Closed Bug 1735993 Opened 2 months ago Closed 1 month ago

Assertion failure: CurrentThreadIsGCSweeping() || CurrentThreadIsGCFinalizing(), at js/src/gc/Barrier.h:582

Categories

(Core :: JavaScript: GC, defect)

Product:
Core
Component:
JavaScript: GC
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
95 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- wontfix
firefox93 --- wontfix
firefox94 --- wontfix
firefox95 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed][Mark testcase s-s before opening])

Attachments

(2 files)

Detailed Crash Information
1.18 KB, text/plain
Details
Bug 1735993 - Use HeapPtr instead of GCPtr in ShapeSnapshot. r?jonco!
48 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20211014-c2a85e89a843 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --baseline-eager):

See attachment.

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555557159633 in ShapeSnapshot::~ShapeSnapshot() ()
#1  0x000055555714c74d in ShapeSnapshotObject::create(JSContext*, JS::Handle<JSObject*>) ()
#2  0x0000555557173b90 in CreateShapeSnapshot(JSContext*, unsigned int, JS::Value*) ()
#3  0x000019f713cdcbc6 in ?? ()
#4  0x00007ffff10c8830 in ?? ()
#5  0x00007ffff10c88e8 in ?? ()
#6  0x00007ffff10c87f8 in ?? ()
#7  0x0000000000000000 in ?? ()
rax	0x55555580795f	93824995064159
rbx	0x7ffff12df040	140737239707712
rcx	0x555558164da0	93825038437792
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7ffff10c87e0	140737237518304
rsp	0x7ffff10c87d0	140737237518288
r8	0x7ffff7105770	140737338431344
r9	0x7ffff11ff700	140737238791936
r10	0x0	0
r11	0x0	0
r12	0x5555580f1e70	93825037966960
r13	0x7ffff10c8808	140737237518344
r14	0x0	0
r15	0x5555580eec28	93825037954088
rip	0x555557159633 <ShapeSnapshot::~ShapeSnapshot()+259>
=> 0x555557159633 <_ZN13ShapeSnapshotD2Ev+259>:	movl   $0x246,0x0
   0x55555715963e <_ZN13ShapeSnapshotD2Ev+270>:	callq  0x555556b1550e <abort>

The attached test is still quite large and contains major portions of the fuzzer but reproduces deterministically for me. I am still trying to find a smaller version but it seems very sensitive to reduction. Marking s-s due to GC assert.

Attached file Testcase
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisect][Mark testcase s-s before opening]

From the stack, it looks like we're hitting an error in ShapeSnapshotObject::create(), which causes us to immediately destroy the ShapeSnapshot, which causes us to hit asserts because ShapeSnapshot is destroying a GCPtr outside of a GC. The comment on the assertion is: "If this assertion fails you may need to make the containing object use a HeapPtr instead, as this can be deleted from outside of GC." So at a first glance to me, this is more of an issue with the testing code in ShapeSnapshot than an actual GC issue.

Flags: needinfo?(jdemooij)

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211015095004-bb0faec6af52.
The bug appears to have been introduced in the following build range:

Start: 84780909157a7a0ddbd1201bd84d54be2bf49922 (20210824092223)
End: d33f443a5aef3cbefc982207c02576cdb318936c (20210824092358)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=84780909157a7a0ddbd1201bd84d54be2bf49922&tochange=d33f443a5aef3cbefc982207c02576cdb318936c

Whiteboard: [bugmon:update,bisect][Mark testcase s-s before opening] → [bugmon:update,bisected,confirmed][Mark testcase s-s before opening]

Bugmon Analysis
Unable to reproduce bug 1735993 using build mozilla-central 20211014093415-c2a85e89a843. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Yeah this is a problem with the testing function.

Flags: needinfo?(jdemooij)
Group: javascript-core-security

Not adding the test case because it's so large, and this is just a testing function.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED

:jandem, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(jdemooij)
Flags: needinfo?(jdemooij)
Regressed by: 1702196
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5c70a0088b01
Use HeapPtr instead of GCPtr in ShapeSnapshot. r=jonco

https://hg.mozilla.org/mozilla-central/rev/5c70a0088b01

Status: ASSIGNED → RESOLVED
Closed: 1 month ago
status-firefox95: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 95 Branch
You need to log in before you can comment on or make changes to this bug.