Closed
Bug 1624571
Opened 5 years ago
Closed 5 years ago
Assertion failure: !hasScriptCounts(), at vm/JSScript.cpp:4077
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla76
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox74 | --- | unaffected |
| firefox75 | --- | unaffected |
| firefox76 | --- | verified |
People
(Reporter: decoder, Assigned: tcampbell)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:verify])
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20200324-9b338268ce36 (build with (buildFlags not available), run with --fuzzing-safe --ion-offthread-compile=off):
var g34 = newGlobal({
newCompartment: true
});
var dbg = Debugger(g34);
function loop(call) {}
g34.eval(loop.toString());
var countDown = 20;
dbg.collectCoverageInfo = true;
g34.eval("loop(" + (2 * countDown) + ");");
var dbg = new Debugger;
gczeal(14);
var g39 = newGlobal([2]);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555555c34f1b in JSScript::relazify(JSRuntime*) ()
#1 0x0000555555c34ba1 in JSFunction::maybeRelazify(JSRuntime*) ()
#2 0x000055555627616f in RelazifyFunctions(JS::Zone*, js::gc::AllocKind) ()
#3 0x0000555556275d07 in js::gc::GCRuntime::relazifyFunctionsForShrinkingGC() ()
#4 0x00005555562784f9 in js::gc::GCRuntime::beginMarkPhase(JS::GCReason, js::gc::AutoGCSession&) ()
#5 0x000055555628e08a in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason, js::gc::AutoGCSession&) ()
#6 0x000055555629130a in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#7 0x000055555629301e in js::gc::GCRuntime::collect(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#8 0x000055555624b5ea in js::gc::GCRuntime::runDebugGC() ()
#9 0x000055555624ad61 in js::gc::GCRuntime::gcIfNeededAtAllocation(JSContext*) ()
#10 0x0000555556245e07 in bool js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1>(JSContext*, js::gc::AllocKind) ()
#11 0x00005555562459f5 in JSObject* js::AllocateObject<(js::AllowGC)1>(JSContext*, js::gc::AllocKind, unsigned long, js::gc::InitialHeap, JSClass const*) ()
#12 0x0000555555c8c799 in JSFunction::create(JSContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, JS::Handle<js::ObjectGroup*>) ()
#13 0x0000555555c4ed3c in NewObject(JSContext*, JS::Handle<js::ObjectGroup*>, js::gc::AllocKind, js::NewObjectKind, unsigned int) ()
#14 0x0000555555c4f1d5 in js::NewObjectWithClassProtoCommon(JSContext*, JSClass const*, JS::Handle<JSObject*>, js::gc::AllocKind, js::NewObjectKind) ()
#15 0x0000555555c2b673 in js::NewFunctionWithProto(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), unsigned int, js::FunctionFlags, JS::Handle<JSObject*>, JS::Handle<JSAtom*>, JS::Handle<JSObject*>, js::gc::AllocKind, js::NewObjectKind) ()
#16 0x0000555555a2e548 in JS::NewFunctionFromSpec(JSContext*, JSFunctionSpec const*, JS::Handle<JS::PropertyKey>) ()
#17 0x0000555555c61b09 in js::DefineFunctions(JSContext*, JS::Handle<JSObject*>, JSFunctionSpec const*, js::DefineAsIntrinsic) ()
#18 0x0000555555a2ec2b in JS_DefineFunctions(JSContext*, JS::Handle<JSObject*>, JSFunctionSpec const*) ()
#19 0x0000555555b5dc6a in js::DefinePropertiesAndFunctions(JSContext*, JS::Handle<JSObject*>, JSPropertySpec const*, JSFunctionSpec const*) ()
#20 0x0000555555c5ab1a in js::InitClass(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JSClass const*, bool (*)(JSContext*, unsigned int, JS::Value*), unsigned int, JSPropertySpec const*, JSFunctionSpec const*, JSPropertySpec const*, JSFunctionSpec const*, js::NativeObject**) ()
#21 0x0000555555fe7622 in JS_DefineDebuggerObject(JSContext*, JS::Handle<JSObject*>) ()
#22 0x00005555557905ee in NewGlobalObject(JSContext*, JS::RealmOptions&, JSPrincipals*, ShellGlobalKind) ()
#23 0x00005555557a77c7 in NewGlobal(JSContext*, unsigned int, JS::Value*) ()
#24 0x00005555558f12f2 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#35 0x0000555555773219 in main ()
rax 0x555556e9da2d 93825018747437
rbx 0x3725c61f2060 60635377246304
rcx 0x555557edb850 93825035778128
rdx 0x0 0
rsi 0x7ffff6efd770 140737336301424
rdi 0x7ffff6efc540 140737336296768
rbp 0x7fffffffa640 140737488332352
rsp 0x7fffffffa5d0 140737488332240
r8 0x7ffff6efd770 140737336301424
r9 0x7ffff7f9cd00 140737353731328
r10 0x58 88
r11 0x7ffff6ba47a0 140737332791200
r12 0x2ea203138f30 51273371193136
r13 0x7ffff5e29000 140737318653952
r14 0x3725c61fb060 60635377283168
r15 0x7ffff4ce8160 140737300562272
rip 0x555555c34f1b <JSScript::relazify(JSRuntime*)+459>
=> 0x555555c34f1b <_ZN8JSScript8relazifyEP9JSRuntime+459>: movl $0xfed,0x0
0x555555c34f26 <_ZN8JSScript8relazifyEP9JSRuntime+470>: callq 0x5555557fe99a <abort>
|
Reporter | |
Comment 1•5 years ago
|
||
|
Assignee | |
Comment 2•5 years ago
|
||
Definitely related to my lazyscript work.
Assignee: nobody → tcampbell
|
||
Updated•5 years ago
|
Priority: -- → P1
|
|
Assignee | |
Updated•5 years ago
|
status-firefox74:
--- → unaffected
status-firefox75:
--- → affected
status-firefox-esr68:
--- → unaffected
|
|
Assignee | |
Comment 3•5 years ago
|
||
During relazification, cleanup any lingering ScriptCounts that the debugger
may have left behind. The debugger/code-coverage do not always clean this up
before releasing their guards against relazification. Previously, a distinct
JSScript instance would eventually have cleaned this up.
|
|
Assignee | |
Updated•5 years ago
|
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0ac09d06e223
Cleanup ScriptCounts on relazification r=jandem
|
|
Assignee | |
Updated•5 years ago
|
Keywords: leave-open
|
||
Comment 5•5 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 6•5 years ago
|
||
Checking for isDebuggee is sufficient to cover the collectCoverageForDebug
case. Make the lcov exemption explicit. Also cleanup checks in
JSScript::relazify to be consistent with the finalizer conditions.
|
|
Assignee | |
Updated•5 years ago
|
Keywords: leave-open
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9e2c0c0d9352
Cleanup relazification conditions. r=jandem
|
||
Updated•5 years ago
|
Keywords: bugmon
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
|
|
||
Updated•5 years ago
|
Whiteboard: [bugmon:update,bisected,confirmed] → [bugmon:confirm]
|
||
Comment 8•5 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
|
|
||
Updated•5 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:verify]
|
|
||
Updated•5 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Comment 9•5 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200327094805-2998408f57b1.
|
|
||
Comment 10•5 years ago
|
||
Bugmon Analysis:
You need to log in
before you can comment on or make changes to this bug.
Description
•