Assertion failure: (asBits_ & js::gc::CellAlignMask) == 0 (GC pointer is not aligned. Is this memory corruption?), at js/Value.h:587 or various crashes with Debugger
Categories
(Core :: JavaScript Engine: JIT, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox86 | --- | wontfix |
| firefox87 | --- | wontfix |
| firefox88 | --- | wontfix |
| firefox89 | --- | verified |
People
(Reporter: decoder, Assigned: jandem)
References
(Regression)
Details
(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])
Crash Data
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20210328-058997a8167d (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --fast-warmup):
for (i = 0; i < 100; ++i)
try { evaluate(`
dbgGlobal = newGlobal({newCompartment: true});
dbg = new dbgGlobal.Debugger;
dbg.addDebuggee(this);
dbg.collectCoverageInfo = true;
var g93 = newGlobal({newCompartment: true});
g93.debuggeeGlobal = this;
g93.eval("(" + function () {
var dbg = new Debugger(debuggeeGlobal);
} + ")();");
var dbg = false;
function TestGenerator(g76) {
function testThrow(thunk) {
var iter = thunk();
unescape(iter.next());
}
testThrow(function() {
return g76();
});
}
TestGenerator(function*() { gc(); });
`); } catch (lfVare) {}
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555556a04a81 in JS::Value::toObject() const ()
#1 0x000055555745d38a in js::GCMarker::processMarkStackTop(js::SliceBudget&) ()
#2 0x000055555745dc05 in js::GCMarker::markUntilBudgetExhausted(js::SliceBudget&, js::GCMarker::ShouldReportMarkTime) ()
#3 0x0000555557404b25 in js::gc::GCRuntime::markUntilBudgetExhausted(js::SliceBudget&, js::GCMarker::ShouldReportMarkTime) ()
#4 0x00005555574122fe in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#5 0x000055555741515d in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#6 0x00005555574164cc in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#7 0x000055555741d701 in JS::NonIncrementalGC(JSContext*, JSGCInvocationKind, JS::GCReason) ()
#8 0x000055555707f503 in GC(JSContext*, unsigned int, JS::Value*) ()
#9 0x0000555556b89e61 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#10 0x0000555556b895a0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#11 0x0000555556b8a9c1 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#12 0x0000555556b7e24d in Interpret(JSContext*, js::RunState&) ()
#13 0x0000555556b750d1 in js::RunScript(JSContext*, js::RunState&) ()
#14 0x0000555556b895bd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#15 0x0000555556b8a9c1 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#16 0x0000555556b8abe0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#17 0x0000555556f53c2f in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) ()
#18 0x00005555576109cc in js::jit::InterpretResume(JSContext*, JS::Handle<JSObject*>, JS::Value*, JS::MutableHandle<JS::Value>) ()
#19 0x000015ef173e6b3b in ?? ()
[...]
#39 0x0000000000000000 in ?? ()
rax 0x5555558358e3 93824995252451
rbx 0x0 0
rcx 0x555558001f18 93825036984088
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffff98c0 140737488328896
rsp 0x7fffffff98c0 140737488328896
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99840 140737353717824
r10 0x0 0
r11 0x0 0
r12 0x16 22
r13 0x7fffffff9b90 140737488329616
r14 0x7ffff6019408 140737320686600
r15 0xfffe2d688f7c03c1 -513022846303295
rip 0x555556a04a81 <JS::Value::toObject() const+289>
=> 0x555556a04a81 <_ZNK2JS5Value8toObjectEv+289>: movl $0x24b,0x0
0x555556a04a8c <_ZNK2JS5Value8toObjectEv+300>: callq 0x555556a8321f <abort>
The test here uses the debugger but it is not clear to me if this is strictly required, so marking s-s until investigated. This is most likely a JIT-related GC issue as it requires warmup and it crashes in opt builds in various ways, including [@ JS::Zone::discardJitCode].
|
Reporter | |
Comment 1•4 years ago
|
||
|
||
Comment 2•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210330035059-52d2c9e672d0.
The bug appears to have been introduced in the following build range:
Start: 1406f8da7b25ae60ba56d8b42828d659b2aaeecb (20201001133123)
End: fe936dd686a0e92e087ea0467508f738576efa0b (20201001133149)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=1406f8da7b25ae60ba56d8b42828d659b2aaeecb&tochange=fe936dd686a0e92e087ea0467508f738576efa0b
|
||
Updated•4 years ago
|
|
||
Comment 3•4 years ago
|
||
Jan, could you look at this, bugmon seem to think it is related to enabling warp on in the js shell.
|
Assignee | |
Comment 4•4 years ago
|
||
This is a problem with the debugger's code coverage mechanism.
|
|
Assignee | |
Comment 5•4 years ago
|
||
|
||
Comment 7•4 years ago
|
||
| bugherder | ||
|
|
||
Updated•4 years ago
|
|
|
||
Comment 8•4 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210331164215-88275f615ea5.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
||
Comment 9•4 years ago
|
||
:jandem, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
|
|
Assignee | |
Comment 10•4 years ago
|
||
I can set bug 1666417 as regressor because it exposed this, but the underlying bug is older.
|
||
Updated•4 years ago
|
Description
•