1894593 - Assertion failure: zone->isGCMarking(), at gc/Marking.cpp:774

Status: RESOLVED DUPLICATE of bug 1894547

(Core :: JavaScript: GC, defect, P1)

Description

[lukas.bernhard]

Steps to reproduce:

On git commit 73271a6e76f52eff6d2783d12e0fc749b4080701 the attached sample asserts in the js-shell when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js.
Bisecting the issue points to commit 0b33b3cba170b8defc445cbcf7738baf8867fc08 related to bug 1890670.

function f2() {
}
x = f2;
const v4 = new WeakMap();
y = v4;
y.set(x, Symbol());
for (let v10 = 0; v10 < 500; v10++) {
    class C11 {
    }
    new C11();
    function F13(a15, a16) {
        if (!new.target) { throw 'must be called with new'; }
        this.g = C11;
    }
    gc(this, "shrinking");
}

#0  js::GCMarker::markImplicitEdges<JS::Symbol> (this=this@entry=0x7ffff7428e20, markedThing=markedThing@entry=0x17d2fe66030)
    at js/src/gc/Marking.cpp:774
#1  0x0000555557f44f67 in js::GCMarker::traverse<4u> (this=0x7ffff7428e20, thing=0x17d2fe66030) at js/src/gc/Marking.cpp:1024
#2  js::GCMarker::markAndTraverse<4u, JS::Symbol> (this=0x7ffff7428e20, thing=0x17d2fe66030) at js/src/gc/Marking.cpp:977
#3  js::GCMarker::markEphemeronEdges(mozilla::Vector<js::gc::EphemeronEdge, 2ul, js::SystemAllocPolicy>&, js::gc::MarkColor)::$_0::operator()<JS::Symbol*>(JS::Symbol*) const (t=0x17d2fe66030, this=<optimised out>) at js/src/gc/Marking.cpp:735
#4  JS::MapGCThingTyped<js::GCMarker::markEphemeronEdges(mozilla::Vector<js::gc::EphemeronEdge, 2ul, js::SystemAllocPolicy>&, js::gc::MarkColor)::$_0>(void*, JS::TraceKind, js::GCMarker::markEphemeronEdges(mozilla::Vector<js::gc::EphemeronEdge, 2ul, js::SystemAllocPolicy>&, js::gc::MarkColor)::$_0&&) (thing=0x17d2fe66030,
    traceKind=<optimised out>, f=...) at obj-x86_64-pc-linux-gnu/dist/include/js/TraceKind.h:253
#5  JS::ApplyGCThingTyped<js::GCMarker::markEphemeronEdges(mozilla::Vector<js::gc::EphemeronEdge, 2ul, js::SystemAllocPolicy>&, js::gc::MarkColor)::$_0>(void*, JS::TraceKind, js::GCMarker::markEphemeronEdges(mozilla::Vector<js::gc::EphemeronEdge, 2ul, js::SystemAllocPolicy>&, js::gc::MarkColor)::$_0&&) (thing=0x17d2fe66030, 
    traceKind=<optimised out>, f=...) at obj-x86_64-pc-linux-gnu/dist/include/js/TraceKind.h:268
#6  js::GCMarker::markEphemeronEdges (this=this@entry=0x7ffff7428e20, edges=..., srcColor=js::gc::MarkColor::Black)
    at js/src/gc/Marking.cpp:733
#7  0x0000555557f4e317 in JS::Zone::enterWeakMarkingMode (this=<optimised out>, marker=0x7ffff7428e20, budget=...)
    at js/src/gc/Marking.cpp:2250
#8  0x0000555557fea307 in js::gc::GCRuntime::markWeakReferences<js::gc::SweepGroupZonesIter> (this=this@entry=0x7ffff742f798, incrementalBudget=...)
    at js/src/gc/Sweeping.cpp:525
#9  0x0000555557fce135 in js::gc::GCRuntime::markWeakReferencesInCurrentGroup (this=0x7ffff742f798, budget=...) at js/src/gc/Sweeping.cpp:556
#10 js::gc::GCRuntime::endMarkingSweepGroup (this=0x7ffff742f798, gcx=<optimised out>, budget=...) at js/src/gc/Sweeping.cpp:1155
#11 0x000055555800a8d1 in sweepaction::SweepActionSequence::run (this=0x7ffff7410920, args=...) at js/src/gc/Sweeping.cpp:2179
#12 0x00005555580013df in sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, JSRuntime*>::run (this=0x7ffff7425370, args=...)
    at js/src/gc/Sweeping.cpp:2214
#13 0x0000555557fd6bd1 in js::gc::GCRuntime::performSweepActions (this=0x7ffff742f798, budget=...) at js/src/gc/Sweeping.cpp:2362
#14 0x0000555557f0b052 in js::gc::GCRuntime::incrementalSlice (this=this@entry=0x7ffff742f798, budget=..., reason=reason@entry=JS::GCReason::API, 
    budgetWasIncreased=<optimised out>) at js/src/gc/GC.cpp:3820
