Closed Bug 1756590 Opened 2 years ago Closed 2 years ago

Crash [@ js::gc::TenuredCell::zone() const] and other GC-related crashes

Categories

(Core :: JavaScript: GC, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1756567
Tracking Status
firefox99 --- affected

People

(Reporter: decoder, Assigned: jonco)

References

(Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20220222-9852e8d821d0 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

function asyncGC(...targets) {
  var finalizationRegistry = new FinalizationRegistry(() => {});
  for (let target of targets) {
    finalizationRegistry.register(target, 'target');
  }
  return Promise.resolve('tick').then(() => asyncGCDeref()).then(() => {
    finalizationRegistry.cleanupSome(name => { names.push(name); });
  });
}
const root = newGlobal({newCompartment: true});
const dbg = new Debugger();
dbg.each = asyncGC;
const wrappedRoot = dbg.each(root);
gczeal(14,10);
evaluate(`
  var StructType = class {};
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555556ae7548 in js::gc::TenuredCell::zone() const ()
#1  0x0000555557535ca8 in ShouldTraceCrossCompartment(JSTracer*, JSObject*, js::gc::Cell*) ()
#2  0x0000555557535b03 in void js::TraceManuallyBarrieredCrossCompartmentEdge<JSObject*>(JSTracer*, JSObject*, JSObject**, char const*) ()
#3  0x00005555574e71ff in js::gc::FinalizationRegistryGlobalData::trace(JSTracer*, js::GlobalObject*) ()
#4  0x00005555571bb9b4 in JS_GlobalObjectTraceHook(JSTracer*, JSObject*) ()
#5  0x000055555753e226 in js::GCMarker::processMarkStackTop(js::SliceBudget&) ()
#6  0x000055555753e7f6 in js::GCMarker::markUntilBudgetExhausted(js::SliceBudget&, js::GCMarker::ShouldReportMarkTime) ()
#7  0x00005555574fb845 in js::gc::GCRuntime::markUntilBudgetExhausted(js::SliceBudget&, js::GCMarker::ShouldReportMarkTime) ()
#8  0x00005555574fe7b2 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::GCReason, bool) ()
#9  0x0000555557502408 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, JS::GCReason) ()
#10 0x0000555557503656 in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, JS::GCReason) ()
#11 0x00005555574d3308 in js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason) ()
#12 0x0000555557506dcb in js::gc::GCRuntime::runDebugGC() ()
#13 0x00005555574d0b37 in bool js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1>(JSContext*, js::gc::AllocKind) ()
#14 0x00005555574d0949 in JSObject* js::AllocateObject<(js::AllowGC)1>(JSContext*, js::gc::AllocKind, unsigned long, js::gc::InitialHeap, JSClass const*, js::gc::AllocSite*) ()
#15 0x0000555556c07b77 in js::NativeObject::create(JSContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, js::gc::AllocSite*) ()
#16 0x0000555556e8e45f in NewObject(JSContext*, JSClass const*, JS::Handle<js::TaggedProto>, js::gc::AllocKind, js::NewObjectKind) ()
#17 0x0000555556ff28e3 in js::SavedFrame::create(JSContext*) ()
#18 0x0000555556ffb8c5 in js::SavedStacks::createFrameFromLookup(JSContext*, JS::Handle<js::SavedFrame::Lookup>) ()
#19 0x0000555556ffb335 in js::SavedStacks::getOrCreateSavedFrame(JSContext*, JS::Handle<js::SavedFrame::Lookup>) ()
#20 0x0000555556ff87b9 in js::SavedStacks::insertFrames(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) ()
#21 0x0000555556ff769a in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) ()
#22 0x00005555571ce9d5 in JS::CaptureCurrentStack(JSContext*, JS::MutableHandle<JSObject*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) ()
#23 0x00005555571d4733 in js::ErrorToException(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*) ()
#24 0x0000555556df4949 in js::ReportErrorNumberVA(JSContext*, js::IsWarning, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, js::ErrorArgumentsType, __va_list_tag*) ()
#25 0x00005555571b2c4f in JS_ReportErrorNumberUTF8(JSContext*, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, ...) ()
#26 0x0000555556e65cb6 in js::ReportIsNotDefined(JSContext*, JS::Handle<js::PropertyName*>) ()
#27 0x0000555556c68d89 in bool js::FetchName<(js::GetNameMode)0>(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, js::PropertyResult const&, JS::MutableHandle<JS::Value>) ()
#28 0x0000555556c95449 in bool js::GetEnvironmentName<(js::GetNameMode)0>(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) ()
#29 0x0000555556c73146 in Interpret(JSContext*, js::RunState&) ()
#30 0x0000555556c6987f in js::RunScript(JSContext*, js::RunState&) ()
#31 0x0000555556c7cfae in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#32 0x0000555556c7e7b0 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#33 0x0000555556c7e9a0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#34 0x0000555556cfad1d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#35 0x0000555556f61771 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) ()
#36 0x0000555556c7d9c0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#37 0x0000555556c7d0a5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#38 0x0000555556c7e7b0 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#39 0x0000555556c7e9a0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#40 0x0000555556d922c2 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) ()
#41 0x0000555556e6868b in js::InternalJobQueue::runJobs(JSContext*) ()
#42 0x0000555556e680e6 in js::RunJobs(JSContext*) ()
#43 0x0000555556afb998 in RunShellJobs(JSContext*) ()
#44 0x0000555556adbe83 in Shell(JSContext*, js::cli::OptionParser*) ()
#45 0x0000555556ad443f in main ()
rax	0x2817c7c00000	44082600607744
rbx	0x7ffff6019518	140737320686872
rcx	0x88040	557120
rdx	0x1	1
rsi	0x1	1
rdi	0x2817c7c88000	44082601164800
rbp	0x7fffffffa3c0	140737488331712
rsp	0x7fffffffa3b0	140737488331696
r8	0x20	32
r9	0x7ffff6045a80	140737320868480
r10	0x1	1
r11	0x7ffff6045b80	140737320868736
r12	0x2817c7ca1102	44082601267458
r13	0x2817c7ca11e8	44082601267688
r14	0x2817c7c88040	44082601164864
r15	0x7ffff6045b01	140737320868609
rip	0x555556ae7548 <js::gc::TenuredCell::zone() const+72>
=> 0x555556ae7548 <_ZNK2js2gc11TenuredCell4zoneEv+72>:	mov    0x8(%rdi),%rbx
   0x555556ae754c <_ZNK2js2gc11TenuredCell4zoneEv+76>:	callq  0x5555574db820 <_ZN2js24CurrentThreadIsGCMarkingEv>

I'm still seeing a variety of GC-related crashes, some involving the debugger, such as this one, others just involving FinalizationRegistry. Filing s-s until investigated.

Attached file Testcase
Flags: needinfo?(jcoppeard)
Assignee: nobody → jcoppeard
Priority: -- → P1

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220222144226-8f6979e6d30e.
The bug appears to have been introduced in the following build range:

Start: 1a579edbc613cf0151ea5f85b03ada1503c77712 (20220211110300)
End: e9a80289cc3be6b3ff4786cdf9f06493e1fe12c4 (20220211113101)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=1a579edbc613cf0151ea5f85b03ada1503c77712&tochange=e9a80289cc3be6b3ff4786cdf9f06493e1fe12c4

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

This will be fixed by bug 1756567 which removes some non-standard tracing code.

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(jcoppeard)
Regressed by: 1749298
Resolution: --- → DUPLICATE
Has Regression Range: --- → yes

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Group: javascript-core-security