1762771 - Assertion failure: !hasBlackEntries(), at gc/Marking.cpp:2469

Status: VERIFIED FIXED

(Core :: JavaScript: GC, defect, P1)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 20220403-b9165a6769de (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

function b() {
  c = newGlobal();
  for (action of e) {
    if (action == 'key') {
      enqueueMark('set-color-black'); 
      enqueueMark(c);   
    } else {
      enqueueMark('set-color-gray');   
    }
  }
  startgc()
}
for (e of [['', 'key'], 'otherzone'])            
  b();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x000055555754c391 in js::GCMarker::setMarkColor(js::gc::MarkColor) ()
#1  0x000055555754a7da in js::GCMarker::processMarkQueue() ()
#2  0x00005555575093e5 in js::gc::GCRuntime::markUntilBudgetExhausted(js::SliceBudget&, js::GCMarker::ShouldReportMarkTime) ()
#3  0x00005555575a1499 in js::gc::GCRuntime::markGray(JS::GCContext*, js::SliceBudget&) ()
#4  0x00005555575c38a1 in sweepaction::SweepActionSequence::run(js::gc::SweepAction::Args&) ()
#5  0x00005555575b8f95 in sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, JSRuntime*>::run(js::gc::SweepAction::Args&) ()
#6  0x00005555575a926a in js::gc::GCRuntime::performSweepActions(js::SliceBudget&) ()
#7  0x000055555750bb69 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::GCReason, bool) ()
#8  0x000055555750f4f8 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, JS::GCReason) ()
#9  0x0000555557510746 in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, JS::GCReason) ()
#10 0x0000555556fbe84f in StartGC(JSContext*, unsigned int, JS::Value*) ()
#11 0x0000555556c895d0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#24 0x0000000000000000 in ?? ()
rax	0x55555584eb53	93824995355475
rbx	0x7ffff6019550	140737320686928
rcx	0x5555581b3898	93825038760088
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffb190	140737488335248
rsp	0x7fffffffb170	140737488335216
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x7ffff6044a00	140737320864256
r13	0x7ffff6019550	140737320686928
r14	0x1	1
r15	0x1	1
rip	0x55555754c391 <js::GCMarker::setMarkColor(js::gc::MarkColor)+353>
=> 0x55555754c391 <_ZN2js8GCMarker12setMarkColorENS_2gc9MarkColorE+353>:	movl   $0x9a5,0x0
   0x55555754c39c <_ZN2js8GCMarker12setMarkColorENS_2gc9MarkColorE+364>:	callq  0x555556b76777 <abort>

Comment 1

[Christian Holler (:decoder)]

Attachment: Detailed Crash Information

Comment 2

[Christian Holler (:decoder)]

Attachment: Testcase

Comment 3

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220403215202-2d8724cbbddd.
The bug appears to have been introduced in the following build range:

Start: a27f2f698323860d680f0d042d0a833411935057 (20220202172237)
End: 26438f963a5ffab579ede7738679bc2ae34102e2 (20220202173131)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a27f2f698323860d680f0d042d0a833411935057&tochange=26438f963a5ffab579ede7738679bc2ae34102e2

Comment 4

[Jon Coppeard (:jonco)]

This is probably an issue with the mark queue, which is a test feature.

Comment 5

[Steve Fink [:sfink] [:s:]]

Minimized test case:

enqueueMark('set-color-gray');
enqueueMark('set-color-black');
enqueueMark(newGlobal());
enqueueMark('set-color-gray');
newGlobal();
startgc();

Comment 6

[Steve Fink [:sfink] [:s:]]

Attachment: Bug 1762771 - disallow gray marking when black objects are on the stack, again

Comment 7

[Steve Fink [:sfink] [:s:]]

Yes, this needs to be updated now that we've gone back to having a single color of entries on the mark stack.

Comment 8

[Steve Fink [:sfink] [:s:]]

(To be clear, this is a test-only failure. Or rather, it is a bug in the test mechanism.)

Comment 9

[BugBot [:suhaib / :marco/ :calixte]]

:sfink, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Comment 10

[Pulsebot]

Pushed by sfink@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8c1a97bfe469
disallow gray marking when black objects are on the stack, again r=jonco

Comment 11

[Cosmin Sabou [:CosminS]]

Backed out for causing spidermonkey failures on bug-1762771.js.

Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&resultStatus=pending%2Crunning%2Csuccess%2Ctestfailed%2Cbusted%2Cexception%2Cretry%2Cusercancel&revision=8c1a97bfe4699ee0ae9b23403d314db22cf8d9ae&searchStr=sm&group_state=expanded&selectedTaskRun=ALIj_chUQFGjLSArEi38uQ.0

Failure logs:
https://treeherder.mozilla.org/logviewer?job_id=374109932&repo=autoland
https://treeherder.mozilla.org/logviewer?job_id=374111239&repo=autoland

Backout link: https://hg.mozilla.org/integration/autoland/rev/c50b2f878c17fed23443962b2b74784255e17740

[task 2022-04-11T18:52:52.296Z] TEST-PASS | js/src/jit-test/tests/gc/bug-1757573.js | Success (code 0, args "--no-blinterp --no-baseline --no-ion --more-compartments") [0.0 s]
[task 2022-04-11T18:52:52.300Z] /builds/worker/checkouts/gecko/js/src/jit-test/tests/gc/bug-1762771.js:1:1 ReferenceError: enqueueMark is not defined
[task 2022-04-11T18:52:52.300Z] Stack:
[task 2022-04-11T18:52:52.300Z]   @/builds/worker/checkouts/gecko/js/src/jit-test/tests/gc/bug-1762771.js:1:1
[task 2022-04-11T18:52:52.300Z] Exit code: 3
[task 2022-04-11T18:52:52.300Z] FAIL - gc/bug-1762771.js
[task 2022-04-11T18:52:52.300Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/gc/bug-1762771.js | /builds/worker/checkouts/gecko/js/src/jit-test/tests/gc/bug-1762771.js:1:1 ReferenceError: enqueueMark is not defined (code 3, args "") [0.0 s]
[task 2022-04-11T18:52:52.300Z] INFO exit-status     : 3
[task 2022-04-11T18:52:52.300Z] INFO timed-out       : False
[task 2022-04-11T18:52:52.300Z] INFO stderr         2> /builds/worker/checkouts/gecko/js/src/jit-test/tests/gc/bug-1762771.js:1:1 ReferenceError: enqueueMark is not defined
[task 2022-04-11T18:52:52.300Z] INFO stderr         2> Stack:
[task 2022-04-11T18:52:52.300Z] INFO stderr         2> @/builds/worker/checkouts/gecko/js/src/jit-test/tests/gc/bug-1762771.js:1:1
[task 2022-04-11T18:52:52.303Z] TEST-PASS | js/src/jit-test/tests/gc/bug-1757573.js | Success (code 0, args "--blinterp-eager") [0.0 s]
[task 2022-04-11T18:52:52.303Z] /builds/worker/checkouts/gecko/js/src/jit-test/tests/gc/bug-1762771.js:1:1 ReferenceError: enqueueMark is not defined
[task 2022-04-11T18:52:52.303Z] Stack:
[task 2022-04-11T18:52:52.303Z]   @/builds/worker/checkouts/gecko/js/src/jit-test/tests/gc/bug-1762771.js:1:1
[task 2022-04-11T18:52:52.303Z] Exit code: 3
[task 2022-04-11T18:52:52.303Z] FAIL - gc/bug-1762771.js
[task 2022-04-11T18:52:52.303Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/gc/bug-1762771.js | /builds/worker/checkouts/gecko/js/src/jit-test/tests/gc/bug-1762771.js:1:1 ReferenceError: enqueueMark is not defined (code 3, args "--ion-eager --ion-offthread-compile=off --more-compartments") [0.0 s]
[task 2022-04-11T18:52:52.303Z] INFO exit-status     : 3
[task 2022-04-11T18:52:52.303Z] INFO timed-out       : False
[task 2022-04-11T18:52:52.303Z] INFO stderr         2> /builds/worker/checkouts/gecko/js/src/jit-test/tests/gc/bug-1762771.js:1:1 ReferenceError: enqueueMark is not defined
[task 2022-04-11T18:52:52.303Z] INFO stderr         2> Stack:
[task 2022-04-11T18:52:52.303Z] INFO stderr         2> @/builds/worker/checkouts/gecko/js/src/jit-test/tests/gc/bug-1762771.js:1:1
[task 2022-04-11T18:52:52.308Z] /builds/worker/checkouts/gecko/js/src/jit-test/tests/gc/bug-1762771.js:1:1 ReferenceError: enqueueMark is not defined
[task 2022-04-11T18:52:52.308Z] Stack:
[task 2022-04-11T18:52:52.308Z]   @/builds/worker/checkouts/gecko/js/src/jit-test/tests/gc/bug-1762771.js:1:1
[task 2022-04-11T18:52:52.308Z] Exit code: 3
[task 2022-04-11T18:52:52.308Z] FAIL - gc/bug-1762771.js
[task 2022-04-11T18:52:52.308Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/gc/bug-1762771.js | /builds/worker/checkouts/gecko/js/src/jit-test/tests/gc/bug-1762771.js:1:1 ReferenceError: enqueueMark is not defined (code 3, args "--ion-eager --ion-offthread-compile=off --ion-check-range-analysis --ion-extra-checks --no-sse3 --no-threads") [0.0 s]
[task 2022-04-11T18:52:52.308Z] INFO exit-status     : 3
[task 2022-04-11T18:52:52.308Z] INFO timed-out       : False
[task 2022-04-11T18:52:52.308Z] INFO stderr         2> /builds/worker/checkouts/gecko/js/src/jit-test/tests/gc/bug-1762771.js:1:1 ReferenceError: enqueueMark is not defined
[task 2022-04-11T18:52:52.308Z] INFO stderr         2> Stack:
[task 2022-04-11T18:52:52.308Z] INFO stderr         2> @/builds/worker/checkouts/gecko/js/src/jit-test/tests/gc/bug-1762771.js:1:1
[task 2022-04-11T18:52:52.308Z] /builds/worker/checkouts/gecko/js/src/jit-test/tests/gc/bug-1762771.js:1:1 ReferenceError: enqueueMark is not defined

Comment 12

[Pulsebot]

Pushed by sfink@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0f57a57f3e44
disallow gray marking when black objects are on the stack, again r=jonco

Comment 13

[Iulian Moraru]

https://hg.mozilla.org/mozilla-central/rev/0f57a57f3e44

Comment 14

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220414034541-7483423001f5.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 15

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1751959