1822995 - Assertion failure: CurrentThreadIsGCSweeping() || CurrentThreadIsGCFinalizing(), at gc/Barrier.h:616

Status: RESOLVED FIXED

(Core :: JavaScript: GC, defect, P1)

Description

[lukas.bernhard]

Steps to reproduce:

On git commit 585fe519f14ca8f241370573a902fc6d53cf8ac6 the attached sample asserts in the js-shell when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --baseline-warmup-threshold=10 --fuzzing-safe --ion-warmup-threshold=100 crash.js
Bisecting the issue points to commit cc0a423c96d6ffc5d0d6ea1fabdb0f62b7d534bf related to bug 1816890.
Might not actually be s-s, just flagging as a precaution.

function f0(a1, a2, a3) {
    try {
        a2(a1, a2);
    } catch(e5) {
        const v7 = new Set();
        const v8 = v7.add();
        function f9(a10, a11) {
            a11.sameZoneAs = v8; 
            return this;
        }
        f9(v8, f9).newGlobal(f9).blackRoot(a1);
    }   
    return a2; 
}
const v17 = this.wrapWithProto(f0, this);
const v19 = Proxy.revocable(f0, v17);
v19.proxy(v17, v17);
v19.proxy(v19, v17);
gc();

#0  0x00005555573d321b in js::GCPtr<js::ArrayObject*>::~GCPtr (this=0x7ffff4c26a18)
    at js/src/gc/Barrier.h:616
#1  0x00005555573d318d in ShellCompartmentPrivate::~ShellCompartmentPrivate (
    this=0x7ffff4c26a10) at js/src/shell/js.cpp:582
#2  0x000055555737fcb0 in js_delete<ShellCompartmentPrivate> (p=0x7ffff4c26a10)
    at obj-x86_64-pc-linux-gnu/dist/include/js/Utility.h:555
#3  0x000055555736ffb4 in DestroyShellCompartmentPrivate (gcx=0x7ffff7423740,
    compartment=0x7ffff74033a0) at js/src/shell/js.cpp:4156
#4  0x0000555558421769 in JS::Compartment::destroy (this=0x7ffff74033a0, 
    gcx=0x7ffff7423740) at js/src/gc/GC.cpp:2125
#5  0x0000555558421b41 in JS::Zone::sweepCompartments (this=0x7ffff74fe000, 
    gcx=0x7ffff7423740, keepAtleastOne=false, destroyingRuntime=false)
    at js/src/gc/GC.cpp:2176
#6  0x0000555558422409 in js::gc::GCRuntime::sweepZones (this=0x7ffff7423728, 
    gcx=0x7ffff7423740, destroyingRuntime=false)
    at js/src/gc/GC.cpp:2243
#7  0x000055555842a195 in js::gc::GCRuntime::incrementalSlice (this=0x7ffff7423728, 
    budget=..., reason=JS::GCReason::API, budgetWasIncreased=false)
    at js/src/gc/GC.cpp:3724
#8  0x000055555842c435 in js::gc::GCRuntime::gcCycle (this=0x7ffff7423728, 
    nonincrementalByAPI=true, budgetArg=..., reason=JS::GCReason::API)
    at js/src/gc/GC.cpp:4212
#9  0x000055555842d3b2 in js::gc::GCRuntime::collect (this=0x7ffff7423728,
#10 0x000055555840c402 in js::gc::GCRuntime::gc (this=0x7ffff7423728, options=JS::GCOptions::Normal, 
    reason=JS::GCReason::API) at js/src/gc/GC.cpp:4477
#11 0x00005555584803de in JS::NonIncrementalGC (cx=0x7ffff7430100, options=JS::GCOptions::Normal, 
    reason=JS::GCReason::API) at js/src/gc/GCAPI.cpp:297
#12 0x0000555557e521a0 in GC (cx=0x7ffff7430100, argc=0, vp=0x7ffff4cf3090)
    at js/src/builtin/TestingFunctions.cpp:706
#13 0x000055555757affe in CallJSNative (cx=0x7ffff7430100, 
    native=0x555557e51cd0 <GC(JSContext*, unsigned int, JS::Value*)>, reason=js::CallReason::Call, args=...)
    at js/src/vm/Interpreter.cpp:459
#14 0x000055555757a7dd in js::InternalCallOrConstruct (cx=0x7ffff7430100, args=..., construct=js::NO_CONSTRUCT, 
    reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:553
#15 0x000055555757bbd1 in InternalCall (cx=0x7ffff7430100, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:620
#16 0x000055555757b995 in js::CallFromStack (cx=0x7ffff7430100, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:625
#17 0x000055555756c664 in Interpret (cx=0x7ffff7430100, state=...)
    at js/src/vm/Interpreter.cpp:3368
#18 0x000055555755e740 in js::RunScript (cx=0x7ffff7430100, state=...)
    at js/src/vm/Interpreter.cpp:431
#19 0x000055555757d78c in js::ExecuteKernel (cx=0x7ffff7430100, script=..., envChainArg=..., evalInFrame=..., result=...)
    at js/src/vm/Interpreter.cpp:818
#20 0x000055555757e035 in js::Execute (cx=0x7ffff7430100, script=..., envChain=..., rval=...)
    at js/src/vm/Interpreter.cpp:850
#21 0x00005555577bf876 in ExecuteScript (cx=0x7ffff7430100, envChain=..., script=..., rval=...)
    at js/src/vm/CompilationAndEvaluation.cpp:472
#22 0x00005555577bf9cd in JS_ExecuteScript (cx=0x7ffff7430100, scriptArg=...)
    at js/src/vm/CompilationAndEvaluation.cpp:496
#23 0x00005555573a924f in RunFile (cx=0x7ffff7430100, filename=0x7fffffffea62 "crash_2023_03_16.js", file=0x7ffff7769020, 
    compileMethod=CompileUtf8::DontInflate, compileOnly=false, fullParse=false)
    at js/src/shell/js.cpp:1098
#24 0x00005555573a8af5 in Process (cx=0x7ffff7430100, filename=0x7fffffffea62 "crash_2023_03_16.js", forceTTY=false,
    kind=FileScript) at js/src/shell/js.cpp:1697
#25 0x00005555573829e8 in ProcessArgs (cx=0x7ffff7430100, op=0x7fffffffe420)
    at js/src/shell/js.cpp:10584
#26 0x0000555557371983 in Shell (cx=0x7ffff7430100, op=0x7fffffffe420)
    at js/src/shell/js.cpp:10808
#27 0x000055555736ca46 in main (argc=5, argv=0x7fffffffe688) at js/src/shell/js.cpp:11240

Comment 1

[Jan de Mooij [:jandem]]

Based on the stack trace, this looks like an issue with ShellCompartmentPrivate::blackRoot.

Comment 2

[Jon Coppeard (:jonco)]

This is a problem with the assertions and doesn't affect release builds.

Comment 3

[Jon Coppeard (:jonco)]

Attachment: Bug 1822995 - Always set thread sweeping state when calling Zone::sweepCompartments r?jandem

This is just a problem with assertions and doesn't affect release builds. We
need to move AutoSetThreadIsSweeping so it always covers calls to
sweepCompartments.

Comment 4

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9b8212e97745
Always set thread sweeping state when calling Zone::sweepCompartments r=jandem

Comment 5

[Marian-Vasile Laza]

https://hg.mozilla.org/mozilla-central/rev/9b8212e97745