Assertion failure: found(), at mozilla/HashTable.h:1283 with gczeal
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox88 | --- | unaffected |
| firefox89 | --- | unaffected |
| firefox90 | --- | verified |
People
(Reporter: decoder, Assigned: jandem)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20210426-6f8320a4798f (debug build, run with --fuzzing-safe --ion-offthread-compile=off):
gczeal(4);
a = b = 20 * 1024;
c(a, b);
function c(d, count) {
e = Array;
while (count) e[--count] = d;
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555556f69c09 in js::Shape::canSkipMarkingShapeCache() ()
#1 0x00005555574c7a6c in js::GCMarker::eagerlyMarkChildren(js::Shape*) ()
#2 0x00005555574984c2 in js::GCMarker::traceBarrieredCell(JS::GCCellPtr) ()
#3 0x000055555747e813 in js::gc::BarrierTracer::performBarrier(JS::GCCellPtr) ()
#4 0x0000555556ba96d9 in js::gc::CellWithTenuredGCPointer<js::gc::Cell, js::Shape>::setHeaderPtr(js::Shape*) ()
#5 0x0000555556f5fbbc in js::Shape::removeFromDictionary(js::NativeObject*) ()
#6 0x0000555556f67eab in js::NativeObject::removeProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::PropertyKey) ()
#7 0x0000555556ede1eb in js::NativeObject::maybeDensifySparseElements(JSContext*, JS::Handle<js::NativeObject*>) ()
#8 0x0000555556ee2276 in bool AddOrChangeProperty<(IsAddOrChange)0>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::PropertyDescriptor>, js::PropertyResult*) ()
#9 0x0000555556ee842c in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) ()
#10 0x0000555556b947a5 in SetObjectElementOperation(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, bool) ()
#11 0x0000555556b944d3 in js::SetObjectElement(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, bool) ()
#12 0x00005555579648c2 in js::jit::IonSetPropertyIC::update(JSContext*, JS::Handle<JSScript*>, js::jit::IonSetPropertyIC*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) ()
#13 0x000032aefaea1a25 in ?? ()
[...]
#36 0xfff8800000004992 in ?? ()
#37 0x0000555556cd6441 in js::CheckContextLocal::check() const ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
rax 0x55555573c0d3 93824994230483
rbx 0x3c18e1cd99d0 66077565229520
rcx 0x555558023238 93825037120056
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffb350 140737488335696
rsp 0x7fffffffb300 140737488335616
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99840 140737353717824
r10 0x0 0
r11 0x0 0
r12 0x7ffff4e1c580 140737301824896
r13 0x0 0
r14 0x7fffffffb308 140737488335624
r15 0x7fffffffb318 140737488335640
rip 0x555556f69c09 <js::Shape::canSkipMarkingShapeCache()+633>
=> 0x555556f69c09 <_ZN2js5Shape24canSkipMarkingShapeCacheEv+633>: movl $0x503,0x0
0x555556f69c14 <_ZN2js5Shape24canSkipMarkingShapeCacheEv+644>: callq 0x555556a8553e <abort>
Marking s-s until triaged because the test involves gczeal.
|
Reporter | |
Comment 1•3 years ago
|
||
|
||
Comment 2•3 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210505041336-2cc060f28173.
The bug appears to have been introduced in the following build range:
Start: 673e7a764fae324a38b3520d1249b4ccf514c520 (20210426105021)
End: 81284c0d6bdd44246c1043fd4cb6902b1ccdf57e (20210426110250)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=673e7a764fae324a38b3520d1249b4ccf514c520&tochange=81284c0d6bdd44246c1043fd4cb6902b1ccdf57e
|
||
Comment 3•3 years ago
|
||
:jandem could you investigate this bug it seems it may be related to some recent reshape changes (based on comment 2)
|
Assignee | |
Comment 4•3 years ago
|
||
This is harmless in release builds. The problem is that in canSkipMarkingShapeCache we're now a bit more strict and assert that every shape in the shape lineage is also found in the ShapeTable. When removing a dictionary property, we first remove the entry from the ShapeTable and the pre-barrier for the shape then asserts because of that. I think we can just switch the order of these operations.
|
|
Assignee | |
Comment 5•3 years ago
|
||
In canSkipMarkingShapeCache we're now a bit more strict and assert that every shape
in the shape lineage is also found in the ShapeTable. However when removing a dictionary
property we first removed the entry from the ShapeTable and we can then assert as part
of the pre-barrier (verifier) when removing the shape from the shape list.
|
||
Updated•3 years ago
|
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b94a31a890f1 Remove property from shape table after (instead of before) removing it from the shape list. r=jonco
|
||
Comment 7•3 years ago
|
||
:jandem, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
|
||
Comment 8•3 years ago
|
||
| bugherder | ||
|
||
Updated•3 years ago
|
|
|
||
Comment 9•3 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210511020931-509cb523d4f7.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
|
||
Comment 10•3 years ago
|
||
Set release status flags based on info from the regressing bug 1706900
Description
•