Crash [@ bool js::gc::IsMarkedInternal<JSObject>(JSRuntime*, JSObject*)]
Categories
(Core :: JavaScript: GC, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox106 | --- | unaffected |
| firefox107 | --- | unaffected |
| firefox108 | --- | verified |
People
(Reporter: decoder, Assigned: jonco)
References
(Regression)
Details
(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Crash Data
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20221108-a62fef9a10c5 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):
setMarkStackLimit(1);
loadFile(`
function wasmEvalText(str, imports) {
let binary = wasmTextToBinary(str);
m = new WebAssembly.Module(binary);
return new WebAssembly.Instance(m, imports);
}
let WasmFuncrefValues = [
wasmEvalText(\`(module (func (export "")))\`).exports[''],
];
g1 = newGlobal({newCompartment: true});
gczeal(10,10);
`);
for (let i = 0; i < 1000; ++i)
loadFile("}");
function loadFile(lfVarx) {
try {
evaluate(lfVarx);
} catch (lfVare) {}
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff5fff700 (LWP 13228)]
#0 0x00005555575d0026 in bool js::gc::IsMarkedInternal<JSObject>(JSRuntime*, JSObject*) ()
#1 0x0000555557d5f77d in js::wasm::Instance::tracePrivate(JSTracer*) ()
#2 0x0000555556f2a032 in JSObject::traceChildren(JSTracer*) ()
#3 0x000055555763d55a in JS::TraceChildren(JSTracer*, JS::GCCellPtr) ()
#4 0x00005555575ccced in js::GCMarker::markDelayedChildren(js::gc::Arena*) ()
#5 0x00005555575cd173 in js::GCMarker::processDelayedMarkingList(js::gc::MarkColor) ()
#6 0x00005555575ca57e in js::GCMarker::markAllDelayedChildren(js::GCMarker::ShouldReportMarkTime) ()
#7 0x00005555575c9593 in js::GCMarker::markUntilBudgetExhausted(js::SliceBudget&, js::GCMarker::ShouldReportMarkTime) ()
#8 0x00005555575865ef in js::gc::GCRuntime::markUntilBudgetExhausted(js::SliceBudget&, js::GCMarker::ShouldReportMarkTime) ()
#9 0x000055555761905a in js::gc::BackgroundMarkTask::run(js::AutoLockHelperThreadState&) ()
#10 0x00005555575b3337 in js::GCParallelTask::runTask(JS::GCContext*, js::AutoLockHelperThreadState&) ()
#11 0x00005555575b35ac in js::GCParallelTask::runHelperThreadTask(js::AutoLockHelperThreadState&) ()
#12 0x0000555556ea69d7 in js::GlobalHelperThreadState::runTaskLocked(js::HelperThreadTask*, js::AutoLockHelperThreadState&) ()
#13 0x0000555556ea6780 in js::GlobalHelperThreadState::runOneTask(js::AutoLockHelperThreadState&) ()
#14 0x0000555556eb9082 in js::HelperThread::threadLoop(js::InternalThreadPool*) ()
#15 0x0000555556eb8e3c in js::HelperThread::ThreadMain(js::InternalThreadPool*, js::HelperThread*) ()
#16 0x0000555556ec6ed8 in js::detail::ThreadTrampoline<void (&)(js::InternalThreadPool*, js::HelperThread*), js::InternalThreadPool*&, js::HelperThread*>::Start(void*) ()
#17 0x00007ffff7bc16ba in start_thread (arg=0x7ffff5fff700) at pthread_create.c:333
#18 0x00007ffff6e4641d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax 0x0 0
rbx 0x70edffb2138 7760468713784
rcx 0x0 0
rdx 0x7ffff5af4780 140737315293056
rsi 0x70edffb2138 7760468713784
rdi 0x7ffff6018000 140737320681472
rbp 0x7ffff5ffe920 140737320577312
rsp 0x7ffff5ffe900 140737320577280
r8 0x1 1
r9 0x20 32
r10 0x7ffff5af4780 140737315293056
r11 0x1 1
r12 0x7ffff6019348 140737320686408
r13 0x6 6
r14 0x7ffff6018000 140737320681472
r15 0x7ffff6019348 140737320686408
rip 0x5555575d0026 <bool js::gc::IsMarkedInternal<JSObject>(JSRuntime*, JSObject*)+70>
=> 0x5555575d0026 <_ZN2js2gc16IsMarkedInternalI8JSObjectEEbP9JSRuntimePT_+70>: mov 0xc8(%rax),%r15
0x5555575d002d <_ZN2js2gc16IsMarkedInternalI8JSObjectEEbP9JSRuntimePT_+77>: mov 0xcd5b94(%rip),%rax # 0x5555582a5bc8 <_ZN2js28AutoNoteSingleThreadedRegion5countE>
|
Reporter | |
Comment 1•2 years ago
|
||
|
|
Reporter | |
Comment 2•2 years ago
|
||
|
||
Comment 3•2 years ago
|
||
I don't know if this is shell-only, but if it isn't it looks like sec-high to me so I'll mark it that for now.
|
||
Comment 4•2 years ago
|
||
Verified bug as reproducible on mozilla-central 20221108094235-a62fef9a10c5.
The bug appears to have been introduced in the following build range:
Start: f6aaa6865516679c87696987461fbf7d9dba6f5b (20221028180304)
End: 5fa2ef9fb2f60fb8370a3b210e6f3d585c65b107 (20221028180431)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f6aaa6865516679c87696987461fbf7d9dba6f5b&tochange=5fa2ef9fb2f60fb8370a3b210e6f3d585c65b107
|
||
Updated•2 years ago
|
|
Assignee | |
Comment 5•2 years ago
|
||
This a problem with an assertion and is not security sensitive.
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 6•2 years ago
|
||
JS::RuntimeHeapIsMinorCollecting() gets the JSContext from TLS, but
IsMarkedInternal() can be called from a helper thread where this is null.
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0857304e4134 Fix assertion that assumed it could be only happen on the main thread r=sfink
|
||
Comment 8•2 years ago
|
||
| bugherder | ||
|
|
||
Comment 9•2 years ago
|
||
Verified bug as fixed on rev mozilla-central 20221110044858-57d2a9aee4e4.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
||
Comment 10•2 years ago
|
||
Setting Regressed by field after analyzing regression range found by bugmon in comment #4.
|
|
||
Comment 11•2 years ago
|
||
Set release status flags based on info from the regressing bug 1797755
Description
•