1572065 - Assertion failure: !isMarkStackEmpty(), at js/src/gc/Marking.cpp:1551

Status: RESOLVED FIXED

(Core :: JavaScript: GC, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision b94a6b06c9b9 (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

var g2 = newGlobal({
    newCompartment: true
});
function tripleZoneMarking2() {
    var g1 = newGlobal();
    var wm = g1.eval("wm = new WeakMap()");
    enqueueMark("enter-weak-marking-mode");
    g1.eval("enqueueMark(wm)"); // weakmap
    g1.wm = g2.key = undefined;
}
tripleZoneMarking2();
startgc(1);
oomAfterAllocations(6)

Backtrace:

received signal SIGSEGV, Segmentation fault.
js::GCMarker::processMarkQueue (this=this@entry=0x7ffff5f276f8) at js/src/gc/Marking.cpp:1551
#0  js::GCMarker::processMarkQueue (this=this@entry=0x7ffff5f276f8) at js/src/gc/Marking.cpp:1551
#1  0x0000555556046f70 in js::GCMarker::processMarkQueue (this=0x7ffff5f276f8) at js/src/gc/Marking.cpp:2531
#2  js::GCMarker::enterWeakMarkingMode (this=0x7ffff5f276f8) at js/src/gc/Marking.cpp:2536
#3  0x0000555556091586 in js::gc::GCRuntime::markWeakReferences<js::gc::SweepGroupZonesIter> (this=this@entry=0x7ffff5f266d8, phase=phase@entry=js::gcstats::PhaseKind::SWEEP_MARK_WEAK) at js/src/gc/GC.cpp:4653
#4  0x0000555556047192 in js::gc::GCRuntime::markWeakReferencesInCurrentGroup (phase=js::gcstats::PhaseKind::SWEEP_MARK_WEAK, this=0x7ffff5f266d8) at js/src/gc/GC.cpp:4680
#5  js::gc::GCRuntime::endMarkingSweepGroup (this=0x7ffff5f266d8, fop=<optimized out>, budget=...) at js/src/gc/GC.cpp:5533
#6  0x000055555608bdb0 in sweepaction::SweepActionSequence::run (this=0x7ffff5f22330, args=...) at js/src/gc/GC.cpp:6539
#7  0x0000555556099896 in sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, JSRuntime*>::run (this=0x7ffff5f212e0, args=...) at js/src/gc/GC.cpp:6574
#8  0x0000555556046da3 in js::gc::GCRuntime::performSweepActions (this=this@entry=0x7ffff5f266d8, budget=...) at js/src/gc/GC.cpp:6707
#9  0x000055555605e8b5 in js::gc::GCRuntime::incrementalSlice (this=this@entry=0x7ffff5f266d8, budget=..., gckind=..., reason=reason@entry=JS::GCReason::FINISH_GC, session=...) at js/src/gc/GC.cpp:7234
#10 0x000055555605f3ec in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff5f266d8, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., gckind=..., reason=reason@entry=JS::GCReason::FINISH_GC) at js/src/gc/GC.cpp:7601
#11 0x000055555605fc17 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff5f266d8, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., gckindArg=..., reason=reason@entry=JS::GCReason::FINISH_GC) at js/src/gc/GC.cpp:7786
#12 0x0000555556060ad8 in js::gc::GCRuntime::finishGC (this=0x7ffff5f266d8, reason=reason@entry=JS::GCReason::FINISH_GC) at js/src/gc/GC.cpp:7901
#13 0x000055555606195f in JS::FinishIncrementalGC (cx=cx@entry=0x7ffff5f23000, reason=reason@entry=JS::GCReason::FINISH_GC) at js/src/gc/GC.cpp:8725
#14 0x0000555556061989 in js::gc::FinishGC (cx=0x7ffff5f23000, reason=JS::GCReason::FINISH_GC) at js/src/gc/GC.cpp:8081
#15 0x0000555555817596 in CancelOffThreadJobsForRuntime (cx=0x7ffff5f23000) at js/src/shell/js.cpp:399
#16 <lambda()>::operator() (__closure=0x7fffffffd810) at js/src/shell/js.cpp:11335
#17 mozilla::ScopeExit<main(int, char**, char**)::<lambda()> >::~ScopeExit(void) (this=0x7fffffffd810, __in_chrg=<optimized out>) at dist/include/mozilla/ScopeExit.h:109
#18 0x00005555558269b5 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11336
rax	0x555557cfb200	93825033810432
rbx	0x7ffff5f276f8	140737319696120
rcx	0x7ffff6c1c2dd	140737333281501
rdx	0x0	0
rsi	0x555556cd8648	93825016890952
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffce30	140737488342576
rsp	0x7fffffffcd80	140737488342400
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7ffff5f26000	140737319690240
r13	0x7fffffffcdf6	140737488342518
r14	0x7fffffffcdc8	140737488342472
r15	0x7ffff5f277b2	140737319696306
rip	0x55555604694c <js::GCMarker::processMarkQueue()+1532>
=> 0x55555604694c <js::GCMarker::processMarkQueue()+1532>:	movl   $0x0,0x0
   0x555556046957 <js::GCMarker::processMarkQueue()+1543>:	ud2

This looks like it might be shell-only, so not marking s-s.

Comment 1

[Jon Coppeard (:jonco)]

NI Steve for GCMarker::enterWeakMarkingMode on the stack.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/d5c768b50d69
user: Steve Fink
date: Thu May 30 20:34:42 2019 +0000
summary: Bug 1167452 - Implement a mark queue to control marking order during testing r=jonco

Steve, is bug 1167452 a likely regressor?

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

Bugbug thinks this bug is a defect, but please change it back in case of error.

Comment 4

[Fuzzing Team]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/d5c768b50d69
user:        Steve Fink
date:        Thu May 30 20:34:42 2019 +0000
summary:     Bug 1167452 - Implement a mark queue to control marking order during testing r=jonco

This iteration took 503.614 seconds to run.

Comment 5

[Steve Fink [:sfink] [:s:]]

Attachment: Bug 1572065 - Avoid assertion when OOMing with test mark queue, r=jonco

Comment 6

[Pulsebot]

Pushed by sfink@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/bec868476d8a
Avoid assertion when OOMing with test mark queue, r=jonco

Comment 7

[Bogdan Tara[:bogdan_tara | bogdant]]

https://hg.mozilla.org/mozilla-central/rev/bec868476d8a