Closed Bug 1717405 Opened 3 years ago Closed 3 years ago

Assertion failure: map->asLinked()->canSkipMarkingTable(), at gc/Marking.cpp:1569

Categories

(Core :: JavaScript: GC, defect)

Product:
Core
Component:
JavaScript: GC
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
91 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox89 --- unaffected
firefox90 --- unaffected
firefox91 --- verified

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisect])

Attachments

(2 files)

Testcase
114 bytes, text/plain
Details
Bug 1717405 - Trigger pre-barrier before mutating the table. r?jonco!
48 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20210620-95970359b68e (debug build, run with --fuzzing-safe --ion-offthread-compile=off test.js):

gczeal(4)
for (;;) {
    a = 37
    b = {}
    do {
        c = Math.random()
        b[c] = a--
    } while (a)
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x5840a0fc in js::GCMarker::eagerlyMarkChildren(js::PropMap*) ()
#1  0x5844de2e in auto JS::MapGCThingTyped<js::GCMarker::traceBarrieredCell(JS::GCCellPtr)::$_7&>(JS::GCCellPtr, js::GCMarker::traceBarrieredCell(JS::GCCellPtr)::$_7&) ()
#2  0x5841ff28 in js::GCMarker::traceBarrieredCell(JS::GCCellPtr) ()
#3  0x584063aa in js::gc::BarrierTracer::performBarrier(JS::GCCellPtr) ()
#4  0x58406636 in js::gc::PerformIncrementalBarrier(js::gc::TenuredCell*) ()
#5  0x57ea704b in js::SharedPropMap::addPropertyInternal(JSContext*, JS::MutableHandle<js::SharedPropMap*>, unsigned int*, JS::Handle<JS::PropertyKey>, js::PropertyInfoBase<unsigned int>) ()
#6  0x57ea6a6b in js::SharedPropMap::addProperty(JSContext*, JSClass const*, JS::MutableHandle<js::SharedPropMap*>, unsigned int*, JS::Handle<JS::PropertyKey>, js::PropertyFlags, js::EnumFlags<js::ObjectFlag>*, unsigned int*) ()
#7  0x57efdcff in js::NativeObject::addProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, js::PropertyFlags, unsigned int*) ()
#8  0x57e76463 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) ()
#9  0x57b532af in js::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) ()
#10 0x57b4d4aa in js::SetObjectElement(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, bool) ()
#11 0x5894cb54 in js::jit::IonSetPropertyIC::update(JSContext*, JS::Handle<JSScript*>, js::jit::IonSetPropertyIC*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) ()
#12 0x3577929e in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
eax	0x56758d6f	1450544495
ebx	0x590013ec	1493177324
ecx	0x59002d6c	1493183852
edx	0xf7b58cc7	-139096889
esi	0x0	0
edi	0xf04575b0	-263883344
ebp	0xfffd2878	4294781048
esp	0xfffd2840	4294780992
eip	0x5840a0fc <js::GCMarker::eagerlyMarkChildren(js::PropMap*)+1196>
=> 0x5840a0fc <_ZN2js8GCMarker19eagerlyMarkChildrenEPNS_7PropMapE+1196>:	movl   $0x621,0x0
   0x5840a106 <_ZN2js8GCMarker19eagerlyMarkChildrenEPNS_7PropMapE+1206>:	call   0x57a4870e <abort>
Severity: -- → S2
Attached file Testcase 

    
    

    
  
This is probably related to the recent PropMap work.


Flags: needinfo?(jdemooij)

    
    

    
  
I'll take a look. This is probably a false positive though, the canSkipMarkingTable assertion seems overly strict and keeps biting me when making changes in this area.



    
  
Flags: needinfo?(jdemooij)

    
  
Group: javascript-core-security
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED

    
    

    
  
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7aacd5400052
Trigger pre-barrier before mutating the table. r=jonco

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/7aacd5400052


Status: ASSIGNED → RESOLVED
Closed: 3 years ago

          status-firefox91:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 91 Branch

          status-firefox89:
          --- → unaffected

          status-firefox90:
          --- → unaffected

          status-firefox-esr78:
          --- → unaffected
Flags: in-testsuite+
Regressed by: 1715512

    
  
Has Regression Range: --- → yes

    
    

    
      
  

    
    

    
  
Bugmon Analysis

Verified bug as fixed on rev mozilla-central 20210622212907-536a892dd51f.

Removing bugmon keyword as no further action possible.  Please review the bug and re-add the keyword for further analysis.


Status: RESOLVED → VERIFIED

          status-firefox91:
          fixedverified
Keywords: bugmon

    
    

    
  
This test case seems to be failing intermittently as Bug 1717717



          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: