Closed Bug 1901407 Opened 4 months ago Closed 4 months ago

Assertion failure: this->flags() == 0, at /root/src/js/src/gc/Cell.h:798

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
129 Branch
Tracking Flags:
Tracking Status
firefox129 --- fixed

People

(Reporter: nils.bars, Assigned: jandem)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

bug.js
271 bytes, application/x-javascript
Details
Bug 1901407 - Use MaybeForwardedObjectIs in DebuggerScript::trace. r?jonco!
48 bytes, text/x-phabricator-request
Details | Review
Attached file bug.js

Steps to reproduce:

This bug seems to be flakey and does not trigger every time on my machine.

Checkout commit 15778b8c32f8535624fff2af36fc669e65a9af3 and invoke the js shell as follows:

/root/js-spidermonkey-shell  --fast-warmup --ion-check-range-analysis --ion-extra-checks --fuzzing-safe --disable-oom-functions --enable-new-set-methods --small-function-length=2048 --inlining-entry-threshold=16 --gc-zeal=10,90 --ion-scalar-replacement=on --ion-pruning=off --ion-range-analysis=off --ion-inlining=on --ion-gvn=on --ion-osr=off --ion-edgecase-analysis=on --spectre-mitigations=on --ion-limit-script-size=on --ion-offthread-compile=off --ion-optimize-gcbarriers=on --ion-iterator-indices=off --no-ggc --ion-optimize-shapeguards=on --ion-licm=on --ion-instruction-reordering=off --cache-ir-stubs=on --no-sse41 --monomorphic-inlining=never --ion-load-keys=off --ion-sink=off  <testcase>

Actual results:

Assertion failure: this->flags() == 0, at /root/src/js/src/gc/Cell.h:798
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Version: Firefox 125 → Trunk
Group: core-security → javascript-core-security

I can reproduce this intermittently with rr record -h with --gc-zeal=10 with the reduced test below.

var mod = new WebAssembly.Module(wasmTextToBinary(`(func)`))
var inst = new WebAssembly.Instance(mod);
for (var i = 0; i < 5; i++) {
    newGlobal({"sameZoneAs": this}).Debugger(this).findScripts();
}
Assignee: nobody → jdemooij
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

The code that's affected/changed is a debug assertion.

Group: javascript-core-security
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f948b0d908e2 Use MaybeForwardedObjectIs in DebuggerScript::trace. r=jonco

https://hg.mozilla.org/mozilla-central/rev/f948b0d908e2

Status: ASSIGNED → RESOLVED
Closed: 4 months ago
status-firefox129: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 129 Branch
Blocks: 1903968
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: