Closed Bug 1671125 Opened 5 years ago Closed 5 years ago

Assertion failure: !zone->needsIncrementalBarrier() || zone->isAtomsZone(), at gc/Verifier.cpp:311

Categories

(Core :: JavaScript: GC, defect, P1)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
83 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox81 --- unaffected
firefox82 --- unaffected
firefox83 --- verified

People

(Reporter: decoder, Assigned: jonco)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20201013-d95aab08e480 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

verifyprebarriers()
evalInWorker(`
  Object.defineProperty(this, "x", {});
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555576ac720 in js::gc::AssertSafeToSkipPreWriteBarrier(js::gc::TenuredCell*) ()
#1  0x0000555556bcb68d in js::gc::PreWriteBarrierImpl(js::gc::TenuredCell*) ()
#2  0x00005555570ece67 in js::FunctionScope::clone(JSContext*, JS::Handle<js::FunctionScope*>, JS::Handle<JSFunction*>, JS::Handle<js::Scope*>) ()
#3  0x000055555700372d in js::CloneScriptIntoFunction(JSContext*, JS::Handle<js::Scope*>, JS::Handle<JSFunction*>, JS::Handle<JSScript*>, JS::Handle<js::ScriptSourceObject*>) ()
#4  0x0000555557101523 in JSRuntime::cloneSelfHostedFunctionScript(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JSFunction*>) ()
#5  0x0000555556ffea42 in JSFunction::delazifySelfHostedLazyFunction(JSContext*, JS::Handle<JSFunction*>) ()
#6  0x0000555556bc5e4a in JSFunction::getOrCreateScript(JSContext*, JS::Handle<JSFunction*>) ()
#7  0x0000555556d0e782 in Interpret(JSContext*, js::RunState&) ()
#8  0x0000555556d051e4 in js::RunScript(JSContext*, js::RunState&) ()
#9  0x0000555556d1c27c in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#10 0x0000555556d1c9cd in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#11 0x0000555556ed1335 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#12 0x0000555556ed1148 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#13 0x0000555556bc8e42 in WorkerMain(WorkerInput*) ()
#14 0x0000555556bc9494 in js::detail::ThreadTrampoline<void (&)(WorkerInput*), WorkerInput*&>::Start(void*) ()
#15 0x00007ffff7bc16ba in start_thread (arg=0x7ffff6967700) at pthread_create.c:333
#16 0x00007ffff6e4641d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax	0x55555583b00f	93824995274767
rbx	0x3840e6000000	61851387822080
rcx	0x555558548c30	93825042517040
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7ffff6965b90	140737330437008
rsp	0x7ffff6965b90	140737330437008
r8	0x7ffff7105770	140737338431344
r9	0x7ffff6967700	140737330444032
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0x7ffff4a4c0d0	140737297826000
r13	0x7ffff60fe000	140737321623552
r14	0x7ffff6965c10	140737330437136
r15	0x3840e60429c0	61851388094912
rip	0x5555576ac720 <js::gc::AssertSafeToSkipPreWriteBarrier(js::gc::TenuredCell*)+336>
=> 0x5555576ac720 <_ZN2js2gc31AssertSafeToSkipPreWriteBarrierEPNS0_11TenuredCellE+336>:	movl   $0x137,0x0
   0x5555576ac72b <_ZN2js2gc31AssertSafeToSkipPreWriteBarrierEPNS0_11TenuredCellE+347>:	callq  0x555556c105e6 <abort>
Attached file Testcase

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201014095212-f6615f173552.
The bug appears to have been introduced in the following build range:

Start: a90ba60415cc09cfcc7ee7c6eb6c49abacd93541 (20201013102911)
End: 97770f1880a215b81e1fe806f9d6e486246bfc69 (20201013103813)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a90ba60415cc09cfcc7ee7c6eb6c49abacd93541&tochange=97770f1880a215b81e1fe806f9d6e486246bfc69

Whiteboard: [bugmon:update,bisect][fuzzblocker] → [bugmon:update,bisected,confirmed][fuzzblocker]

This is a topcrasher in fuzzing, Jon can you please look into this?

Flags: needinfo?(jcoppeard)
Regressed by: 1670251
Has Regression Range: --- → yes

Sure.

Assignee: nobody → jcoppeard
Severity: -- → N/A
Flags: needinfo?(jcoppeard)
Priority: -- → P1

Set release status flags based on info from the regressing bug 1670251

The comments in PreWriteBarrierImpl mention that the pre-barrier verifier can
turn on incremental barriers in the atoms zone outside of a GC. This also
applies to the self hosting zone so we just need to relax the assertions to
cover that too.

Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d5d66f10d928 Relax assertions to allow pre-barrier verifier to turn on barriers on the self hosting zone as well as the atoms zone r=sfink
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 83 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20201016214537-ac431d6e63f0.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
