Closed Bug 1707820 Opened 4 years ago Closed 4 years ago

Assertion failure: shape->canSkipMarkingShapeCache(), at gc/Marking.cpp:1311

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
90 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox88 --- unaffected
firefox89 --- unaffected
firefox90 --- verified

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20210426-6f8320a4798f (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

gczeal(4);  // SpiderMonkey shell only: zeal mode 4 runs the incremental pre-barrier verifier
for (i=0; i<100; ++i) {
    a = "".padStart(1337);  // 1337-character string
    for (b in a);           // enumerating it defines 1337 index properties on the String wrapper (str_enumerate -> DefineDataElement)
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x00005555574c7b82 in js::GCMarker::eagerlyMarkChildren(js::Shape*) ()
#0  0x00005555574c7b82 in js::GCMarker::eagerlyMarkChildren(js::Shape*) ()
#1  0x00005555574984c2 in js::GCMarker::traceBarrieredCell(JS::GCCellPtr) ()
#2  0x000055555747e813 in js::gc::BarrierTracer::performBarrier(JS::GCCellPtr) ()
#3  0x0000555556ba96d9 in js::gc::CellWithTenuredGCPointer<js::gc::Cell, js::Shape>::setHeaderPtr(js::Shape*) ()
#4  0x0000555556f600d0 in js::Shape::insertIntoDictionaryBefore(js::DictionaryShapeLink) ()
#5  0x0000555556f63db7 in js::NativeObject::getChildProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<js::Shape*>, JS::MutableHandle<js::StackShape>) ()
#6  0x0000555556f63558 in js::NativeObject::addProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, unsigned int, unsigned int, unsigned int*) ()
#7  0x0000555556ee21da in bool AddOrChangeProperty<(IsAddOrChange)0>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::PropertyDescriptor>, js::PropertyResult*) ()
#8  0x0000555556ee117b in js::NativeDefineProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::PropertyDescriptor>, JS::ObjectOpResult&) ()
#9  0x0000555556e901ae in js::DefineDataProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, unsigned int, JS::ObjectOpResult&) ()
#10 0x0000555556e6e9a4 in js::DefineDataProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, unsigned int) ()
#11 0x0000555556e903b7 in js::DefineDataElement(JSContext*, JS::Handle<JSObject*>, unsigned int, JS::Handle<JS::Value>, unsigned int) ()
#12 0x0000555556df8b8c in str_enumerate(JSContext*, JS::Handle<JSObject*>) ()
#13 0x0000555556e35ea6 in Snapshot(JSContext*, JS::Handle<JSObject*>, unsigned int, JS::MutableHandle<JS::StackGCVector<JS::PropertyKey, js::TempAllocPolicy> >) ()
#14 0x0000555556e39d27 in js::ValueToIterator(JSContext*, JS::Handle<JS::Value>) ()
#15 0x00005555579664fc in js::jit::IonGetIteratorIC::update(JSContext*, JS::Handle<JSScript*>, js::jit::IonGetIteratorIC*, JS::Handle<JS::Value>) ()
#16 0x00001d7f473ddc2d in ?? ()
#17 0x0000000000000000 in ?? ()
rax	0x5555557ad018	93824994693144
rbx	0x3231297040d0	55186730008784
rcx	0x555558023238	93825037120056
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffb060	140737488334944
rsp	0x7fffffffb020	140737488334880
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x0	0
r13	0x7ffff6049418	140737320883224
r14	0x7ffff6049418	140737320883224
r15	0x323129704102	55186730008834
rip	0x5555574c7b82 <js::GCMarker::eagerlyMarkChildren(js::Shape*)+626>
=> 0x5555574c7b82 <_ZN2js8GCMarker19eagerlyMarkChildrenEPNS_5ShapeE+626>:	movl   $0x51f,0x0
   0x5555574c7b8d <_ZN2js8GCMarker19eagerlyMarkChildrenEPNS_5ShapeE+637>:	callq  0x555556a8553e <abort>

This is happening frequently, marking as fuzzblocker.

Attached file Testcase

Possibly related to bug 1706900 which landed yesterday.

Flags: needinfo?(jdemooij)

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210426213158-6f8320a4798f.
The bug appears to have been introduced in the following build range:

Start: 673e7a764fae324a38b3520d1249b4ccf514c520 (20210426105021)
End: 81284c0d6bdd44246c1043fd4cb6902b1ccdf57e (20210426110250)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=673e7a764fae324a38b3520d1249b4ccf514c520&tochange=81284c0d6bdd44246c1043fd4cb6902b1ccdf57e

Whiteboard: [bugmon:update,bisect][fuzzblocker] → [bugmon:update,bisected,confirmed][fuzzblocker]

We were adding the new shape to the table first, but this confused the pre-barrier
verifier. Likely a false positive because the shape is newly allocated.

We now add the entry to the table at the end, and if this fails we remove the
dictionary shape again. This also removes some unnecessary code for growing slots.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Regressed by: 1706900
Has Regression Range: --- → yes

Opening this up, it breaks the verifier but shouldn't be an actual issue because the shape is newly allocated and there can't be a new GC triggered after that.

Group: javascript-core-security
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9a0b198c9a5d
Fix pre-barrier verifier assertion failure when adding dictionary properties. r=jonco

Set release status flags based on info from the regressing bug 1706900

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 90 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210427155211-a765064201f8.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
