Closed Bug 1839062 Opened 2 years ago Closed 2 years ago

Assertion failure: isEnabled(), at gc/Nursery.cpp:1630

Categories

(Core :: JavaScript: GC, defect)

Product:
Core
Component:
JavaScript: GC
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
116 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- unaffected
firefox114 --- unaffected
firefox115 --- unaffected
firefox116 --- verified

People

(Reporter: decoder, Assigned: jonco)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker])

Attachments

(3 files)

Detailed Crash Information
1.03 KB, text/plain
Details
Testcase
64 bytes, text/plain
Details
Bug 1839062 - Check whether nursery is enabled before requesting minor GC during JIT BigInt allocation r?jandem
48 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20230618-72d2cda2651d (debug build, run with --fuzzing-safe --ion-offthread-compile=off --baseline-eager):

gczeal(4);
a = new BigInt64Array(2);
for (x=1;x<100;++x)
  a[0];

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555577c9ca2 in js::Nursery::requestMinorGC(JS::GCReason) ()
#1  0x00005555579e72b1 in js::jit::AllocateBigIntNoGC(JSContext*, bool) ()
#2  0x00002ee6de34c78f in ?? ()
#3  0x0000168c3983e030 in ?? ()
#4  0x00007fffffffd138 in ?? ()
#5  0x00007ffff2dfae48 in ?? ()
#6  0x0000000000000000 in ?? ()
rax	0x555555770cc2	93824994446530
rbx	0xa	10
rcx	0x5555585a2338	93825042883384
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffd0d0	140737488343248
rsp	0x7fffffffd0c0	140737488343232
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f9a840	140737353721920
r10	0x2	2
r11	0x0	0
r12	0x0	0
r13	0x0	0
r14	0x7ffff3e26280	140737285087872
r15	0x0	0
rip	0x5555577c9ca2 <js::Nursery::requestMinorGC(JS::GCReason)+354>
=> 0x5555577c9ca2 <_ZN2js7Nursery14requestMinorGCEN2JS8GCReasonE+354>:	movl   $0x65e,0x0
   0x5555577c9cad <_ZN2js7Nursery14requestMinorGCEN2JS8GCReasonE+365>:	callq  0x555556ca5e3f <abort>
Attached file Testcase

Verified bug as reproducible on mozilla-central 20230618205154-1634cff61cb0.
Unable to bisect testcase (Unable to launch the start build!):

Start: 650064fa4401c5deab12db900f76c19ec8dd8007 (20220620095248)
End: 72d2cda2651d8fe01c8649f60e0620bc794a87fe (20230618082615)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:update,bisect][fuzzblocker] → [bugmon:update,bisected,confirmed][fuzzblocker]
Assignee: nobody → jcoppeard
Regressed by: 1836085

I previously added an assertion to Nursery::requestMinorGC that the nursery is
enabled and the fuzzers have found another case where it isn't true. When
nursery big int allocation fails in JIT code we request a minor GC, but the
nursery could be disabled so we have to add this check.

Set release status flags based on info from the regressing bug 1836085

status-firefox114: --- → unaffected
status-firefox115: --- → unaffected
status-firefox-esr102: --- → unaffected
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/41581deb338a Check whether nursery is enabled before requesting minor GC during JIT BigInt allocation r=jandem

https://hg.mozilla.org/mozilla-central/rev/41581deb338a

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox116: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch

Verified bug as fixed on rev mozilla-central 20230619213151-e06365982ef6.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox116: fixedverified
Keywords: bugmon

Set release status flags based on info from the regressing bug 1836085

status-firefox-esr115: --- → unaffected
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: