1597970 - Assertion failure: isDouble(), at dist/include/js/Value.h:810 or Crash [@ js::NativeObject::getReservedSlot] with WeakRefs

Status: RESOLVED FIXED

(Core :: JavaScript: GC, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 4def8673359e (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --enable-weak-refs):

enableShellAllocationMetadataBuilder();
evaluate(`
  gczeal(9,3);
  new FinalizationGroup(function() {});
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  JS::Value::toPrivate (this=<optimized out>) at dist/include/js/Value.h:810
#1  0x0000555555a2818f in js::FinalizationGroupObject::holdingsToBeCleanedUp (this=<optimized out>) at js/src/builtin/FinalizationGroupObject.cpp:280
#2  js::FinalizationGroupObject::trace (trc=0x7ffff5f2a788, obj=0xefa1519f220) at js/src/builtin/FinalizationGroupObject.cpp:251
#3  0x0000555556207aad in JSClass::doTrace (this=0x555557fea4e0 <js::FinalizationGroupObject::class_>, obj=0xefa1519f220, trc=0x7ffff5f2a788) at dist/include/js/Class.h:835
#4  CallTraceHook<js::GCMarker::processMarkStackTop(js::SliceBudget&)::<lambda(auto:15)> > (check=CheckGeneration::DoChecks, obj=0xefa1519f220, trc=0x7ffff5f2a788, f=<optimized out>) at js/src/gc/Marking.cpp:1472
#5  js::GCMarker::processMarkStackTop (this=this@entry=0x7ffff5f2a788, budget=...) at js/src/gc/Marking.cpp:1867
#6  0x00005555561e0145 in js::GCMarker::markUntilBudgetExhausted (this=this@entry=0x7ffff5f2a788, budget=...) at js/src/gc/Marking.cpp:1653
#7  0x000055555616066a in js::gc::GCRuntime::markUntilBudgetExhausted (this=this@entry=0x7ffff5f29700, sliceBudget=...) at js/src/gc/GC.cpp:5673
#8  0x00005555561606d7 in js::gc::GCRuntime::markUntilBudgetExhausted (this=this@entry=0x7ffff5f29700, sliceBudget=..., phase=phase@entry=js::gcstats::PhaseKind::MARK) at js/src/gc/GC.cpp:5654
#9  0x0000555556195184 in js::gc::GCRuntime::incrementalSlice (this=this@entry=0x7ffff5f29700, budget=..., gckind=..., reason=reason@entry=JS::GCReason::DEBUG_GC, session=...) at js/src/gc/GC.cpp:6783
#10 0x0000555556195cce in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff5f29700, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., gckind=..., reason=reason@entry=JS::GCReason::DEBUG_GC) at js/src/gc/GC.cpp:7243
#11 0x000055555619629e in js::gc::GCRuntime::collect (this=this@entry=0x7ffff5f29700, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., gckindArg=..., reason=reason@entry=JS::GCReason::DEBUG_GC) at js/src/gc/GC.cpp:7428
#12 0x00005555561985e1 in js::gc::GCRuntime::runDebugGC (this=this@entry=0x7ffff5f29700) at js/src/gc/GC.cpp:8020
#13 0x0000555556198762 in js::gc::GCRuntime::gcIfNeededAtAllocation (this=this@entry=0x7ffff5f29700, cx=cx@entry=0x7ffff5f27000) at js/src/gc/Allocator.cpp:362
#14 0x00005555561bed38 in js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=this@entry=0x7ffff5f29700, cx=cx@entry=0x7ffff5f27000, kind=kind@entry=js::gc::AllocKind::OBJECT8_BACKGROUND) at js/src/gc/Allocator.cpp:326
#15 0x00005555561bef7f in js::AllocateObject<(js::AllowGC)1> (cx=cx@entry=0x7ffff5f27000, kind=<optimized out>, nDynamicSlots=0, heap=<optimized out>, clasp=clasp@entry=0x555557fe8140 <js::ArrayObject::class_>) at js/src/gc/Allocator.cpp:60
#16 0x0000555555a16047 in js::ArrayObject::createArrayInternal (cx=0x7ffff5f27000, kind=kind@entry=js::gc::AllocKind::OBJECT8_BACKGROUND, heap=<optimized out>, shape=..., group=...) at js/src/vm/ArrayObject-inl.h:54
#17 0x0000555555a1621a in js::ArrayObject::createArray (cx=<optimized out>, kind=kind@entry=js::gc::AllocKind::OBJECT8_BACKGROUND, heap=<optimized out>, shape=shape@entry=..., group=..., group@entry=..., length=length@entry=0, metadata=...) at js/src/vm/ArrayObject-inl.h:90
#18 0x0000555555a03011 in NewArray<0u> (cx=<optimized out>, length=<optimized out>, protoArg=..., newKind=js::GenericObject) at js/src/builtin/Array.cpp:4060
