Closed
Bug 1825936
Opened 3 years ago
Closed 3 years ago
Assertion failure: !tc->isMarkedGray(), at gc/GC.cpp:5097
Categories
(Core :: JavaScript: GC, defect, P3)
Core
JavaScript: GC
Tracking
()
RESOLVED
FIXED
113 Branch
| Tracking | Status | |
|---|---|---|
| firefox113 | --- | fixed |
People
(Reporter: lukas.bernhard, Assigned: jonco)
References
(Blocks 1 open bug)
Details
Attachments
(4 files)
Steps to reproduce:
On git commit be62edbf403e6f21e935acc7611521c09aa9a436 a fuzzer found an assertion violation in the js-shell. The crash is deterministic but requires sending 2 samples via the reprl interface (standard fuzzilli interface).
I attached the 2 js files and a script sending them to the engine via the reprl interface.
#0 0x00005555584376cd in js::gc::detail::AssertCellIsNotGray (cell=0x18eb10194040)
at js/src/gc/GC.cpp:5097
#1 0x00005555573b8b80 in JS::AssertCellIsNotGray (maybeCell=0x18eb10194040)
at obj-x86_64-pc-linux-gnu/dist/include/js/RootingAPI.h:423
#2 0x00005555574159a5 in js::gc::Cell::assertThingIsNotGray (cell=0x18eb10194040)
at js/src/gc/Cell.h:633
#3 0x00005555576a0519 in js::InternalBarrierMethods<js::FinalizationRecordObject*, void>::assertThingIsNotGray (
v=0x18eb10194040) at js/src/gc/Barrier.h:354
#4 0x00005555576a0483 in js::AssertTargetIsNotGray<js::FinalizationRecordObject*> (v=@0x7ffff4c269b8: 0x18eb10194040)
at js/src/gc/Barrier.h:446
#5 0x00005555576a00ca in js::WeakHeapPtr<js::FinalizationRecordObject*>::operator= (this=0x7ffff4c269b0, v=...)
at js/src/gc/Barrier.h:880
#6 0x000055555769ff33 in JS::GCVector<js::WeakHeapPtr<js::FinalizationRecordObject*>, 1ul, js::TrackedAllocPolicy<(js::TrackingKind)0> >::mutableEraseIf<JS::GCVector<js::WeakHeapPtr<js::FinalizationRe
cordObject*>, 1ul, js::TrackedAllocPolicy<(js::TrackingKind)0> >::traceWeak(JSTracer*)::{lambda(js::WeakHeapPtr<js::FinalizationRecordObject*>&)#1}>(JS::GCVector<js::WeakHeapPtr<js::FinalizationRecordO
bject*>, 1ul, js::TrackedAllocPolicy<(js::TrackingKind)0> >::traceWeak(JSTracer*)::{lambda(js::WeakHeapPtr<js::FinalizationRecordObject*>&)#1}) (this=0x7ffff4c7f500, pred=...)
at obj-x86_64-pc-linux-gnu/dist/include/js/GCVector.h:185
#7 0x000055555769fe15 in JS::GCVector<js::WeakHeapPtr<js::FinalizationRecordObject*>, 1ul, js::TrackedAllocPolicy<(js::TrackingKind)0> >::traceWeak (this=0x7ffff4c7f500, trc=0x7fffffff9fb8)
at obj-x86_64-pc-linux-gnu/dist/include/js/GCVector.h:172
#8 0x000055555765e530 in js::FinalizationRegistrationsObject::traceWeak (this=0x18eb1013f0d8, trc=0x7fffffff9fb8)
at js/src/builtin/FinalizationRegistryObject.cpp:184
#9 0x000055555765e272 in js::FinalizationRegistryObject::traceWeak (this=0x18eb10175038, trc=0x7fffffff9fb8)
at js/src/builtin/FinalizationRegistryObject.cpp:308
#10 0x000055555841d630 in js::gc::FinalizationObservers::traceWeakFinalizationRegistryEdges (this=0x7ffff74a8d20, trc=0x7fffffff9fb8)
at js/src/gc/FinalizationObservers.cpp:206
#11 0x000055555841d1de in js::gc::FinalizationObservers::traceWeakEdges (this=0x7ffff74a8d20, trc=0x7fffffff9fb8)
at js/src/gc/FinalizationObservers.cpp:189
#12 0x000055555841aa1f in js::gc::GCRuntime::traceWeakFinalizationObserverEdges (this=0x7ffff7423728, trc=0x7fffffff9fb8, zone=0x7ffff74e7000)
at js/src/gc/FinalizationObservers.cpp:176
#13 0x000055555852887c in js::gc::GCRuntime::sweepFinalizationObserversOnMainThread (this=0x7ffff7423728)
at js/src/gc/Sweeping.cpp:1304
#14 0x00005555585294ad in js::gc::GCRuntime::beginSweepingSweepGroup (this=0x7ffff7423728, gcx=0x7ffff7423740, budget=...)
at js/src/gc/Sweeping.cpp:1533
#15 0x000055555855c72a in sweepaction::SweepActionCall::run (this=0x7ffff741c260, args=...)
at js/src/gc/Sweeping.cpp:2058
#16 0x000055555856b53d in sweepaction::SweepActionSequence::run (this=0x7ffff74061a0, args=...)
