact which justifies backport consideration? Also, can we land a test for this?
Comment 12 • Reporter (tsmith) • 6 years ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #11)
> Also, can we land a test for this?
We don't want to land the test case because it was found with crossfuzz. So in this case there is no test case; it is a seeded fuzzer.
Comment 13 • Assignee (pbone) • 6 years ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #11)
> Is there a user impact which justifies backport consideration? Also, can we land a test for this?
No, I'm fairly sure that when this assertion fails in this use of these functions it doesn't affect the result of shouldCollect().
Updated • 5 years ago

Updated • 5 years ago

Updated • 3 years ago