#19 0x0000555555e61932 in ShellAllocationMetadataBuilder::build (this=<optimized out>, cx=<optimized out>, oomUnsafe=...) at js/src/builtin/TestingFunctions.cpp:2885
#20 0x0000555555d19a1b in JS::Realm::setNewObjectMetadata (this=0x7ffff471d800, cx=cx@entry=0x7ffff5f27000, obj=obj@entry=...) at js/src/vm/Realm.cpp:515
#21 0x0000555555b1b5c9 in js::SetNewObjectMetadata<js::NativeObject> (obj=0xefa1519f220, cx=0x7ffff5f27000) at js/src/vm/JSObject-inl.h:215
#22 js::NativeObject::create (cx=0x7ffff5f27000, kind=<optimized out>, heap=<optimized out>, shape=..., group=...) at js/src/vm/NativeObject-inl.h:517
#23 0x0000555555c815d6 in NewObject (cx=<optimized out>, group=..., kind=<optimized out>, newKind=js::GenericObject, initialShapeFlags=<optimized out>) at js/src/vm/JSObject.cpp:800
#24 0x0000555555c81b5e in js::NewObjectWithGivenTaggedProto (cx=<optimized out>, cx@entry=0x7ffff5f27000, clasp=clasp@entry=0x555557fea4e0 <js::FinalizationGroupObject::class_>, proto=..., allocKind=js::gc::AllocKind::OBJECT8_BACKGROUND, newKind=newKind@entry=js::GenericObject, initialShapeFlags=initialShapeFlags@entry=0) at js/src/vm/JSObject.cpp:867
#25 0x0000555555c81de8 in js::NewObjectWithClassProtoCommon (cx=<optimized out>, cx@entry=0x7ffff5f27000, clasp=clasp@entry=0x555557fea4e0 <js::FinalizationGroupObject::class_>, protoArg=..., protoArg@entry=..., allocKind=<optimized out>, newKind=newKind@entry=js::GenericObject) at js/src/vm/JSObject.cpp:894
#26 0x0000555555a447bd in js::NewObjectWithClassProto (newKind=js::GenericObject, allocKind=<optimized out>, proto=..., clasp=0x555557fea4e0 <js::FinalizationGroupObject::class_>, cx=0x7ffff5f27000) at js/src/vm/JSObject-inl.h:493
#27 js::NewObjectWithClassProto (newKind=js::GenericObject, proto=..., clasp=0x555557fea4e0 <js::FinalizationGroupObject::class_>, cx=0x7ffff5f27000) at js/src/vm/JSObject-inl.h:500
#28 js::NewObjectWithClassProto<js::FinalizationGroupObject> (newKind=js::GenericObject, proto=..., cx=0x7ffff5f27000) at js/src/vm/JSObject-inl.h:506
#29 js::FinalizationGroupObject::construct (cx=<optimized out>, cx@entry=0x7ffff5f27000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/FinalizationGroupObject.cpp:231
#30 0x00005555559ce6f0 in CallJSNative (cx=0x7ffff5f27000, native=native@entry=0x555555a44480 <js::FinalizationGroupObject::construct(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Call, args=...) at js/src/vm/Interpreter.cpp:456
[...]
#53 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11535
rax	0x5555580befa0	93825037758368
rbx	0x7ffff5f2a788	140737319708552
rcx	0x7ffff6c1c2dd	140737333281501
rdx	0x0	0
rsi	0x555556e489fa	93825018399226
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffa270	140737488331376
rsp	0x7fffffffa270	140737488331376
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7fffffffa6e0	140737488332512
r13	0x7ffff5f2a788	140737319708552
r14	0xefa1519f220	16467258634784
r15	0x555557fea4e0	93825036887264
rip	0x555555919821 <JS::Value::toPrivate() const+97>
=> 0x555555919821 <JS::Value::toPrivate() const+97>:	movl   $0x0,0x0
   0x55555591982c <JS::Value::toPrivate() const+108>:	ud2

Comment 1

[Christian Holler (:decoder)]

Attachment: Testcase

Comment 2

[Jon Coppeard (:jonco)]

Attachment: Bug 1597970 - Allow for the possiblity of FinalizationGroupObject's slots being uninitialized r?sfink

The problem is that object metadata builder API can trigger GC after the object has been allocated but before its slots have been initialized. The fix is to take account that some slots may be undefined and handle this appropriately.

Comment 3

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/866b8ca52a96
Allow for the possiblity of FinalizationGroupObject's slots being uninitialized r=sfink

Comment 4

[Bogdan Tara[:bogdan_tara | bogdant]]

https://hg.mozilla.org/mozilla-central/rev/866b8ca52a96