Assertion failure: ok, at js/src/gc/Scheduling.cpp:677 or MOZ_CRASH(Association already present: f54360e0 0x38 ObjectElements) at gc/Scheduling.cpp:713
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox99 | --- | unaffected |
| firefox100 | --- | unaffected |
| firefox101 | --- | fixed |
| firefox102 | --- | verified |
People
(Reporter: decoder, Assigned: jonco)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(3 files)
|
1.64 KB,
text/plain
|
Details | |
|
461 bytes,
text/plain
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
|
Details | Review |
The following testcase crashes on mozilla-central revision 20220427-139c89a60b72 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):
const thisGlobal = this;
const otherGlobalSameCompartment = newGlobal({sameCompartmentAs: thisGlobal});
const globals = [thisGlobal, otherGlobalSameCompartment, undefined ];
function testProperties(global, count) {
let {object: source, transplant} = transplantableObject();
for (let i9 = 0; i9 < count; i9++)
source[(0) + i9] = i9;
transplant(global);
}
for (let global of globals)
for (let count of [0, 10, 30])
testProperties(global, count);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x00005555575d0abf in js::gc::MemoryTracker::checkEmptyOnDestroy() ()
#1 0x000055555761b169 in js::ZoneAllocator::~ZoneAllocator() ()
#2 0x000055555761c9b4 in JS::Zone::~Zone() ()
#3 0x000055555754a0cd in JS::Zone::destroy(JS::GCContext*) ()
#4 0x000055555754ab65 in js::gc::GCRuntime::sweepZones(JS::GCContext*, bool) ()
#5 0x00005555575557aa in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::GCReason, bool) ()
#6 0x0000555557559461 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, JS::GCReason) ()
#7 0x000055555755a6a6 in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, JS::GCReason) ()
#8 0x00005555575274c8 in js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason) ()
#9 0x000055555704c62c in JSRuntime::destroyRuntime() ()
#10 0x0000555556ecd426 in js::DestroyContext(JSContext*) ()
#11 0x0000555556b43447 in main ()
rax 0x55555575a42a 93824994354218
rbx 0x7ffff6040f20 140737320849184
rcx 0x5555581d5ae8 93825038899944
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffd920 140737488345376
rsp 0x7fffffffd8a0 140737488345248
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99840 140737353717824
r10 0x0 0
r11 0x0 0
r12 0x7fffffffd8b0 140737488345264
r13 0x1d411a001510 32165446292752
r14 0x4 4
r15 0x100 256
rip 0x5555575d0abf <js::gc::MemoryTracker::checkEmptyOnDestroy()+415>
=> 0x5555575d0abf <_ZN2js2gc13MemoryTracker19checkEmptyOnDestroyEv+415>: movl $0x2a5,0x0
0x5555575d0aca <_ZN2js2gc13MemoryTracker19checkEmptyOnDestroyEv+426>: callq 0x555556bd9e68 <abort>
|
Reporter | |
Comment 1•2 years ago
|
||
|
|
Reporter | |
Comment 2•2 years ago
|
||
|
||
Comment 3•2 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220427094429-139c89a60b72.
The bug appears to have been introduced in the following build range:
Start: 062865b2b0dffd4c7be2d1b39765e52fe9df51e9 (20220422161407)
End: ace593c684dbf397b1575c1e818a47b383462c72 (20220422103514)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=062865b2b0dffd4c7be2d1b39765e52fe9df51e9&tochange=ace593c684dbf397b1575c1e818a47b383462c72
|
||
Comment 4•2 years ago
|
||
Probably related to the nursery transplanting work in bug 1765338.
|
||
Updated•2 years ago
|
|
|
Reporter | |
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
Assignee | |
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Comment 5•2 years ago
|
||
Set release status flags based on info from the regressing bug 1765338
|
|
Assignee | |
Comment 6•2 years ago
|
||
We need to copy nursery allocated elements into malloc memory when swapping a
nursery obect into the tenured heap, and update memory accounting in a few
places.
The patch also fixes a bug in calculating how much of the nursery was tenured
which came up during testing (we don't know how big proxy objects if they've
been swpping into the nursery so assume the minimum size).
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/dd9b3908837c Take account of dynamic elements when swapping object r=jandem
|
||
Comment 8•2 years ago
|
||
| bugherder | ||
|
|
||
Comment 9•2 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220511160229-b1a6d4894004.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
||
Comment 10•2 years ago
|
||
The patch landed in nightly and beta is affected.
:jonco, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
|
|
Assignee | |
Comment 11•2 years ago
|
||
Comment on attachment 9275433 [details]
Bug 1766656 - Take account of dynamic elements when swapping object r?jandem
Beta/Release Uplift Approval Request
- User impact if declined: Possible crash when transplanting objects.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): This is a complex area of the code and the changes are non-trivial. However it is covered by exhaustive tests (in the patch) and has baked on central for 6 days.
- String changes made/needed: None
- Is Android affected?: Yes
|
|
||
Comment 12•2 years ago
|
||
Comment on attachment 9275433 [details]
Bug 1766656 - Take account of dynamic elements when swapping object r?jandem
Fixes a possible crash in new code shipping in 101. Approved for 101.0b8. Thanks for including the test.
|
|
||
Comment 13•2 years ago
|
||
| bugherder uplift | ||
Description
•