Closed Bug 1696880 Opened 3 years ago Closed 3 years ago

Hit MOZ_CRASH(Mutex ordering violation) at js/src/threading/Mutex.cpp:32 with offThreadDecodeScript

Categories

(Core :: JavaScript: GC, defect, P1)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
88 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox86 --- unaffected
firefox87 --- unaffected
firefox88 --- verified

People

(Reporter: decoder, Assigned: jonco)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20210307-74e3d611be8f (debug build, run with --fuzzing-safe --ion-offthread-compile=off test.js):

gczeal(4)  // gczeal mode 4 enables the pre-write-barrier verifier
function a(b) {
    c = cacheEntry(b)
    evaluate(c, {
        saveBytecode: true  // store bytecode in the cache entry
    })
    return c
}
offThreadDecodeScript(a(""))  // decode the cached bytecode on a helper thread

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x000055932a22fa53 in js::Mutex::lock() ()
#1  0x000055932a39bab1 in js::AtomsTable::atomIsPinned(JSRuntime*, JSAtom*) ()
#2  0x000055932a9312fe in bool js::gc::AtomMarkingRuntime::atomIsMarked<JSAtom>(JS::Zone*, JSAtom*) ()
#3  0x000055932a9ff628 in void js::GCMarker::checkTraversedEdge<js::Shape*, JSString>(js::Shape*, JSString*) ()
#4  0x000055932a9ff49c in auto js::MapGCThingTyped<js::ApplyGCThingTyped<js::GCMarker::markAndTraverseEdge<js::Shape*, JS::PropertyKey>(js::Shape*, JS::PropertyKey const&)::{lambda(auto:1)#1}>(JS::PropertyKey const&, js::GCMarker::markAndTraverseEdge<js::Shape*, JS::PropertyKey>(js::Shape*, JS::PropertyKey const&)::{lambda(auto:1)#1}&&)::{lambda(auto:1)#1}>(JS::PropertyKey const, JS::PropertyKey const&) ()
#5  0x000055932a9fef89 in js::GCMarker::eagerlyMarkChildren(js::Shape*) ()
#6  0x000055932a9d0d58 in js::GCMarker::traceBarrieredCell(JS::GCCellPtr) ()
#7  0x000055932a9bd2c0 in js::GCMarker::traceBarrieredCells(js::SliceBudget&) ()
#8  0x000055932aa1892b in js::gc::GCRuntime::endVerifyPreBarriers() ()
#9  0x000055932aa1929a in js::gc::GCRuntime::maybeVerifyPreBarriers(bool) ()
#10 0x000055932a0d7ed0 in Interpret(JSContext*, js::RunState&) ()
#11 0x000055932a0d6461 in js::RunScript(JSContext*, js::RunState&) ()
#12 0x000055932a0ed69e in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#13 0x000055932a0edbd4 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#14 0x000055932a29a86d in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#15 0x000055932a29aa6e in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#16 0x0000559329fbc21c in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) ()
#17 0x0000559329fbb7f2 in Process(JSContext*, char const*, bool, FileKind) ()
#18 0x0000559329f63f6a in Shell(JSContext*, js::cli::OptionParser*, char**) ()
#19 0x0000559329f5bec1 in main ()
rip	0x55932a22fa53 <js::Mutex::lock()+307>
=> 0x55932a22fa53 <_ZN2js5Mutex4lockEv+307>:	movl   $0x20,0x0
   0x55932a22fa5e <_ZN2js5Mutex4lockEv+318>:	callq  0x559329fe58ac <abort>
Attached file Testcase
Assignee: nobody → jcoppeard
Severity: -- → N/A
Priority: -- → P1
Regressed by: 1695891
Has Regression Range: --- → yes

We need to take a lock on part of the atoms table in some marking assertions, but AutoPrepareForTracing takes all the atom table locks for us.
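The lock-ordering problem described in the comment above, as an added C++ model that is not SpiderMonkey's code: the ordering check (OrderedMutex, heldOrders), a hypothetical four-partition atoms table (atomsLocks), and the simplified stand-ins for AutoPrepareForTracing and atomIsPinned are all assumptions. endVerifyBeforeFix runs the marking assertion after every partition lock is already held and trips the check; endVerifyAfterFix runs it first, mirroring the fix that flushes the barrier tracer's buffer before preparing for tracing.

```cpp
#include <deque>
#include <mutex>
#include <stdexcept>
#include <vector>
// Per-thread stack of the lock orders currently held. Illustrative model of the
// check behind MOZ_CRASH("Mutex ordering violation"), not SpiderMonkey's js::Mutex.
thread_local std::vector<unsigned> heldOrders;
class OrderedMutex {
 public:
  explicit OrderedMutex(unsigned order) : order_(order) {}
  // A mutex may only be taken if ordered above every held one; re-taking a held lock trips the check.
  void lock() {
    if (!heldOrders.empty() && heldOrders.back() >= order_)
      throw std::logic_error("Mutex ordering violation");
    m_.lock();
    heldOrders.push_back(order_);
  }
  void unlock() { heldOrders.pop_back(); m_.unlock(); }
 private: unsigned order_; std::mutex m_;
};
// Hypothetical partitioned atoms table: one ordered lock per partition.
std::deque<OrderedMutex>& atomsLocks() {
  static std::deque<OrderedMutex> locks;
  for (unsigned i = locks.size(); i < 4; ++i) locks.emplace_back(10 + i);
  return locks;
}
// Like AutoPrepareForTracing: holds every partition lock for its lifetime.
struct AutoPrepareForTracing {
  AutoPrepareForTracing() { for (auto& m : atomsLocks()) m.lock(); }
  ~AutoPrepareForTracing() {
    for (auto it = atomsLocks().rbegin(); it != atomsLocks().rend(); ++it) it->unlock();
  }
};
// Marking assertion that needs one partition's lock (cf. AtomsTable::atomIsPinned).
bool atomIsPinned(unsigned partition) {
  OrderedMutex& m = atomsLocks()[partition];
  m.lock(); bool pinned = true; m.unlock();  // constructed answer; lookup not modelled
  return pinned;
}
// Before the fix: the assertion ran while all atom locks were held; false if the check fires.
bool endVerifyBeforeFix() {
  try { AutoPrepareForTracing prep; return atomIsPinned(2); }
  catch (const std::logic_error&) { return false; }
}
// After the fix: flush the buffer (running the assertion) before preparing.
bool endVerifyAfterFix() {
  try { bool ok = atomIsPinned(2); AutoPrepareForTracing prep; (void)prep; return ok; }
  catch (const std::logic_error&) { return false; }
}
```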

Set release status flags based on info from the regressing bug 1695891

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210308094833-31551f880fc3.
The bug appears to have been introduced in the following build range:

Start: 64dbd32310ee74f0ef6904c267416bdfc61dc390 (20210302190341)
End: 7b02a20485dfd5e062112aeba80e4a37d7f4aa31 (20210302190509)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=64dbd32310ee74f0ef6904c267416bdfc61dc390&tochange=7b02a20485dfd5e062112aeba80e4a37d7f4aa31

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f0da71cb6879
Flush barrier tracer's buffer before preparing for tracing in pre-barrier verifier r=sfink
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210308213435-419bc25a9148.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon