1691901 - MOZ_CRASH [@ js::gcstats::Statistics::lookupChildPhase]

Status: RESOLVED FIXED

(Core :: JavaScript: GC, defect, P1)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

enableShellAllocationMetadataBuilder()
Function('gcparam("markStackLimit",1);gc()'.replace(/x/))();

(gdb) bt
#0  MOZ_Crash (aFilename=<optimized out>, aLine=230, aReason=0x555557fc40d0 <sPrintfCrashReason> "Child phase kind MARK_DELAYED not found under current phase kind SWEEP_MARK_WEAK") at /home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-89c5f958a3ac/objdir-js/dist/include/mozilla/Assertions.h:254
#1  js::gcstats::Statistics::lookupChildPhase (this=this@entry=0x7ffff6946810, phaseKind=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/gc/Statistics.cpp:228
#2  0x00005555574467f5 in js::gcstats::Statistics::beginPhase (this=0x7ffff6946810, phaseKind=js::gcstats::PhaseKind::MARK_DELAYED) at /home/skygentoo/trees/mozilla-central/js/src/gc/Statistics.cpp:1374
#3  0x00005555573e8284 in js::gcstats::AutoPhase::AutoPhase (this=<optimized out>, stats=..., phaseKind=js::gcstats::PhaseKind::MARK_DELAYED) at /home/skygentoo/trees/mozilla-central/js/src/gc/Statistics.h:496
#4  mozilla::Maybe<js::gcstats::AutoPhase>::emplace<js::gcstats::Statistics&, js::gcstats::PhaseKind> (this=<optimized out>, aArgs=<optimized out>, aArgs=<optimized out>) at /home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-89c5f958a3ac/objdir-js/dist/include/mozilla/Maybe.h:864
#5  js::GCMarker::markAllDelayedChildren (this=this@entry=0x7ffff6947400, budget=..., reportTime=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/gc/Marking.cpp:2702
#6  0x00005555573e7f23 in js::GCMarker::markUntilBudgetExhausted (this=0x7ffff6947400, budget=..., reportTime=js::GCMarker::ReportMarkTime) at /home/skygentoo/trees/mozilla-central/js/src/gc/Marking.cpp:1828
#7  0x00005555573b129c in js::gc::GCRuntime::markWeakReferences<js::gc::SweepGroupZonesIter> (this=this@entry=0x7ffff6946788, incrementalBudget=...) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:4435
#8  0x000055555738659d in js::gc::GCRuntime::markWeakReferencesInCurrentGroup (this=0x7ffff6946788, budget=...) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:4457
#9  js::gc::GCRuntime::endMarkingSweepGroup (this=0x7ffff6946788, fop=<optimized out>, budget=...) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:5049
#10 0x00005555573dcd81 in sweepaction::SweepActionSequence::run (this=0x7ffff6905560, args=...) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:6060
#11 0x00005555573cc717 in sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, JSRuntime*>::run (this=0x7ffff69227f0, args=...) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:6095
#12 0x000055555738cb90 in js::gc::GCRuntime::performSweepActions (this=this@entry=0x7ffff6946788, budget=...) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:6227
#13 0x0000555557392ad9 in js::gc::GCRuntime::incrementalSlice (this=this@entry=0x7ffff6946788, budget=..., gckind=..., reason=<optimized out>, reason@entry=JS::GCReason::API) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:6877
#14 0x00005555573954bd in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff6946788, nonincrementalByAPI=true, budgetArg=..., gckind=..., reason=reason@entry=JS::GCReason::API) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:7293
#15 0x000055555739682c in js::gc::GCRuntime::collect (this=0x7ffff6946788, nonincrementalByAPI=false, budget=..., gckindArg=..., reason=reason@entry=JS::GCReason::API) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:7496
#16 0x000055555739c3e1 in js::gc::GCRuntime::gc (this=0x7ffff7bad9a0 <_IO_stdfile_2_lock>, gckind=<optimized out>, reason=JS::GCReason::API) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:7576
#17 JS::NonIncrementalGC (cx=cx@entry=0x7ffff6924000, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::GCReason::API) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:8425
#18 0x00005555570170a3 in GC (cx=cx@entry=0x7ffff6924000, argc=<optimized out>, vp=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/builtin/TestingFunctions.cpp:588
#19 0x0000555556b14582 in CallJSNative (cx=0x7ffff6924000, native=native@entry=0x555557016e60 <GC(JSContext*, unsigned int, JS::Value*)>, reason=<optimized out>, reason@entry=js::CallReason::Call, args=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:435
#20 0x0000555556b06eaf in js::InternalCallOrConstruct (cx=0x7ffff7bad9a0 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6924000, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=reason@entry=js::CallReason::Call) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:526
#21 0x0000555556b07a0e in InternalCall (cx=0x7ffff6924000, args=..., reason=reason@entry=js::CallReason::Call) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:579
#22 0x0000555556afb904 in js::CallFromStack (cx=0x7ffff7bad9a0 <_IO_stdfile_2_lock>, args=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:583
#23 Interpret (cx=0x7ffff7bad9a0 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6924000, state=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:3242
#24 0x0000555556af2768 in js::RunScript (cx=cx@entry=0x7ffff6924000, state=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:405
#25 0x0000555556b09236 in js::ExecuteKernel (cx=cx@entry=0x7ffff6924000, script=..., script@entry=..., envChainArg=envChainArg@entry=..., newTargetValue=..., evalInFrame=evalInFrame@entry=..., result=result@entry=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:771
#26 0x0000555556b096d0 in js::Execute (cx=cx@entry=0x7ffff6924000, script=..., envChain=..., rval=..., rval@entry=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:803
#27 0x0000555556cb69a2 in ExecuteScript (cx=cx@entry=0x7ffff6924000, envChain=..., script=..., rval=rval@entry=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:444
#28 0x0000555556cb6b46 in JS_ExecuteScript (cx=cx@entry=0x7ffff6924000, scriptArg=scriptArg@entry=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:468
#29 0x0000555556a4d72c in RunFile (cx=cx@entry=0x7ffff6924000, filename=0x5baf7cc4e9cc4 <error: Cannot access memory at address 0x5baf7cc4e9cc4>, filename@entry=0x7ffff7756d40 "\230$\255\373\344\344\344", <incomplete sequence \344>, file=<optimized out>, file@entry=0x7ffff7756d40, compileMethod=<optimized out>, compileMethod@entry=CompileUtf8::DontInflate, compileOnly=false) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:989
#30 0x0000555556a4ce21 in Process (cx=0x7ffff6924000, filename=<optimized out>, forceTTY=false, kind=kind@entry=FileScript) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:1580
#31 0x0000555556a17b83 in ProcessArgs (cx=0x7ffff7bad9a0 <_IO_stdfile_2_lock>, op=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:10481
#32 Shell (cx=0x7ffff6924000, op=<optimized out>, op@entry=0x7fffffffd7c0, envp=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:11216
#33 0x0000555556a10baf in main (argc=6, argv=<optimized out>, envp=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:12103
(gdb)