#15 0x0000555557f0e2fe in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff742f798, nonincrementalByAPI=true, budgetArg=..., reason=reason@entry=JS::GCReason::API)
    at js/src/gc/GC.cpp:4334
#16 0x0000555557f0fc44 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff742f798, nonincrementalByAPI=true, budget=..., reason=reason@entry=JS::GCReason::API)
    at js/src/gc/GC.cpp:4525
#17 0x0000555557edb8ea in js::gc::GCRuntime::gc (this=0x7ffff742f798, options=JS::GCOptions::Shrink, reason=JS::GCReason::API)
    at js/src/gc/GC.cpp:4602
#18 0x0000555557f3732c in JS::NonIncrementalGC (cx=cx@entry=0x7ffff7439100, options=options@entry=JS::GCOptions::Shrink, reason=reason@entry=JS::GCReason::API)
    at js/src/gc/GCAPI.cpp:298
#19 0x0000555557a7afa6 in GC (cx=cx@entry=0x7ffff7439100, argc=<optimised out>, vp=<optimised out>) at js/src/builtin/TestingFunctions.cpp:777
#20 0x0000555557275167 in CallJSNative (cx=cx@entry=0x7ffff7439100, native=native@entry=0x555557a7ac90 <GC(JSContext*, unsigned int, JS::Value*)>, 
    reason=reason@entry=js::CallReason::Call, args=...) at js/src/vm/Interpreter.cpp:480
#21 0x0000555557274385 in js::InternalCallOrConstruct (cx=0x7ffff7439100, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:574
#22 0x00005555572760d6 in InternalCall (cx=0x7ffff7a008e0 <_IO_stdfile_2_lock>, args=..., reason=1506064704) at js/src/vm/Interpreter.cpp:641
#23 0x000055555728a3dc in js::CallFromStack (cx=0x7ffff7a008e0 <_IO_stdfile_2_lock>, args=..., reason=<optimised out>)
    at js/src/vm/Interpreter.cpp:646
#24 js::Interpret (cx=0x7ffff7439100, state=...) at js/src/vm/Interpreter.cpp:3071
#25 0x00005555572738d7 in MaybeEnterInterpreterTrampoline (cx=0x7ffff7a008e0 <_IO_stdfile_2_lock>, cx@entry=0x7ffff7439100, state=...)
    at js/src/vm/Interpreter.cpp:394
#26 0x00005555572735ca in js::RunScript (cx=cx@entry=0x7ffff7439100, state=...) at js/src/vm/Interpreter.cpp:452
#27 0x00005555572785a2 in js::ExecuteKernel (cx=cx@entry=0x7ffff7439100, script=script@entry=..., envChainArg=envChainArg@entry=..., evalInFrame=evalInFrame@entry=..., 
    result=result@entry=...) at js/src/vm/Interpreter.cpp:839
#28 0x0000555557278dad in js::Execute (cx=cx@entry=0x7ffff7439100, script=script@entry=..., envChain=..., rval=rval@entry=...)
    at js/src/vm/Interpreter.cpp:871
#29 0x00005555574c6d5a in ExecuteScript (cx=cx@entry=0x7ffff7439100, envChain=..., script=..., rval=rval@entry=...)
    at js/src/vm/CompilationAndEvaluation.cpp:494
#30 0x00005555574c6fd8 in JS_ExecuteScript (cx=cx@entry=0x7ffff7439100, scriptArg=scriptArg@entry=...)
    at js/src/vm/CompilationAndEvaluation.cpp:518
#31 0x00005555571b0cb8 in RunFile (cx=0x7ffff7439100, filename=<optimised out>, file=<optimised out>, compileMethod=CompileUtf8::DontInflate, compileOnly=false,
    fullParse=<optimised out>) at js/src/shell/js.cpp:1196
#32 0x00005555571b017e in Process (cx=cx@entry=0x7ffff7439100, filename=0x0, forceTTY=<optimised out>, kind=kind@entry=FileScript)
    at js/src/shell/js.cpp:1782
#33 0x000055555716c003 in ProcessArgs (cx=0x7ffff7439100, op=0x7fffffffe638) at js/src/shell/js.cpp:11146
#34 Shell (cx=0x7ffff7439100, op=op@entry=0x7fffffffe638) at js/src/shell/js.cpp:11405
#35 0x00005555571643f9 in main (argc=<optimised out>, argv=0x7fffffffe8c8) at js/src/shell/js.cpp:11918

Comment 1

[Andrew McCreight [:mccr8]]

This could be a dupe of bug 1894442.

Comment 2

[lukas.bernhard]

Still reproduces after bug 1894442 has been fixed.

Comment 3

[Nicolas B. Pierron [:nbp]]

Jon, could this be a duplicate of Bug 1894547?

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1890670

Comment 5

[Jon Coppeard (:jonco)]

I confirmed this is a duplicate of bug 1894547.