Closed Bug 1620221 Opened 6 years ago Closed 6 years ago

Assertion failure: gcMarker->tracingCompartment == comp, at gc/Marking.cpp:273 with Debugger

Categories

(Core :: JavaScript: GC, defect, P1)

x86_64
Linux
defect

Tracking

()

RESOLVED FIXED
mozilla76
Tracking Status
firefox-esr68 --- unaffected
firefox74 --- wontfix
firefox75 --- wontfix
firefox76 --- verified

People

(Reporter: decoder, Assigned: allstars.chh)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20200305-2e1a978b09d7 (build with (buildFlags not available), run with --fuzzing-safe --ion-offthread-compile=off --blinterp-eager):

// Debugger in this (parent) compartment observing a freshly created debuggee
// global; the Debugger.Script wrapper it creates lives in the debugger's
// compartment, not the debuggee's.
function testStepping(script, expected) {
    let g = newGlobal({newCompartment: true});
    let f = g.eval(script);
    let log = [];
    function maybePause(frame) {
        // Reading frame.script creates a DebuggerScript for the debuggee script.
        let line = frame.script.getOffsetLocation(frame.offset).lineNumber;
        log.push(line);
    }
    let dbg = new Debugger(g);
    dbg.onEnterFrame = frame => {
        maybePause(frame);
    };
    f();
}
// A second debugger, in yet another compartment, that debugs this global.
var g7 = newGlobal({newCompartment: true});
g7.parent = this;
g7.eval(`
    Debugger(parent).onEnterFrame = function(frame) {
        let v = frame.environment.getVariable('var0');
    };
`);
testStepping("(function() {})");
// Collecting now marks the debugger's script weak map and hits the assertion.
gc();

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x00005555562b994b in void js::CheckTracedThing<JSObject>(JSTracer*, JSObject*) ()
#0  0x00005555562b994b in void js::CheckTracedThing<JSObject>(JSTracer*, JSObject*) ()
#1  0x00005555562f0f79 in void DoMarking<JSObject>(js::GCMarker*, JSObject*) ()
#2  0x00005555562be8d1 in bool js::gc::TraceEdgeInternal<JSObject*>(JSTracer*, JSObject**, char const*) ()
#3  0x00005555560093e1 in js::WeakMap<js::HeapPtr<js::BaseScript*>, js::HeapPtr<js::DebuggerScript*> >::markEntry(js::GCMarker*, js::HeapPtr<js::BaseScript*>&, js::HeapPtr<js::DebuggerScript*>&) ()
#4  0x0000555556007062 in js::WeakMap<js::HeapPtr<js::BaseScript*>, js::HeapPtr<js::DebuggerScript*> >::markKey(js::GCMarker*, js::gc::Cell*, js::gc::Cell*) ()
#5  0x00005555562c1ec3 in void js::GCMarker::markImplicitEdgesHelper<js::BaseScript*>(js::BaseScript*) ()
#6  0x00005555562c78f0 in js::GCMarker::processMarkStackTop(js::SliceBudget&) ()
#7  0x00005555562c8835 in js::GCMarker::markUntilBudgetExhausted(js::SliceBudget&) ()
#8  0x000055555626ba74 in void js::gc::GCRuntime::markWeakReferences<js::gc::SweepGroupZonesIter>(js::gcstats::PhaseKind) ()
#9  0x0000555556271534 in js::gc::GCRuntime::endMarkingSweepGroup(JSFreeOp*, js::SliceBudget&) ()
#10 0x00005555562b3c41 in sweepaction::SweepActionSequence::run(js::gc::SweepAction::Args&) ()
#11 0x00005555562a3ba7 in sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, JSRuntime*>::run(js::gc::SweepAction::Args&) ()
#12 0x0000555556278fc5 in js::gc::GCRuntime::performSweepActions(js::SliceBudget&) ()
#13 0x000055555627d7b9 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason, js::gc::AutoGCSession&) ()
#14 0x00005555562805dc in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#15 0x000055555628222e in js::gc::GCRuntime::collect(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#16 0x00005555562888f9 in JS::NonIncrementalGC(JSContext*, JSGCInvocationKind, JS::GCReason) ()
#17 0x0000555555eb37b8 in GC(JSContext*, unsigned int, JS::Value*) ()
#18 0x00005555558e66b2 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#19 0x00005555558e5fcf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#20 0x00005555563a6b39 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) ()
#21 0x0000169cb1d4af43 in ?? ()
[...]
#31 0x0000000000000000 in ?? ()
Attached file Testcase

Yoshi, is this a GC bug you could possibly look into?

Flags: needinfo?(allstars.chh)
Assignee: nobody → allstars.chh
Flags: needinfo?(allstars.chh)
Priority: -- → P1
Whiteboard: [jsbugmon:update,bisect] → [bugmon:confirm]
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200313163649-87ab9a88abce
The bug appears to have been introduced in the following build range:
> Start: 83fc8cf83221d0b488ea2f01fb1aebcd688e3fa3 (20191217104440)
> End: 930ad6def3c7961c82b2af20b66be3351603684f (20191217161753)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=83fc8cf83221d0b488ea2f01fb1aebcd688e3fa3&tochange=930ad6def3c7961c82b2af20b66be3351603684f

Hi Yoshi, are you able to work on this soon? Thank you!

Flags: needinfo?(allstars.chh)

I am actively working on this.

Flags: needinfo?(allstars.chh)
Status: NEW → ASSIGNED
Pushed by allstars.chh@gmail.com: https://hg.mozilla.org/integration/autoland/rev/549202f8d33b Clear gc->tracingCompartment in GCMarker::markImplicitEdgesHelper. r=jonco
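A simplified model, added here and not SpiderMonkey code, of the invariant behind the assertion and of the fix landed above: the marker records the compartment of the cell whose edges it is tracing and checks every cell it reaches against it, but weak-map ("implicit") edges legitimately cross compartments (the DebuggerScript for a debuggee script lives in the debugger's compartment), so marking them with the check still armed fires the assertion. The names Marker, Cell, Compartment and the flag clearDuringImplicit are assumptions of this model, not engine identifiers.

```cpp
#include <map>
#include <vector>
struct Compartment { int id; };
// A heap cell: its compartment, ordinary (same-compartment) edges, mark bit.
struct Cell { Compartment* comp; std::vector<Cell*> edges; bool marked; };

struct Marker {
  Compartment* tracingCompartment = nullptr;  // set while tracing a cell's edges
  std::multimap<Cell*, Cell*> weakEntries;    // weak-map key -> value ("implicit edge")
  bool checkFailed = false;
  bool clearDuringImplicit = false;           // true models the fix

  // Models the CheckTracedThing assertion, enforced only while a
  // tracing compartment is recorded.
  void checkTracedThing(Cell* thing) {
    if (tracingCompartment && tracingCompartment != thing->comp) checkFailed = true;
  }
  void markCell(Cell* thing) {
    checkTracedThing(thing);
    if (thing->marked) return;
    thing->marked = true;
    Compartment* saved = tracingCompartment;
    tracingCompartment = thing->comp;
    for (Cell* e : thing->edges) markCell(e);
    markImplicitEdges(thing);
    tracingCompartment = saved;
  }
  // Weak-map values keyed by `key` may live in another compartment (a
  // DebuggerScript sits in the debugger's, not the debuggee's), so the
  // fix clears tracingCompartment while marking them.
  void markImplicitEdges(Cell* key) {
    Compartment* saved = tracingCompartment;
    if (clearDuringImplicit) tracingCompartment = nullptr;
    auto range = weakEntries.equal_range(key);
    for (auto it = range.first; it != range.second; ++it) markCell(it->second);
    tracingCompartment = saved;
  }
};

// Marks a debuggee script whose DebuggerScript lives in the debugger's
// compartment; returns whether the compartment check fired.
bool crossCompartmentWeakValueFails(bool withFix) {
  Compartment debuggee{1}, debugger{2};
  Cell script{&debuggee, {}, false}, debuggerScript{&debugger, {}, false};
  Marker m; m.clearDuringImplicit = withFix;
  m.weakEntries.insert({&script, &debuggerScript});
  m.markCell(&script);
  return m.checkFailed;
}
```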
Version: Trunk → 73 Branch
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
Keywords: bugmon
Bugmon Analysis: Bug filed against non-supported branch (73) Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Version: 73 Branch → Trunk
Bugmon Analysis: Bug appears to be fixed on mozilla-central 20200422163521-2203d818a3b4 but BugMon was unable to reproduce using mozilla-central 20200305095541-2e1a978b09d7.