Closed Bug 1735993 Opened 2 months ago Closed 1 month ago

Assertion failure: CurrentThreadIsGCSweeping() || CurrentThreadIsGCFinalizing(), at js/src/gc/Barrier.h:582


(Core :: JavaScript: GC, defect)




95 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- wontfix
firefox93 --- wontfix
firefox94 --- wontfix
firefox95 --- fixed


(Reporter: decoder, Assigned: jandem)




(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed][Mark testcase s-s before opening])


(2 files)

The following testcase crashes on mozilla-central revision 20211014-c2a85e89a843 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --baseline-eager):

See attachment.


received signal SIGSEGV, Segmentation fault.
#0  0x0000555557159633 in ShapeSnapshot::~ShapeSnapshot() ()
#1  0x000055555714c74d in ShapeSnapshotObject::create(JSContext*, JS::Handle<JSObject*>) ()
#2  0x0000555557173b90 in CreateShapeSnapshot(JSContext*, unsigned int, JS::Value*) ()
#3  0x000019f713cdcbc6 in ?? ()
#4  0x00007ffff10c8830 in ?? ()
#5  0x00007ffff10c88e8 in ?? ()
#6  0x00007ffff10c87f8 in ?? ()
#7  0x0000000000000000 in ?? ()
rax	0x55555580795f	93824995064159
rbx	0x7ffff12df040	140737239707712
rcx	0x555558164da0	93825038437792
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7ffff10c87e0	140737237518304
rsp	0x7ffff10c87d0	140737237518288
r8	0x7ffff7105770	140737338431344
r9	0x7ffff11ff700	140737238791936
r10	0x0	0
r11	0x0	0
r12	0x5555580f1e70	93825037966960
r13	0x7ffff10c8808	140737237518344
r14	0x0	0
r15	0x5555580eec28	93825037954088
rip	0x555557159633 <ShapeSnapshot::~ShapeSnapshot()+259>
=> 0x555557159633 <_ZN13ShapeSnapshotD2Ev+259>:	movl   $0x246,0x0
   0x55555715963e <_ZN13ShapeSnapshotD2Ev+270>:	callq  0x555556b1550e <abort>

The attached test is still quite large and contains major portions of the fuzzer but reproduces deterministically for me. I am still trying to find a smaller version but it seems very sensitive to reduction. Marking s-s due to GC assert.

Attached file Testcase
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisect][Mark testcase s-s before opening]

From the stack, it looks like we're hitting an error in ShapeSnapshotObject::create(), which causes us to immediately destroy the ShapeSnapshot, which causes us to hit asserts because ShapeSnapshot is destroying a GCPtr outside of a GC. The comment on the assertion is: "If this assertion fails you may need to make the containing object use a HeapPtr instead, as this can be deleted from outside of GC." So at a first glance to me, this is more of an issue with the testing code in ShapeSnapshot than an actual GC issue.

Flags: needinfo?(jdemooij)

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211015095004-bb0faec6af52.
The bug appears to have been introduced in the following build range:

Start: 84780909157a7a0ddbd1201bd84d54be2bf49922 (20210824092223)
End: d33f443a5aef3cbefc982207c02576cdb318936c (20210824092358)

Whiteboard: [bugmon:update,bisect][Mark testcase s-s before opening] → [bugmon:update,bisected,confirmed][Mark testcase s-s before opening]

Bugmon Analysis
Unable to reproduce bug 1735993 using build mozilla-central 20211014093415-c2a85e89a843. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Yeah this is a problem with the testing function.

Flags: needinfo?(jdemooij)
Group: javascript-core-security

Not adding the test case because it's so large, and this is just a testing function.

Assignee: nobody → jdemooij

:jandem, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(jdemooij)
Flags: needinfo?(jdemooij)
Regressed by: 1702196
Pushed by
Use HeapPtr instead of GCPtr in ShapeSnapshot. r=jonco
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → 95 Branch
You need to log in before you can comment on or make changes to this bug.