Closed Bug 1902139 Opened 8 months ago Closed 8 months ago

Assertion failure: zone->isGCMarkingBlackAndGray(), at /js/src/gc/Sweeping.cpp:591

Categories

(Core :: JavaScript: GC, defect, P1)

Product:
Core
Component:
JavaScript: GC
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
129 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox127 --- unaffected
firefox128 --- unaffected
firefox129 --- verified

People

(Reporter: decoder, Assigned: jonco)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker])

Attachments

(3 files)

Detailed Crash Information
2.45 KB, text/plain
Details
Testcase
50 bytes, text/plain
Details
Bug 1902139 - Fix zone state assertion for incremental marking verifier r?sfink
48 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20240612-55142668d011 (debug build, run with --fuzzing-safe --ion-offthread-compile=off test.js):

gczeal(11)
a = ""
for (;;) a += "0123456789abcdef"

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x58911cca in js::gc::GCRuntime::markAllGrayReferences(js::gcstats::PhaseKind) ()
#1  0x5892f730 in js::gc::MarkingValidator::nonIncrementalMark(js::gc::AutoGCSession&) ()
#2  0x5891bfdb in js::gc::GCRuntime::computeNonIncrementalMarkingForValidation(js::gc::AutoGCSession&) ()
#3  0x5891bc71 in js::gc::GCRuntime::beginSweepPhase(JS::GCReason, js::gc::AutoGCSession&) ()
#4  0x58879a91 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::GCReason, bool) ()
#5  0x5887cdab in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, JS::GCReason) ()
#6  0x5887e4ca in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, JS::GCReason) ()
#7  0x588695e1 in js::gc::GCRuntime::gcIfRequestedImpl(bool) ()
#8  0x5831cdb1 in JSContext::handleInterrupt() ()
#9  0xe81f4551 in ?? ()
#10 0xe821d3e1 in ?? ()
#11 0xe81ea7ed in ?? ()
#12 0x58a292c8 in js::jit::EnterBaselineInterpreterAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) ()
#13 0x57f9b966 in js::Interpret(JSContext*, js::RunState&) ()
[...]
#22 0x57df113a in Shell(JSContext*, js::cli::OptionParser*) ()
#23 0x57de8ba4 in main ()
eax	0x567e0a78	1451100792
ebx	0x5974f0c8	1500836040
ecx	0x597544b4	1500857524
edx	0xf7bfccc7	-138425145
esi	0xf6a13448	-157207480
edi	0xffedf650	-1182128
ebp	0xffedf688	4293785224
esp	0xffedf640	4293785152
eip	0x58911cca <js::gc::GCRuntime::markAllGrayReferences(js::gcstats::PhaseKind)+266>
=> 0x58911cca <_ZN2js2gc9GCRuntime21markAllGrayReferencesENS_7gcstats9PhaseKindE+266>:	movl   $0x24f,0x0
   0x58911cd4 <_ZN2js2gc9GCRuntime21markAllGrayReferencesENS_7gcstats9PhaseKindE+276>:	call   0x57e7c6b0 <abort>

Fwiw, I am seeing this assert all over the place, some larger tests from jsfunfuzz, wasm tests from LangFuzz and this one. It is hard to tell them apart, so filing this one first as a fuzzblocker to see if these are multiple bugs or the same issue.

Attached file Testcase

Verified bug as reproducible on mozilla-central 20240612215151-157e7e735044.
The bug appears to have been introduced in the following build range:

Start: 73118a713e7bca98f71d900b359dee8e84e78f4b (20240610151042)
End: 098328a0eeccc3704d617d0b929ec8b1f24aa4b2 (20240610160311)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=73118a713e7bca98f71d900b359dee8e84e78f4b&tochange=098328a0eeccc3704d617d0b929ec8b1f24aa4b2

Whiteboard: [bugmon:update,bisect][fuzzblocker] → [bugmon:update,bisected,confirmed][fuzzblocker]
Assignee: nobody → jcoppeard

This is an over eager assertion and only affects incremental marking verification which is not present in release builds. Not security sensitive.

Group: javascript-core-security

The assertion should check that all zones being collected are in the expected
state, not all zones in the runtime.

Based on comment #3, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:jonco, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Flags: needinfo?(jcoppeard)
Flags: needinfo?(jcoppeard)
Regressed by: 1900001

Set release status flags based on info from the regressing bug 1900001

status-firefox127: --- → unaffected
status-firefox128: --- → unaffected
status-firefox-esr115: --- → unaffected
Severity: -- → S3
Priority: -- → P1
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3360f5500856 Fix zone state assertion for incremental marking verifier r=sfink

https://hg.mozilla.org/mozilla-central/rev/3360f5500856

Status: NEW → RESOLVED
Closed: 8 months ago
status-firefox129: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 129 Branch

Verified bug as fixed on rev mozilla-central 20240614204945-97bce31758a5.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox129: fixedverified
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: