Closed Bug 1684829 Opened 5 years ago Closed 5 years ago

Crash [@ js::gc::ArenaCellSet::check() const] with warp generators

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1683309
Tracking Status
firefox86 --- disabled

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 20210103-89fef9703703 (build with --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --warp-generator --ion-full-warmup-threshold=0):

new new Function(`
  gczeal(8,10);
  function* g8() { yield* [1, 2, 3]; }
  let {errors} = new AggregateError(g8());
  new new.target();
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555556e1d300 in js::gc::ArenaCellSet::check() const ()
#1  0x00005555574a1066 in js::gc::ArenaCellSet::trace(js::TenuringTracer&) ()
#2  0x00005555574a1bf2 in js::gc::StoreBuffer::WholeCellBuffer::trace(js::TenuringTracer&) ()
#3  0x00005555574b77e8 in js::Nursery::doCollection(JS::GCReason) ()
#4  0x00005555574b6d1b in js::Nursery::collect(JSGCInvocationKind, JS::GCReason) ()
#5  0x000055555744ea68 in js::gc::GCRuntime::collectNursery(JSGCInvocationKind, JS::GCReason, js::gcstats::PhaseKind) ()
#6  0x000055555744dbd5 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#7  0x000055555744f839 in js::gc::GCRuntime::collect(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#8  0x000055555745504a in js::gc::GCRuntime::runDebugGC() ()
#9  0x00005555574025d3 in bool js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1>(JSContext*, js::gc::AllocKind) ()
#10 0x000055555740246e in JSObject* js::AllocateObject<(js::AllowGC)1>(JSContext*, js::gc::AllocKind, unsigned long, js::gc::InitialHeap, JSClass const*) ()
#11 0x0000555556c0e3fc in js::ArrayObject::createArrayInternal(JSContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, JS::Handle<js::ObjectGroup*>, js::AutoSetNewObjectMetadata&) ()
#12 0x0000555556bf039d in js::ArrayObject::createArray(JSContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, JS::Handle<js::ObjectGroup*>, unsigned int, js::AutoSetNewObjectMetadata&) ()
#13 0x0000555556bee8de in js::ArrayObject* NewArray<0u>(JSContext*, unsigned int, JS::Handle<JSObject*>, js::NewObjectKind) ()
#14 0x0000555556d8162a in AggregateError(JSContext*, unsigned int, JS::Value*) ()
#15 0x00000ebda468d24f in ?? ()
#16 0x0000000000000000 in ?? ()
rax	0xce072ea2000	14158140153856
rbx	0xfffe1b9b9b9b9b9b	-532594808874085
rcx	0xce072ea2000	14158140153856
rdx	0x2	2
rsi	0x7fffffff9cb8	140737488329912
rdi	0x7ffff4a17020	140737297608736
rbp	0x7fffffff9c10	140737488329744
rsp	0x7fffffff9c00	140737488329728
r8	0x90b54c00000	9944271159296
r9	0x90b54c00000	9944271159296
r10	0x3f750	259920
r11	0x246	582
r12	0x7ffff4a17020	140737297608736
r13	0x7ffff60490e8	140737320882408
r14	0x7ffff4a17020	140737297608736
r15	0x7ffff6049708	140737320883976
rip	0x555556e1d300 <js::gc::ArenaCellSet::check() const+240>
=> 0x555556e1d300 <_ZNK2js2gc12ArenaCellSet5checkEv+240>:	cmpb   $0x1,0x15(%rbx)
   0x555556e1d304 <_ZNK2js2gc12ArenaCellSet5checkEv+244>:	je     0x555556e1d3dd <_ZNK2js2gc12ArenaCellSet5checkEv+461>
Attached file Testcase

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210104090857-3cba4d895b8e.
The bug appears to have been introduced in the following build range:

Start: a4ce10afc0f660ece5eca5f3d700646d8dd19c4c (20201215174456)
End: 1b3cd56bc7db0ba8fa5f0db0cfb2633242575ef0 (20201215174615)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a4ce10afc0f660ece5eca5f3d700646d8dd19c4c&tochange=1b3cd56bc7db0ba8fa5f0db0cfb2633242575ef0

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

I wasn't able to reproduce this on central, but could reproduce on original revision. Backporting the patches from Bug 1683309 appears to fix this, so I'm going to resolve as a dupe of that one.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE

Bugmon Analysis
No valid actions for resolution (DUPLICATE)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon