Closed Bug 1620195 Opened 4 years ago Closed 4 years ago

Assertion failure: UncheckedUnwrapWithoutExpose(record)->is<FinalizationRecordObject>(), at gc/FinalizationGroup.cpp:25 with --enable-weak-refs

Categories

(Core :: JavaScript: GC, defect, P1)

Product:
Core
Component:
JavaScript: GC
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla76
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox74 --- wontfix
firefox75 --- wontfix
firefox76 --- fixed

People

(Reporter: decoder, Assigned: allstars.chh)

Details

(Keywords: assertion, regression, testcase, Whiteboard: jspdate,isect)

Attachments

(2 files)

Testcase
179 bytes, text/plain
Details
Bug 1620195 - Check if it's a dead wrapper after wrapping.
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20200305-2e1a978b09d7 (build with (buildFlags not available), run with --fuzzing-safe --ion-offthread-compile=off --enable-weak-refs):

var g99 = newGlobal({});
nukeAllCCWs();
let group = new FinalizationGroup(x90 => 0);
let other = newGlobal({
    newCompartment: true
});
group.register(evalcx('({})', other), 1);

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000555556248274 in js::gc::GCRuntime::registerWithFinalizationGroup(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>) ()
#0  0x0000555556248274 in js::gc::GCRuntime::registerWithFinalizationGroup(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>) ()
#1  0x0000555555969298 in js::FinalizationGroupObject::register_(JSContext*, unsigned int, JS::Value*) ()
#2  0x00005555558e66b2 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#13 0x000055555576675e in main ()
rax	0x555556f32fbf	93825019359167
rbx	0x7fffffffb918	140737488337176
rcx	0x555557ef4850	93825035880528
rdx	0x0	0
rsi	0x7ffff6efd770	140737336301424
rdi	0x7ffff6efc540	140737336296768
rbp	0x7fffffffb8d0	140737488337104
rsp	0x7fffffffb810	140737488336912
r8	0x7ffff6efd770	140737336301424
r9	0x7ffff7f9cd00	140737353731328
r10	0x58	88
r11	0x7ffff6ba47a0	140737332791200
r12	0x7fffffffb908	140737488337160
r13	0x7fffffffb900	140737488337152
r14	0x7ffff5e27000	140737318645760
r15	0x7fffffffb900	140737488337152
rip	0x555556248274 <js::gc::GCRuntime::registerWithFinalizationGroup(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>)+948>
=> 0x555556248274 <_ZN2js2gc9GCRuntime29registerWithFinalizationGroupEP9JSContextN2JS6HandleIP8JSObjectEES8_+948>:	movl   $0x19,0x0
   0x55555624827f <_ZN2js2gc9GCRuntime29registerWithFinalizationGroupEP9JSContextN2JS6HandleIP8JSObjectEES8_+959>:	callq  0x5555557ef05e <abort>
Attached file Testcase 

    
    

    
  
Jon, this looks like something in GC and related to Finalization Groups.   Hopefully you can take a look at this.


Component: JavaScript Engine → JavaScript: GC
Flags: needinfo?(jcoppeard)

    
    

    
  
Check the crash signatures and it's like bug 1605633 for WeakRef objects, will take this bug and apply the same fix from bug 1605633 here.


Assignee: nobody → allstars.chh
Flags: needinfo?(jcoppeard)
Priority: -- → P1
Keywords: bugmon
Whiteboard: [jsbugmon:update,bisect] → jspdate,isect

    
    

    
  
Bugmon Analysis:
Unable to reproduce bug using the following builds:
> mozilla-central 20200313095322-b5c4cdbb59c9
> mozilla-central 20200305095541-2e1a978b09d7
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

        Attachment #9132564 -
        Attachment description: Bug 1620195 - Check if it's a dead wrapper after wrapping. s?sfink → Bug 1620195 - Check if it's a dead wrapper after wrapping. s=jonco

        Attachment #9132564 -
        Attachment description: Bug 1620195 - Check if it's a dead wrapper after wrapping. s=jonco → Bug 1620195 - Check if it's a dead wrapper after wrapping. r=jonco

        Attachment #9132564 -
        Attachment description: Bug 1620195 - Check if it's a dead wrapper after wrapping. r=jonco → Bug 1620195 - Check if it's a dead wrapper after wrapping.

    
    

    
  
Pushed by allstars.chh@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/030682a62f78
Check if it's a dead wrapper after wrapping. r=jonco

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/030682a62f78


Status: NEW → RESOLVED
Closed: 4 years ago

          status-firefox76:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla76

          status-firefox74:
          --- → wontfix

          status-firefox-esr68:
          --- → unaffected
Flags: in-testsuite+

    
    

    
  
The patch landed in nightly and beta is affected.

:allstars.chh, is this bug important enough to require an uplift?

If not please set status_beta to wontfix.


For more information, please visit auto_nag documentation.


Flags: needinfo?(allstars.chh)

    
    

    
  
This doesn't require uplift because this is related to WeakRef and WeakRef is behind a pref with default off.



          status-firefox75:
          affectedwontfix
Flags: needinfo?(allstars.chh)

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: