Assertion failure: IsGCThingValidAfterMovingGC(t), at gc/Marking-inl.h:148 or crashes with shell-only functions
Categories: Core :: JavaScript Engine, defect, P1

Tracking | Status
---|---
firefox-esr78 | unaffected
firefox84 | unaffected
firefox85 | unaffected
firefox86 | verified

People: Reporter: decoder, Assigned: caroline
References: Regression
Details: 4 keywords, Whiteboard: [bugmon:update,bisected,confirmed]
Attachments: 4 files, 2 obsolete files
The following testcase crashes on mozilla-central revision 20201219-3262affdccf6 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --blinterp-eager):
while(true)
evaluate(`
function dummyAssertCallFunction(f) {}
assertErrorMessage = dummyAssertCallFunction;
assertErrorMessage(() => new WebAssembly.Memory({initial: 1, maximum: 1, shared: true}), /x/);
rateMyCacheIR();
relazifyFunctions();
`);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x00005555574fd3fb in JS::Zone::checkScriptMapsAfterMovingGC() ()
#1 0x000055555743d8c4 in js::gc::GCRuntime::checkHashTablesAfterMovingGC() ()
#2 0x000055555743d4a9 in js::gc::GCRuntime::compactPhase(JS::GCReason, js::SliceBudget&, js::gc::AutoGCSession&) ()
#3 0x00005555574425a6 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#4 0x0000555557444f00 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#5 0x0000555557446239 in js::gc::GCRuntime::collect(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#6 0x000055555744d962 in JS::NonIncrementalGC(JSContext*, JSGCInvocationKind, JS::GCReason) ()
#7 0x00005555570b8b53 in RelazifyFunctions(JSContext*, unsigned int, JS::Value*) ()
#8 0x0000555556b96c62 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#9 0x0000555556b9651a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#10 0x0000555556b978a4 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#11 0x00005555575af6f4 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) ()
#12 0x000002b58038cbd3 in ?? ()
[...]
#21 0x0000000000000000 in ?? ()
This looks like a problem with rateMyCacheIR in combination with relazifyFunctions, but I keep getting use-after-free crashes from this and it is consuming resources because we need to investigate each time. Would be great if we could fix this shell-only bug.
Comment 1 (reporter) • 3 years ago

Comment 2 • 3 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201220093524-13f304ed6039.
The bug appears to have been introduced in the following build range:
Start: f4dae20686a4c81685f19c8e89a9cddbf0b40352 (20201219005341)
End: 1387fe7fd09dab27b355a38555ea101c8b363662 (20201219005907)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f4dae20686a4c81685f19c8e89a9cddbf0b40352&tochange=1387fe7fd09dab27b355a38555ea101c8b363662
Comment 3 • 3 years ago
Caroline, could you investigate this bug? This may be caused by your recent push.
Comment 4 (assignee) • 3 years ago
This definitely is an issue from my latest push for CacheIR health report. Will look into further right now.
Comment 5 (assignee) • 3 years ago

Comment 6 (assignee) • 3 years ago

Comment 7 (assignee) • 3 years ago
Depends on D100295
Comment 8 • 3 years ago
Set release status flags based on info from the regressing bug 1672787
Comment 9 (assignee) • 3 years ago
Depends on D100295
Comment 10 (assignee) • 3 years ago
Depends on D100296
Comment 11 • 3 years ago
Comment on attachment 9194572 [details]
Bug 1683608 - Clean up JSOp spew for CacheIR health report. r?iain
Revision D100403 was moved to bug 1684096. Setting attachment 9194572 [details] to obsolete.
Comment 12 • 3 years ago
Pushed by ccullen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/54a475dfd36e Fix error handing from addScriptToFinalWarmUpCount. r=iain
https://hg.mozilla.org/integration/autoland/rev/4823e56beb36 Free filename when we fail to add it to the hash map. r=iain
https://hg.mozilla.org/integration/autoland/rev/03fe8484bcaa Temporarily mark RateMyCacheIR as fuzzing unsafe. r=iain
Comment 13 (bugherder) • 3 years ago
https://hg.mozilla.org/mozilla-central/rev/54a475dfd36e
https://hg.mozilla.org/mozilla-central/rev/4823e56beb36
https://hg.mozilla.org/mozilla-central/rev/03fe8484bcaa
Comment 14 • 3 years ago
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20201224094230-1833e81ad250.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.