Hit MOZ_CRASH(JS holder PromiseRejectionEvent contains pointers to GC things in more than one zone (found in mReason) ) at src/xpcom/base/CycleCollectedJSRuntime.cpp:1295
Categories
(Core :: DOM: Events, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox91 | --- | affected |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file)
|
304 bytes,
text/html
|
Details |
Found while fuzzing m-c 20210604-963df76dc655 (--enable-debug --enable-fuzzing)
Hit MOZ_CRASH(JS holder PromiseRejectionEvent contains pointers to GC things in more than one zone (found in mReason) ) at src/xpcom/base/CycleCollectedJSRuntime.cpp:1295
#0 0x7f8da0aa66a4 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:256:3
#1 0x7f8da0aa66a4 in checkZone src/xpcom/base/CycleCollectedJSRuntime.cpp:1292:5
#2 0x7f8da0aa66a4 in CheckZoneTracer::Trace(JS::Heap<JS::Value>*, char const*, void*) const src/xpcom/base/CycleCollectedJSRuntime.cpp:1302:7
#3 0x7f8da0aa649a in CheckHolderIsSingleZone src/xpcom/base/CycleCollectedJSRuntime.cpp:1361:17
#4 0x7f8da0aa649a in operator() src/xpcom/base/CycleCollectedJSRuntime.cpp:1389:11
#5 0x7f8da0aa649a in void mozilla::JSHolderMap::ForEach<mozilla::CycleCollectedJSRuntime::TraceNativeGrayRoots(JSTracer*, mozilla::JSHolderMap::WhichHolders)::$_4>(mozilla::SegmentedVector<mozilla::JSHolderMap::Entry, 256ul, InfallibleAllocPolicy>&, mozilla::CycleCollectedJSRuntime::TraceNativeGrayRoots(JSTracer*, mozilla::JSHolderMap::WhichHolders)::$_4 const&, JS::Zone*) src/xpcom/base/CycleCollectedJSRuntime.cpp:518:5
#6 0x7f8da0a88040 in ForEach<(lambda at src/xpcom/base/CycleCollectedJSRuntime.cpp:1385:7)> src/xpcom/base/CycleCollectedJSRuntime.cpp:490:3
#7 0x7f8da0a88040 in mozilla::CycleCollectedJSRuntime::TraceNativeGrayRoots(JSTracer*, mozilla::JSHolderMap::WhichHolders) src/xpcom/base/CycleCollectedJSRuntime.cpp:1384:14
#8 0x7f8da7695d0f in traceEmbeddingGrayRoots src/js/src/gc/RootMarking.cpp:426:5
#9 0x7f8da7695d0f in js::gc::GCRuntime::bufferGrayRoots() src/js/src/gc/RootMarking.cpp:546:3
#10 0x7f8da764f01c in AutoRunParallelTask::run(js::AutoLockHelperThreadState&) src/js/src/gc/GC.cpp:3958:5
#11 0x7f8da7639879 in js::GCParallelTask::runTask(js::AutoLockHelperThreadState&) src/js/src/gc/GCParallelTask.cpp:157:3
#12 0x7f8da7639b64 in js::GCParallelTask::runHelperThreadTask(js::AutoLockHelperThreadState&) src/js/src/gc/GCParallelTask.cpp:144:3
#13 0x7f8da6fa57a2 in js::GlobalHelperThreadState::runTaskLocked(js::HelperThreadTask*, js::AutoLockHelperThreadState&) src/js/src/vm/HelperThreads.cpp:2786:9
#14 0x7f8da6fa3da3 in js::HelperThread::threadLoop() src/js/src/vm/HelperThreads.cpp:2754:25
#15 0x7f8da6fa3b97 in js::HelperThread::ThreadMain(void*) src/js/src/vm/HelperThreads.cpp:2445:11
#16 0x7f8da6fdda83 in callMain<0> src/js/src/threading/Thread.h:220:5
#17 0x7f8da6fdda83 in js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start(void*) src/js/src/threading/Thread.h:209:11
#18 0x7f8db5ff2608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
#19 0x7f8db5bbb292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
||
Comment 1•3 years ago
|
||
Jon, this might be the test case you were looking for, for the atom zone issue you were looking at.
|
Reporter | |
Comment 2•3 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/Qv4KxmSVlOnUCR42LpP-2Q/index.html
|
||
Comment 3•3 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210604213013-61484a56d30a.
Failed to bisect testcase (Testcase reproduces on start build!):
Start: 6237102f005d965efebc464ce3f93dec32b10268 (20200606094603)
End: 963df76dc6553a8739372c75c8e2d87c3d1c9cfb (20210604154219)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False)
|
||
Comment 4•3 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #1)
Jon, this might be the test case you were looking for, for the atom zone issue you were looking at.
Great, I'll add this as a test case.
|
|
||
Updated•3 years ago
|
|
|
||
Comment 6•3 years ago
|
||
Bugmon Analysis
No valid actions for resolution (DUPLICATE)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Description
•