1813556 - Assertion failure: !tc->isMarkedGray(), at js/src/gc/GC.cpp:5044

Status: RESOLVED FIXED

(Core :: JavaScript: GC, defect, P1)

Description

[lukas.bernhard]

Attachment: reprl.py

Steps to reproduce:

The following bug is a bit annoying to reproduce, sorry for that. During fuzzing, I encountered an assertion violation at js/src/gc/GC.cpp:5044
Unfortunately, the I only managed to reproduce the crash when supplying 2 separate files via the reprl interface (standard for Fuzzilli fuzzing); neither concatenating nor -f a.js -f b.js worked. I wrote a small python script which instanciates the js-shell in reprl mode and feeds the 2 snippets.
First, there will be an assertion violation at Assertion failure: rt->supportedImportAssertions.ref().empty(), at js/src/vm/Modules.cpp:45. This one in probably unrelated; I removed this assert as it triggers occasionally during fuzzing.
The second assert, !tc->isMarkedGray() seems more interesting.
Bisecting the GC issue points to commit 8d993476b0fca3d388d139a207d8fe838aeb2187 related to bug 1749298. Setting s-s because one other regressor of bug 1749298 was set to sec-high.

Tested on commit fb1e6d6e5735dcf12d96fde70351aca305961b53. The option --enable-js-fuzzilli is required in .mozconfig for enabling the reprl interface.
Note that debugging the issue under rr might not work out of the box because (on my system). rr uses one of the hard-coded fuzzilli file-descriptors
(100, used by fuzzilli for REPRL_CRFD). Changing REPRL_{CRFD, CWFD, DRFD, DWFD} in the attached script and js.cpp allows reproduction under rr.

#0  0x000055555859559d in js::gc::detail::AssertCellIsNotGray (cell=0x1d6a25a67988)
    at js/src/gc/GC.cpp:5044
#1  0x000055555752bb30 in JS::AssertCellIsNotGray (maybeCell=0x1d6a25a67988)
    at obj-x86_64-pc-linux-gnu/dist/include/js/RootingAPI.h:423
#2  0x000055555754f511 in JSContext::enterRealmOf (this=0x7ffff6b2f100, target=0x1d6a25a67988)
    at js/src/vm/JSContext-inl.h:301
#3  0x000055555759cac6 in js::AutoRealm::AutoRealm<JSFunction*> (this=0x7fffffffe680, cx=0x7ffff6b2f100,
    target=@0x7fffffffe690: 0x1d6a25a67988) at js/src/vm/Realm-inl.h:62
#4  0x0000555557520cd9 in MaybeRunFinalizationRegistryCleanupTasks (cx=0x7ffff6b2f100)
    at js/src/shell/js.cpp:1115
#5  0x00005555574f8abe in RunShellJobs (cx=0x7ffff6b2f100)
    at js/src/shell/js.cpp:1162
#6  0x00005555574ea836 in Shell (cx=0x7ffff6b2f100, op=0x7fffffffea58)
    at js/src/shell/js.cpp:11333
#7  0x00005555574e541c in main (argc=8, argv=0x7fffffffed18)
    at js/src/shell/js.cpp:12459

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1749298

Comment 2

[Jon Coppeard (:jonco)]

We need to expose the queued finalization registry callback objects to active JS. The queue itself is a roots but objects can be queue while gray and they won't be marked black until the next GC.

Comment 3

[Andrew McCreight [:mccr8]]

I think black-grey edges just cause null derefs, so I'll unhide this.

Comment 4

[Jon Coppeard (:jonco)]

Attachment: Bug 1813556 - Expose finalization registry callback objects to active JS r?sfink

Comment 5

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a5d59a0ec5a3
Expose finalization registry callback objects to active JS r=sfink

Comment 6

[Sandor Molnar[:smolnar]]

https://hg.mozilla.org/mozilla-central/rev/a5d59a0ec5a3