Closed Bug 1574877 Opened 2 years ago Closed 2 years ago

Assertion failure: !zone->usedByHelperThread(), at js/src/gc/Marking.cpp:235 with ES6 Modules and OOM

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision ffeb52190484 (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

// Compile the module source on a helper thread, then join the result
// (offThreadCompileModule/finishOffThreadModule are JS shell test functions).
function parseModule(source) {
  offThreadCompileModule(source);
  return finishOffThreadModule();
}
// oomTest re-runs the callback, failing each successive allocation in turn,
// so the off-thread compile is exercised under simulated OOM.
function loadFile(lfVarx) {
  oomTest(function() {
    parseModule(lfVarx);
  });
}
loadFile(`
  expect = new class prototype extends Object {
    a43 = function () {}
  }
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::CheckTracedThing<JSObject> (trc=trc@entry=0x7ffff5efbb88, thing=0x6d522a060b0) at js/src/gc/Marking.cpp:235
#1  0x00005555560d20e8 in DoCallback<JSObject> (trc=0x7ffff5efbb80, thingp=thingp@entry=0x7ffff595e910, name=name@entry=0x555556c15e13 "scope canonical function") at js/src/gc/Tracer.cpp:42
#2  0x00005555560a17b6 in js::gc::TraceEdgeInternal<JSObject*> (trc=trc@entry=0x7ffff5efbb88, thingp=thingp@entry=0x7ffff595e910, name=name@entry=0x555556c15e13 "scope canonical function") at js/src/gc/Marking.cpp:594
#3  0x0000555556059acc in js::TraceEdge<JSFunction*> (name=0x555556c15e13 "scope canonical function", thingp=0x7ffff595e910, trc=0x7ffff5efbb88) at js/src/gc/Tracer.h:124
#4  js::TraceNullableEdge<JSFunction*> (name=0x555556c15e13 "scope canonical function", thingp=0x7ffff595e910, trc=0x7ffff5efbb88) at js/src/gc/Tracer.h:140
#5  js::FunctionScope::Data::trace (this=this@entry=0x7ffff595e910, trc=trc@entry=0x7ffff5efbb88) at js/src/gc/Marking.cpp:1232
#6  0x0000555555b9523e in js::GCManagedDeletePolicy<js::FunctionScope::Data>::operator() (this=<optimized out>, constPtr=0x7ffff595e910) at js/src/gc/DeletePolicy.h:33
#7  mozilla::UniquePtr<js::FunctionScope::Data, JS::DeletePolicy<js::FunctionScope::Data> >::reset (aPtr=0x0, this=0x7ffff5efbb78) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/instrumentation/none/type/debug/dist/include/mozilla/UniquePtr.h:323
#8  mozilla::UniquePtr<js::FunctionScope::Data, JS::DeletePolicy<js::FunctionScope::Data> >::~UniquePtr (this=0x7ffff5efbb78, __in_chrg=<optimized out>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/instrumentation/none/type/debug/dist/include/mozilla/UniquePtr.h:274
#9  js::DispatchWrapper<mozilla::UniquePtr<js::FunctionScope::Data, JS::DeletePolicy<js::FunctionScope::Data> > >::~DispatchWrapper (this=0x7ffff5efbb70, __in_chrg=<optimized out>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/instrumentation/none/type/debug/dist/include/js/RootingAPI.h:834
#10 JS::Rooted<mozilla::UniquePtr<js::FunctionScope::Data, JS::DeletePolicy<js::FunctionScope::Data> > >::~Rooted (this=0x7ffff5efbb60, __in_chrg=<optimized out>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/instrumentation/none/type/debug/dist/include/js/RootingAPI.h:1068
#11 js::FunctionScope::create (cx=cx@entry=0x7ffff5f17000, dataArg=..., dataArg@entry=..., hasParameterExprs=<optimized out>, needsEnvironment=needsEnvironment@entry=true, fun=..., fun@entry=..., enclosing=..., enclosing@entry=...) at js/src/vm/Scope.cpp:672
#12 0x0000555555fb7e67 in js::frontend::EmitterScope::<lambda(JSContext*, js::HandleScope)>::operator() (enclosing=..., cx=0x7ffff5f17000, __closure=<synthetic pointer>) at js/src/frontend/EmitterScope.cpp:650
#13 js::frontend::EmitterScope::internScope<js::frontend::EmitterScope::enterFunction(js::frontend::BytecodeEmitter*, js::frontend::FunctionBox*)::<lambda(JSContext*, js::HandleScope)> > (createScope=..., bce=0x7ffff5efc3b0, this=0x7ffff59509d0) at js/src/frontend/EmitterScope.cpp:341
#14 js::frontend::EmitterScope::internBodyScope<js::frontend::EmitterScope::enterFunction(js::frontend::BytecodeEmitter*, js::frontend::FunctionBox*)::<lambda(JSContext*, js::HandleScope)> > (createScope=..., bce=0x7ffff5efc3b0, this=0x7ffff59509d0) at js/src/frontend/EmitterScope.cpp:355
#15 js::frontend::EmitterScope::enterFunction (this=this@entry=0x7ffff5efc018, bce=<optimized out>, funbox=0x7ffff59509d0) at js/src/frontend/EmitterScope.cpp:652
#16 0x0000555555fcb303 in js::frontend::FunctionScriptEmitter::prepareForParameters (this=this@entry=0x7ffff5efbfc0) at js/src/frontend/FunctionEmitter.cpp:433
#17 0x0000555555f947df in js::frontend::BytecodeEmitter::emitFunctionScript (this=this@entry=0x7ffff5efc3b0, funNode=funNode@entry=0x7ffff5950990, isTopLevel=isTopLevel@entry=js::frontend::BytecodeEmitter::TopLevelFunction::No) at js/src/frontend/BytecodeEmitter.cpp:2547
#18 0x0000555555f95459 in js::frontend::BytecodeEmitter::emitFunction (this=this@entry=0x7ffff5efd590, funNode=funNode@entry=0x7ffff5950990, needsProto=<optimized out>, classContentsIfConstructor=classContentsIfConstructor@entry=0x7ffff5950118) at js/src/frontend/BytecodeEmitter.cpp:5768
