Assertion failure: state_ == State::Unknown, at gc/Pretenuring.cpp:267
Categories: Core :: JavaScript: GC, defect, P1

Tracking

Release | Tracking | Status
---|---|---
firefox-esr78 | --- | unaffected
firefox89 | --- | unaffected
firefox90 | --- | unaffected
firefox91 | --- | verified

People: Reporter: decoder, Assigned: jonco
References: Regression
Details: Keywords: assertion, regression, testcase; Whiteboard: [bugmon:update,bisected,confirmed]
Attachments: 2 files
The following testcase crashes on mozilla-central revision 20210603-3350b68026ed (debug build, run with --fuzzing-safe --ion-offthread-compile=off --ion-gvn=off --ion-warmup-threshold=10):
for (v8 = 0; v8 < 13.37; bailAfter(10))
if (hasOwnProperty)
Intl.DateTimeFormat(0, {}).format();
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x00005555574e8628 in js::gc::AllocSite::maybeResetState() ()
#1 0x00005555579be50a in js::jit::JitScript::resetAllocSites(bool, bool) ()
#2 0x0000555557538065 in JS::Zone::resetAllocSitesAndInvalidate(bool, bool) ()
#3 0x000055555745d8f8 in js::gc::GCRuntime::discardJITCodeForGC() ()
#4 0x0000555557461273 in js::gc::GCRuntime::endPreparePhase(JS::GCReason) ()
#5 0x0000555557476abe in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JS::GCOptions> const&, JS::GCReason) ()
#6 0x0000555557479cc3 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, mozilla::Maybe<JS::GCOptions> const&, JS::GCReason) ()
#7 0x000055555747b03b in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, mozilla::Maybe<JS::GCOptions> const&, JS::GCReason) ()
#8 0x000055555747c0a1 in js::gc::GCRuntime::gcSlice(JS::GCReason, long) ()
#9 0x00005555574561bd in js::gc::GCRuntime::gcIfRequested() ()
#10 0x000055555742d4a9 in bool js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1>(JSContext*, js::gc::AllocKind) ()
#11 0x000055555742f5e9 in JSString* js::AllocateStringImpl<JSString, (js::AllowGC)1>(JSContext*, js::gc::InitialHeap) ()
#12 0x0000555556fda4e3 in JSInlineString* NewInlineStringDeflated<(js::AllowGC)1>(JSContext*, mozilla::Range<char16_t const> const&, js::gc::InitialHeap) ()
#13 0x0000555556fd7d65 in JSLinearString* NewStringDeflated<(js::AllowGC)1>(JSContext*, char16_t const*, unsigned long, js::gc::InitialHeap) ()
#14 0x0000555557117c14 in intl_FormatDateTime(JSContext*, void* const*, JS::ClippedTime, JS::MutableHandle<JS::Value>) ()
#15 0x0000555557116514 in js::intl_FormatDateTime(JSContext*, unsigned int, JS::Value*) ()
#16 0x0000215f24fcd07f in ?? ()
#17 0x42779d66ff4ac000 in ?? ()
#18 0x00007fffffffbab8 in ?? ()
#19 0xfffffffffffff000 in ?? ()
#20 0x0000000000000000 in ?? ()
rax 0x5555558153a8 93824995120040
rbx 0x0 0
rcx 0x555558058e28 93825037340200
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffb1c0 140737488335296
rsp 0x7fffffffb1c0 140737488335296
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99840 140737353717824
r10 0x0 0
r11 0x0 0
r12 0x0 0
r13 0x1 1
r14 0x8 8
r15 0x7ffff60580b0 140737320943792
rip 0x5555574e8628 <js::gc::AllocSite::maybeResetState()+152>
=> 0x5555574e8628 <_ZN2js2gc9AllocSite15maybeResetStateEv+152>: movl $0x10b,0x0
0x5555574e8633 <_ZN2js2gc9AllocSite15maybeResetStateEv+163>: callq 0x555556a9a9fa <abort>
Marking s-s until investigated because this involves JIT and GC.
Comment 1 (Reporter) • 3 years ago
Comment 2 (Assignee) • 3 years ago
This is not a security issue. It means the allocation site might be in a different state to the one we expect after we reach the maximum number of invalidations due to pretenuring, but this shouldn't have much effect.
Comment 3 (Assignee) • 3 years ago
Currently we set the state to Unknown the next time we try to invalidate, so the invariant | invalidationLimitReached() => state_ == Unknown | doesn't hold.
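The invariant violation described in comment 3, reduced to a small C++ model. This is an added example and not SpiderMonkey's code: the class, field and method names (AllocSite, state_, maybeInvalidate, maybeResetState), the State enumerators and the invalidation limit value are all assumed for illustration; the real logic lives in gc/Pretenuring.cpp. The model runs the same site through the pre-fix behaviour (state moved to Unknown only on the *next* invalidation attempt) and the fixed behaviour (state moved to Unknown at the moment the limit is reached), then performs the GC-side check that fired in the reported assertion.

```cpp
// Toy model of an allocation-site state machine (assumed names, not the
// engine's implementation). It demonstrates the invariant from comment 3:
//   invalidationLimitReached() => state_ == State::Unknown
#include <cstdint>
#include <stdexcept>

namespace model {

enum class State : uint8_t { ShortLived, LongLived, Unknown };

// Assumed limit for the model; the engine's actual value is not on the page.
constexpr uint32_t kMaxInvalidations = 4;

class AllocSite {
 public:
  // eagerReset == false: pre-fix behaviour, state becomes Unknown lazily.
  // eagerReset == true : fixed behaviour, state becomes Unknown as soon as
  //                      the invalidation limit is reached.
  explicit AllocSite(bool eagerReset) : eagerReset_(eagerReset) {}

  bool invalidationLimitReached() const {
    return invalidations_ >= kMaxInvalidations;
  }
  State state() const { return state_; }

  // Called when the pretenuring heuristic wants to flip the site's decision,
  // which requires invalidating JIT code that baked in the old decision.
  // Returns true if the flip happened, false if the site has been given up on.
  bool maybeInvalidate(State newState) {
    if (invalidationLimitReached()) {
      // Pre-fix: only here, on the next attempt, does the site become Unknown.
      state_ = State::Unknown;
      return false;
    }
    state_ = newState;
    invalidations_++;
    if (eagerReset_ && invalidationLimitReached()) {
      state_ = State::Unknown;  // fix: establish the invariant immediately
    }
    return true;
  }

  // Mirrors the GC-side check that asserted in the bug report: a site that
  // has hit its invalidation limit must already be in the Unknown state.
  void maybeResetState() const {
    if (invalidationLimitReached() && state_ != State::Unknown) {
      throw std::logic_error("state_ == State::Unknown violated");
    }
  }

 private:
  bool eagerReset_;
  State state_ = State::Unknown;
  uint32_t invalidations_ = 0;
};

// Drive a site exactly to its limit by alternating decisions, then run the
// GC-side check. Returns true if the assertion would pass.
inline bool invariantHoldsAfterLimit(bool eagerReset) {
  AllocSite site(eagerReset);
  for (uint32_t i = 0; i < kMaxInvalidations; i++) {
    site.maybeInvalidate(i % 2 ? State::LongLived : State::ShortLived);
  }
  try {
    site.maybeResetState();
    return true;
  } catch (const std::logic_error&) {
    return false;
  }
}

}  // namespace model
```

With the lazy reset, the last permitted invalidation leaves the site at its limit but still in a concrete state, so the very next GC-side check fails; with the eager reset the state is already Unknown when the limit is crossed and the check passes. The fix landed for this bug ("Set AllocSite state to Unknown when we reach the invalidation limit") corresponds to the eager branch of the model.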
Comment 4 • 3 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210604154219-963df76dc655.
The bug appears to have been introduced in the following build range:
Start: 68a5da06734a7140b3d8f57e1c887919095b5b11 (20210601094818)
End: f8bcefb8c7328432683afdc956ef8df7e8bc0af5 (20210601095955)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=68a5da06734a7140b3d8f57e1c887919095b5b11&tochange=f8bcefb8c7328432683afdc956ef8df7e8bc0af5
Comment 5 • 3 years ago
:jonco, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5248f1fb3ee4 Set AllocSite state to Unknown when we reach the invalidation limit r=jandem
Comment 7 • 3 years ago
bugherder
Comment 8 • 3 years ago
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210607214637-d3303869191c.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Comment 9 • 3 years ago
Set release status flags based on info from the regressing bug 1711063