Assertion failure: this->flags() == 0, at js/src/gc/Cell.h:764 or Crash [@ Interpret] with --warp-async
Categories: Core :: JavaScript Engine: JIT, defect

Tracking:

| Tracking | Status | |
|---|---|---|
| firefox86 | --- | disabled |

People: Reporter: decoder, Unassigned

Details: Keywords: assertion, regression, testcase; Whiteboard: [bugmon:update,bisected,confirmed]

Attachments (1 file): 327 bytes, text/plain
The following testcase crashes on mozilla-central revision 20210103-89fef9703703 (build with --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --ion-full-warmup-threshold=0 --warp-async):
```js
const v8 = "10000".padStart(10000, "bigint");
async function v12(v13, v14, v15, v16, v17) {
  const v22 = function() {
    with(gc) return v4();
  };
  for (const v24 in v8) {}
  for (const v25 in v15) {
    const v26 = await v25;
  }
}
const v27 = v12("bigint", v12, "tyKYodwxXu", "-4294967296", 1337);
gc();
```
Backtrace:

```
received signal SIGSEGV, Segmentation fault.
#0 0x000055555749965e in js::GCMarker::processMarkStackTop(js::SliceBudget&) ()
#1 0x0000555557499a15 in js::GCMarker::markUntilBudgetExhausted(js::SliceBudget&, js::GCMarker::ShouldReportMarkTime) ()
#2 0x000055555743da05 in js::gc::GCRuntime::markUntilBudgetExhausted(js::SliceBudget&, js::GCMarker::ShouldReportMarkTime) ()
#3 0x000055555744b352 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason, js::gc::AutoGCSession&) ()
#4 0x000055555744dd5b in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#5 0x000055555744f839 in js::gc::GCRuntime::collect(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#6 0x0000555557456ed2 in JS::NonIncrementalGC(JSContext*, JSGCInvocationKind, JS::GCReason) ()
#7 0x00005555570c0155 in GC(JSContext*, unsigned int, JS::Value*) ()
#8 0x0000555556ba0662 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#20 0x0000555556a081c9 in main ()
```
```
rip 0x55555749965e <js::GCMarker::processMarkStackTop(js::SliceBudget&)+2350>
=> 0x55555749965e <_ZN2js8GCMarker19processMarkStackTopERNS_11SliceBudgetE+2350>: movl $0x2fc,0x0
   0x555557499669 <_ZN2js8GCMarker19processMarkStackTopERNS_11SliceBudgetE+2361>: callq 0x555556a97b9a <abort>
```
We have this assert already on file, but the test differs significantly. Trying to ensure that we catch all variations here, please dup as needed :)
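The report asks triagers to dup against the existing assertion bug by hand. As an added example (not part of the report, and not Mozilla's or Bugmon's own tooling), this script parses a GDB backtrace in the format shown above and derives a bucket key from the signal plus the top frame names, which is how crash-dedup tools decide whether two fuzzer findings are the same bug. The sample backtrace is constructed from the frames in this report, including the `[...]` elision.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: frames taken from this report's GDB backtrace, keeping
# the "[...]" marker the reporter used to elide the middle of the stack.
SAMPLE_BACKTRACE = """\
received signal SIGSEGV, Segmentation fault.
#0 0x000055555749965e in js::GCMarker::processMarkStackTop(js::SliceBudget&) ()
#1 0x0000555557499a15 in js::GCMarker::markUntilBudgetExhausted(js::SliceBudget&, js::GCMarker::ShouldReportMarkTime) ()
#2 0x000055555743da05 in js::gc::GCRuntime::markUntilBudgetExhausted(js::SliceBudget&, js::GCMarker::ShouldReportMarkTime) ()
#8 0x0000555556ba0662 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#20 0x0000555556a081c9 in main ()
"""

# "#<n> 0x<addr> in <symbol>(<args>) ()" as printed by GDB without debug info.
FRAME_RE = re.compile(r"^#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<sym>.+?)\s*\(\)\s*$")
SIGNAL_RE = re.compile(r"received signal (?P<sig>SIG[A-Z]+)")


@dataclass
class Backtrace:
    signal: str = ""
    frames: list = field(default_factory=list)  # (frame index, function name)
    elided: bool = False                        # True when a "[...]" gap was seen


def parse_backtrace(text):
    bt = Backtrace()
    for line in text.splitlines():
        line = line.strip()
        if (m := SIGNAL_RE.search(line)):
            bt.signal = m.group("sig")
        elif line == "[...]":
            bt.elided = True
        elif (m := FRAME_RE.match(line)):
            # Keep only the qualified name: the address moves with ASLR and the
            # argument list can contain nested parentheses (function pointers).
            name = m.group("sym").split("(", 1)[0].strip()
            bt.frames.append((int(m.group("idx")), name))
    return bt


def crash_signature(bt, depth=3):
    """Bucket key: the signal plus the top `depth` frame names, innermost first."""
    top = [name for _, name in bt.frames[:depth]]
    return bt.signal + ": " + " <- ".join(top)


def same_bucket(text_a, text_b, depth=3):
    """True when two backtraces would be filed as duplicates under this scheme."""
    return crash_signature(parse_backtrace(text_a), depth) == crash_signature(parse_backtrace(text_b), depth)
```

A depth of three frames is a common starting point; for GC crashes like this one the innermost frames are generic marking code, so a triager may raise the depth or skip known helper frames to avoid merging unrelated bugs.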
Comment 1 • 5 years ago (Reporter)

Comment 2 • 5 years ago (Reporter)
Also, this crashes with the 0x2f pattern in opt builds.
Comment 3 • 5 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210104090857-3cba4d895b8e.
The bug appears to have been introduced in the following build range:
Start: a4ce10afc0f660ece5eca5f3d700646d8dd19c4c (20201215174456)
End: 1b3cd56bc7db0ba8fa5f0db0cfb2633242575ef0 (20201215174615)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a4ce10afc0f660ece5eca5f3d700646d8dd19c4c&tochange=1b3cd56bc7db0ba8fa5f0db0cfb2633242575ef0
Comment 4 • 5 years ago
Dupe of 1683614
Comment 5 • 4 years ago
Bugmon Analysis
No valid actions for resolution (DUPLICATE)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.