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ./configure --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests, tested on m-c rev 89c5f958a3ac.

Highly unlikely this is s-s, and this should blow up fuzzers. Please fix this quickly. Setting needinfo? from :jonco as a start.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Maybe related to https://hg.mozilla.org/mozilla-central/rev/1473dbb7ada0 ? Still awaiting bisection result.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Confirmed:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/1473dbb7ada0
user:        Jon Coppeard
date:        Tue Feb 09 09:46:57 2021 +0000
summary:     Bug 1691373 - Pass reportTime to GCMarker::markAllDelayedChildren rather than checking current GC phase r=sfink

Comment 3

[Jon Coppeard (:jonco)]

Attachment: Bug 1691901 - Add missing MARK_DELAYED phase to SWEEP_MARK_WEAK phase r?sfink

Anywhere we call GCMarker::markUntilBudgetExhausted can potentailly do delayed marking if we hit OOM.

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1691373

Comment 5

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8e3ec05a8f42
Add missing MARK_DELAYED phase to SWEEP_MARK_WEAK phase r=sfink

Comment 6

[Dorel Luca [:dluca]]

Backed out changeset 8e3ec05a8f42 (bug 1691901) for Spidermonkey failure in /js/src/jit-test/tests/gc/bug-1691901.js. CLOSED TREE

Log:
https://treeherder.mozilla.org/logviewer?job_id=329596453&repo=autoland&lineNumber=16228

Push wtih failures:
https://treeherder.mozilla.org/jobs?repo=autoland&group_state=expanded&revision=8e3ec05a8f42228f4c14ed6b72187090f84f4fcc

Backout:
https://hg.mozilla.org/integration/autoland/rev/e2d9a54e6bb410a9b18038a7ab2046f91a4504c6

Comment 7

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c9f6c0ba93f0
Add missing MARK_DELAYED phase to SWEEP_MARK_WEAK phase r=sfink

Comment 8

[Andreea Pavel [:apavel]]

https://hg.mozilla.org/mozilla-central/rev/c9f6c0ba93f0