1608355 - Assertion failure: (incMarkBits[i] & MarkBitMaskBothBits) != MarkBitMaskGrayOrBlack, at js/src/gc/Verifier.cpp:707 with grayRoot

Status: RESOLVED FIXED

(Core :: JavaScript: GC, defect, P1)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The following testcase crashes on mozilla-central revision 558a2ae20a30 (build with --enable-debug --disable-optimize, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

try {
    // jsfunfuzz-generated
    enableShellAllocationMetadataBuilder();
    // Adapted from randomly chosen test: js/src/jit-test/tests/gc/bug-1456508.js
    gczeal(11);
    gczeal(22);
    grayRoot() = 0;
} catch (e) {}
newGlobal();

Backtrace:

#0  0x0000557620f7efff in js::gc::MarkingValidator::validate (this=0x7f4819d02e00) at js/src/gc/Verifier.cpp:706
#1  0x0000557620f7f2d9 in js::gc::GCRuntime::validateIncrementalMarking (this=0x7f481a529700) at js/src/gc/Verifier.cpp:728
#2  0x0000557620e78f6a in js::gc::GCRuntime::beginSweepingSweepGroup (this=0x7f481a529700, fop=0x7ffefaf7df28, budget=...) at js/src/gc/GC.cpp:5139
#3  0x0000557620ed073d in sweepaction::SweepActionCall::run (this=0x7f481a561080, args=...) at js/src/gc/GC.cpp:5803
#4  0x0000557620ef0428 in sweepaction::SweepActionSequence::run (this=0x7f481a5242e0, args=...) at js/src/gc/GC.cpp:5873
#5  0x0000557620ecf83f in sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, JSRuntime*>::run (this=0x7f481a5252b0, args=...) at js/src/gc/GC.cpp:5908
#6  0x0000557620e7d130 in js::gc::GCRuntime::performSweepActions (this=0x7f481a529700, budget=...) at js/src/gc/GC.cpp:6041
/snip

For detailed crash information, see attachment.

Setting s-s as a start as this involves GC, though this needs checking as it requires grayRoot().

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: Detailed Crash Information

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Guessing :sfink may know more, but will bisect in a bit.

Comment 3

[Jon Coppeard (:jonco)]

The object that it's complaining about is the allocation metadata object created when creating the gray root.

Comment 4

[Jon Coppeard (:jonco)]

Attachment: Bug 1608355 - Mark all relevant zones when entering weak marking mode r=sfink

I have zero clue why the mark bits change caused this failure, but the problem seems to be that GCMarker::enterWeakMarking mode only marks zones in the current sweep group but this can be called from GCRuntime::markAllWeakReferences which attempts to mark weak references in all collecting zones. Fortunately this method is only called by the incremental marking verifier.

The patch moves the zone iteration out of enterWeakMaringMode() into the caller which knows which zones to mark. The new methods have fairly clunky names and better suggestions would be welcome.

Comment 5

[Andrew McCreight [:mccr8]]

Does that mean this is just a bug in the incremental marking verifier, so we can unhide this?

Comment 6

[Jon Coppeard (:jonco)]

Yes, done.

Comment 7

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/d389e3aa4522
user: Jon Coppeard
date: Thu Jan 09 10:35:24 2020 +0000
summary: Bug 1424934 - Replace the chunk's mark bitmap with one byte per cell in the arena r=sfink,jandem

Confirmed related to bug 1424934.

Comment 8

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fe231cb5ef9b
Mark all relevant zones when entering weak marking mode r=sfink

Comment 9

[Daniel Varga [:dvarga]]

https://hg.mozilla.org/mozilla-central/rev/fe231cb5ef9b