at js/src/gc/Sweeping.cpp:2128
#17 0x000055555855baba in sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, JSRuntime*>::run (this=0x7ffff741a3a0, args=...)
at js/src/gc/Sweeping.cpp:2163
#18 0x000055555852d15e in js::gc::GCRuntime::performSweepActions (this=0x7ffff7423728, budget=...)
at js/src/gc/Sweeping.cpp:2305
#19 0x0000555558431943 in js::gc::GCRuntime::incrementalSlice (this=0x7ffff7423728, budget=..., reason=JS::GCReason::API,
budgetWasIncreased=false) at js/src/gc/GC.cpp:3701
#20 0x0000555558433d15 in js::gc::GCRuntime::gcCycle (this=0x7ffff7423728, nonincrementalByAPI=true, budgetArg=..., reason=JS::GCReason::API)
at js/src/gc/GC.cpp:4212
#21 0x0000555558434c92 in js::gc::GCRuntime::collect (this=0x7ffff7423728, nonincrementalByAPI=true, budget=..., reason=JS::GCReason::API)
at js/src/gc/GC.cpp:4400
#22 0x0000555558413cf2 in js::gc::GCRuntime::gc (this=0x7ffff7423728, options=JS::GCOptions::Normal, reason=JS::GCReason::API)
at js/src/gc/GC.cpp:4477
#23 0x0000555558487b2e in JS::NonIncrementalGC (cx=0x7ffff7430100, options=JS::GCOptions::Normal, reason=JS::GCReason::API)
at js/src/gc/GCAPI.cpp:297
#24 0x0000555557e57d60 in GC (cx=0x7ffff7430100, argc=0, vp=0x7ffff4cf9090)
at js/src/builtin/TestingFunctions.cpp:703
#25 0x000055555757f24e in CallJSNative (cx=0x7ffff7430100, native=0x555557e57890 <GC(JSContext*, unsigned int, JS::Value*)>,
reason=js::CallReason::Call, args=...) at js/src/vm/Interpreter.cpp:459
#26 0x000055555757ea2d in js::InternalCallOrConstruct (cx=0x7ffff7430100, args=..., construct=js::NO_CONSTRUCT, reason=js::CallReason::Call)
at js/src/vm/Interpreter.cpp:553
#27 0x000055555757fe21 in InternalCall (cx=0x7ffff7430100, args=..., reason=js::CallReason::Call)
at js/src/vm/Interpreter.cpp:620
#28 0x000055555757fbe5 in js::CallFromStack (cx=0x7ffff7430100, args=..., reason=js::CallReason::Call)
at js/src/vm/Interpreter.cpp:625
#29 0x00005555575705d4 in Interpret (cx=0x7ffff7430100, state=...) at js/src/vm/Interpreter.cpp:3368
#30 0x00005555575626b0 in js::RunScript (cx=0x7ffff7430100, state=...) at js/src/vm/Interpreter.cpp:431
#31 0x00005555575819dc in js::ExecuteKernel (cx=0x7ffff7430100, script=..., envChainArg=..., evalInFrame=..., result=...)
at js/src/vm/Interpreter.cpp:818
#32 0x0000555557582285 in js::Execute (cx=0x7ffff7430100, script=..., envChain=..., rval=...)
at js/src/vm/Interpreter.cpp:850
#33 0x00005555577c34a6 in ExecuteScript (cx=0x7ffff7430100, envChain=..., script=..., rval=...)
at js/src/vm/CompilationAndEvaluation.cpp:472
#34 0x00005555577c35fd in JS_ExecuteScript (cx=0x7ffff7430100, scriptArg=...)
at js/src/vm/CompilationAndEvaluation.cpp:496
#35 0x00005555573abb5f in FuzzilliReprlGetAndRun (cx=0x7ffff7430100) at js/src/shell/js.cpp:3727
#36 0x0000555557385352 in ProcessArgs (cx=0x7ffff7430100, op=0x7fffffffe4b0) at js/src/shell/js.cpp:10496
#37 0x0000555557374b53 in Shell (cx=0x7ffff7430100, op=0x7fffffffe4b0) at js/src/shell/js.cpp:10815
#38 0x000055555736fbf6 in main (argc=4, argv=0x7fffffffe718) at js/src/shell/js.cpp:11247
|
Reporter | |
Comment 1•3 years ago
|
||
|
|
Reporter | |
Comment 2•3 years ago
|
||
|
|
Reporter | |
Updated•3 years ago
|
|
Assignee | |
Comment 3•3 years ago
|
||
This is caused an over-strict assertion and has no impact in release builds.
Assignee: nobody → jcoppeard
Priority: -- → P3
|
|
Assignee | |
Comment 4•3 years ago
|
||
We are triggering an assertion failure that's designed to catch writing gray GC
pointers into black GC things. This is happening because sweeping finalization
registry vectors can reorder the elements of the vector when dead elements are
removed, and writing into the vector checks the new element is not gray.
This is not a problem in this case and the solution is to disable this
assertion while sweeping.
|
||
Updated•3 years ago
|
Severity: -- → S3
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5e83211fc39e
Allow touching gray things while sweeping finalization registry vectors r=sfink
|
||
Comment 6•3 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox113:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 113 Branch
You need to log in
before you can comment on or make changes to this bug.
Description
•