Assertion failure: WeakMapBase::checkMarkingForZone(zone), at js/src/gc/GC.cpp:5364
Categories: Core :: JavaScript: GC (defect)

Tracking

Branch | Tracking | Status
---|---|---
firefox-esr78 | --- | unaffected
firefox-esr91 | --- | unaffected
firefox90 | --- | unaffected
firefox91 | --- | unaffected
firefox92 | --- | verified

People: Reporter: decoder; Assigned: jonco

References: Regression

Details: Keywords: assertion, regression, testcase; Whiteboard: [bugmon:update,bisected,confirmed]

Attachments: 3 files

Description (Reporter) • 4 years ago
The following testcase crashes on mozilla-central revision 20210803-524aef2e3307 (--enable-debug build, run with --fuzzing-safe --no-threads):
m0 = new WeakMap;
o = {};
s = '';
m0.set(o, s);          // WeakMap entry with an object key and a string value
verifyprebarriers();   // SpiderMonkey shell built-in: start the pre-write-barrier verifier
startgc('');           // SpiderMonkey shell built-in: begin an incremental GC
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x00005555574ec22b in js::gc::GCRuntime::endMarkingSweepGroup(JSFreeOp*, js::SliceBudget&) ()
#0 0x00005555574ec22b in js::gc::GCRuntime::endMarkingSweepGroup(JSFreeOp*, js::SliceBudget&) ()
#1 0x0000555557535d81 in sweepaction::SweepActionSequence::run(js::gc::SweepAction::Args&) ()
#2 0x0000555557524c85 in sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, JSRuntime*>::run(js::gc::SweepAction::Args&) ()
#3 0x00005555574f379c in js::gc::GCRuntime::performSweepActions(js::SliceBudget&) ()
#4 0x00005555574f9bc6 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JS::GCOptions> const&, JS::GCReason, bool) ()
[...]
#9 0x0000555556a6e2c3 in main ()
rax 0x555555783a20 93824994523680
rbx 0x7ffff5de5000 140737318375424
rcx 0x555558120a70 93825038158448
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffd800 140737488345088
rsp 0x7fffffffd790 140737488344976
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99840 140737353717824
r10 0x0 0
r11 0x0 0
r12 0x7ffff603b838 140737320826936
r13 0x7ffff603b7b0 140737320826800
r14 0x7ffff603c450 140737320830032
r15 0x1 1
rip 0x5555574ec22b <js::gc::GCRuntime::endMarkingSweepGroup(JSFreeOp*, js::SliceBudget&)+811>
=> 0x5555574ec22b <_ZN2js2gc9GCRuntime20endMarkingSweepGroupEP8JSFreeOpRNS_11SliceBudgetE+811>: movl $0x14f4,0x0
0x5555574ec236 <_ZN2js2gc9GCRuntime20endMarkingSweepGroupEP8JSFreeOpRNS_11SliceBudgetE+822>: callq 0x555556b0473a <abort>
Comment 1 (Reporter) • 4 years ago

Comment 2 (Reporter) • 4 years ago

Comment 3 (Assignee) • 4 years ago
This is the same bug as 1723840, but in the pre-barrier verifier. Also not security sensitive.
Updated • 4 years ago

Comment 5 (Assignee) • 4 years ago
This is the same as bug 1723840 but in the prebarrier verifier. I factored out the unmarking code and removed the problematic and now-unused MarkBitmap::clear.

Depends on D121707
Comment 6 • 4 years ago
Set release status flags based on info from the regressing bug 1669669
Comment 7 • 4 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210804214554-a72c2fe44761.
The bug appears to have been introduced in the following build range:
Start: ca9b5386b47d10cfa351da0de8705acf391a360d (20210802085148)
End: d3e0ca7e2145805b86596ce93afc4a0b4ed9b175 (20210802090128)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=ca9b5386b47d10cfa351da0de8705acf391a360d&tochange=d3e0ca7e2145805b86596ce93afc4a0b4ed9b175
Comment 9 (bugherder) • 4 years ago
Updated • 4 years ago

Comment 10 • 4 years ago
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210805163446-f5921ffeaee4.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.