#19 0x0000555555f95c1f in js::frontend::BytecodeEmitter::emitClass (this=this@entry=0x7ffff5efd590, classNode=<optimized out>, nameKind=nameKind@entry=js::frontend::BytecodeEmitter::ClassNameKind::BindingName, nameForAnonymousClass=..., nameForAnonymousClass@entry=...) at js/src/frontend/BytecodeEmitter.cpp:8818
#20 0x0000555555f9163c in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7ffff5efd590, pn=pn@entry=0x7ffff595f0c0, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9536
#21 0x0000555555f919b3 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7ffff5efd590, pn=pn@entry=0x7ffff595f0c0, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9576
#22 0x0000555555f9f8eb in js::frontend::BytecodeEmitter::emitCalleeAndThis (this=this@entry=0x7ffff5efd590, callee=callee@entry=0x7ffff595f0c0, call=call@entry=0x7ffff595f140, cone=...) at js/src/frontend/BytecodeEmitter.cpp:7302
#23 0x0000555555fa15bc in js::frontend::BytecodeEmitter::emitCallOrNew (this=this@entry=0x7ffff5efd590, callNode=callNode@entry=0x7ffff595f140, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:7451
#24 0x0000555555f916cc in js::frontend::BytecodeEmitter::emitTree (this=0x7ffff5efd590, pn=0x7ffff595f140, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:9390
#25 0x0000555555f9b73a in js::frontend::BytecodeEmitter::emitAssignmentOrInit (this=this@entry=0x7ffff5efd590, kind=<optimized out>, lhs=lhs@entry=0x7ffff5950090, rhs=rhs@entry=0x7ffff595f140) at js/src/frontend/BytecodeEmitter.cpp:4171
#26 0x0000555555f91208 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7ffff5efd590, pn=pn@entry=0x7ffff595f180, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9215
#27 0x0000555555fa4db3 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7ffff5efd590, pn=pn@entry=0x7ffff595f180, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=js::frontend::BytecodeEmitter::EMIT_LINENOTE, emitLineNote=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9576
#28 0x0000555555fa59bb in js::frontend::BytecodeEmitter::emitExpressionStatement (this=this@entry=0x7ffff5efd590, exprStmt=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:6786
#29 0x0000555555f90b63 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7ffff5efd590, pn=pn@entry=0x7ffff595f1b8, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9183
#30 0x0000555555f919b3 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7ffff5efd590, pn=pn@entry=0x7ffff595f1b8, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9576
#31 0x0000555555f9ebc0 in js::frontend::BytecodeEmitter::emitStatementList (this=this@entry=0x7ffff5efd590, stmtList=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:6729
#32 0x0000555555f90d73 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7ffff5efd590, pn=pn@entry=0x7ffff5950050, valueUsage=valueUsage@entry=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9174
#33 0x0000555555f919b3 in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7ffff5efd590, pn=pn@entry=0x7ffff5950050, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE, valueUsage=js::frontend::ValueUsage::WantValue) at js/src/frontend/BytecodeEmitter.cpp:9576
#34 0x0000555555fa22e6 in js::frontend::BytecodeEmitter::emitScript (this=0x7ffff5efd590, body=body@entry=0x7ffff5950050) at js/src/frontend/BytecodeEmitter.cpp:2496
#35 0x0000555555fb107f in js::frontend::ModuleCompiler<char16_t>::compile (this=this@entry=0x7ffff5efdb40, info=...) at js/src/frontend/BytecodeCompiler.cpp:591
#36 0x0000555555fa33e1 in InternalParseModule<char16_t> (cx=0x7ffff5f17000, optionsInput=..., srcBuf=..., sourceObjectOut=sourceObjectOut@entry=0x7ffff5efe720) at js/src/frontend/BytecodeCompiler.cpp:808
#37 0x0000555555fa39ba in js::frontend::ParseModule (cx=<optimized out>, optionsInput=..., srcBuf=..., sourceObjectOut=sourceObjectOut@entry=0x7ffff5efe720) at js/src/frontend/BytecodeCompiler.cpp:821
#38 0x0000555555a951f3 in ModuleParseTask<char16_t>::parse (this=0x7ffff552d3c0, cx=<optimized out>) at js/src/vm/HelperThreads.cpp:645
#39 0x0000555555a6161b in js::ParseTask::runTask (this=0x7ffff552d3c0) at js/src/vm/HelperThreads.cpp:567
#40 0x0000555555a674bc in js::HelperThread::handleParseWorkload (this=0x7ffff5f3c100, locked=...) at js/src/vm/HelperThreads.cpp:2289
[...]
#46 0x00007ffff6c2c41d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

I'm marking this s-s for now because I don't know what the implications are, if GC is touching something that is apparently still used by a helper thread.

This is not security sensitive.

Assignee: nobody → jcoppeard
Group: javascript-core-security
Priority: -- → P1
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/9e789088540d
user:        Jason Orendorff
date:        Thu Jun 27 14:57:44 2019 +0000
summary:     Bug 1555464 - Part 2: Enable fields by default in the JS shell. r=khyperia

This iteration took 460.143 seconds to run.
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/eb21f2893c91
Relax assertions to allow GCManagedDeletePolicy to be used on helper threads r=sfink
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70